forsyths_au asked:
ISA Server - Bypass web proxy when users are outside the network

I inherited an ISA Server 2004 in a single adaptor configuration and have 2 related problems

1. Company policy does not allow me to force all traffic through ISA (and therefore to log it), but I suddenly have large amounts of download traffic per day that I need to identify. Our ISP cannot help due to privacy policies (??), and as it is a managed service I have no admin access to the router to try and identify the traffic/user. Any ideas how to easily trace this? Of course I would love to have ISA set up with 2 NICs to solve this, but I am not permitted to make that change.

2. The hole above is created by laptop users who needed to be able to change proxy settings for when they are in the field. Somewhere in the past they were loaded with Firefox to bypass the Group Policy proxy locks on IE and given the direct router address, which of course they now use instead of the proxy when they are in the office; all other users are proxy locked by Group Policy.
How can I proxy block them so they cannot change it in the office, but allow them to modify it away from the office, and can this be done with Firefox?

As I am not that familiar with ISA, any and all suggestions are valued.
Lance_P

Lock down the router to allow only traffic from the ISA. This way you will have to go through the ISA to access the internet. You can put the router on a different VLAN as well.
Mohamed Khairy
You can use firewall client with those users instead of web proxy clients.

http://www.isaserver.org/tutorials/isa_clients__part_3_the_firewall_client.html
forsyths_au (ASKER)

Thanks Lance & mkhairy for the quick replies, but I cannot make changes to the router. As for the client, it is my understanding that it would require changing ISA mode to use 2 NICs (Edge Mode), and that change has already been ruled out by the powers above. A little knowledge overrules what should be done :/
You can lock down the router to allow only traffic from one IP... If you cannot make any changes then your options are limited.
That's the wall I was hitting, Lance, which led me to asking those like yourself with more knowledge than me.
The first problem of identifying the download traffic/user I'm hoping may then lead to being allowed to make changes to the ISA mode configuration.
Well, the simple answer to your management would be that if the user is not going through the ISA, then you cannot manage the traffic, and to manage it you need to make some changes. If they will not allow you to do so, then they cannot ask you to be accountable for the excess traffic.

This is the final option although I stopped using this years ago. Force this through GPO and you should ensure all users are going through the proxy in the office only!

http://sysadminhell.blogspot.com/2009/03/proxy-pac-files-how-to-use-with-laptops.html
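As an added illustration of the PAC approach the linked article describes (this is example code, not from the thread or from that article): a proxy auto-config script that sends laptops through the ISA proxy only while their address is on the office LAN, and lets them go direct anywhere else, so nobody has to hand-edit proxy settings. The office range 10.0.0.0/8, the proxy name isa.corp.example:8080 and the intranet suffix .corp.example are assumed values.

```javascript
// Assumed values: replace with the real office range and ISA host name.
var OFFICE_NETS = [["10.0.0.0", "255.0.0.0"]];
var OFFICE_PROXY = "PROXY isa.corp.example:8080";
var INTRANET_SUFFIX = ".corp.example";

// Dotted-quad IPv4 string -> unsigned 32-bit integer.
function ipToInt(ip) {
  var p = ip.split(".");
  return ((+p[0]) << 24 | (+p[1]) << 16 | (+p[2]) << 8 | (+p[3])) >>> 0;
}

// Same check as the PAC built-in isInNet(); reimplemented so the
// script can also be run and tested under Node.
function inNet(ip, net, mask) {
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

function isOfficeAddress(ip) {
  for (var i = 0; i < OFFICE_NETS.length; i++) {
    if (inNet(ip, OFFICE_NETS[i][0], OFFICE_NETS[i][1])) return true;
  }
  return false;
}

// Core decision, kept separate from FindProxyForURL so it is testable.
// On the office LAN the answer is the ISA proxy with NO "; DIRECT"
// fallback: a fallback is exactly what lets a client slip past the proxy
// when the proxy is unreachable. Off the LAN, everything goes direct.
function chooseProxy(clientIp, host) {
  if (!isOfficeAddress(clientIp)) return "DIRECT";
  if (host === "localhost" || host.slice(-INTRANET_SUFFIX.length) === INTRANET_SUFFIX) {
    return "DIRECT";                 // intranet hosts never need the proxy
  }
  return OFFICE_PROXY;
}

// Entry point called by the browser's PAC engine for every request.
function FindProxyForURL(url, host) {
  // myIpAddress() exists only inside a PAC engine; outside one (e.g. Node)
  // treat the client as off-site so the script still runs.
  var ip = (typeof myIpAddress === "function") ? myIpAddress() : "0.0.0.0";
  return chooseProxy(ip, host);
}
```

The returned string is what Firefox and IE evaluate when configured with the PAC URL, which is the setting the GPO pushes in place of a fixed proxy address.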
ASKER CERTIFIED SOLUTION
pwindell
Thanks heaps for the responses
I intend to try some of the suggestions over the next 4 - 5 working days and I'll report back.
Looking back at my post I wanted to clarify something.  When I said,

 "Assuming you had the authority to actually "do your job",....."

It meant nothing negative toward you. I was only expressing annoyance at the situation you find yourself in.
No problem. It did sound that way on first read, but after that I didn't read anything into it. I needed help, so I wasn't about to judge or get precious :)
Well forsyths_au,

If you do get someone to change the firewall settings, then all you need to do is allow the ISA and other 'important' devices to connect directly. Everything else must go through the ISA to get internet access (via the ISA proxy of course). That should solve your problem once and for all, and you won't have to worry about WPADs or PACs or GPOs.

If you still have high bandwidth usage, you can assume it's one of those direct IPs.

TC.
Hi Lance_P,

It turns out it is my DC sucking it all down from the internet. Working on downloading what now, and investigating whether to use your suggestion or pwindell's as the final solution to my 2nd question.
Lance_P had some good input and ideas, but in the end it was pwindell's suggestion that proved the best solution in my particular situation.

Thanks everyone