forsyths_au
 asked on

ISA Server - Bypass web proxy when users are outside the network

I inherited an ISA Server 2004 in a single adaptor configuration and have 2 related problems

1. Company policy does not allow me to force all traffic through ISA (and therefore have it logged), but I suddenly have large amounts of download traffic per day that I need to identify. Our ISP cannot help due to privacy policies?? and, as it is a managed service, I have no admin access to the router to try and identify the traffic/user. Any ideas how to easily trace this? Of course I would love to have ISA set up with 2 NICs to solve this, but I am not permitted to make that change.

2. The hole above is created by laptop users who needed to be able to change proxy settings for when they are in the field. Somewhere in the past they were loaded with Firefox to bypass the Group Policy proxy locks on IE and given the direct router address, which of course they now use instead of the proxy when they are in the office; all other users are proxy-locked by Group Policy.
How can I proxy block them so they cannot change it in the office but allow them to modify it away from the office, and can this be done with Firefox?

As I am not that familiar with ISA, any and all suggestions are valued.
Microsoft Forefront ISA Server

Last Comment
forsyths_au

8/22/2022 - Mon
Lance_P

Lock down the router to allow only traffic from the ISA. This way you will have to go through the ISA to access the internet. You can put the router on a different VLAN as well.
Mohamed Khairy

You can use the Firewall Client with those users instead of web proxy clients.

http://www.isaserver.org/tutorials/isa_clients__part_3_the_firewall_client.html
forsyths_au

ASKER
Thanks Lance & mkhairy for the quick replies, but I cannot make changes to the router. As for the client, it is my understanding that it would require changing the ISA mode to using 2 NICs (Edge mode), and that change has already been ruled out by the powers above... a little knowledge overrules what should be done :/
Lance_P

You can lock down the router to allow only traffic from one IP. If you cannot make any changes then your options are limited.
forsyths_au

ASKER
That's the wall I was hitting, Lance, which led me to asking those like yourself with more knowledge than me.
The first problem of identifying the download traffic/user I'm hoping may then lead to being allowed to make changes to the ISA mode configuration.
Lance_P

Well, the simple answer to your management would be that if the user is not going through the ISA, then you cannot manage the traffic, and to manage it you need to make some changes. If they will not allow you to do so, then they cannot ask you to be accountable for the excess traffic.

This is the final option, although I stopped using this years ago. Force this through GPO and you should ensure all users are going through the proxy in the office only!

http://sysadminhell.blogspot.com/2009/03/proxy-pac-files-how-to-use-with-laptops.html
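The approach behind the linked article is a proxy auto-configuration (PAC) file: a small piece of JavaScript the browser evaluates for every request, returning the proxy to use. Because the decision is made from the client's current address, one file serves both cases in the question: on the office subnet it returns the ISA web proxy, anywhere else it returns DIRECT, so the laptop user never has to edit settings. IE (via GPO) and Firefox both accept a PAC URL. The block below is an added example, not code from the thread or the linked article; the subnet, mask and proxy name are constructed placeholders. A real browser supplies isInNet(), myIpAddress(), dnsDomainIs() and isPlainHostName() itself; minimal re-implementations are included here so the logic can be exercised offline in Node.

```javascript
// Proxy auto-configuration (PAC) example: proxy in the office, direct elsewhere.
// The browser normally provides the helper functions; these re-implementations
// exist only so the file can be tested stand-alone with Node.

// Constructed placeholder values: replace with the real office subnet and the
// ISA web-proxy listener (ISA 2004 listens on TCP 8080 by default).
const OFFICE_SUBNET = "10.0.0.0";
const OFFICE_MASK = "255.255.0.0";
const PROXY = "PROXY isa.example.local:8080";
const DIRECT = "DIRECT";

// In a browser myIpAddress() returns the client's real address. For testing,
// the address is simulated and can be changed with setClientIp().
let simulatedClientIp = "10.0.5.23";
function setClientIp(ip) { simulatedClientIp = ip; }
function myIpAddress() { return simulatedClientIp; }

// Dotted-quad IPv4 address to unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + parseInt(octet, 10), 0) >>> 0;
}

// True when ip falls inside net/mask (both sides masked, then compared).
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }

// Entry point every PAC runtime calls; the name and signature are fixed.
function FindProxyForURL(url, host) {
  // Single-label names and the internal domain (assumed example.local)
  // are reachable without the proxy from anywhere.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.local")) {
    return DIRECT;
  }
  // Client address on the office subnet: force the ISA web proxy so the
  // traffic is logged. The laptop user cannot "choose" DIRECT here.
  if (isInNet(myIpAddress(), OFFICE_SUBNET, OFFICE_MASK)) {
    return PROXY;
  }
  // Away from the office the proxy is unreachable, so go direct.
  return DIRECT;
}
```

Two practical points a defender should keep in mind. First, myIpAddress() returns whichever address the browser picks when the host has several interfaces (for example a VPN adapter), so the subnet test should be checked from a real laptop before rollout. Second, a PAC file controls only what a browser that is pointed at it does: it does not stop a user who can edit the proxy settings from removing the PAC URL, so on the office side it has to be paired with the GPO lock, or with the router-level enforcement discussed earlier, to actually close the hole.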
ASKER CERTIFIED SOLUTION
pwindell

forsyths_au

ASKER
Thanks heaps for the responses
I intend to try some of the suggestions over the next 4 - 5 working days and I'll report back.
pwindell

Looking back at my post I wanted to clarify something.  When I said,

 "Assuming you had the authority to actually "do your job",....."

It meant nothing negative toward you; I was only expressing annoyance at the situation you find yourself in.
forsyths_au

ASKER
No problem. It did sound that way on first read, but after that I didn't read anything into it. I needed help so wasn't about to judge or get precious :)
Lance_P

Well forsyths_au,

If you do get someone to change the firewall settings, then all you need to do is allow the ISA and other 'important' devices to connect directly. Everything else must go through the ISA to get internet access (via the ISA proxy, of course). That should solve your problem once and for all, and you won't have to worry about WPADs or PACs or GPOs.

If you still have high bandwidth usage, you can assume it's one of those direct IP's.

TC.
forsyths_au

ASKER
Hi Lance_P,

It turns out it is my DC sucking it all down from the internet; working on downloading what now, and investigating whether to use your suggestion or pwindell's as the final solution to my 2nd question.
forsyths_au

ASKER
Lance_P had some good input and ideas, but in the end it was pwindell's suggestion that proved the best solution in my particular situation.

Thanks everyone