
Block WEB traffic

Trekk (Programmer, joined Aug 16, 2001, US)
Where to start
We have a PIX firewall and a Microsoft ISA server.
I have a few users who know how to undo the proxy settings in IE via the registry.
Setting them as non-admins on their PCs is not an option.


I want to block them at the PIX; all internet outbound traffic goes through the PIX

I think I need to create an ACL to block outbound web traffic unless it comes from the proxy, thus forcing them to use the proxy for web browsing.

Here is where it gets complicated: the President and Vice President don't go through the proxy server, they don't want to be restricted.

So how do I create an ACL that blocks the users I am having trouble with and still allows the Pres and Vice to surf the web?

Thanks in advance
 
hmmm... since you are using a proxy, you will have to allow the IP of the proxy through the PIX. But can you set up the Pres and VP with static IPs and not go through the proxy? Then specifically allow those 2 IPs through the access list and block https access for everything else but the proxy and the 2 static IPs.
 
Yes I can do that, in fact that is what I want to do, but I don't know how to correctly specify it in the PIX.

Thanks
 
access-list outbound permit tcp host pres_ip any eq www
access-list outbound permit tcp host vp_ip any eq www
access-list outbound permit tcp host proxy_ip any eq www
access-list outbound deny tcp any any eq www
access-list outbound permit ip any any
... or whatever other outbound rules you might have.

Then...
access-group outbound in interface inside


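The same ruleset written out in full, as an added example that is not part of the original thread. It extends the answer above by covering both HTTP (80) and HTTPS (443), since a user who bypasses the proxy can browse over either port, and by logging the denies so the PIX shows who is trying to go around the proxy. The addresses are placeholders and the PIX 6.x syntax is assumed; replace them with your own.

```cisco
! Added example, not from the original post. PIX 6.x syntax assumed.
! Placeholder addresses (assumptions, replace with your own):
!   10.1.1.10 = President's PC (static address)
!   10.1.1.11 = Vice President's PC (static address)
!   10.1.1.20 = ISA proxy server
!
! The PIX evaluates an access-list top down and stops at the first
! match, so the exceptions must come before the deny lines.
access-list outbound permit tcp host 10.1.1.10 any eq www
access-list outbound permit tcp host 10.1.1.10 any eq 443
access-list outbound permit tcp host 10.1.1.11 any eq www
access-list outbound permit tcp host 10.1.1.11 any eq 443
access-list outbound permit tcp host 10.1.1.20 any eq www
access-list outbound permit tcp host 10.1.1.20 any eq 443
!
! Everyone else: no direct web browsing on 80 or 443. "log" sends a
! syslog message per denied connection so you can see who is bypassing
! the proxy.
access-list outbound deny tcp any any eq www log
access-list outbound deny tcp any any eq 443 log
!
! Everything else (DNS, mail, and whatever other outbound rules you
! already have) stays permitted.
access-list outbound permit ip any any
!
! Apply the list to traffic entering the PIX on the inside interface.
access-group outbound in interface inside
```

After applying it, `show access-list outbound` shows a hit count per line, which is the quickest way to confirm that the proxy line is matching and that the deny lines are catching the direct connections. Two caveats on the design: the exceptions are keyed on source IP only, so a user who can edit the registry can just as easily set a static address that matches the President's and inherit the exception unless those addresses are protected (DHCP reservations, switch port security, or moving the exceptions into ISA groups as suggested later in the thread); and if the ISA server sits on a DMZ interface rather than inside, the proxy line belongs on the access-list for that interface instead.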
 
That is what I needed
Thank you
 
Do you have a Windows domain with Active Directory?
Even if you don't, why not make the Pres and Vice Pres members of a group that doesn't get filtered in ISA and everyone else in a group that does? That way you have the capabilities of both the PIX and ISA at your disposal for everyone. You may run into a situation in the future where it will be handy having the Pres and Vice Pres going through the proxy.
 
When I evaluated ISA a few years ago, user-based authentication only worked with IE. If that's no longer the case, then that would be a good idea.

I know that BorderManager authentication does work with all browsers, but ISA just got into an endless authentication loop.
 
We are actually implementing AD in a couple of months. I had to find a way to address those issues before then, but it is a good idea.

Thank you
 