ISA/Surf Control access for remote users

[marko2002]

Hi Guys,

Here's my current setup:
X1 Domain Controller (2003 Server) with ISA2000 and Surf Control web filter installed. I know this isn't an ideal setup but I'm currently working on another server to host ISA and Surf Control. Internally, all users are forced through the ISA/Surf Control server using Group Policy so no probs here. Externally, I've opened our ISA server for remote users to authenticate against and use on their home PC's for their own security (i.e. their internet connection would be filtered in the same way as internal PC's).

My main concern is that remote users could begin 'hogging' our bandwidth as all page request's would obviously be routed through our ISA server and we would in effect become their 'webcache'. Would there be a way for remote users to utilise their own internet connection for downloading web pages whilst still authenticating against my ISA/Surf Control filter so inappropriate sites are blocked and those sites allowed would be allowed?.

Advice greatly received.

Marko

 

[dearingkr]

You can configure their client to use the local gateway to get to the internet, but it is not a good idea for security reasons.
When a VPN client connects to your network via VPN, they become part of your network. If you do as above, you are adding an insecure internet connection to your network.


MCSE CCNA CCDA

 

[marko2002]

Hi dearingkr, thanx 4 the reply - I do realise that opening up the webcache in this way can be insecure though the plan is once I've sussed the thing I'm going to create a seperate cache server on a workgroup rather than my domain and use this as the dedicated webcache, though for now my main concern is basically to find a way to allow users to connect to the ISA server/web filter and use it as though they were on the internal network. This server is purely a cache server and not my firewall - the point being it caches and filters (using SurfControl Web Filter) and I need to try and find a way to allow external users to utilise the filter whilst not hogging my bandwidth - more a case of the filter saying 'yes' or 'no' to the requested web page and if 'yes' their internet connection is used to download the page rather than mine.
Any further help is greatly appreciated

 

[marko2002]

Just another quick point - I have actually managed to get some test users externally connected to the webcache/filter by opening the relevant port on my firewall router and all works perfectly - I merely now need to know if it's possible to get these external users to use their own internet connection to download pages rather than all traffic being routed through my own webcache/filter server!. I know this probably defeats the purpose of a 'webcache' in the first place, but I'm not particularly worried about users utilising the webcache, instead I'm more interested in them using the web filter (Surf Control).
Cheers

 

[dearingkr]

I doubt there is a way you can do what you want.

If you use the webcache, then the server is actually going out and getting the information (using it's internet connection) and returning the requested page to the client.

MCSE CCNA CCDA

 

[marko2002]

Hi again dearingkr - I didnt think so - oh well, back to the drawing board. On another note then, what kind of limitations would you expect on a, say, 4Mb download/400K upload internet connection. I understand that my 4mb download is probably of no relevance to external users but the 400K upload is obviously the maximum speed available to external users to receive pages from my cache server.

Having said that, the more users connecting to the cache, the less bandwidth available to each - therefore I'de need to consider what bandwidth I'd need for approximately 100 external users. Any idea's?!