Firewall Wizards mailing list archives
Re: Forcing All Web traffice thew a remote proxy.
From: Shahin Ansari <zohal52 () yahoo com>
Date: Sat, 21 Oct 2006 20:15:48 -0700 (PDT)
You can do this on the firewall using Modular Policy Framework (Cisco lingo ) or Policy Based Routing. The rule is processed before the routing table. "Behm, Jeffrey L." <BehmJL () bv com> wrote: For one client of ours, we blocked all outbound port 80 traffic at the Internet firewall (with some exceptions, as usual!), and then use an "automatic configuration script" that is on the HTTP proxy. When the browser fires up on the end-user PC, it first contacts the proxy server to retrieve the .pac file (auto config script), and based on where it is headed and/or where it came from, it is directed to one of three HTTP proxy servers. Using the auto config script allows us to centrally manage where PC's go for web surfing(via changes to the .pac file). It's the block of direct port 80 access at the Internet firewall that "forces" the PC's to comply with use of the script. I guess they could od manual entry of the proxy settings, but most end users don't quite get how to do that. Additionally, use of active directory group policy "resets" the proxy settings on a regular basis to "force" use the .pac file. Here's a Microsoft Technet article on Automatic Proxy. http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/ierk /Ch21_b.mspx?mfr=true It talks about using Automatic Configuration and Automatic Proxy. We are using the latter only. The proxy you are directed to does not *have* to be a Microsoft proxy. We have some traffic head to a squid proxy on a Solaris machine(long story). Hope this helps, Jeff -----Original Message----- From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Craig Van Tassle Sent: Tuesday, October 17, 2006 10:36 AM To: Firewall Wizards Security Mailing List Subject: [fw-wiz] Forcing All Web traffice thew a remote proxy. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have several site and I would like to force all traffic thew a remote proxy at one site. I was thinking of setting up some form of NAT rules for pushing everything thew our proxy. How would something like that be implimented? Or what are other thoughs? Thanks, Craig -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFNPhuAOTIJ89W4sIRAuRiAJ9wsalrRSDpiLZ7lYdpQbU0cf0ZpQCeIJec XFJkSSa++dyclJU9fCdX61o= =zAeT -----END PGP SIGNATURE----- _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards --------------------------------- Stay in the know. Pulse on the new Yahoo.com. Check it out.
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Forcing All Web traffice thew a remote proxy. Craig Van Tassle (Oct 17)
- Re: Forcing All Web traffice thew a remote proxy. John Adams (Oct 19)
- <Possible follow-ups>
- Re: Forcing All Web traffice thew a remote proxy. Behm, Jeffrey L. (Oct 19)
- Re: Forcing All Web traffice thew a remote proxy. Craig Van Tassle (Oct 20)
- Re: Forcing All Web traffice thew a remote proxy. Shahin Ansari (Oct 23)
- Re: Forcing All Web traffice thew a remote proxy. Behm, Jeffrey L. (Oct 23)