How to Block Non-Web Proxy Clients without Requiring Authentication at the ISA and TMG Firewall
A Web proxy client is a machine that is aware that the ISA or TMG firewall provides a path to Web content on the Internet. The client is aware of the ISA or TMG firewall either because the client was configured with the name or IP address of the firewall, or because the client used some kind of autodiscovery mechanism to locate the firewall. In both cases, the Web proxy client applications know how to send Web requests to the firewall’s Web proxy filter.
Clients that aren’t aware of the ISA or TMG firewall can still benefit from the caching and filtering features available to Web proxy clients by taking advantage of the Web proxy filter’s hook into the HTTP protocol definition. The Web Proxy filter is similar to the old ISA 2000 HTTP Redirector Filter, which enabled the firewall to intercept HTTP connections from non-Web proxy clients and forward them to the Web Proxy service. In the ISA or TMG firewall, the Web Proxy filter performs a similar task.
One important thing that Web proxy clients can do that non-Web proxy clients can’t do is authenticate with the firewall. This is useful when you want to prevent non-Web proxy clients from connecting to the Internet: all you need to do is make Access Rules that require authentication.
The problem is that there might be times when you want to allow anonymous outbound access, but still want to make sure that non-Web proxy clients are blocked from connecting. The procedure below lets you create rules that allow Web proxy clients anonymous outbound access, while blocking machines that haven’t been configured as Web proxy clients.
To make this work you need to do the following:
- Create a new Protocol Definition for TCP port 80 outbound.
- Create an Access Rule that denies all outbound traffic for that Protocol Definition.
- Put that Access Rule above all other rules that allow outbound HTTP.
- Unbind the HTTP filter from the existing HTTP Protocol Definition.
It’s that simple! Now when SecureNAT or Firewall clients try to connect to the Web using HTTP, their connections will be denied, even if you have an anonymous outbound Access Rule for HTTP. The only way they’ll be able to connect is by being configured as Web proxy clients.
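The following Python script is an added example, not code from the post or from ISA/TMG, that models the four steps above as a first-match rule table so you can see which connections the deny rule catches. It assumes a simplified engine: rules are evaluated top to bottom and the first match wins; a request that arrives at the firewall’s Web proxy listener is classified as the HTTP protocol; and a direct port-80 connection from a SecureNAT or Firewall client is treated as HTTP only while the Web proxy filter is still bound to the HTTP Protocol Definition, otherwise it matches the custom "TCP 80 Outbound" definition. The rule names, client labels and the listener port 8080 are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Protocol names used by this model; TCP80_OUT is the custom definition the post creates.
HTTP = "HTTP"
TCP80_OUT = "TCP 80 Outbound"


@dataclass(frozen=True)
class Connection:
    client_type: str          # constructed label: "webproxy", "securenat" or "firewall"
    dst_port: int
    via_proxy_listener: bool  # True when the request was sent to the Web proxy listener


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    protocols: Optional[FrozenSet[str]]  # None models "All outbound traffic"

    def matches(self, protocol: str) -> bool:
        return self.protocols is None or protocol in self.protocols


def classify(conn: Connection, web_proxy_filter_bound: bool) -> str:
    """Assumed classification (model, not ISA/TMG internals): listener traffic is
    HTTP; direct port-80 traffic is HTTP only while the Web proxy filter is bound,
    and plain outbound TCP 80 once the filter has been unbound."""
    if conn.via_proxy_listener:
        return HTTP
    if conn.dst_port == 80:
        return HTTP if web_proxy_filter_bound else TCP80_OUT
    return f"TCP {conn.dst_port} Outbound"


def evaluate(rules: List[Rule], conn: Connection,
             web_proxy_filter_bound: bool) -> Tuple[str, str]:
    """First-match evaluation, top to bottom; anything unmatched hits the default deny."""
    protocol = classify(conn, web_proxy_filter_bound)
    for rule in rules:
        if rule.matches(protocol):
            return rule.action, rule.name
    return "deny", "Default rule"


# Step 2: deny rule for the custom protocol; plus the existing anonymous allow rule.
BLOCK_NON_PROXY = Rule("Block non-Web proxy HTTP", "deny", frozenset({TCP80_OUT}))
ALLOW_ANON_OUT = Rule("Allow anonymous outbound", "allow", None)

# Constructed sample connections: a proxy client talking to the listener, and a
# SecureNAT client connecting straight to port 80 on an Internet host.
PROXY_CLIENT = Connection("webproxy", 8080, via_proxy_listener=True)
SECURENAT_CLIENT = Connection("securenat", 80, via_proxy_listener=False)


def policy_as_described() -> List[Rule]:
    """Step 3: the deny rule sits above the rule that allows outbound HTTP."""
    return [BLOCK_NON_PROXY, ALLOW_ANON_OUT]


def outcomes(rules: List[Rule], web_proxy_filter_bound: bool) -> dict:
    """Resulting action for each sample client under a given rule order and filter state."""
    return {
        "webproxy": evaluate(rules, PROXY_CLIENT, web_proxy_filter_bound)[0],
        "securenat": evaluate(rules, SECURENAT_CLIENT, web_proxy_filter_bound)[0],
    }


if __name__ == "__main__":
    # Steps 1-4 applied: proxy client allowed, SecureNAT client denied.
    print("as described:      ", outcomes(policy_as_described(), web_proxy_filter_bound=False))
    # Step 4 skipped: the SecureNAT connection is handled as HTTP and slips through.
    print("filter still bound:", outcomes(policy_as_described(), web_proxy_filter_bound=True))
    # Step 3 skipped: the anonymous allow rule matches first and the deny never fires.
    print("deny rule too low: ", outcomes(list(reversed(policy_as_described())), web_proxy_filter_bound=False))
```

Running the script prints three rows; only the first, with the deny rule on top and the filter unbound, blocks the SecureNAT client while still allowing the Web proxy client anonymously, which is the check to make after changing rule order on a live firewall.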
Later I’ll explain to you why this works, and the three entry points into the Web proxy engine.
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer