Question #936
I have some users who somehow succeeded in downloading programs like HTTP PORT, which can be found at Http://www.technetva.com/httport/index.htm for more details, and Socks2HTTP, which can be found at http://www.totalrc.com/. They manage to convert SOCKS v.5 requests into HTTP requests and tunnel them through an HTTP proxy, or virtually open almost any TCP port. I tried to block this by applying content rules, but no luck. What should I do?
Answer
What programs like HTTP Port and Socks2HTTP do is simply establish a connection to a proxy server and send the following string to the proxy server:
CONNECT URL:PORT HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)
URL:PORT being the server to which the unauthorised user wants to connect.
ISA-Server does have support for the CONNECT method, but by default only allows this method for destination ports 443 and 563, so that users from inside cannot abuse the ISA-Server proxy. Therefore your users are probably connecting to a proxy server outside your network.
What you should do is block access to the IP address of the proxy server which is allowing your users to bounce their connections. You should also consider blocking connections to default proxy server ports: 8080, 3128 and SOCKS access on 1080. Another solution would be to allow connections to pre-defined destination ports only.
Other things you should block are connections to www.http-tunnel.com and similar services. You should also be aware that clients from inside could also install software on their home PC and bounce from there.
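The port policy described in the answer can also be checked against proxy logs to find which clients are tunnelling. The following is an added example, not part of the original answer: the log format ("client method target status") is an assumption rather than ISA Server's own format, and the sample lines, hosts and function names are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

ALLOWED_CONNECT_PORTS = {443, 563}        # CONNECT ports allowed by default, per the answer
DEFAULT_PROXY_PORTS = {8080, 3128, 1080}  # default proxy and SOCKS ports, per the answer
SCHEME_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Constructed sample log; assumed format: <client_ip> <METHOD> <target> <status>
SAMPLE_LOG = """\
10.0.0.21 CONNECT mail.example.com:443 200
10.0.0.37 CONNECT relay.example.net:22 200
10.0.0.37 GET http://proxy.example.org:8080/index.html 200
10.0.0.44 GET http://www.example.com/ 200
10.0.0.52 CONNECT news.example.com:563 200
10.0.0.37 CONNECT [2001:db8::1]:3128 200
garbage line
"""

def check_line(line):
    """Return (client, reason) for a policy violation, or None if the line is fine."""
    parts = line.split()
    if len(parts) != 4:
        return ("?", "unparsed line")     # surfaced rather than silently dropped
    client, method, target, _status = parts
    try:
        # CONNECT carries host:port; other methods carry an absolute URL.
        url = urlsplit("//" + target if method == "CONNECT" else target)
        port = url.port or SCHEME_PORTS.get(url.scheme)
    except ValueError:                    # malformed host or non-numeric port
        return (client, "invalid target " + target)
    if method == "CONNECT" and port not in ALLOWED_CONNECT_PORTS:
        return (client, f"CONNECT to port {port} ({url.hostname})")
    if port in DEFAULT_PROXY_PORTS:
        return (client, f"request to default proxy port {port} ({url.hostname})")
    return None

def scan(log_text):
    """Return all findings plus a per-client count for follow-up."""
    findings = [f for f in map(check_line, log_text.splitlines()) if f]
    return findings, Counter(client for client, _ in findings)

if __name__ == "__main__":
    findings, per_client = scan(SAMPLE_LOG)
    for client, reason in findings:
        print(client, reason)
    print(per_client.most_common())
```

Traffic tunnelled through an outside proxy listening on port 80 or 443 passes this check, which is why the answer also recommends blocking the outside proxy's IP address and known tunnel services.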