Safari IE Firefox - Group Policy -> ISA Proxy

May 6th, 2008, 7:21 am

Hi guys,
Some interesting things developed over the course of setting up an ISA server for user tracking/reporting for web usage. We also have smartfilter installed on there for filtering (K-12 District).

As you may know, to get users to authenticate with ISA for web tracking you can:
A. Install the Firewall Client
B. Set browsers to use proxy settings pointing at your ISA server.

Obviously, we are using B since people bring in phones/laptops etc and are able to use internet. With some rules set up in ISA to block regular HTTP out, and an Active Directory policy to set proxy settings, and to disable changing connection settings.
But this is only for domain computers, so looking into a way to set up a page that instructs personal laptops/phones to use the proxy settings to connect, anyone got ideas?

Now for theintersting part:
IE works as intended. Login credentials are sent to ISA and the connection tab is missing in ie7, greyed out in ie6.
Safari is mostly there. You cannot go to change connection settings, but login credentials are not passed, so it nicely asks for user/pass.
Firefox is untouched. You can't just browse(http blocked), but can set up a proxy server at home or know of one, change your settings and out you go.

To combat firefox(haven't tested konq/opera/etc) we are going to block all access out except for ftp to all machines, and watch for things being denied from servers.
One issue with that, is the nice vista sidebar items that don't play with proxy, and likewise osx's items will be blocked. End of world? No, but would be nice if all apps used ie proxy settings or you could set your own.

May 6th, 2008, 7:13 pm

I don't understand a couple of things. Are the "people" who bring in laptops employees of the company, outside clients or a combination of the two?

You mentioned credentials. What login credentials are required for the non domain laptops?

May 8th, 2008, 11:41 am

people = staff/students

I don't care what their local logins are, I just want their stuff filtered as it would be liability to the district, since they are using our internet connection.

I wish for a page to appear (kind of like tmobile has at starbucks) where when you try to connect, and can't, it will refer you to directions (which I would script for each browser/os) to change settings to use the proxy server to get out.

Each person connecting would already have a domain username that ISA checks AD for so that would not be an issue.

May 8th, 2008, 12:40 pm

So, all you want is a single redirect script which you can find through Google. The directions for each browser and OS can all be on the same page.