Forcing proxy settings

Hello Folks,

I have a Netscreen - 25 and I'm trying to block all outbound, unproxied traffic. We force IE proxy settings through group policies, but more and more people are just loading Netscape and FireFox to bypass our security.

Ideally, I'd like to block all web traffic that doesn't come from our web filter (St Bernard's iPrism), so if they continue to use FireFox or Netscape, they'll be forced to enter the proxy address.

So far I haven't been able to see anything in the WebUI (ScreenOS version 5.3.0r1.0) that would allow me to do this, and the Juniper knowledgebase is making my eyes blurry.

Thanks in advance for any help!

Reply to
tomme

First make a policy from trust --> untrust from your proxy server's IP to ANY service HTTP, action PERMIT (and NAT) and put it at the top of the policy list.

Then make another policy from trust --> untrust from ANY to ANY for service HTTP action DENY. Move this policy to immediately under the above described policy.

Done.

-Russ.

PS, consider deleting policy 0, trust->untrust any any any permit nat, and adding in the other policies you need for your network to function, explicitly by service. That way, unknown services won't get out.

Reply to
Somebody.
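The two policies Russ describes, written out as ScreenOS 5.x CLI. This is an added example, not Russ's or Juniper's text; the proxy address is a placeholder, the zone names are the defaults, and the `#` lines are explanation only (ScreenOS does not accept comments), so type only the `set` lines.

```screenos
# Assumption: the iPrism proxy sits in the Trust zone at a placeholder address.
set address "Trust" "iprism-proxy" 192.0.2.10 255.255.255.255

# Policy 1: only the proxy may open HTTP to the Untrust zone (source NAT, logged).
set policy id 1 from "Trust" to "Untrust" "iprism-proxy" "Any" "HTTP" nat src permit log

# Policy 2: every other HTTP flow from Trust is dropped. Logging these denies is
# the detection side: it shows which hosts are still running an unproxied browser.
set policy id 2 from "Trust" to "Untrust" "Any" "Any" "HTTP" deny log

# Ordering matters: ScreenOS matches top-down, so policy 1 must sit above the
# default "policy 0" (any/any/any permit) and policy 2 directly under policy 1.
set policy move 1 before 0
set policy move 2 after 1

# Check the resulting order before leaving the console.
get policy from "Trust" to "Untrust"
```

The `set policy move` syntax is from memory of ScreenOS 5.x; confirm the order with `get policy` as shown. Per Russ's PS, the deny only closes the HTTP gap, and anything else still passes through policy 0 until it is replaced by explicit per-service permits.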

They're not bypassing, they're improving your security if they're not using Internet Exploder any more.

Usually, one will implement a transparent proxy in such a case - is there any documentation for your Netscreen device available for that topic?

Yours, VB.

Reply to
Volker Birk

Thanks Russ, I'll give this a shot and let you know how it turns out. It will have to wait till after hours.

Thanks again for the help!

Reply to
tomme

I'm considering doing an MSI push for FireFox after getting the proxy/firewall set up properly. I'd love to wipe IE out of the environment, or at least give them their own option.

Reply to
tomme

That is the case, when you want to block http traffic. The other option is to redirect the destination to the proxy (IP, + maybe port if the proxy is not listening on port 80). That is what Volker mentioned as transparent proxy.

That is a common technique and therefore should be possible with a netscreen.

Wolfgang

Reply to
Wolfgang Kueter

That's a good tip. I'm sure as soon as this goes into production and people can't use FireFox/Netscape, I'll get flooded with calls. I'm glad you chimed in.

I'm ready to go, just waiting on 5:00 to roll around so I can start kicking people out and get this tested. Thanks for everyone's help. I feel like a newbie again after it turned out to be so simple.

Reply to
tomme

No problem, good luck.

Firefox users will be fine once they input the settings for your new proxy server; just make up a helpful document and distribute it.

-Russ.

Reply to
Somebody.

Just trying to keep it simple for him, sounds like he's all ready to go with setting up the proxy and changing the browsers, I just answered his question "how do I block non-proxy browse traffic".

A transparent proxy is another valid approach.

-Russ.

Reply to
Somebody.
