February 5th, 2002, 04:50 PM
Proxy 2.0 anonymous access
need help, i want to have anonymous access disabled for the www service in microsoft proxy 2.0 but it wont let me use any programs like aol IM, icq, real audio, mirc, etc with it disabled, as soon as i enable it, it lets me use it. With it disabled it gives me some access denied pasword error or authentication error or something. what should i do, i dont want it enabled as we keep getting people hacking into our system and using our proxy to access internet. Any suggestions?? could i change the port from 80 to something else so no scanners will pick it up on the default port??? HELP!!!
February 5th, 2002, 05:44 PM
If I were you, I would put a firewall or a router ACL in front of the Proxy server. If it is a cisco router the ACL is simple...just message me and I will tell you how. If you have any type of firewall, I can probably also help you.
If you disable anonymous access to the proxy...you will be forcing users to authenticate to the proxy for every outbound session, which is a pain in the a$$. Ideally, once you have a router or FW set up, you would also only permit outbound traffic from your proxy server. which will eliminate the chance of someone figuring out how to bypass the proxy.
Of course there are several ways to accomplish the same thing, but this is the method I would recommend. There should also be a setting within MS Proxy to only permit connections from specified IP's, but I am not very familiar with it so I can't say for sure. If there is though, that would also work.
February 5th, 2002, 05:50 PM
i thought that it is a firewall??? whats the difference??
I think i am just missing a setting somewhere, i think i can have anonymous access enabled but there has to be another setting to block to only outbound, does anyone know proxy 2.0 that could help me with that?? Any help is appreciated.
February 5th, 2002, 08:54 PM
Just to clarify...a proxy server technically is not a firewall, it is an application gateway. ALthough they have many things in common, a proxy server will inspect traffic all the way up to the Application layer, while a firewall is only layer 4 or the Transport Layer.
When using an HTTP proxy, someone with direct access could potentially connect to and use it as a web proxy. When putting a firewall or router with an access control list in front of it, you can easily specify which traffic is permitted to get to the proxy on port 80. In this case only your internal users. Like I said earlier, it is very easy to do, and chances are your Internet router already has the capability to use ACL's. So it probably won't require anything else on your part.
Let me know your exact setup, and I will give you the best solution
February 5th, 2002, 09:09 PM
Thats how we did it at one point invictus. Had a NAT box sitting between the Proxy Server an the outside world. Not anymore, because I got rid of the Microsoft Proxy Server, but that is beside the point. Many people don't consider NAT a firewall, but the outside world couldn't see the Proxy Server, and that was the important part.
\"Ignorance is bliss....
but only for your enemy\"
February 5th, 2002, 09:28 PM
You are absolutely correct...NAT is NOT a firewall. But like I said...the firewall will filter traffic to the proxy...and has nothing to do with NAT.
Or for example...a Cisco ACL would look something like this:
router(config)#access-list 100 deny any any eq any
Which would be applied inbound on the outside interface.
And inbound on the inside interface you might have something like this:
router(config)#access-list 101 permit <proxy IP> any eq HTTP
router(config)#access-list 101 permit <proxy IP> any eq HTTPS
router(config)#access-list 101 permit <proxy IP> any eq FTP
router(config)#access-list 101 deny any any
February 5th, 2002, 09:34 PM
ok , my setup here is this. I have a speedstream dsl router for internet access connected to a proxy server running proxy 2.0 and windows nt 4.0 sp6. we have our other location in mexico connecting to our network via citrix metaframe. surrogate socket is running on the proxy server to direct the internet traffic from citrix nfuse, which is not using the 80 port, to the citrix server. i dont want to have to buy any extra software or setup another server as a firewall. what can i do???
February 5th, 2002, 09:51 PM
Your router should be able to handle this...because I am almost positive Speedstream will support some sort of ACL's. Someone will have to help me on the exact method though.
What you will do is apply an ACL to the outside interface on your router to allow only citrix traffic (port 1494) to the citrix server, and only allow this traffic from the Mexico location's ip address. Nfuse may use a different port however. All other inbound traffic should be blocked.
Outbound...I am assuming users are just using proxied services (HTTP, HTTPS, and FTP)? If so, configure the speedstream to allow only these services only from the proxy server. All other traffic should be blocked (filtered).
This setup will still allow the Citrix users to do what they need to do, while blocking all other traffic inbound. And outbound only the standard set of services will be allowed and only from the Proxy. Which will force users to go through the proxy server so they do not have the ability to bypass it.
I hope this gets you started...hopefully someone can help us on the speedstream config. I am willing to give you as much help as necessary...so please don't hesitate to ask. If you wish send me a private message, and I will give you my personal email, to make it easier.