Tille's Site - I can see you, read those man pages!

How to Ignore an ISA Proxy/Firewall

Problems:

The following restrictions apply:

  • The MS ISA proxy server does not respect standards
  • ISA requires domain\username/password authentication
  • Only ports 80 and 443 are allowed for outgoing connections
  • Web pages are blocked for the strangest reasons by Web Sense
  • Downloads are scanned by Interscan Web Security
  • Linux cannot be used (as far as I know), i.e. with connect.c, standard SSH port forwarding, PuTTY or the HTTP Tunnel package: the ISA server refuses the connections and sends authentication errors.

Solution

I fought my way out using an external server. I configured the SSH daemon to listen on port 443 (HTTPS) so that I can hide traffic in secure HTTP packets. In /etc/ssh/sshd_config, add this line below the one that says to listen on port 22:

Port 443

Note: do this only if you are not offering HTTPS services on your server.

Then I downloaded PuTTY (from Freshmeat, an allowed site). In the "Session" part of the configuration tree, I enter my external server name and port number 443, and select SSH as the connection type.

In the "Connection" part, select "Proxy". Then mark proxy type HTTP and enter the proxy hostname and port, domain\username and password. Open the connection and test.

If SSH connections to your server work using this method, you can take on the next problem, the surfing restrictions.

I configured a Squid proxy server on my remote server, using the following configuration in /etc/squid/squid.conf:

acl allowed_hosts src x.y.z.0/255.255.255.0
http_access allow allowed_hosts

In the above, replace x.y.z.0 with your network. I left the rest of the default configuration as it came with the Debian package. Make sure that the proxy server is running: if there are errors in the ACLs, it will probably not start. Check your log files.

Now on your firewalled workstation, take PuTTY again and configure it to forward port 80 on the local host to the proxy port 3128 (the Squid default) on the remote host, while keeping the settings that connect to port 443 on the remote host. In "Connection - SSH - Tunnels" enter 80 as the source port and remote_hostname:3128 as the destination. Select Local and click the Add button. Then open this connection. You get the remote login prompt. Log in.

Now take your favorite browser and enter localhost and port 80 as proxy setting. Test by surfing to a forbidden websense category.
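The whole trick rests on the proxy not looking past the CONNECT request: it assumes that anything going to port 443 is HTTPS, while what actually flows is an SSH session. The same observation is what gives a proxy administrator or IDS a handle on it. A real HTTPS session opens with a TLS handshake record (content type 0x16, version bytes 0x03 0x0x), whereas an SSH session opens with the plain ASCII identification string "SSH-". The script below is an added example, not part of the original article or any ISA/Squid/PuTTY code: it classifies the first payload bytes of CONNECT tunnels to port 443 and flags those that do not carry TLS. The tunnel records and their opening bytes are constructed for the demo, not captured traffic.

```python
"""Spot non-TLS traffic hidden in CONNECT tunnels to port 443.

Added example (not from the original page). A TLS session begins with a
handshake record: content type 0x16 and a 0x03 0x0x version. An SSH session
begins with the identification string "SSH-..." in either direction. Anything
else on a 443 tunnel (plain HTTP, a raw protocol) is also worth a look.
"""

TLS_HANDSHAKE = 0x16
TLS_MAJOR = 0x03
TLS_MINORS = (0x00, 0x01, 0x02, 0x03, 0x04)   # SSL 3.0 through TLS 1.3 record versions


def classify_stream(first_bytes: bytes) -> str:
    """Return 'tls', 'ssh' or 'other' for the opening bytes of a tunnelled stream."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if (len(first_bytes) >= 3
            and first_bytes[0] == TLS_HANDSHAKE
            and first_bytes[1] == TLS_MAJOR
            and first_bytes[2] in TLS_MINORS):
        return "tls"
    return "other"


def find_suspicious(tunnels):
    """tunnels: iterable of (client_ip, destination, first_bytes) records.

    Returns (client_ip, destination, classification) for every tunnel to a
    :443 destination whose first bytes are not a TLS handshake.
    """
    flagged = []
    for client, destination, first_bytes in tunnels:
        if not destination.endswith(":443"):
            continue
        kind = classify_stream(first_bytes)
        if kind != "tls":
            flagged.append((client, destination, kind))
    return flagged


# Constructed sample records: (client, CONNECT destination, first payload bytes).
SAMPLE_TUNNELS = [
    # genuine HTTPS: TLS handshake record header, version 3.1, then ClientHello (0x01)
    ("10.0.0.5", "www.example.com:443", bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01])),
    # sshd listening on 443, exactly the setup described above
    ("10.0.0.7", "external.example.org:443", b"SSH-2.0-OpenSSH_5.5p1 Debian-6\r\n"),
    # plain HTTP pushed through a 443 tunnel
    ("10.0.0.9", "other.example.net:443", b"GET / HTTP/1.1\r\nHost: other.example.net\r\n"),
]


if __name__ == "__main__":
    for client, destination, kind in find_suspicious(SAMPLE_TUNNELS):
        print(f"{client} -> {destination}: {kind} on a 443 tunnel")
```

A proxy that applies this check (refusing CONNECT tunnels whose first bytes are not a TLS ClientHello) would have stopped the PuTTY-over-443 connection at the first step; the article's ISA server evidently did not look that far.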

NOTE: you might get in trouble doing this. Do these things on your own responsibility.

To feel even better at home, you can install Cygwin, see this article for a short explanation on the most important configuration settings.

© 1995-2010 Machtelt Garrels - tille - Powered by vIm - Best viewed with your eyes - Validated by W3C - Last update 20100511