Ask a question

Search Forums:

• Search Forefront Edge Security - Internet Access Forum
• Search All Forefront Edge Security Forums
• Search All Microsoft TechNet Forums

 

ISA 2006 - Webproxy Bypass

• Thursday, September 10, 2009 3:29 PMarvato01

   
  

  0

  Sign In to Vote
  Hi All,
  Can somebody please advise? I have discovered a major problem with our proxy server. Users have discovered the easy way to surf anonymously.
  
  Setup:
  ISA 2006, Unihomed, Only providing the Webproxy service.
  Browsers configured to "automatically detect settings" (I've confgured the dhcp option), and also checked the box "to use automatic configuration script"
  Polcies in ISA server use Active Directory groups.
  We have two AD groups, "unrestricted" and "restricted" users. This works without problem and all internet traffic gets proxied via ISA server.
  
  Problem:
  I added a http website to the allowed list for restricted users. What I noticed then was very strange, the website in question was http://login.live.com
  (in fact it can be any website where eventually the address bar goes green and changes to https/secure)
  
  The users have worked out that if they go to a https site that is allowed for them to access all they have to do is
  enter any username/password, the authentication will fail, but that does not matter as long as the address bar changes
  to a secure https connection.
  What they then do, without closing the browser, they overtype the address bar with any website they want to go to and IE takes
  them there.
  
  for example:
  
  I enter the following url, into ie:
  
  https://www.hsbc.co.uk
  wait for the address bar to turn green/https.
  then overtype the https://...., with any url you want.
  
  Internet explorer will take you straight there....
  
  Now when I enabled monitoring on proxy server, I could see all the web traffic up to the point where the user breaks the policy.
  This means that the the client browser goes directly to the website. No record is logged in ISA, in the example above the last
  log entry will show https://www.hsbc.co.uk, but no webistes after that.
  
  Wireshark has confirmed that the client goes direct to the website, bypassing the proxy server.
  
  Now the webproxy service can be bypassed whenever the "automatically detect settings" and/or "use automatic configuration script"
  check boxes are enabled.
  
  The only way I worked out how to prevent this happening is to fill in the proxy server settings ip/name, under the proxy section
  by ticking the check box "use a proxy server for your LAN". In which case the browser/ISA server will think about the website you
  are tying to get to then eventually send the browser the "deny" page I've setup.
  
  But I don't want to put in the proxy server ip's into the browser as it affect laptops users.... when they try to connect
  to the internet from home.
  
  Conclusion:
  It appears that when you use any of the two "automatic configuration" check boxes you can easily bypass the proxy, it looks like the browser waits for a reply to
  the url request from the client, it doesn't get one quickly enough, so the client browser says the proxy is not avialable
  and decides to go directly to the website.
  
  If you open up another IE session on the same terminal and try to go to a "not" allowed website you get our deny page.
  But within the IE window that is now directy accessing the internet you can go to any website you want to.
  
  I thought the simple fix to this was to disable direct access. By unchecking the box, on the internal network properties, Web Browser tab:
  
  "If ISA server is unavailable, use this backup route to connect to the Internet - Direct Access"
  
  But this does not make any difference, even after unchecking the ie network options, auto detect..., then reneabling them. apparently you have to do this
  to get the client to fetch the new wpad.dat
  
  
  Is there any way to force webproxy clients to not access the internet directly if the ISA server is not available/does not reply quickly enough?
  
  please find below my wpad.dat
  
  
  //Copyright (c) 1997-2006 Microsoft Corporation
  BackupRoute="DIRECT";
  UseDirectForLocal=true;
  function MakeIPs(){
  }
  DirectIPs=new MakeIPs();
  cDirectIPs=0;
  function MakeCARPExceptions(){
  }
  CARPExceptions=new MakeCARPExceptions();
  cCARPExceptions=0;
  function MakeNames(){
  }
  DirectNames=new MakeNames();
  cDirectNames=0;
  HttpPort="8080";
  cNodes=1;
  function MakeProxies(){
  this[0]=new Node("mypxy01.domain.local",0,1.000000);
  }
  Proxies = new MakeProxies();
  function Node(name, hash, load){
  this.name = name;
  this.hash = hash;
  this.load = load;
  this.score = 0;
  return this;
  }
  function FindProxyForURL(url, host){
  var hash=0, urllower, i, fIp=false, ip, nocarp=false, skiphost=false;
  var list="", pl, j, score, ibest, bestscore;
  urllower = url.toLowerCase();
  if((urllower.substring(0,5)=="rtsp:") ||
  (urllower.substring(0,6)=="rtspt:") ||
  (urllower.substring(0,6)=="rtspu:") ||
  (urllower.substring(0,4)=="mms:") ||
  (urllower.substring(0,5)=="mmst:") ||
  (urllower.substring(0,5)=="mmsu:"))
  return "DIRECT";
  if(UseDirectForLocal){
  if(isPlainHostName(host))
  fIp = true;}
  for(i=0; i<cDirectNames; i++){
  if(shExpMatch(host, DirectNames)){
  fIp = true;
  break;}
  if(shExpMatch(url, DirectNames))
  return "DIRECT";
  }
  if(cDirectIPs == 0){
  if(fIp)
  return "DIRECT";}
  else{
  ip = host;
  if(fIp)
  ip = dnsResolve(host);
  var isIpAddr = /^(\d+.){3}\d+$/;
  if(isIpAddr.test(ip)){
  for(i=0; i<cDirectIPs; i += 2){
  if(isInNet(ip, DirectIPs, DirectIPs[i+1]))
  return "DIRECT";}}
  else if(isPlainHostName(host))
  return "DIRECT";
  }
  if(cCARPExceptions > 0){
  for(i = 0; i < cCARPExceptions; i++){
  if(shExpMatch(host, CARPExceptions)){
  nocarp = true;}
  if(shExpMatch(url, CARPExceptions)){
  nocarp = true;
  skiphost = true;
  break;
  }}}
  if(!skiphost)
  hash = HashString(host,hash);
  if(nocarp)
  hash = HashString(myIpAddress(), hash);
  pl = new Array();
  for(i = 0; i<cNodes; i++){
  Proxies.score = Proxies.load * Scramble(hash ^ Proxies.hash);
  pl = i;
  }
  for(j = 0; j < cNodes; j++){
  bestscore = -1;
  for(i = 0; i < cNodes-j; i++){
  score = Proxies[pl].score;
  if(score > bestscore){
  bestscore = score;
  ibest = i;
  }}
  list = list + "PROXY " + Proxies[pl[ibest]].name + ":" + HttpPort + "; ";
  pl[ibest] = pl[cNodes-j-1];
  }
  list = list + BackupRoute;
  return list;
  }
  var h_tbl = new Array(0,0x10D01913,0x21A03226,0x31702B35,0x4340644C,0x53907D5F,0x62E0566A,0x72304F79,0x8680C898,0x9650D18B,0xA720FABE,0xB7F0E3AD,0xC5C0ACD4,0xD510B5C7,0xE4609EF2,0xF4B087E1);
  function HashString(str, h){
  for(var i=0; i<str.length; i++){
  var c = str.charAt(i);
  if(c ==':' || c == '/') break;
  c = CharToAscii(c.toLowerCase());
  h = (h >>> 4) ^ h_tbl[(h ^ c) & 15];
  h = (h >>> 4) ^ h_tbl[(h ^ (c>>>4)) & 15];
  h = MakeInt(h);
  }
  return h;
  }
  function Scramble(h){
  h += ((h & 0xffff) * 0x1965) + ((((h >> 16) & 0xffff) * 0x1965) << 16) + (((h & 0xffff) * 0x6253) << 16);
  h = MakeInt(h);
  h += (((h & 0x7ff) << 21) | ((h >> 11) & 0x1fffff));
  return MakeInt(h);
  }
  var Chars =" !\"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~€???????????Ž????????????ž? ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþ ";
  function CharToAscii(c){
  return Chars.indexOf(c) + 32;
  }
  function MakeInt(x){
  x %= 4294967296;
  if(x < 0)
  x += 4294967296;
  return x;
  }
  
  
  when unchecked the option to directly access the internet, I compared the wpad.dat file with the earlier one, but it was identical.
  
  This is the bit that I think may be causing the problem:
  
  BackupRoute="DIRECT";
  
  
  Please can somebody offer any advise?
  
  Regards
  • Reply
  • Quote