topic Cisco cloud base firewall/ScanSafe in Network Security

Cisco cloud base firewall/ScanSafe

kmonagatos — Mon, 11 Mar 2019 23:32:13 GMT

Hello,

Our organization uses a Cisco cloud based firewall/ScanSafe for internet access/content filter.

We moved away from the previous method of an ISA Firewall using pac files.

In the old system we had AD security groups to grant access to the ISA. With the current Cisco solution the internet is wide open and we trust ScanSafe as secure content filter.

The issue I am now running into is that I now have employees that should not have internet access at all (and didn't under the old system) that now have discovered that they do in fact have internet access.

I am trying to find a solution to this from a client side (hopefully to be implemented as GPO)

We only use internet explorer as our browser. As long as I have the "Automatically detect settings" selected nothing else I do will matter, and they get full internet access.

I have tried setting up a proxy server and setting it to 127.0.0.1 but I either succesfully deny internet access, but it will also deny intranet access, which I can not do because all of there time card/HR/company news is all web based.

So the question is:

Does anybody know of any client side settings that will deny internet access but still allow local intranet access?

Thanks,

Cisco cloud base firewall/ScanSafe

Jennifer Halim — Wed, 18 Jul 2012 06:16:32 GMT

How do you redirect your internet traffic towards the Cisco ScanSafe cloud?

There are a few methods you can use, but please kindly advise how you redirect and we can assist accordingly.

Cisco cloud base firewall/ScanSafe

kmonagatos — Wed, 18 Jul 2012 14:31:24 GMT

From a client side we just set the computers to "Automatically detect settings" no other configuration is needed.

Our internet traffice is basically open, it is just scanned by Cisco's ScanSafe content filter (and antivirus/malware)

I'm the client side engineer, the infrastructure is handled by a seperate company.

Cisco cloud base firewall/ScanSafe

Jennifer Halim — Wed, 18 Jul 2012 14:40:09 GMT

If the client side is set to "Automatically detect settings", most probably PAC file is being used.

If you have user granularity implemented for your ScanSafe solution, then you can configure Rule under the ScanSafe portal to block internet access for certain group/users. This is settings to be configured under Scansafe solution.

Alternatively, if those users have specific ip address and/or connected to a specific subnet, then you can configure those filtering under your router/firewall.

Other solution would be to remove default gateway on the client's PC, and just have static route configured to access internal resources/intranet. This will ensure that they don't have access to the internet since there is no default gateway.