Cisco cloud-based firewall/ScanSafe

kmonagatos
Level 1
Hello,

Our organization uses a Cisco cloud-based firewall/ScanSafe for internet access/content filtering.

We moved away from the previous method of an ISA Firewall using pac files.

In the old system we had AD security groups to grant access to the ISA. With the current Cisco solution the internet is wide open and we trust ScanSafe as a secure content filter.

The issue I am now running into is that I now have employees that should not have internet access at all (and didn't under the old system) that now have discovered that they do in fact have internet access.

I am trying to find a solution to this from the client side (hopefully to be implemented as a GPO).

We only use Internet Explorer as our browser. As long as I have "Automatically detect settings" selected, nothing else I do will matter, and they get full internet access.

I have tried setting up a proxy server and setting it to 127.0.0.1, but I either successfully deny internet access, but it will also deny intranet access, which I cannot do because all of their time card/HR/company news is web based.

So the question is:

Does anybody know of any client side settings that will deny internet access but still allow local intranet access?

Thanks,

3 Replies

Jennifer Halim
Cisco Employee
How do you redirect your internet traffic towards the Cisco ScanSafe cloud?

There are a few methods you can use, but please kindly advise how you redirect and we can assist accordingly.

From the client side we just set the computers to "Automatically detect settings"; no other configuration is needed.

Our internet traffic is basically open; it is just scanned by Cisco's ScanSafe content filter (and antivirus/malware).

I'm the client-side engineer; the infrastructure is handled by a separate company.

If the client side is set to "Automatically detect settings", most probably a PAC file is being used.

If you have user granularity implemented for your ScanSafe solution, then you can configure a rule in the ScanSafe portal to block internet access for certain groups/users. This is a setting to be configured in the ScanSafe solution.

Alternatively, if those users have specific IP addresses and/or are connected to a specific subnet, then you can configure that filtering on your router/firewall.

Another solution would be to remove the default gateway on the client's PC, and just have static routes configured to access internal resources/intranet. This will ensure that they don't have access to the internet since there is no default gateway.
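
A client-side way to get what the original question asks for (intranet reachable, internet denied) is a dedicated PAC file for the restricted accounts. The following is an added example, not from the thread or from Cisco; the intranet suffix, the address range and the dead-proxy port are assumptions to replace with your own.

```javascript
// Added example: PAC file for accounts that may reach the intranet only.
// ASSUMPTIONS (not from the thread): the suffix, range and sink port below.
var INTRANET_SUFFIXES = [".corp.example"];  // hypothetical internal DNS suffix
var INTRANET_NET = "10.0.0.0";              // hypothetical internal IPv4 range
var INTRANET_MASK = "255.0.0.0";
var BLOCK = "PROXY 127.0.0.1:9";            // nothing listens here, so requests fail

// Dotted-quad IPv4 literal -> unsigned 32-bit number, or null if not one.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

function inIntranetRange(host) {
  var ip = ipv4ToInt(host);
  if (ip === null) return false;
  var mask = ipv4ToInt(INTRANET_MASK);
  return ((ip & mask) >>> 0) === ((ipv4ToInt(INTRANET_NET) & mask) >>> 0);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase().replace(/\.$/, "");  // normalise case, trailing dot
  // Single-label names ("timecard") resolve only through internal DNS.
  // Requiring a leading letter keeps numeric forms such as "134744072"
  // (a public address written as one integer) from passing as a short name.
  if (/^[a-z][a-z0-9-]*$/.test(host)) return "DIRECT";
  for (var i = 0; i < INTRANET_SUFFIXES.length; i++) {
    var suffix = INTRANET_SUFFIXES[i];
    // Compare on a label boundary so "evilcorp.example" is not accepted.
    if (host === suffix.slice(1) || host.slice(-suffix.length) === suffix) {
      return "DIRECT";
    }
  }
  if (inIntranetRange(host)) return "DIRECT";
  return BLOCK;  // default deny: everything else goes to the dead proxy
}
```

This only takes effect when the restricted users' browsers are pointed at this file (for example by GPO) in place of "Automatically detect settings" and the users cannot change that setting. The portal rule, firewall filter and routing options in the reply above enforce the same policy on the network side.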