We have an issue with some employees who use third party programs that traverse the Internet. These programs are 100% allowed by the organization as they are required for day to day business. Some programs go over the Internet to communicate for certain reasons, such as a live chat help support, or ordering products, etc..
The problem is that some of these users log in and never even touch Internet Explorer for awhile. They will go on and start working right away. Well if they don't try to access an Internet site via IE, then the Ironport does not 'log them in', and they are known as unauthenticated. Of course this doesn't happen with everyone. There's nothing wrong with people coming in a little early and checking the local news online.
We were thinking up if it's possible to have each user 'touch' the ironport web filter in some way during a logon script, unbeknown to the end user, so that they are 'signed in' and whatever Internet connected application they launch has access through to the Internet. Right now they need to at least launch IE and go to some site (say Google or MSN) and via NTLM credentials transparently passed through IE7, 8 or 9, they can simply close the page and go about their business. Note: they MUST go to an external site.... not an internally hosted one (such as our Intranet, time clock or HR self service pages).
So is there any commands we can put in via kix or bat or something that will say "Hey Ironport, %username% just logged in at 10.x.x.x". Then maybe to make it more advanced, a logoff script that says "Hey Ironport, %username% just logged OFF of 10.x.x.x". This way when our hourly timeout happens, they aren't immediately booted from their Internet applications (if they don't keep an IE window open that is).
Right now our ASA Firewall uses WCCP to forward port 80 to the ironport web filter. The Ironport is a transparent proxy.
Thanks!
