Can the SSL gateway provide proxy settings via ACS?

Martin Bosch
Level 1

I have an SSL gateway set up with multiple profiles.

I make use of ACS to “group lock” the users in their own profile.

I am trying to set up a way for ACS to provide the proxy settings. I thought [033] Proxy-State would do this for me, but either I have it set up wrongly, or I am going about this the wrong way.

Can anyone guide me with this one?

Marcin Latosiewicz
Cisco Employee

Martin,

If you want to provide IE proxy settings to your users you may have this possibility via "IE-Proxy-...." attributes.

Here's the complete list of supported attributes:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_extserver.html#wp1605508

Marcin

Thanks Marcin - it looks like that might just do the job.

I have enabled [026/3076/080] IE-Proxy-Server with my proxy server IP:port on the group of the users I wish to allocate this.

However, it does not seem to work.

Now is there something I need to configure on the ASA as well?

Like when I am enforcing the group lock or enforcing ACLs per user that some of the configuration is on the ASA?

I tried to look for info on this, sadly have not found anything yet.

Martin,

"debug aaa common 100" will show you if ASA understands those settings.

I understand that you're using AnyConnect? Otherwise there is no way to enforce proxy settings on thin clients.

Marcin

Hi Marcin,

From my syslog (syslog-ng) I can see the user connecting the handshake. However I never see the IP address of the proxy server nor the setting "IE-Proxy-Server" in the syslog messages. Yes I am using the AnyConnect client.

Anything else I could try?

Regards,

Martin

Martin,

Do you see those settings sent from ACS down to ASA?

Check "debug aaa common 100" when connecting, "debug radius all" could be interesting too.

Marcin

Marcin, I only see the user / group lock settings taking place (even downloadable ACLs).

Nothing from the "[3076\080] IE-Proxy-Server" or its IP address / port number.

I know with the group lock / downloadable ACLs some configuration had to be done on the ASA.

Is this the case with the IE-Proxy-Server as well? Or should the setting within ACS be enough?

Martin,

Too many variables, would you be willing to open an SR for this? AFAIK it should work, from ASA's perspective it's a supported attribute.

Marcin

Just some feedback from my side.

This is what I have done on the ASA:

group-policy attributes
dns-server value
msie-proxy server value

And now the Proxy settings get forced.
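
The question raised in the thread, whether ACS actually sends [026/3076/080] IE-Proxy-Server down to the ASA, can also be answered from the raw RADIUS Access-Accept itself. The following is an added example, not code from any poster or from Cisco: it walks the RFC 2865 vendor-specific attribute layout and reports the 3076/80 value if present. The sample packets, the Class value, the 192.0.2.10:8080 address and the assumption that the value is a text string are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26     # RADIUS attribute type 26 (RFC 2865 VSA)
VENDOR_ID = 3076         # vendor id from the thread's [026/3076/080]
IE_PROXY_SERVER = 80     # vendor type from the thread

def parse_vsas(packet: bytes):
    """Return (vendor_id, vendor_type, value) for every VSA in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        body = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(body) >= 6:
            vendor = struct.unpack("!I", body[:4])[0]
            sub, i = body[4:], 0
            while i + 2 <= len(sub):          # vendor-type, vendor-length, value
                vtype, vlen = sub[i], sub[i + 1]
                if vlen < 2 or i + vlen > len(sub):
                    raise ValueError("bad vendor sub-attribute length")
                found.append((vendor, vtype, sub[i + 2:i + vlen]))
                i += vlen
        pos += alen
    return found

def ie_proxy_server(packet: bytes):
    """Value of 26/3076/80 in the packet, or None if the server never sent it."""
    for vendor, vtype, value in parse_vsas(packet):
        if vendor == VENDOR_ID and vtype == IE_PROXY_SERVER:
            return value.decode("ascii", "replace")
    return None

def _attr(atype, value):                      # helper for the constructed samples
    return bytes([atype, len(value) + 2]) + value
def _accept(attrs):                           # Access-Accept (code 2), zeroed authenticator
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed packets: one carries IE-Proxy-Server, one carries only a Class attribute.
CLASS = _attr(25, b"OU=constructed-group;")
PROXY = _attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID) + _attr(IE_PROXY_SERVER, b"192.0.2.10:8080"))
WITH_PROXY, WITHOUT_PROXY = _accept(CLASS + PROXY), _accept(CLASS)
```

A `None` result for a captured Access-Accept means the attribute never left the RADIUS server, so the place to look is the ACS group configuration rather than the ASA.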
