Using my work connection for work.

Hi.
At work we have a hub for the county, and hence, a lot of bandwidth for the internet.
The problem is that I can't use any of our bandwidth to download stuff that isn't FTP/HTTP. Which is annoying.
I ideally want to be able to set up a Hamachi machine here, so I can access and download resources from my home computer and my work computer.
I've tried everything to send files between work and home: torrent clients, Hamachi, MSN shared files, etc. But none of them can get past our ISA server or the ISA at county itself.

Now before you all cry 'this sort of talk is against the rules because it circumvents network security at your place of work', let me make one thing clear: I am the Network Manager, so I say what goes! :p :D

Anyway, any ideas?
 
BoomAM said:
Now before you all cry 'this sort of talk is against the rules because it circumvents network security at your place of work', let me make one thing clear: I am the Network Manager
So set an example then :rolleyes: :rolleyes:


:D
Anyway, any ideas?
No :(

Edit: Well, none apart from the obvious :p (set up an FTP/HTTP server at home)
 
So set an example then
lol.
Nah, I want to play! :p:D

Edit: Well, none apart from the obvious (set up an FTP/HTTP server at home)
Unfortunately, I can't be arsed setting my home PC to do that. :p

Hamachi is the ideal situation: I can share drives at home and at work, but I can't, for the life of me, get it to work.
I've followed an ISA config guide on the Hamachi website, but it still won't function. :(

Is there anything out there similar to Hamachi around?
 
FTP server on an old home computer with IP filtering and password protection would work very well. :)

Edit: It takes the best part of 30 mins to set up and can go on your home one.
 
To 'get around' the limitations of ISA-SVR at work, we use Proxy Client (MS Firewall Client). I think some config has to be done on the ISA-SVR, but it allows you to open up all the other kinds of connections you need. Handy to have these things in network support!

Kev
 
Trifid said:
FTP server on an old home computer with IP filtering and password protection would work very well. :)

Edit: It takes the best part of 30 mins to set up and can go on your home one.
It's also worth noting that FTP is clear-text so isn't very secure, so if you're transferring work stuff, you'd want to use SFTP or a VPN at the very least....
 
Your choice of VPN over httptunnel : HTTP-friendly VPN tunneling.
SSH-over-HTTP combined with socks5 on the ssh daemon end is a nice simple purely-userspace solution with encryption.

httptunnel also has some options to set various HTTP headers to fool most restrictive proxies into letting traffic past.

I've used VPN software over DNS queries (openvpn + nstx = win), when an HTTP proxy wasn't even accessible for me. There's an ICMP version of that, too (icmptx).

Now, it's your job as network manager to make sure that users of your network cannot apply similar tactics to bypass your firewall/proxy ;)
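
For the defensive side of the post above, an added example (not part of the original thread) of spotting DNS-tunnel-like traffic in resolver query logs: one client sending many unique, long, high-entropy subdomains under a single zone. The log format, the thresholds and the naive two-label zone split are assumptions, and the sample lines are constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict

def build_sample():
    """Constructed resolver log lines "<client> <qtype> <qname>"; not real traffic."""
    lines = ["10.0.4.21 A www.example.org", "10.0.4.21 A mail.example.org"]
    # Benign: many unique but short names (CDN-style sharding).
    lines += [f"10.0.4.22 A img{i}.cdn.example.net" for i in range(15)]
    # Tunnel-like: payload encoded into long, random-looking labels.
    lines += [f"10.0.4.37 TXT {hashlib.sha256(bytes([i])).hexdigest()[:40]}.t.tunnel.example"
              for i in range(20)]
    return lines

def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_tunnel_suspects(lines, min_unique=10, min_mean_len=30, min_entropy=3.0):
    """Return (client, zone, unique_subdomains) for pairs matching all three signals."""
    seen = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, _qtype, qname = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain to inspect
        # Assumption: zone = last two labels; production code needs the Public Suffix List.
        seen[(client, ".".join(labels[-2:]))].add(".".join(labels[:-2]))
    suspects = []
    for (client, zone), subs in sorted(seen.items()):
        mean_len = sum(len(s) for s in subs) / len(subs)
        entropy = shannon_entropy("".join(subs).replace(".", ""))
        if len(subs) >= min_unique and mean_len >= min_mean_len and entropy >= min_entropy:
            suspects.append((client, zone, len(subs)))
    return suspects

if __name__ == "__main__":
    for client, zone, n in find_tunnel_suspects(build_sample()):
        print(f"review {client}: {n} unique long high-entropy names under {zone}")
```

Requiring all three signals together keeps the CDN-style client in the sample (many unique but short names) from being flagged.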
 
BoomAM said:
Hi.
At work we have a hub for the county, and hence, a lot of bandwidth for the internet.
<SNIP>
But none of them can get past our ISA server or the ISA at county itself.

Now before you all cry 'this sort of talk is against the rules because it circumvents network security at your place of work', let me make one thing clear: I am the Network Manager, so I say what goes! :p :D

Anyway, any ideas?

If you have a multiple static IP allocation, why not just put the box on the "outside" rather than behind the ISA server? OK, this will not give you access from your work LAN, but separating a machine used in the way you're planning would not be a bad thing anyway. After all, why risk your network?

My preferred answer would be to get rid of the ISA server and put a "proper" dedicated hardware firewall in its place; in the long run it'll serve your company better. Try looking at solutions from Cisco (the ASA range) or Checkpoint firewall1, dependent on your budget.
 
Clarkey said:
network manager and you don't know how your own network works? Hmm.
Cheeky monkey.
1) I've just started here, so I'm still gathering the information on how this network is set up/operating.
2) Even when I manage to open the ports/protocols on our ISA, county, which our internet goes through, have their own ISA which does the same blocks.

derfderfley said:
My preferred answer would be to get rid of the ISA server and put a "proper" dedicated hardware firewall in its place; in the long run it'll serve your company better. Try looking at solutions from Cisco (the ASA range) or Checkpoint firewall1, dependent on your budget.
Tbh, your idea of a proper firewall intrigues me, and is an idea I've had in the past.
The problem is, though, that our ISA also runs our SurfControl software, for filtering pupils' web usage, so we can't really get rid of it unfortunately.
I suppose we could remove the ISA part of the server, run plain SurfControl, and then have a HW firewall between the SurfControl server & the internet though.

matja said:
Now, it's your job as network manager to make sure that users of your network cannot apply similar tactics to bypass your firewall/proxy ;)
Again with the cheekiness. :p
I wouldn't worry about the users being able to do the same.
The user accounts for this network are so well locked down in that regard that the only 'misusage' we get is naughty internet sites. :p
 
You're new and it was set up for a reason.

How about you learn why before you start eating up all that bandwidth which was obviously bought for a reason.

But tbh I don't buy it.
 
Johny Boy said:
You're new and it was set up for a reason.

How about you learn why before you start eating up all that bandwidth which was obviously bought for a reason.

But tbh I don't buy it.
It wasn't 'set up'.
We are a central hub for our county. As a result, we get a discount, and an extra chunk of bandwidth for the same price.
Even at heavy times of the day, we barely use 2Mbps of the 10Mbps+ allocated to us.

I'm not justifying myself to you or to anyone else. I don't see why I should.
I don't see why some members of this forum are just so suspicious of everything put in front of them.
If you doubt that I'm network manager, do a search for threads I've made lately, and you'll see a sizable chunk of them are regarding network management issues and related topics. I wouldn't have made them if I was average joe staff member, would I!?

##EDIT##
Here we go, some evidence for you to peruse at your own leisure:
http://forums.overclockers.co.uk/showthread.php?t=17709847
http://forums.overclockers.co.uk/showthread.php?t=17707797
http://forums.overclockers.co.uk/showthread.php?t=17705304
http://forums.overclockers.co.uk/showthread.php?t=17704568
http://forums.overclockers.co.uk/showthread.php?t=17703524
http://forums.overclockers.co.uk/showthread.php?t=17705394
http://forums.overclockers.co.uk/showthread.php?t=17703538
http://forums.overclockers.co.uk/showthread.php?t=17702406
http://forums.overclockers.co.uk/showthread.php?t=17701247
http://forums.overclockers.co.uk/showthread.php?t=17696728
http://forums.overclockers.co.uk/showthread.php?t=17695822
http://forums.overclockers.co.uk/showthread.php?t=17699605
To name but a few threads from a quick search.
 
BoomAM said:
Cheeky monkey.
1) I've just started here, so I'm still gathering the information on how this network is set up/operating.
2) Even when I manage to open the ports/protocols on our ISA, county, which our internet goes through, have their own ISA which does the same blocks.

Hmm, this suggests that your ISA server is already sat behind another ISA server before your connection reaches the outside world?

BoomAM said:
Tbh, your idea of a proper firewall intrigues me, and is an idea I've had in the past.
The problem is, though, that our ISA also runs our SurfControl software, for filtering pupils' web usage, so we can't really get rid of it unfortunately.
I suppose we could remove the ISA part of the server, run plain SurfControl, and then have a HW firewall between the SurfControl server & the internet though.

There is no problem with fitting a decent hardware firewall and still using your ISA server as a proxy for all web traffic. It's a fairly trivial thing to lock down network access so only defined hosts are allowed access out for web traffic (such as your content filtering box) while stopping the rest of the network randomly bypassing the proxy server in an attempt to get unfiltered internet access.
Most of the major firewall vendors offer UTM (Unified Threat Management) now, which can include content (web as an example) filtering being done on the firewall as well. My suggestion would be to let a firewall be a firewall and buy a content filtering box to handle the web filtering. This is a solution we have implemented for a customer in the past; if you want to know some more, we should probably take this to email (it's below my sig).

Just had a read through the links to your other threads, is this for a school / college or a university? As it's not unheard of for School internet connections to be filtered at the ISP level before they reach the "outside world".
 
derfderfley said:
Hmm, this suggests that your ISA server is already sat behind another ISA server before your connection reaches the outside world?
First of all, I'd like to thank you (and the others who were) for being helpful on this subject. :)
Yes, you are correct: our ISA connects to the county internet hub about 3m from where I'm sitting :p, which then pipes all of our net traffic, and 10-20 other sites' net traffic, back to county IT, where it appears to go through several ISAs (named after colours), which I'm assuming are load balancing for them.

There is no problem with fitting a decent hardware firewall and still using your ISA server as a proxy for all web traffic. It's a fairly trivial thing to lock down network access so only defined hosts are allowed access out for web traffic (such as your content filtering box) while stopping the rest of the network randomly bypassing the proxy server in an attempt to get unfiltered internet access.
Most of the major firewall vendors offer UTM (Unified Threat Management) now, which can include content (web as an example) filtering being done on the firewall as well. My suggestion would be to let a firewall be a firewall and buy a content filtering box to handle the web filtering. This is a solution we have implemented for a customer in the past; if you want to know some more, we should probably take this to email (it's below my sig).

Just had a read through the links to your other threads, is this for a school / college or a university? As it's not unheard of for School internet connections to be filtered at the ISP level before they reach the "outside world".
By content filtering box, do you just mean something to literally act as a filter?
So our existing ISA Server+SurfControl would work, would it not, if I removed the ISA aspect?
 
BoomAM said:
First of all, I'd like to thank you (and the others who were) for being helpful on this subject. :)
Yes, you are correct: our ISA connects to the county internet hub about 3m from where I'm sitting :p, which then pipes all of our net traffic, and 10-20 other sites' net traffic, back to county IT, where it appears to go through several ISAs (named after colours), which I'm assuming are load balancing for them.
In which case I'd have a word and ask them to list exactly what ports and protocols they are blocking. I have a sneaking suspicion that they will be blocking all sorts upstream from you.

BoomAM said:
By content filtering box, do you just mean something to literally act as a filter?
So our existing ISA Server+SurfControl would work, would it not, if I removed the ISA aspect?

I would think it would be possible to use your ISA server in that way. But don't quote me on it, as I don't spend much time with MS's server products. If I'm honest I wouldn't trust an MS box to act as a firewall for a network; I'd fit a dedicated hardware firewall, but that's because of the nature of what I do for a living ;)
 
derfderfley said:
In which case I'd have a word and ask them to list exactly what ports and protocols they are blocking. I have a sneaking suspicion that they will be blocking all sorts upstream from you.
Tbh, my thoughts exactly.
Problem is that speaking to county for anything is like speaking to a fish, i.e. not much point.
I asked them a week before a planned video conference to open some specific ports, they didn't, then a week AFTER it was meant to take place, they got back to me about it! :mad: Too late now! lol. :p

I would think it would be possible to use your ISA server in that way. But don't quote me on it, as I don't spend much time with MS's server products. If I'm honest I wouldn't trust an MS box to act as a firewall for a network; I'd fit a dedicated hardware firewall, but that's because of the nature of what I do for a living ;)
I suppose we have the added bonus of being behind more than one layer of in/outbound protection, but tbh, ISA servers get on my wick, so much effort to get them to do the simplest thing.
 