Why does a fresh copy of XP get around proxy servers?


Patrick Duffy

I manage a university residence hall network. We have a web
filter in place on our network that acts as a proxy server.

In the past with Windows 98 it worked just fine. In fact,
without the proxy setting on Windows 98 the PC is not able
to connect to the Internet.

The problem lies with Windows XP. If you take an XP
machine out of the box and plug it into our network, it
will automatically connect to the Internet. We don't have
to change any settings. If the filter settings are not
configured, then the computer will bypass the filter and
load any site that the person wants to load.

We have network access in all the residence halls for
students that have computers. If a student has a new
computer with Windows XP then they are not filtered. We
really need to prevent this from happening.

We have DHCP with a range of IP addresses for the student
VLAN. They are physically connected to the HP Core Switch,
which then is connected to the switch we allow for servers.
Our firewall is connected via the inside NIC to this same
switch.

Can anyone help?
 
IE 6, which is what comes as part of XP, can automatically detect and
configure itself for a proxy server on the network in some situations. Are
you just thinking the proxy is being bypassed because the XP boxes don't
need to be configured, or have you seen someone access a site that should be
blocked?

If the XP machines are bypassing the proxy, it all boils down to this: If
there is a way that web traffic can get to the internet, then the proxy can
be bypassed. The only way to make sure everyone goes through the proxy is
to make it impossible for them not to. From how you describe your current
configuration, it sounds as if the proxy is in more of a "server on the
network" than a "gatekeeper to the internet" setup. The Windows 98 machines
can probably be easily configured to bypass the proxy as well; you just
happened to get lucky with some default setting that kept it from being that
way out of the box.

So, you need to either move the filter in your topology so that it can
inspect all outgoing internet traffic (assuming it is capable of that and
high enough performance to keep up), or you need to block outgoing traffic
from everywhere except the proxy server. That would force everyone that
wants to use the web to use the proxy. You have the option to block all
traffic, or just the traffic from the student VLAN (which would allow
faculty and labs to get to the internet without going through the proxy, if
desired). You COULD try to block only traffic bound for web ports, but that
can be bypassed on the client side.
 
Your best bet is probably to do it at a firewall level:
only allow connections out of your firewall that come from
the proxy(ies). This way you have to go through a proxy to
be allowed out of your network.

It could be that XP is automatically picking up your proxy
and feeding the connection through that.
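
A small model of the three egress policies discussed in the replies above, added here as an illustration and not posted by anyone in the thread. The addresses, ports, policy names and sample flows are constructed assumptions; it shows which student flows still reach the internet unfiltered under each policy.

```python
import ipaddress

# All addresses and ports below are constructed sample values (assumptions).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # whole campus network
STUDENT_VLAN = ipaddress.ip_network("10.20.0.0/16")  # DHCP range for students
PROXY = ipaddress.ip_address("10.1.0.10")            # the web filter
WEB_PORTS = {80, 443}

def allows(policy, src, dst_port):
    """Return True if the firewall lets this outbound connection leave."""
    src = ipaddress.ip_address(src)
    if policy == "open":             # situation described in the question
        return True
    if policy == "block_web_ports":  # student VLAN denied on web ports only
        return not (src in STUDENT_VLAN and dst_port in WEB_PORTS)
    if policy == "proxy_only":       # default deny: only the proxy may leave
        return src == PROXY
    raise ValueError(f"unknown policy: {policy}")

def unfiltered_flows(policy, flows):
    """Student flows that reach an external host without using the proxy."""
    result = []
    for src, dst, port in flows:
        external = ipaddress.ip_address(dst) not in INTERNAL
        student = ipaddress.ip_address(src) in STUDENT_VLAN
        if student and external and allows(policy, src, port):
            result.append((src, dst, port))
    return result

# Constructed sample flows: (source, destination, destination port)
FLOWS = [
    ("10.20.3.7", "203.0.113.5", 80),    # student going direct to a web site
    ("10.20.3.7", "203.0.113.5", 8080),  # same, web server on another port
    ("10.20.3.7", "10.1.0.10", 3128),    # student talking to the proxy
    ("10.1.0.10", "203.0.113.5", 80),    # proxy fetching for a client
]

if __name__ == "__main__":
    for policy in ("open", "block_web_ports", "proxy_only"):
        leaks = unfiltered_flows(policy, FLOWS)
        print(f"{policy:16} unfiltered student flows: {leaks}")
```
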
 