Our LA has recently moved to an ISA 2006 box from 2000. At the same time they ditched SurfControl and have implemented Websense.
As the schools have a silly UID&Pass to authenticate to the ISA box for authentication, I wanted to use one of my servers as a transparent proxy to authenticate for all my users. I used to use Python (ntlmapps) but it doesn't like the new ISA box.
So I started playing with Squid 2.5 (for Windows).
Installed this on one of my Server 2003 boxes, configured it and away to go... or so I thought.
I wandered into one of my IT suites today to find a group of Year 4 kids on YouTube; on closer inspection (good job they hadn't noticed) the internet was totally unfiltered.
My 1st call was to county to ask if Websense had fallen over etc., but nope, it was local to my school. It seems that if I point a browser directly at the ISA server and give the correct credentials when prompted, I can get on the internet fine and YouTube/pron etc. is all blocked.
If I configure Squid (with the same credentials), set it running and then point my browser to Squid, it works as a transparent proxy but also manages to bypass the whole filtering system.
On the ISA server logs you can see it making the "handshake" and agreeing that the username/credentials are correct, and it looks like it's working, but then it decides not to filter any content.
Obviously I have turned off Squid and am not going back, but I would love to know how Squid is being so clever at getting around the filtering. It's a massive security hole as is.
You will get round it if you set the default gateway to the ISA server as well.
I have set up many Websense and ISA setups in schools in Rochdale. Done that a few times and it will allow you to set the clients' default gateway to ISA and then Websense will filter it instead of ignoring the traffic.