Is there a way to have a "safety net" in case users disable the "automatically detect proxy settings" option?
We just installed our first Web Gateway (v7) and we are using the wpad.dat file with DHCP 252 to push out the proxy settings to client machines. The issue we are wondering about is how to handle the IE settings. If users uncheck that option they are able to roam freely on the internet. Any best practices for this that we are missing?
Just block all outgoing connections from the User vlan at the exit firewall... Evidently, the proxy should not be in one of those segments. For some users, we have User rules on the outgoing firewall that require them to first authenticate to the firewall. That way, an Admin may test something that doesn't work with a proxy, for example, or do a 10 GB FTP download.
The block on the firewall as DBO mentioned is the most sure. As I assume you are pushing the WPAD setting to the clients with group policy, you also have the option of using group policy to make the setting un-editable for the user. Just remove the option of editing the setting and the only thing you would need to worry about is them getting a browser that doesn't follow the system settings. If you also have the SaaS web filtering purchased, you can use the McAfee Client Proxy. This would remove the need for WPAD, and cover all browsers and other applications. Also makes authentication much easier.
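The firewall block recommended in the two replies above can be verified from a client on the user VLAN: the proxy must answer, and direct connections that skip it must fail. This is an added example, not code from the thread; the proxy address, port and test targets are assumed placeholders.

```python
"""Egress audit, run from a client on the user VLAN (added example)."""
import socket

# Assumed placeholders, not values from the thread: substitute your own.
PROXY = ("proxy.example.internal", 8080)
DIRECT_TARGETS = [("example.com", 80), ("example.com", 443), ("example.com", 21)]


def can_connect(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or DNS failure
        return False


def audit_egress(proxy, direct_targets, timeout=3.0):
    """Check that the proxy is reachable and that direct egress is blocked."""
    leaks = [(h, p) for h, p in direct_targets if can_connect(h, p, timeout)]
    proxy_ok = can_connect(proxy[0], proxy[1], timeout)
    return {
        "proxy_reachable": proxy_ok,
        "leaks": leaks,
        "compliant": proxy_ok and not leaks,
    }


if __name__ == "__main__":
    result = audit_egress(PROXY, DIRECT_TARGETS)
    print("proxy reachable:", result["proxy_reachable"])
    for host, port in result["leaks"]:
        print(f"LEAK: direct connection to {host}:{port} succeeded")
    raise SystemExit(0 if result["compliant"] else 1)
```

Where ports 80 or 443 are transparently intercepted and redirected to the proxy, those handshakes complete at the intercepting device, so the check is meaningful only for the explicit-proxy design with a deny rule at the exit firewall.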
What about a guest network - like a guest wireless network? How do you handle this situation for machines that are not typically on our network. Obviously we can use DHCP to push down the proxy but how to prevent them from circumventing it?
Guest WiFi users are going out using a specific IP address(es) I presume. Don't assume they can use .PAC or WPAD. Instead, intercept it using WCCP to force it to pass through your proxy.
Unfortunately we do not have the equipment available at this location that can do WCCP. We tried an HTTP redirect from the firewall to the MWG but it's just authenticating every user at every webpage. What other way can we handle a guest wireless network?