# Forefront TMG bypassed!



## querycat (Apr 16, 2013)

Hi all,
I have an issue within my school. It seems a student has bypassed our firewall and proxy settings, allowing him to access blocked sites (Facebook in this case).

We have Forefront TMG set up within the school domain, which has worked very nicely until now. The trouble is, I have no idea how this student has been able to bypass it.

I was able to check his internet settings before the page was closed, and I noted that the Internet Options "LAN Settings" had nothing checked at all. This usually means that they don't get any internet access at all.

This is the LAN settings page for reference; it had no checkboxes checked:
http://km.support.apple.com/library/APPLE/APPLECARE_ALLGEOS/TS1814/TS1814_02--windows_7-001-en.png

All I can think is that the student was using an Internet Explorer add-on, but 99% of the sites that host them are blocked, and their installation requires administrative privileges.
Or he's tethered his phone's internet connection to his laptop, but by doing so he'd need to have "Automatically detect settings" checked, otherwise he wouldn't get a connection.

I've tried to emulate what he's done but he's outsmarted me!

Does anyone have any ideas as to how this has been achieved, and how I can avoid it being exploited in the future?

Many thanks in advance!


----------



## Wand3r3r (Sep 17, 2010)

Is the TMG server the gateway entry for the students' PCs?


----------



## querycat (Apr 16, 2013)

Wand3r3r said:


> Is the TMG server the gateway entry for the students' PCs?


Yep.


----------



## Wand3r3r (Sep 17, 2010)

Assuming the PCs are in a domain, I would suggest a GPO for restricting USB port access. This would prevent phone hookups as well as eliminate a vector for viruses.


----------



## querycat (Apr 16, 2013)

Wand3r3r said:


> Assuming the PCs are in a domain, I would suggest a GPO for restricting USB port access. This would prevent phone hookups as well as eliminate a vector for viruses.


Thanks for the advice, however the suggestion would be more problematic than not having it disabled. We urge the students to back up data on their USB sticks just to be safe, and a number of devices require USB ports (robotics, media devices, IWBs etc.).
Also, I'd believe that if tethering were unavailable via USB they'd have the opportunity to access it via Bluetooth or Wi-Fi.

My main query is how he even had internet access without having any of the proxy/gateway settings set. With that information, I may be able to block access to a couple of things to prevent further exploitation.

I appreciate the help though


----------



## querycat (Apr 16, 2013)

So I managed to figure out the cause.
The student was using a tool called "UltraSurf", which found any available proxy that wasn't the school's secure proxy and accessed it.

Certain hotkeys can be set up within the tool to clear any proxy settings the tool sets, which is why when I saw it they were blank.

It looks like the solution to the problem is to prohibit any internet access from proxies other than the school's own proxy through Forefront TMG.
I'm personally unsure of how to go about this; can anyone assist?


----------



## Wand3r3r (Sep 17, 2010)

Sorry, but that doesn't make sense. The traffic still had to go through TMG to get to an outside proxy. You could just block the application.

Perhaps this will help you figure out the app signature so you can block it:
Configuring HTTP filtering

Turns out UltraSurf is a VPN application that connects to the UltraSurf servers to then browse the internet. Blocking its signature should do the trick.


----------



## querycat (Apr 16, 2013)

Wand3r3r said:


> Sorry, but that doesn't make sense. The traffic still had to go through TMG to get to an outside proxy. You could just block the application.
> 
> Perhaps this will help you figure out the app signature so you can block it:
> Configuring HTTP filtering
> ...


Sorry, I worded it fairly poorly. You're right.
I'll attempt to block its signature, and if I have trouble doing so I'll let you know.
Thanks Wand3r3r

EDIT: After very minimal research it's obvious to me that there are potentially hundreds of alternatives to UltraSurf... This could be quite a job.
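Wand3r3r's suggestion is to block the tool by HTTP signature, and the last post notes that there are hundreds of tools like UltraSurf, so a per-tool signature list will always lag. A complementary approach is to look for the behaviour these tools share in the TMG web proxy log: the client gets out through whatever access rule permits HTTPS to any destination, so what TMG sees is a stream of CONNECT requests to bare IP addresses rather than hostnames, with no ordinary browsing around them. The script below is an added example, not code from the thread, from Microsoft or from any TMG tooling. It runs both checks over constructed sample log lines: a TMG-style signature match (request field plus search string) and the bare-IP CONNECT heuristic. Everything in it is an assumption made for the example: the simplified eight-field line format (the real TMG W3C log has many more fields in a different order, so `LINE_RE` has to be adapted before feeding it real exports), the placeholder `ProxyTool/` signature (real signatures must come from a capture of the actual tool), the sample clients and addresses, and the threshold of three distinct IP-literal tunnels.

```python
import re
import ipaddress
from collections import defaultdict

# Assumed, simplified log format (constructed for this example; the real TMG
# W3C web proxy log has many more fields and a different order):
#   client_ip username method dest_host dest_port "user_agent" rule result
LINE_RE = re.compile(
    r'^(?P<client_ip>\S+) (?P<username>\S+) (?P<method>\S+) (?P<dest_host>\S+) '
    r'(?P<dest_port>\d+) "(?P<user_agent>[^"]*)" (?P<rule>\S+) (?P<result>\S+)$'
)

# Constructed sample traffic: one ordinary browsing session (jsmith), one
# client whose only traffic is CONNECT tunnels to bare IP addresses
# (student7, UltraSurf-style), and one client whose User-Agent matches a
# placeholder signature (student9).  Addresses are documentation ranges.
SAMPLE_LOG = """\
10.1.5.20 jsmith GET www.bbc.co.uk 80 "Mozilla/5.0 (Windows NT 6.1)" AllowWeb Allowed
10.1.5.20 jsmith CONNECT mail.google.com 443 "Mozilla/5.0 (Windows NT 6.1)" AllowWeb Allowed
10.1.5.20 jsmith GET www.facebook.com 80 "Mozilla/5.0 (Windows NT 6.1)" BlockSocial Denied
10.1.5.31 student7 CONNECT 198.51.100.10 443 "Mozilla/4.0 (compatible; MSIE 6.0)" AllowWeb Allowed
10.1.5.31 student7 CONNECT 198.51.100.23 443 "Mozilla/4.0 (compatible; MSIE 6.0)" AllowWeb Allowed
10.1.5.31 student7 CONNECT 203.0.113.7 443 "Mozilla/4.0 (compatible; MSIE 6.0)" AllowWeb Allowed
10.1.5.31 student7 CONNECT 203.0.113.9 443 "Mozilla/4.0 (compatible; MSIE 6.0)" AllowWeb Allowed
10.1.5.44 student9 GET www.example.org 80 "ProxyTool/1.0" AllowWeb Allowed
"""

# Signatures in the shape TMG's HTTP filter uses: a request field plus a string
# to look for.  The value here is a placeholder assumed for the example; real
# ones have to be taken from a capture of the tool being blocked.
SIGNATURES = [
    ("user_agent", "ProxyTool/"),
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dest_port"] = int(rec["dest_port"])
    return rec


def is_ip_literal(host):
    """True when the destination is a bare IPv4/IPv6 address, not a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def matches_signature(rec, signatures=SIGNATURES):
    """Return the first (field, needle) pair found in the record, else None."""
    for field, needle in signatures:
        if needle.lower() in rec.get(field, "").lower():
            return (field, needle)
    return None


def analyse(log_text, signatures=SIGNATURES, ip_connect_threshold=3):
    """Return {client_ip: [finding, ...]} for clients worth a closer look."""
    ip_connects = defaultdict(set)   # client -> distinct bare-IP CONNECT targets
    sig_hits = defaultdict(set)      # client -> distinct signature matches
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "CONNECT" and is_ip_literal(rec["dest_host"]):
            ip_connects[rec["client_ip"]].add(rec["dest_host"])
        hit = matches_signature(rec, signatures)
        if hit:
            sig_hits[rec["client_ip"]].add(hit)

    findings = defaultdict(list)
    for client, hosts in ip_connects.items():
        if len(hosts) >= ip_connect_threshold:
            findings[client].append(
                "CONNECT tunnels to %d distinct bare IP addresses" % len(hosts))
    for client, hits in sig_hits.items():
        for field, needle in sorted(hits):
            findings[client].append("%s matches signature %r" % (field, needle))
    return dict(findings)


if __name__ == "__main__":
    for client, notes in sorted(analyse(SAMPLE_LOG).items()):
        print(client)
        for note in notes:
            print("  -", note)
```

On the sample data the ordinary user is not reported even though one of their requests was denied, while the client tunnelling to four different bare addresses and the client with the placeholder User-Agent both are. The point of the behavioural check is that it does not care which of the hundreds of tools is in use; once a client is identified, the TMG side of the fix is the access rule that currently lets HTTPS out to any destination, since a signature only helps for traffic TMG can actually read.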


----------

