Firefox in the Enterprise

Discussion in 'Business & Enterprise Computing' started by vader, Nov 1, 2011.

  1. GiantGuineaPig

    GiantGuineaPig Member

    We already have transparent proxy in place. TMG's last two rules are: if you're authenticated, then out you go. If you're not authenticated, access denied. Clients try to go out via TMG when nothing's configured.

    We still require internet traffic to be AD authenticated. That doesn't mean we don't have a transparent proxy.

    Yet again, I was just posting from a configuration point of view, not security and just giving an example of a possible setting. Since we don't know the OP's setup we can only guess.

    The reason I said it wasn't very good, is that there are often issues if you or your ISP has an upstream transparent proxy that's squid, it seems to break TMG/ISA. http://www.edugeek.net/forums/inter...79977-using-tmg-server-transparent-proxy.html
     
    Last edited: Nov 2, 2011
  2. elvis

    elvis Old school old fool

    If I have a bug with software I pay support contracts for, I file that bug with the developer and make them fix it. If they don't fix it in a timely fashion, I stop using their software.

    Whether it's Microsoft or Joe Blogg's Backyard Software Studio, I treat them the same. I pay for software that works, and expect bugs to be fixed in a timely fashion when I pay for support. Life's too short to fuck around with bad software that doesn't work as it should, and doesn't get fixed by companies you pay good money to.
     
  3. GiantGuineaPig

    GiantGuineaPig Member

    I completely agree. I haven't logged the bug because it hasn't affected me and I'm quite fine with how it's set up. I've logged previous bugs and had them resolved, no issues here. If ISA/TMG was failing to meet my needs, I'd be implementing something else.

    I'm sure all this is helping the OP.
     
  4. vader (OP)

    vader Member

    Thanks for the info guys.

    That was my first response; however, someone very high up told my boss it was going to happen, and he told me...

    Thanks

    All traffic is forced through a proxy.

    Will consider that, but suspect it will be overruled.

    I've noticed.
    If we can force a few settings by GP it makes regular updates a little easier; however, having said that, once it's out, updates are unlikely to be done.
    My concern here is that these users would have local admin rights and could mess around with a config file.

    Installing any random addons they feel like springs to mind.
     
  5. ics

    ics Member


    What you're after is FrontMotion Firefox. It's a modified version of FF that can be deployed and managed via Group Policy.

    Good luck,

    T
     
  6. elvis

    elvis Old school old fool

    Then what do you need to lock down on the client side?
     
  7. vader (OP)

    vader Member

    Thanks,
    Playing round with that now.

    Stop users from installing plugins and updates, and messing round with the configuration in general.
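What vader describes (no add-on installs, no self-updates, a fixed proxy) can be pinned with Firefox's own AutoConfig mechanism: a locked mozilla.cfg in the install directory plus a defaults/pref/local-settings.js that activates it. The Python below is added here and is not from the thread or from any product mentioned in it; it renders both files, the proxy URL and pref set are constructed sample values, and pref names should be checked against the Firefox version actually being deployed.

```python
import json
import os

# Settings a helpdesk would typically pin: no add-on installs, no self-update,
# proxy fixed to a corporate PAC file. Values are constructed sample values.
LOCKED_PREFS = {
    "xpinstall.enabled": False,       # block add-on/plugin installation
    "app.update.enabled": False,      # updates come from the SOE, not the browser
    "extensions.update.enabled": False,
    "network.proxy.type": 2,          # 2 = automatic proxy configuration (PAC) URL
    "network.proxy.autoconfig_url": "http://proxy.example.internal/proxy.pac",
}

def js_literal(value):
    """Serialise a Python value as the JavaScript literal lockPref() expects."""
    if isinstance(value, bool):       # must precede the int check: bool is an int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        return json.dumps(value)      # JSON string syntax is valid JS and escapes quotes
    raise TypeError(f"unsupported pref type: {type(value).__name__}")

def render_mozilla_cfg(prefs):
    """Build mozilla.cfg. Firefox skips its first line, so that line must be a comment."""
    lines = ["// Firefox AutoConfig: generated centrally, do not edit locally"]
    for name, value in sorted(prefs.items()):
        lines.append(f"lockPref({json.dumps(name)}, {js_literal(value)});")
    return "\n".join(lines) + "\n"

def render_local_settings_js():
    """Build defaults/pref/local-settings.js, which tells Firefox to load mozilla.cfg."""
    return (
        'pref("general.config.filename", "mozilla.cfg");\n'
        'pref("general.config.obscure_value", 0);\n'  # 0 = plain text, not byte-shifted
    )

def write_autoconfig(install_dir, prefs=LOCKED_PREFS):
    """Write both files under a Firefox install directory and return their paths."""
    pref_dir = os.path.join(install_dir, "defaults", "pref")
    os.makedirs(pref_dir, exist_ok=True)
    cfg_path = os.path.join(install_dir, "mozilla.cfg")
    js_path = os.path.join(pref_dir, "local-settings.js")
    with open(cfg_path, "w", newline="\n") as f:
        f.write(render_mozilla_cfg(prefs))
    with open(js_path, "w", newline="\n") as f:
        f.write(render_local_settings_js())
    return cfg_path, js_path
```

Because the files live in the install directory, a user without write access there cannot undo the locks, which is the point of combining this with the local-admin question raised earlier in the thread.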
     
  9. GiantGuineaPig

    GiantGuineaPig Member

    If you used a REAL proxy server like squid, this would be completely unnecessary *sarcasm*
     
  10. elvis

    elvis Old school old fool

    Sarcasm aside, decent network security will mitigate your risks for users "messing around with config". (The worst problem is users specifying their own proxies, which you can trivially work around with proper whitelisting and network control).

    And who honestly cares if they install updates and plugins? Any network plugins like TOR will fail if your network security is set up correctly. And useful things like Firebug, Noscript, Adblock and other tools aren't exactly a major drama (I'd encourage users to have these installed, and indeed I replicate similar functionality into my proxy deployments by using Adblock and NoScript configs to build proxy blacklists).

    When it comes to web browsers, I don't have huge problems letting them update themselves. Proactive patch security for the win. And again, if you really want to stop this (say if you're unlucky enough to have some shitty apps in your org that breaks with browser updates), you can happily block the Mozilla update servers at your proxy and/or firewall.

    Or you can keep trying to hammer a square peg into a round hole by using Group Policy to hack around non-Microsoft software. I guess when the only tool you've got is a hammer, every problem looks like a nail.

    Microsoft live in a vacuum. The average Microsoft employee doesn't really understand the world outside of Microsoft (plenty of blogs out there from folks who have left Microsoft, and document this very problem). From a marketing and management point of view, releasing a tool that allows trivial config and deployment of third party applications would be making it easier for customers to use non-Microsoft software, which isn't the done thing over there.

    Microsoft has been making good ground when it comes to the concept of integrating into the wider software ecosystem, and not just pushing homogeneous Microsoft environments at any cost. All the same, they've still got a long way to go until the idea penetrates company-wide.
     
    Last edited: Nov 6, 2011
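elvis mentions building proxy blacklists from Adblock and NoScript configs. As an added example that is not code from the thread or from any filter-list project, the Python below pulls the plain domain-block rules (`||host^`, optionally with `$options`) out of an Adblock-format list and emits them in Squid's dstdomain format; exceptions, cosmetic rules, path rules and wildcard hosts are skipped because a domain ACL cannot express them. The filter list embedded here is constructed.

```python
import re

# Constructed sample list in Adblock Plus syntax (not a real published list).
SAMPLE_FILTERS = """\
[Adblock Plus 2.0]
! Title: constructed sample
||ads.example.com^
||tracker.example.net^$third-party
||cdn.example.org/banner.js
@@||ads.example.com/whitelisted^
example.com##.ad-banner
||*.doubleclick.example^
||ads.example.com^
"""

# `||` anchor, a hostname (letters, digits, dots, hyphens), then the `^` separator,
# optionally followed by `$option,option` modifiers. Anything else is not a host block.
DOMAIN_RULE = re.compile(r"^\|\|([A-Za-z0-9.-]+)\^(?:\$.*)?$")


def filters_to_domains(text):
    """Return the set of hostnames the filter text blocks outright."""
    domains = set()
    for raw in text.splitlines():
        line = raw.strip()
        # Skip comments, list headers, exception (@@) rules and cosmetic (##, #@#) rules.
        if not line or line.startswith(("!", "[", "@@")) or "##" in line or "#@#" in line:
            continue
        m = DOMAIN_RULE.match(line)
        if m:                              # path rules and wildcard hosts fail the match
            domains.add(m.group(1).lower().rstrip("."))
    return domains


def squid_dstdomain_acl(domains):
    """Render a Squid dstdomain file: a leading dot matches the host and all subdomains."""
    return "\n".join("." + d for d in sorted(domains)) + "\n"


if __name__ == "__main__":
    # Drop the output into squid.conf as:
    #   acl adblock dstdomain "/etc/squid/adblock.domains"
    #   http_access deny adblock
    print(squid_dstdomain_acl(filters_to_domains(SAMPLE_FILTERS)), end="")
```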
  11. GiantGuineaPig

    GiantGuineaPig Member

    3rd time I'll say it - it's not about security. It's providing a standard environment with standard settings, so your helpdesk doesn't spend most of their time troubleshooting why certain things occur a certain way and troubleshooting settings. This especially applies when you're in a non-techie company.
     
  12. vader (OP)

    vader Member

    Tell me, how does decent network security and proxies work when users take their lappys off the network?
    You may not have any users that have lappys, but I do and have to consider them as well.
    This is not to say that network security does not have an important role to play - it does. However, it's not the solution to every scenario.
    Hmmmm reminds me of some quote about every problem looks like a nail ;)

    Seriously?
    Well, how about anyone who has to clean up after a plugin or update that breaks functionality of some legacy app, for one, or trying to fix a security incident caused by some dodgy plugin that someone has installed, or someone who has to try and troubleshoot some weird issues caused to a third party app.

    Well I would change "it's not about security" to "it's not just about security". I agree with your other comments on some of the reasons behind an SOE.
     
    Last edited: Nov 7, 2011
  13. elvis

    elvis Old school old fool

    A transparent proxy (more accurately, a router/firewall) hijacks web-bound traffic and redirects it to a proxy. From the browser's point of view, it's entirely ignorant to the fact that it's using a proxy at all. When users are off your network, they get direct Internet access without having to change their configuration, use a different profile, or require any additional administrative privileges. Likewise if they travel between different sites of the same company, their config (or more precisely, their lack of config) always works.

    Likewise any stray laptops or tablets on your network are forced to comply.

    Many ISPs do this without their users ever knowing it's in place.

    I've had laptop users in every single business I've worked for, and my method has worked with less maintenance and helpdesk intervention. Particularly so in very large organisations that use multiple sites with different settings per site, and laptop users who frequently travel between them.

    More recently, I've worked for a variety of places that have a "bring your own device" policy that grants users the ability to bring phones and tablets. While they don't get directly to production data, they are also put behind transparent proxies in order to prevent access to certain websites while on site.

    Yes, seriously. I've worked at a place only 6 months ago that required IE7 for a particular legacy app. IE8 and up broke that app badly. Users had IE7 installed on their machines for that purpose, and Firefox or Chrome for everything else. Firefox and Chrome could auto-update all day long, and IE7 stayed there for that one shithouse app that some shithouse dev studio refused to update to work with a browser made this decade.

    See above. I've used this method in over half a dozen businesses ranging from 100 users on one site to 1600 users spread unevenly across 35 sites with great success. In all cases it resulted in less work for helpdesk, and fewer troubleshooting problems.

    I don't make assertions about things I haven't succeeded with in the real world. This isn't some hare-brained theoretical setup. I've built this dozens of times over with great success, and often thanks from both end users and helpdesk staff who have one less thing to worry about.
     
    Last edited: Nov 7, 2011
  14. vader (OP)

    vader Member

    I'm well aware of what a proxy, transparent or otherwise, does.

    I think you missed my point here.
    You can block them from downloading & installing stuff with the proxy when they are internal to your network; however, when they are on an external network there is no proxy, so they have direct access and can install stuff that you don't want them to.
    Hence why a proxy is not a working solution in this instance.
     
  15. nimmers

    nimmers Member

    I always point and laugh at the poor server/desktop admin that ends up owning the SCOM/SMS/Altiris/Kaseya or whatever system. What a prick of a job to have.

    This never gets better! I can remember 10 years ago I managed some Fedora Core 1 desktops.

    -User asks for some software
    -SSH in to users PC
    -install the software they want from an RPM in the corporate yum repo
    -e-mail the user and tell them the software they asked for is ready to use

    10 years later with expensive tools it's still not as easy or elegant on Windows.
     
  16. bsbozzy

    bsbozzy Member

    What "stuff" are you referring to? Flash and other plugins or full blown apps?
     
  17. elvis

    elvis Old school old fool

    Group Policy configured proxy isn't going to solve this problem either. Unless you specifically want your users to have zero Internet access while they are offsite.

    Amen to that. Although these days I just add a single line to my Puppet config and forget about it. :)
     
    Last edited: Nov 7, 2011
  18. Kalm.

    Kalm. Member

    How is that easier or more elegant compared to this?

    • User emails/calls helpdesk requesting 'some software'
    • Helpdesk staff add the user's PC to a SG
    • Software is installed from corporate repo(s) and user is emailed without any interaction
     
  19. elvis

    elvis Old school old fool

    For starters, there's a lot more prep work you have to do to get it to that point, which wastes a lot of time for special cases or one-off applications.

    Secondly, it requires the user to log off and log back on, which is a pedantic point, but valid nonetheless. "yum -y install blah" means "blah" is up and running in seconds, with no need to interrupt the user's current session.

    Tools like YUM and APT are second to none for package management, and even better when combined with higher level management tools like Satellite/Spacewalk/Landscape. Once you spend a bit of time with these tools, you realise just how far behind Microsoft are with their corporate systems and package management.

    What people don't often realise is I started my life out as a Windows-only sysadmin, and quickly found myself irritated with the huge volumes of manual labour required for trivial tasks. I turned to Linux purely to be able to do more productive work in less time. The pleasant side effect of that was also being paid a shitload more, which didn't hurt. :)
     
  20. Kalm.

    Kalm. Member

    Whilst I haven't done it day-to-day in a while, I've set up hundreds of SCCM packages in my time. Most would take a maximum of 10 minutes to prep and be ready for deployment to 1, 10 or thousands of endpoints.

    The more involved ones for particularly difficult apps might take 1/2 hour to script up.

    Wrong. There's zero requirement to log off/log on to have apps installed with SCCM. Apps can be installed in minutes or seconds if really required.

    Or you could just kiosk it, and have the user pick and install their apps on demand from a pre-defined catalog approved for installation on their PCs.

    No admin/IT staff involved whatsoever.

    If an application requires a restart/reboot/logoff whatever, that can be done as part of an install with zero effort.

    I think you're a bit out of touch with the current MS landscape. The System Center suite has come a long way.
     
