Identify/Block ISA server (or any proxy) behind Hotspot

Hi,

Is there any way to block users from using an ISA server behind the hotspot?

The issue is that if the ISA server is allowed by one user login, then all clients behind it are also allowed, since all users share the same IP and MAC address.

We have a school with a computer class that might possibly use it and we want to have control/traceability for all internet access.
I want all users to have to log in to the hotspot.

One idea I had was to use L7, but I am unsure if it will work and, if so, what to trigger on in the L7.
If it is possible, is there someone who knows some unique value that the proxy inserts in the header, for instance?
I have these two.

http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(via:)
http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(proxy-connection:)

But I asked a friend of mine who goes through an ISA to check against an online header check and it did not show any of these.

We use HTTPS on the hotspot with login against a RADIUS server. I tested the cookie but that did not help :frowning:

Anyone have an idea?
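Added example, not part of the original posts: a Python check of the two posted patterns against constructed HTTP payloads. It shows that both patterns require a response status line before the header, so they match a server response carrying `Via:` but not a request carrying the same header. Case-insensitive matching and all sample payloads are assumptions.

```python
import re

# The two patterns exactly as posted in the thread.
PATTERNS = {
    "via": r"http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(via:)",
    "proxy-connection": r"http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(proxy-connection:)",
}
# Assumption: the filter matches case-insensitively, as the lowercase patterns suggest.
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in PATTERNS.items()}

# Constructed sample payloads (not captured traffic); PROXY01 is a made-up name.
SAMPLES = {
    "response_with_via":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nVia: 1.1 PROXY01\r\n\r\n",
    "response_plain":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "request_with_via":
        "GET / HTTP/1.1\r\nHost: example.com\r\nVia: 1.1 PROXY01\r\n\r\n",
    "request_with_proxy_connection":
        "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
        "Proxy-Connection: Keep-Alive\r\n\r\n",
    # First bytes of an encrypted session: no readable headers at all.
    "tls_bytes": "\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",
}


def matched_patterns(payload):
    """Return the names of the posted patterns that match this payload."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(payload))


def report():
    """Map each constructed sample to the list of patterns that matched it."""
    return {label: matched_patterns(p) for label, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:32} -> {hits or 'no match'}")
```

In a request the version token is followed by CR LF rather than a three-digit status code, which is why the request samples do not match.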

Hello, we have a similar problem at our school and want to have a control and traceability of each student’s internet access to sites which are not on either of our allowed or not allowed lists.

What have you done to control your students?

Thanks

Hi!

Well, we have 2 setups roughly speaking… The “normal” network and the “isolated” network. The isolated network is protected by an RB1000 handling an “unsecure” wireless network and also a wired hotspot network (this is because we have implemented 802.1x on all ports on our switches to prevent non-authorized computers on the “normal” network).

What we do is log all traffic at firewall level to a global syslog server. The same goes for login requests (Active Directory) and DHCP requests. The hotspot network uses a RADIUS server (win2k8) and it also sends logs to the syslog server.
This we do at both networks. All log sites are checked against the same NTP source to make log searching reliable and easy.

At the isolated network we have almost all ports open outbound with the exception of P2P (all types), SMTP and NETBIOS. This was the wish of the school that uses it. And since we don’t want this on the normal network we choose to isolate it.
These settings are shared by both the hotspot and wireless network, by the way.

This is pretty much the setup. We don’t block Internet sites at the moment.
My advice, if you just want to keep track, is to log all traffic and also the logins and DHCP. We have found that this often is enough.
We use a syslog server called LogMON or LogEx.

What is your current setup?

Have a nice day :smiley:

No one has a clue how to identify that proxy? :frowning:

Why do you need that proxy at all?..

Well, that's the deal: I want to make sure that no one is able to install one behind my Mikrotik.
We have some schools that have computer classes and if they do install it I will lose our ability to monitor them. :frowning: