-- NeilBriscoe - 06 Jan 2009
Synopsis: This article describes methods of ensuring that your users cannot bypass the CensorNet when connecting to the web.
CensorNet Professional version 4 is intended as a Sideways Proxy[1]. As such, it is possible that users can bypass it if you do not take steps to ensure that their access is blocked if they try. Here we discuss some of the most common ways of doing so.
The first method, available to all sites, is to configure the firewall/router that connects your network to the Internet so that it only allows access to external web resources from the CensorNet itself. That way, if your users configure their browsers not to use the proxy, the firewall/router will simply drop their packets and they won't be able to reach the outside. Common ports to secure in this fashion are 80 (HTTP) and 443 (HTTPS). You may also wish to block port 21 (FTP) so that you can enforce your permitted file type policy on FTP downloads too.

If you have an Active Directory or NDS server, you should be able to configure a policy that ensures that when a user logs in, their proxy settings are enforced. This should mean that users are then unable to turn the proxy settings off.

Users with an AD server can also make use of the NTLM AUTH facility that CNv4 supports. Users will have had to authenticate with the network server in order to make use of the network at all. If you configure your CensorNet with a closed policy and make that the default, users will only be able to surf if you have configured them into a group with a schedule of permissive policies. Anyone plugging in a spare laptop which doesn't authenticate against your AD first will find that the CensorNet simply blocks them. This policy works best in conjunction with the firewall configuration described at the beginning of this article.

Notes:
1. The latest versions of the CensorNet can be configured in in-line (transparent) mode. In this configuration, there is no chance that a user can bypass the CensorNet.
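As an added example of the firewall method described above (this is not configuration from the original article or from CensorNet), the script below generates iptables FORWARD rules that permit outbound TCP on ports 80, 443 and 21 only from the proxy's address and drop the same traffic from every other LAN host. The proxy address 192.0.2.10, the LAN range 192.0.2.0/24 and the WAN interface name eth1 are placeholders you would replace with your own values.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Emits iptables rules so that only the CensorNet proxy may reach external
# web/FTP ports; every other LAN host attempting a direct connection is dropped.
# All addresses and interface names below are assumed placeholders.

# Ports the article recommends securing: HTTP, HTTPS and FTP control.
PROXY_PORTS="80 443 21"

# egress_rules PROXY_IP LAN_CIDR WAN_IFACE
# Prints the rules in the order they must be applied: ACCEPT for the proxy
# first, then DROP for the rest of the LAN, because iptables matches
# top-down and a DROP placed first would also block the proxy.
egress_rules() {
    proxy="$1"
    lan="$2"
    wan_if="$3"
    for port in $PROXY_PORTS; do
        # The proxy itself is allowed out on each secured port.
        echo "iptables -A FORWARD -o $wan_if -s $proxy -p tcp --dport $port -j ACCEPT"
    done
    for port in $PROXY_PORTS; do
        # Any other LAN source going direct to these ports is dropped.
        echo "iptables -A FORWARD -o $wan_if -s $lan -p tcp --dport $port -j DROP"
    done
}

# count_rules: number of rules generated (3 ACCEPT + 3 DROP = 6).
count_rules() {
    egress_rules "$@" | wc -l | tr -d ' '
}

# first_action: the target of the first generated rule; must be ACCEPT.
first_action() {
    egress_rules "$@" | head -n 1 | sed 's/.*-j //'
}

# Review the generated rules before applying them, e.g.:
#   egress_rules 192.0.2.10 192.0.2.0/24 eth1 | sh
egress_rules 192.0.2.10 192.0.2.0/24 eth1
```

The script only prints the rules so that they can be reviewed and kept under version control; piping the output to `sh` on the firewall applies them. If your firewall already has a permissive default FORWARD policy, the DROP rules are what actually stop browsers that have had the proxy setting removed.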