Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco cloud base firewall/ScanSafe


Our organization uses a Cisco cloud based firewall/ScanSafe for internet access/content filter.

We moved away from the previous method of an ISA Firewall using pac files.

In the old system we had AD security groups to grant access to the ISA.  With the current Cisco solution the internet is wide open and we trust ScanSafe as secure content filter.

The issue I am now running into is that I now have employees that should not have internet access at all (and didn't under the old system) that now have discovered that they do in fact have internet access.

I am trying to find a solution to this from a client side (hopefully to be implemented as  GPO)

We only use internet explorer as our browser.  As long as I have the "Automatically detect settings" selected nothing else I do will matter, and they get full internet access.

I have tried setting up a proxy server and setting it to but I either succesfully deny internet access, but it will also deny intranet access, which I can not do because all of there time card/HR/company news is all web based.

So the question is:

Does anybody know of any client side settings that will deny internet access but still allow local intranet access?


Super Bronze

Cisco cloud base firewall/ScanSafe

How do you redirect your internet traffic towards the Cisco ScanSafe cloud?

There are a few methods you can use, but please kindly advise how you redirect and we can assist accordingly.

New Member

Cisco cloud base firewall/ScanSafe

From a client side we just set the computers to "Automatically detect settings" no other configuration is needed.

Our internet traffice is basically open, it is just scanned by Cisco's ScanSafe content filter (and antivirus/malware)

I'm the client side engineer, the infrastructure is handled by a seperate company.

Super Bronze

Cisco cloud base firewall/ScanSafe

If the client side is set to "Automatically detect settings", most probably PAC file is being used.

If you have user granularity implemented for your ScanSafe solution, then you can configure Rule under the ScanSafe portal to block internet access for certain group/users. This is settings to be configured under Scansafe solution.

Alternatively, if those users have specific ip address and/or connected to a specific subnet, then you can configure those filtering under your router/firewall.

Other solution would be to remove default gateway on the client's PC, and just have static route configured to access internal resources/intranet. This will ensure that they don't have access to the internet since there is no default gateway.