As of this writing, if all patches are applied, the transparent proxy
should not be listening on the outside address for any HTTP connect
commands. Yet it still is vulnerable. I have a site who uses TP and was hit
very hard from the outside because of this issue. The IP address that was
being hit, had to be changed to alleviate this problem. They also use
groupwise webaccess. Here's the problem. According to all I've read, if
authentication is turned on, TP will deny the outside requests. On the
inside, SSO is used to authenticate to the proxy and works fine. But if the
outside webaccess user's try to connect, they fail through SSO because they
are not logged in. The remote users do not carry a laptop with them, and
may be at any Internet enabled machine. How is one supposed to deal with
this mess?