I am on holiday at present but I am sure I will need to set this up when I get back. So I'm doing some advance homework.
I am looking to restrict network access to certain logins, in particular, restricting internet access.
Our new Windows network is using Forefront TMG as firewall. It is not part of the domain but does have access to a RADIUS server - currently for VPN use.
Our new clients are Windows 7, but many teachers' machines will be Win XP. I know from previous experience that some of the old school XP machines could not run SP3 (or was it SP2?) due to video card issues, so let's assume any solution should work for Windows XP SP1.
Currently the school, office and IT LANs route through a Windows 2008 R2 server using RRAS LAN routing. The Forefront TMG firewall is on the IT LAN, but out of the active server domain. I see from the Forefront documentation that creating access groups on a per-user basis will slow things down, plus I assume that authentication will be an issue with Forefront being in the DMZ. So I assume that using TMG to filter on a per-user basis is not a solution.
I guess that I can create a per user group GPO that sets the IE proxy to something benign (localhost?) but I would rather have a network based solution.
But the LAN-routing Windows 2008 R2 machine seems a good central point for restricting network usage. Is there anything that can possibly be done here, maybe with RRAS, NPS, IPsec or the firewall?
I think what the teachers will be asking for is a classroom PC that, when logged in with a generic 'Classroom' username with little or no password protection, will not provide any network access for the user except to the intranet for email and taking the register. Just like it used to be in the old days, when the school had no network security other than disconnecting it from the LAN and teachers didn't use email or take the register electronically.
Thanks in advance
Last edited by ianh64; 15th August 2010 at 04:46 PM.
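As an added example, not from the original post or any reply in this thread, here is what the "benign proxy" idea above looks like as a logon script attached to a GPO that applies only to the 'Classroom' user or group. The proxy address 127.0.0.1:9 and the intranet host names are assumptions; substitute your own. It uses reg.exe, which ships with Windows XP onward, so it covers the XP SP1 machines mentioned as well as Windows 7.

```batch
@echo off
rem Added example (not from the original thread): per-user logon script that sends
rem all WinINET/Internet Explorer traffic to a dead local proxy, except for the
rem intranet hosts the teachers still need (email and the register).
rem Host names below are assumptions - replace with your own.

set IE_KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
set INTRANET=intranet.school.local;mail.school.local

rem Turn on a static proxy and point it at localhost port 9. Nothing listens there,
rem so every proxied request fails immediately instead of hanging.
reg add "%IE_KEY%" /v ProxyEnable /t REG_DWORD /d 1 /f
reg add "%IE_KEY%" /v ProxyServer /t REG_SZ /d 127.0.0.1:9 /f

rem Bypass the proxy only for the named intranet hosts and for plain (dot-less)
rem local names. Everything else, i.e. the internet, goes to the dead proxy.
reg add "%IE_KEY%" /v ProxyOverride /t REG_SZ /d "%INTRANET%;<local>" /f

rem An automatic configuration script (PAC) would take precedence over the static
rem proxy, so make sure none is set for this user.
reg delete "%IE_KEY%" /v AutoConfigURL /f >nul 2>&1

rem Quick check of what was written, visible in the logon script log if enabled.
reg query "%IE_KEY%" /v ProxyServer
reg query "%IE_KEY%" /v ProxyOverride
```

Two caveats a practitioner would want noted. First, this only constrains programs that honour the system (WinINET) proxy settings; anything that talks to the network directly is unaffected, which is exactly why a network-based control at the RRAS box or the firewall is the stronger answer to the question. Second, these are HKCU values, so a user who can open Internet Options can undo them unless the GPO also enables the Internet Explorer administrative template setting "Prevent changing proxy settings" (and ideally "Disable changing Automatic Configuration settings").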
If I were you I wouldn't make it any tougher than it is. I don't see any problem with putting a TMG server into the domain (check out the back-to-back TMG solution); it will unlock those great features that TMG is intended to do. Of course it will cost some performance, but it will be no problem at all if you have the right hardware or VM specs. So no IPsec (that means PKI) difficulties and knowledge required.
Thanks for the info. Any other suggestions? No funds available for an additional 2-processor licence (even with educational pricing) of TMG to put in a back firewall.
What about moving the edge firewall back into the domain? Too risky? It's supporting Exchange Edge Server/Forefront for Exchange Server and TMG. It was a design decision to put it on its own and it took some effort to do. Bringing it back into the domain is not without risk, although I am thinking of moving it from a virtual machine to an inexpensive physical machine so there will be some fallback if it doesn't work right out of the box, now that the test network is the production network.
Have decided to purchase a hardware firewall for edge protection and move Forefront TMG back into the domain, and probably run with the TMG client. This will give us edge firewall protection without the expense of additional TMG licences, and the ability, if needed, for user authentication and filtering in TMG.