I know this question is also suspect to my topology. But I'll ask in case there is a general broad solution for this common problem.
Is there a simple method of only allowing windows authenticated users onto the network?

Do you have ISA Server?
Z
802.1x?

I don't understand what the question is! If you have a network domain, users logon so they authenticate and are allowed access. This would make them valid Domain Users, so they can access the internet?
Apologies if I have misunderstood!

Can you clarify, do you mean:
Restrict access to the network?
Restrict access to the domain resources?
Restrict access to the internet?
If the first, then you would want some form of 802.1x system.
If the second, this should be handled via NTFS permissions on any resources.
If the third, this can be handled by having an authenticated proxy server. So ISA or SchoolGuardian could do this.
Sorry guys for not being clear.
We have an all wired network, nothing wireless. I have an ISA setup and a group policy that creates a proxy that directs to the ISA to track where the kiddies are going. But, if a student connects to our network (just plugs in) with a laptop, they have direct access to the internet with no filtering etc.
Between our T1 line and our intranet is a Sonicwall (super basic firewall). I've tried adding the ISA server between the Sonicwall and the Intranet, but all gateway and configs fail that I have tried. So instead of tackling the question this way, I was wondering if there is another way of solving this problem (the problem being, anybody able to connect to our network, unauthenticated and still having internet access.)

So what you need to do is stop kids who are plugging their non-school laptops into unused sockets on the network?

If you set the Default Gateway to the IP address of your ISA server this will force all Internet Traffic through it.

You have several options. The first is to block all traffic on port 80 except for that sent by the ISA box.
The next is to do as FN-GM says, to change the default gateway on the DHCP settings.
The most secure method is to implement some form of NAC system which only allows authorised machines on the network in the first place. I use an IAS box, managed HP switches and an OU full of authorised MAC addresses to achieve this.
If you have a router that supports it, you can enable WCCP so that all web requests are transparently sent through your caching system.
This means that even if a computer is not part of the domain, it still has to pass traffic through your content filtering.
We also look for DHCP entries for non-authorised computers and crack down on it that way. Usually the kids name their laptops after themselves.
Oh and as others have mentioned, change the gateway to your filtering system. That way they are forced to use it in the first place, although this is easily circumvented with the right knowledge.
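The two replies above both lean on the same check: keep a list of authorised MAC addresses and compare it against what DHCP is handing leases to. Here is that audit as an added example (it is not code from this thread or from any product mentioned in it). It parses a constructed, ISC dhcpd.leases-style text, normalises the MACs, and reports every lease whose MAC is not on the authorised list. The lease entries, hostnames and MAC addresses are all made up for the demonstration.

```python
"""Flag DHCP leases whose MAC address is not on the authorised list.

Added example, not part of the thread. The lease text and the authorised
MAC set below are constructed sample data, not real addresses.
"""
import re

# Constructed sample in the ISC dhcpd.leases text layout (hypothetical).
SAMPLE_LEASES = """\
lease 10.1.1.51 {
  starts 1 2008/03/17 08:02:11;
  hardware ethernet 00:1b:63:aa:bb:01;
  client-hostname "LIB-PC-03";
}
lease 10.1.1.52 {
  starts 1 2008/03/17 08:05:40;
  hardware ethernet 00:16:cb:de:ad:02;
  client-hostname "jamies-laptop";
}
lease 10.1.1.53 {
  starts 1 2008/03/17 08:06:02;
  hardware ethernet 00:1B:63:AA:BB:04;
  client-hostname "STAFF-PC-12";
}
"""

# Constructed authorised list; in practice this would be exported from the
# OU / NAC database the post describes. Case differs on purpose to show
# that comparison is done on a normalised form.
AUTHORISED_MACS = {"00:1b:63:aa:bb:01", "00:1B:63:AA:BB:04"}

LEASE_RE = re.compile(
    r"lease\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*\{(?P<body>.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def normalise_mac(mac):
    """Lower-case a colon-separated MAC so lookups are case-insensitive."""
    return mac.strip().lower()


def parse_leases(text):
    """Return a list of dicts with ip, mac (normalised) and hostname."""
    leases = []
    for match in LEASE_RE.finditer(text):
        body = match.group("body")
        mac = MAC_RE.search(body)
        host = HOST_RE.search(body)
        leases.append({
            "ip": match.group("ip"),
            "mac": normalise_mac(mac.group(1)) if mac else None,
            "hostname": host.group(1) if host else "",
        })
    return leases


def unauthorised_leases(leases, authorised):
    """Leases whose MAC is missing from the authorised set (or has no MAC)."""
    allowed = {normalise_mac(m) for m in authorised}
    return [lease for lease in leases if lease["mac"] not in allowed]


if __name__ == "__main__":
    for lease in unauthorised_leases(parse_leases(SAMPLE_LEASES), AUTHORISED_MACS):
        print(f"unauthorised: {lease['ip']} {lease['mac']} {lease['hostname']!r}")
```

Run against a real leases file you would replace SAMPLE_LEASES with the file contents; the output is the list of leases to chase up, which on the constructed data is the single self-named laptop.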
Ok, I've been trying to tackle this problem on the weekends, but am running into a snag. I'll try and be as detailed as I can, and if anybody could give a hand, that would be great!
I would like to setup my ISA 2006 server between the firewall and the domain. This will force all network users to join the domain to have the proper proxy settings put in place to have access to the internet.
This is how I see it should work. I'll start from the outside and work my way in.
Firewall: 10.1.1.254. This has been our gateway and the LAN port on the firewall has been directly connected to our internal switch.
ISA server. With two NIC cards, I would like to utilize both cards. I have named them Internal (10.1.1.10) and External (10.1.1.11). When the user accesses the network, it uses the Internal 10.1.1.10 and passes the internet request through 10.1.1.11 (with a gateway set to 10.1.1.254) that is directly plugged into the Firewall.
The User. The user attains the gateway and proxy setting via group policy. Without it, a non-authenticated domain user will not have direct and easy access to the internet.
To me, it seems as though it should work fine. But I must be missing something. The firewall doesn't have anything "special", just a few NATs going to our network, but that should be resolved through the ISA automatically because it's on the same domain I would think. I'm at a loss and I'm open to any suggestions on where I may be goofing up. I need to get this thing going and want my weekends back =)

What are your subnet masks like? It looks like both of your ISA interfaces are in the same IP subnet. This would stop it from working as it cannot route to the same subnet.

You will want to have a separate subnet on each side of the ISA box. I would recommend leaving the internal stations as they are on the 10.1.1.x subnet and using something like 192.168.0.x between your firewall and ISA box. Unless the 10.1.1.x network is a requirement of your LEA or something.
Even then you should be able to use ISA to NAT the internal IP addresses to something usable on the LEA network.
Internal Network 10.1.1.x mask 255.255.255.0 > ISA {int 10.10.1.10 - ext 192.168.0.1} > Firewall {int 192.168.0.2 - ext stays the same} > Web
Client Default gateway 10.10.1.10
ISA internal Default gateway none
ISA external Default gateway 192.168.0.2
In this config you may need to reconfigure routing on the firewall, it also assumes that your internal subnet mask is 255.255.255.0
The other option which would leave the firewall config alone would be to change the internal network:
Internal Network 172.16.x.x mask 255.255.0.0 > ISA {int 172.16.0.10 - ext 10.1.1.11} > Firewall {int 10.1.1.254 - ext stays the same} > Web
Client Default gateway 172.16.0.10
ISA internal Default gateway none
ISA external Default gateway 10.1.1.254
Here you get more internal IP addresses, but you would need to alter DHCP and DNS as well as any servers and devices with fixed IPs to the new range.
Last edited by SYNACK; 16th March 2008 at 06:03 PM.
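The replies above give the rule the original layout breaks: a box routing between two networks needs its two interfaces in different subnets, and each default gateway has to be an address on the subnet of the interface that uses it. The following is an added example (not from the thread or from ISA itself) that encodes those checks with Python's standard ipaddress module and runs them over the poster's original addressing and over SYNACK's second option; the plan-checking function and its rule set are my own, the addresses are the ones given in the posts.

```python
"""Check whether a two-NIC proxy placement can actually route.

Added example, not part of the thread. The rules encoded here are the
ones the replies state (distinct subnets per side, gateways on-link);
the address plans are copied from the posts above.
"""
import ipaddress


def same_subnet(iface_a, iface_b):
    """True when two CIDR interface strings fall in the same network."""
    return (ipaddress.ip_interface(iface_a).network
            == ipaddress.ip_interface(iface_b).network)


def check_plan(client_net, client_gw, isa_int, isa_ext, isa_ext_gw, fw_int):
    """Return a list of routing problems; an empty list means the layout is sound.

    client_net : the LAN in CIDR form, e.g. "10.1.1.0/24"
    client_gw  : default gateway handed to clients (should be the ISA inside NIC)
    isa_int    : ISA inside NIC, CIDR form
    isa_ext    : ISA outside NIC, CIDR form
    isa_ext_gw : default gateway configured on the ISA outside NIC
    fw_int     : firewall LAN-side address, CIDR form
    """
    problems = []
    lan = ipaddress.ip_network(client_net)
    inside = ipaddress.ip_interface(isa_int)
    outside = ipaddress.ip_interface(isa_ext)
    gw_client = ipaddress.ip_address(client_gw)
    gw_ext = ipaddress.ip_address(isa_ext_gw)
    fw = ipaddress.ip_interface(fw_int)

    # The point made in the thread: both NICs in one subnet cannot be routed between.
    if same_subnet(isa_int, isa_ext):
        problems.append("ISA internal and external interfaces share a subnet")
    if inside.ip not in lan:
        problems.append("ISA internal address is not inside the client subnet")
    if gw_client not in lan:
        problems.append("client default gateway is outside the client subnet")
    if gw_client != inside.ip:
        problems.append("client default gateway is not the ISA internal address")
    if gw_ext not in outside.network:
        problems.append("ISA external gateway is not on the external subnet")
    if gw_ext != fw.ip:
        problems.append("ISA external gateway is not the firewall inside address")
    if fw.ip not in outside.network:
        problems.append("firewall inside address is not on the ISA external subnet")
    return problems


# The poster's original layout: both ISA NICs in 10.1.1.0/24 (from the thread).
ORIGINAL = dict(client_net="10.1.1.0/24", client_gw="10.1.1.10",
                isa_int="10.1.1.10/24", isa_ext="10.1.1.11/24",
                isa_ext_gw="10.1.1.254", fw_int="10.1.1.254/24")

# SYNACK's second option: renumber the LAN to 172.16.0.0/16 and keep the
# firewall side on 10.1.1.x (addresses from the thread).
OPTION_B = dict(client_net="172.16.0.0/16", client_gw="172.16.0.10",
                isa_int="172.16.0.10/16", isa_ext="10.1.1.11/24",
                isa_ext_gw="10.1.1.254", fw_int="10.1.1.254/24")


if __name__ == "__main__":
    for name, plan in (("original", ORIGINAL), ("option B", OPTION_B)):
        issues = check_plan(**plan)
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

The checker only confirms that the addressing can route; it says nothing about the NAT and publishing rules on the firewall, which the post notes may still need reconfiguring.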
Ahh, that will be a little more work (only because of some of the schools picky software), but it's something that needs to be done.
Thanks for the much needed info, I didn't know that the masks needed to be unique from each other on each side for this to work. I'll give it a crack again next weekend and will post with problems then.
Thanks again for the info!
Christ, I've been wondering about our setup as well.
We have an ISA server but it doesn't seem to be working correctly. I add sites to block and half the time it doesn't work.
I've put this down to being in the wrong place physically and because of the ip settings.
We had teksys set it all up years ago but since then things have moved around the office.
Does it really have to be on a different subnet? I'm certain it hasn't been when it was working?