Windows Thread: Only Domain users access to internet? (Technical forum, page 1 of 2)
  1. #1 jmair

    Only Domain users access to internet?

    I know this question is also suspect to my topology. But I'll ask in case there is a general broad solution for this common problem.

    Is there a simple method of only allowing windows authenticated users onto the network?

  2. #2 FN-GM
    Do you have ISA Server?

    Z

  3. #3
    802.1x?

  4. #4 Michael
    I don't understand what the question is! If you have a network domain, users logon so they authenticate and are allowed access. This would make them valid Domain Users, so they can access the internet?

    Apologies if I have misunderstood.

  5. #5 localzuk
    Can you clarify, do you mean:

    Restrict access to the network?
    Restrict access to the domain resources?
    Restrict access to the internet?

    If the first, then you would want some form of 802.1x system.
    If the second, this should be handled via NTFS permissions on any resources.
    If the third, this can be handled by having an authenticated proxy server. So ISA or SchoolGuardian could do this.

  6. #6 jmair
    Sorry guys for not being clear.

    We have an all wired network, nothing wireless. I have an ISA setup and a group policy that creates a proxy that directs to the ISA to track where the kiddies are going. But, if a student connects to our network (just plugs in) with a laptop, they have direct access to the internet with no filtering etc.

    Between our T1 line and our intranet is a Sonicwall (super basic firewall). I've tried adding the ISA server between the Sonicwall and the Intranet, but all gateway and configs fail that I have tried. So instead of tackling the question this way, I was wondering if there is another way of solving this problem (the problem being, anybody able to connect to our network, unauthenticated and still having internet access.)

  7. #7 elsiegee40
    So what you need to do is stop kids who are plugging their non-school laptops into unused sockets on the network?

  8. #8 FN-GM
    If you set the Default Gateway to the IP address of your ISA server this will force all Internet Traffic through it.

  9. #9 localzuk
    Quote Originally Posted by jmair:
    Sorry guys for not being clear.

    We have an all wired network, nothing wireless. I have an ISA setup and a group policy that creates a proxy that directs to the ISA to track where the kiddies are going. But, if a student connects to our network (just plugs in) with a laptop, they have direct access to the internet with no filtering etc.

    Between our T1 line and our intranet is a Sonicwall (super basic firewall). I've tried adding the ISA server between the Sonicwall and the Intranet, but all gateway and configs fail that I have tried. So instead of tackling the question this way, I was wondering if there is another way of solving this problem (the problem being, anybody able to connect to our network, unauthenticated and still having internet access.)
    You have several options. The first is to block all traffic on port 80 except for that sent by the ISA box.

    The next is to do as FN-GM says, to change the default gateway on the DHCP settings.

    The most secure method is to implement some form of NAC system which only allows authorised machines on the network in the first place. I use an IAS box, managed HP switches and an OU full of authorised MAC addresses to achieve this.

  10. #10 zag
    If you have a router that supports it, you can enable WCCP so that all web requests are transparently sent through your caching system.

    This means that even if a computer is not part of the domain, it still has to pass traffic through your content filtering.

    We also look for DHCP entries for non-authorised computers and crack down on it that way. Usually the kids name their laptops after themselves.

    Oh and as others have mentioned, change the gateway to your filtering system. That way they are forced to use it in the first place, although this is easily circumvented with the right knowledge.
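    Two of the replies above describe an audit rather than a control: localzuk keeps an OU of authorised MAC addresses, and zag checks the DHCP leases for machines that are not the school's and spots them by hostname. The Python below is an added example written for this thread (it is not code from any poster, from ISA or from the Windows DHCP server). The lease lines and the allow-list are constructed, and the ROOM-PC-NN hostname convention is an assumption; a real run would first convert the DHCP server's lease export into the same ip,mac,hostname shape.

```python
import re

# Constructed sample of leases as "ip,mac,hostname". A real DHCP export would be
# converted to this shape first; MAC formats differ, hence the tolerant parser.
SAMPLE_LEASES = """\
# ip,mac,hostname
10.1.1.50,00-1A-4B-11-22-33,LIB-PC-01
10.1.1.51,00:1a:4b:44:55:66,ICT2-PC-07
10.1.1.52,00-1A-4B-77-88-99,JAMES-LAPTOP
10.1.1.53,001A4BAABBCC,ICT2-PC-08
"""

# Constructed allow-list, standing in for an OU of authorised MAC addresses.
AUTHORISED_MACS = {"00:1a:4b:11:22:33", "00:1a:4b:44:55:66", "00:1a:4b:aa:bb:cc"}

# Assumed school naming convention, ROOM-PC-NN. Anything else deserves a look.
SCHOOL_HOST_RE = re.compile(r"^[A-Z0-9]+-PC-\d{2}$")


def normalise_mac(mac: str) -> str:
    """Accept 00-1A-..., 00:1a:... or bare hex and return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text: str) -> list:
    """Turn the CSV-style lease text into dicts with normalised MAC addresses."""
    leases = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, host = (field.strip() for field in line.split(",", 2))
        leases.append({"ip": ip, "mac": normalise_mac(mac), "host": host})
    return leases


def audit_leases(leases: list, authorised: set) -> list:
    """Return (ip, mac, host, reasons) for each lease that looks like a non-school device."""
    findings = []
    for lease in leases:
        reasons = []
        if lease["mac"] not in authorised:
            reasons.append("MAC not in authorised list")
        if not SCHOOL_HOST_RE.match(lease["host"]):
            reasons.append("hostname outside naming convention")
        if reasons:
            findings.append((lease["ip"], lease["mac"], lease["host"], reasons))
    return findings


if __name__ == "__main__":
    for ip, mac, host, reasons in audit_leases(parse_leases(SAMPLE_LEASES), AUTHORISED_MACS):
        print(f"{ip}  {mac}  {host}: {'; '.join(reasons)}")
```

    Against the constructed data this reports only 10.1.1.52 (unknown MAC, hostname JAMES-LAPTOP). The same caveat zag gives for the gateway trick applies here: a MAC or hostname identifies a box, it does not authenticate it, so this is a way to notice strays, while 802.1x or the NAC setup localzuk describes is what actually keeps them off the wire.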

  11. #11 jmair
    Ok, I've been trying to tackle this problem on the weekends, but am running into a snag. I'll try and be as detailed as I can, and if anybody could give a hand, that would be great!

    I would like to set up my ISA 2006 server between the firewall and the domain. This will force all network users to join the domain to have the proper proxy settings put in place to have access to the internet.

    This is how I see it should work. I'll start from the outside and work my way in.

    Firewall: 10.1.1.254. This has been our gateway and the LAN port on the firewall has been directly connected to our internal switch.

    ISA server. With two NIC cards, I would like to utilize both cards. I have named them Internal (10.1.1.10) and External (10.1.1.11). When the user accesses the network, it uses the Internal 10.1.1.10 and passes the internet request through 10.1.1.11 (with a gateway set to 10.1.1.254) that is directly plugged into the Firewall.

    The User. The user attains the gateway and proxy setting via group policy. Without it, a non-authenticated domain user will not have direct and easy access to the internet.

    To me, it seems as though it should work fine. But I must be missing something. The firewall doesn't have anything "special", just a few NATs going to our network, but that should be resolved through the ISA automatically because it's on the same domain I would think. I'm at a loss and I'm open to any suggestions on where I may be goofing up. I need to get this thing going and want my weekends back =)

  12. #12 SYNACK
    What are your subnet masks like? It looks like both of your ISA interfaces are in the same IP subnet. This would stop it from working as it cannot route to the same subnet.

  13. #13 SYNACK
    You will want to have a separate subnet on each side of the ISA box. I would recommend leaving the internal stations as they are on the 10.1.1.x subnet and using something like 192.168.0.x between your firewall and ISA box. Unless the 10.1.1.x network is a requirement of your LEA or something.

    Even then you should be able to use ISA to NAT the internal IP addresses to something usable on the LEA network.

    Internal Network 10.1.1.x mask 255.255.255.0 > ISA {int 10.10.1.10 - ext 192.168.0.1} > Firewall {int 192.168.0.2 - ext stays the same} > Web

    Client Default gateway 10.10.1.10
    ISA internal Default gateway none
    ISA external Default gateway 192.168.0.2

    In this config you may need to reconfigure routing on the firewall; it also assumes that your internal subnet mask is 255.255.255.0.

    The other option which would leave the firewall config alone would be to change the internal network:

    Internal Network 172.16.x.x mask 255.255.0.0 > ISA {int 172.16.0.10 - ext 10.1.1.11} > Firewall {int 10.1.1.254 - ext stays the same} > Web

    Client Default gateway 172.16.0.10
    ISA internal Default gateway none
    ISA external Default gateway 10.1.1.254

    Here you get more internal IP addresses, but you would need to alter DHCP and DNS as well as any servers and devices with fixed IPs to the new range.
    Last edited by SYNACK; 16th March 2008 at 05:03 PM.
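    To make SYNACK's subnet point concrete, here is a small Python checker added to this thread (it is not from any of the posts above, nor anything ISA ships). It takes the addresses quoted in posts #11 and #13 and reports the routing mistakes a two-NIC proxy layout can have: the original design with both ISA NICs in 10.1.1.0/24, and option 1 exactly as posted, where the ISA internal address reads 10.10.1.10 even though the clients are said to stay on 10.1.1.x, so neither the NIC nor the client gateway is on the client subnet. The Layout class, check_layout and the constant names are this example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Layout:
    name: str
    client_net: str         # subnet the workstations sit in, e.g. "10.1.1.0/24"
    client_gateway: str     # default gateway handed to clients by DHCP
    proxy_internal: str     # proxy NIC facing the clients, with prefix length
    proxy_external: str     # proxy NIC facing the firewall, with prefix length
    proxy_ext_gateway: str  # default gateway set on the proxy's external NIC
    firewall_internal: str  # firewall LAN-side address


def check_layout(layout: Layout) -> list:
    """Return the routing problems found; an empty list means the layout is sound."""
    problems = []
    client_net = ipaddress.ip_network(layout.client_net)
    client_gw = ipaddress.ip_address(layout.client_gateway)
    internal = ipaddress.ip_interface(layout.proxy_internal)
    external = ipaddress.ip_interface(layout.proxy_external)
    ext_gw = ipaddress.ip_address(layout.proxy_ext_gateway)
    fw_int = ipaddress.ip_address(layout.firewall_internal)

    # Post #12's point: a host cannot route between two NICs on the same subnet.
    if internal.network == external.network:
        problems.append(f"proxy NICs {internal.ip} and {external.ip} share subnet {internal.network}")
    # The internal NIC must be on the client subnet and the clients must point at it.
    if internal.ip not in client_net:
        problems.append(f"proxy internal {internal.ip} is not in client subnet {client_net}")
    if client_gw not in client_net:
        problems.append(f"client gateway {client_gw} is not in client subnet {client_net}")
    elif client_gw != internal.ip:
        problems.append(f"client gateway {client_gw} is not the proxy internal address {internal.ip}")
    # The external NIC's gateway must be on its own link and be the firewall's LAN address.
    if ext_gw not in external.network:
        problems.append(f"external gateway {ext_gw} is not on the external link {external.network}")
    elif ext_gw != fw_int:
        problems.append(f"external gateway {ext_gw} is not the firewall LAN address {fw_int}")
    return problems


# Addresses as given in the thread. Post #11: both ISA NICs in 10.1.1.0/24.
JMAIR_ORIGINAL = Layout("jmair, post #11", "10.1.1.0/24", "10.1.1.10",
                        "10.1.1.10/24", "10.1.1.11/24", "10.1.1.254", "10.1.1.254")
# Post #13 option 1 exactly as posted: the internal address there reads 10.10.1.10.
SYNACK_OPTION_1_AS_POSTED = Layout("SYNACK option 1 as posted", "10.1.1.0/24", "10.10.1.10",
                                   "10.10.1.10/24", "192.168.0.1/24", "192.168.0.2", "192.168.0.2")
# The same option with the internal address on the 10.1.1.x subnet the clients keep.
SYNACK_OPTION_1_ON_10_1_1 = Layout("SYNACK option 1 on 10.1.1.x", "10.1.1.0/24", "10.1.1.10",
                                   "10.1.1.10/24", "192.168.0.1/24", "192.168.0.2", "192.168.0.2")
# Post #13 option 2: renumber the inside to 172.16.x.x and leave the firewall alone.
SYNACK_OPTION_2 = Layout("SYNACK option 2", "172.16.0.0/16", "172.16.0.10",
                         "172.16.0.10/16", "10.1.1.11/24", "10.1.1.254", "10.1.1.254")

if __name__ == "__main__":
    for layout in (JMAIR_ORIGINAL, SYNACK_OPTION_1_AS_POSTED,
                   SYNACK_OPTION_1_ON_10_1_1, SYNACK_OPTION_2):
        problems = check_layout(layout)
        print(f"{layout.name}: {'OK' if not problems else 'problems'}")
        for problem in problems:
            print("  -", problem)
```

    Run as a script it flags the #11 design for the shared subnet, flags option 1 as posted twice (internal NIC and client gateway both off the 10.1.1.0/24 client subnet), and passes option 1 with 10.1.1.10 as the internal address as well as option 2. Worth running against any proposed renumbering before a weekend is spent on it.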

  14. #14 jmair
    Quote Originally Posted by SYNACK:
    You will want to have a separate subnet on each side of the ISA box. I would recommend leaving the internal stations as they are on the 10.1.1.x subnet and using something like 192.168.0.x between your firewall and ISA box. Unless the 10.1.1.x network is a requirement of your LEA or something.

    Even then you should be able to use ISA to NAT the internal IP addresses to something usable on the LEA network.

    Internal Network 10.1.1.x mask 255.255.255.0 > ISA {int 10.10.1.10 - ext 192.168.0.1} > Firewall {int 192.168.0.2 - ext stays the same} > Web

    Client Default gateway 10.10.1.10
    ISA internal Default gateway none
    ISA external Default gateway 192.168.0.2

    In this config you may need to reconfigure routing on the firewall; it also assumes that your internal subnet mask is 255.255.255.0.

    The other option which would leave the firewall config alone would be to change the internal network:

    Internal Network 172.16.x.x mask 255.255.0.0 > ISA {int 172.16.0.10 - ext 10.1.1.11} > Firewall {int 10.1.1.254 - ext stays the same} > Web

    Client Default gateway 172.16.0.10
    ISA internal Default gateway none
    ISA external Default gateway 10.1.1.254

    Here you get more internal IP addresses, but you would need to alter DHCP and DNS as well as any servers and devices with fixed IPs to the new range.
    Ahh, that will be a little more work (only because of some of the school's picky software), but it's something that needs to be done.
    Thanks for the much needed info, I didn't know that the masks needed to be unique from each other on each side for this to work. I'll give it a crack again next weekend and will post with problems then.

    Thanks again for the info!

  15. #15
    Christ, I've been wondering about our setup as well.

    We have an ISA server but it doesn't seem to be working correctly. I add sites to block and half the time it doesn't work.

    I've put this down to being in the wrong place physically and because of the ip settings.

    We had teksys set it all up years ago but since then things have moved around the office.

    Does it really have to be on a different subnet? I'm certain it hasn't been when it was working?
