Hi,
We've got a public IP on our router but stopped using it when the kids discovered they could plug in a network cable, not use a proxy and get straight out to internet.
Is there a way to force use of a proxy server (at isp). We don't have ISA. Need to enable public IP for remote access.
Thanks
Last edited by karldenton; 15th June 2009 at 04:15 PM.
Would have to be some sort of firewall rule. Block all/most IPs from any outbound traffic except <proxy port> to <proxy IP>
Force it in Group Policy and Turn access to internet options off. suppose they could still use USB firefox then though
I assume that the kids are using there own equipment. If not and it is a windows domain use GPO in AD to enforce your security policies. I would stop their equipment by using reserved IP address on the equipment you know about so they can't get an ip from DHCP.
Yeah the machines are there own laptops
The best solution short of NAC would be a firewall that has has a rule that redirects all port 80/443 traffic to a transparent proxy. This is set to allow things like Java/Quicktime/Windows Updates through without authentication but stomp on anything else. On the block page you could put info on how to setup personal machines for the school proxy.
Last edited by Geoff; 16th June 2009 at 03:39 PM.
Buy ISA and install it. It's relatively cheap for schools and, if you're letting users use their own laptops, it will also save your internal network from endless harm by restricting access to whichever parts you choose.
You need some form of firewall device to act as your router. Something like Smoothwall Express or IPCop will do this job, and allow you to enable transparent proxying also.
Anymore ideas on this ??
Got vpn working fine over the holidays. Just need to stop pupils connecting their own equipment and connecting without a proxy.
Tried setting a rule on the firewall to block all traffic except those going to Redstone IP addresses - works fine for a while then something must change at Redstone and you've got to turn the setting off
Could I put the router on a different IP Range? That would stop them getting out but then need to route traffic to the new IP?
You could put 2 network cards in a box with smoothwall express on it one card will have the external(public) address and create a new internal ip range. smoothwal can sort the routes out for you. or you can do the same with isa etc... depends on how much you want to spend!
I'd rather not spend anything if possible !. Our ISP do the filtering, router does the firewall rules and VPN. Just need to stop the students connecting outwards.
Changes in DHCP?
Smoothwall express is the free version.
the way i explained doesn't allow acces without going through an internal proxy first. like chrish said smoothwall express is the free version. but there are paid for alternative like isa which in essence would do the same job. you'd change your internal dhcp addressing to a different range so the kids have no chance of getting out on the internet with out the proxy settings inserted.
Yeah we've got the smoothwall school guardian on trial at the moment.
Sorry for sounding dumb but:
Our internal network at the moment is 192.168.42.*
So install Express.
Keep internal network the same but change router to a different range eg 192.168.1.1
Get smoothwall to do the routes. Can you set an upstream proxy in smoothwall so its filtered by our isp too?
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks