
Internet access for internal users

Status
Not open for further replies.

iLinkTech

IS-IT--Management
Nov 28, 2003
133
DE
Hi all,

OK - W2K domain, 30 seats, one W2K Advanced Server (SP4). Internet access via T1, non-MSOFT firewall product (Watchguard). I need to ensure that only users who are authenticated via Active Directory can access the Internet. I don't want any user simply bringing in a laptop and accessing the Internet without being first logged onto the network (upper management security concerns).

The Watchguard firewall includes a user authentication method but its very clumsy and does not interact at all with AD (you have to log into the firewall and then keep the login screen open while accessing the Internet - not acceptable).

Does anyone know of a product or technique (ideally based on existing W2K software) that can do this seamlessly? It could be a different hardware firewall (please no software fw or ISA server), some type of authentication server (I was thinking about IAS, but can't find any docs on how to use it internally), or anything else that would do this.

Again, I'm looking for a solution that will only allow users who are logged onto the domain access to the Internet.

Thanks :)
 
How about DHCP? Set a group policy for the people who are supposed to have Internet access that gives them the rights to use the DHCP server, then assign them access to a DHCP address. If any user tries to get by this process, they simply won't get on, even the internal network.

mario
 
Thanks for your quick reply - can you provide more information on your idea? My understanding of DHCP is that, as it's a pre-logon service (broadcasts, etc.), you couldn't apply a policy. Also, how would you prevent a user from simply entering a static IP on their standalone computer and bypassing the policy?

One thought that I had revolved around sending bogus information from the DHCP server (bad default gateway perhaps) and modifying this information after a user had successfully logged on (use a ROUTE command in the logon script) but I'm not sure how effective that would be either.

If you could provide some details, I'd appreciate it.


Thanks
 
How about a proxy server? I believe you can set up the proxy server to use NT authentication of the workstation for access.
 
Thanks for the great suggestions so far - I'm really trying to avoid ISA or an additional proxy server if possible (though that may be the only way to do this). I know that IAS/RADIUS is designed to work for remote users - any idea how it could be used for this scenario?

I may be simply asking the platform to do too much, but what I would like to see sorta flows like this:

1. User attempts to access Internet from LAN.

2. User's credentials (I believe that they are stored in the environment variables, i.e. %username%, %computername%, etc.) are checked against AD for authenticity and for account status (logged on, off, locked out, etc.).

3. If logged on via AD, Internet access is allowed, otherwise display a failure notice (or do nothing when trying to load a web page).

If it can't be done this way, could it be done using digital certificates? Each domain computer would have a certificate; the firewall would only allow communication with the outside world when the correct certificate was present.

At this point, I think that I might be making stuff up, but I need to find a solution that fits our environment. Thanks again for the assistance, please keep the ideas coming :)
 
From what I can remember when I was working at the bank, I had to give the MAC address of the new PC so that it could access the network, I believe because of LAN switch security or because they were on a VLAN. So maybe you can use this LAN switch security feature to control unknown laptops connecting to your network.
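The thread raises two checks an administrator would want before relying on either the DHCP-based idea or MAC-based switch security: which hosts on the LAN are using an address that did not come from the DHCP server (the static-IP bypass the original poster worries about), and which hosts carry a MAC address that is not on the approved list of domain machines. The script below is an added example, not code from this thread or from any product mentioned in it; it parses a constructed DHCP lease export and a constructed `arp -a` style table from the gateway and reports any host failing either check. The lease-file layout and the approved-MAC list are assumptions for the example.

```python
"""Audit the LAN for hosts that did not get their address from DHCP, or whose
MAC address is not on the approved list. All inputs below are constructed
sample data; in practice they would be the DHCP server's lease export and the
ARP table captured on the router or firewall's internal interface."""
import re

# Constructed sample: DHCP lease export, one lease per line: ip mac hostname
DHCP_LEASES = """\
192.168.10.21 00-0c-29-11-22-33 ws-finance01
192.168.10.22 00-0c-29-44-55-66 ws-finance02
192.168.10.23 00-0c-29-77-88-99 ws-sales01
"""

# Constructed sample: MACs of known domain-joined machines (assumed list)
APPROVED_MACS = {
    "00-0c-29-11-22-33", "00-0c-29-44-55-66",
    "00-0c-29-77-88-99", "00-0c-29-aa-bb-cc",
}

# Constructed sample: `arp -a` style output as seen from the default gateway
ARP_TABLE = """\
Interface: 192.168.10.1 --- 0x2
  Internet Address      Physical Address      Type
  192.168.10.21         00-0c-29-11-22-33     dynamic
  192.168.10.22         00-0c-29-44-55-66     dynamic
  192.168.10.23         00-0c-29-77-88-99     dynamic
  192.168.10.200        00-11-22-33-44-55     dynamic
  192.168.10.201        00-0c-29-aa-bb-cc     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Matches "ip  mac  type" rows; header and interface lines do not match
ARP_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_leases(text):
    """Return {ip: mac} from the lease export, ignoring malformed lines."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            leases[parts[0]] = parts[1].lower()
    return leases


def parse_arp(text):
    """Return {ip: mac} for unicast hosts in the ARP table."""
    hosts = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue
        ip, mac, _ = m.groups()
        mac = mac.lower()
        # Skip IPv4 multicast and broadcast entries; they are not hosts
        if mac.startswith("01-00-5e") or mac == "ff-ff-ff-ff-ff-ff":
            continue
        hosts[ip] = mac
    return hosts


def audit(arp_text, lease_text, approved_macs):
    """Return [(ip, mac, [reasons])] for every host failing a check."""
    leases = parse_leases(lease_text)
    approved = {m.lower() for m in approved_macs}
    findings = []
    for ip, mac in parse_arp(arp_text).items():
        reasons = []
        if ip not in leases:
            reasons.append("no DHCP lease (static address?)")
        elif leases[ip] != mac:
            reasons.append(f"lease for this IP belongs to {leases[ip]}")
        if mac not in approved:
            reasons.append("MAC not on approved list")
        if reasons:
            findings.append((ip, mac, reasons))
    return findings


if __name__ == "__main__":
    for ip, mac, reasons in audit(ARP_TABLE, DHCP_LEASES, APPROVED_MACS):
        print(f"{ip:16} {mac}  {'; '.join(reasons)}")
```

On the sample data the report lists 192.168.10.200 (no lease and unknown MAC, i.e. the unmanaged laptop with a hand-typed address) and 192.168.10.201 (an approved machine that nevertheless bypassed DHCP). The point the thread makes still stands: this detects the bypass after the fact, it does not prevent it, and a MAC list only keeps out machines whose owner has not copied an approved address, so it belongs alongside switch port security or proxy authentication rather than in place of them.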

 