Limit Internet Access to domain users only

MD5150

Programmer
Aug 25, 2004
101
US

Currently, any computer plugged in to our network gets access to the internet. And sometimes this is useful, like when someone brings in a machine from home that needs fixing and we need to download drivers or whatever. On the other hand, I have manufacturing operators on the graveyard shift that can bring in their own laptops, plug into a desktop switch, and surf the web freely, which we don't allow them to do as they really do need to concentrate on their work.

So is it possible to limit internet access to only those computers on our domain, and if we want a non-domain machine to access the internet, we can do a quick procedure of some sort for allowing it to connect?

We already have a guest wireless in place, but this is more for desktops without wireless, and for preventing access at the desktop switch level.

We've talked about building a box for the switch, but I'd rather fix the problem using network permissions or GP or something.

Any suggestions on the best way to do this?

Thanks,

Mike

 
My first inclination is to say that you'll have to have a proxy/filter appliance involved in that flow as well. My appliance is Active Directory aware, so being a member of a specific group grants or denies (and at different levels) access out to the Internet.

Authentication could also be done at the switch level (if you have a switch that can do that) to where if they do not authenticate correctly, then that port is disabled, or they get put into a non-routable VLAN that cannot access the Internet, or something like that.

Doing it via AD permission/policy only would involve, and I'm guessing, some way to strip the IP configuration off of the machine if not properly authenticated... don't know if that could be done or not... never thought to try.

 
You didn't mention how your infrastructure is laid out, but some can provide access based on RADIUS (IAS) authentication. We use it for VPN access. RADIUS requires the user be a member of a specific group.

It might be something to look at.

Other solutions, like Websense, can grant access to specific users and groups, and even provide granularity as to what each user/group can access.

Pat Richard
Microsoft Exchange MVP
Contributing author Microsoft Exchange Server 2007: The Complete Reference
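
The two replies above describe switch-level authentication backed by a RADIUS group check. The following is an added example, not code from any poster in this thread, that models both sides of that exchange: the RADIUS decision and what the switch does with the port. The directory, group name, secrets and VLAN ids are constructed, and the secret comparison stands in for the EAP exchange a real 802.1X deployment would use.

```python
import hmac

# RFC 3580 attributes a RADIUS server returns to assign a VLAN to an 802.1X port.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

INTERNET_VLAN = "10"                 # assumed id: VLAN routed to the firewall
ALLOWED_GROUP = "Internet-Allowed"   # hypothetical AD group

# Constructed stand-in for the directory the RADIUS server would query.
DIRECTORY = {
    "host/PC-ENG-01": {"secret": "constructed-a", "groups": {ALLOWED_GROUP}},
    "host/PC-MFG-07": {"secret": "constructed-b", "groups": {"Domain Computers"}},
}

def radius_decide(identity, secret):
    """Server side: authenticate first, then require group membership."""
    entry = DIRECTORY.get(identity)
    # Unknown identities are compared against a dummy value, then rejected anyway.
    expected = entry["secret"] if entry else "\0"
    matches = hmac.compare_digest(secret.encode(), expected.encode())
    if entry is None or not matches:
        return {"code": "Access-Reject", "reason": "authentication failed"}
    if ALLOWED_GROUP not in entry["groups"]:
        return {"code": "Access-Reject", "reason": "not in " + ALLOWED_GROUP}
    return {
        "code": "Access-Accept",
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": INTERNET_VLAN,
    }

def switch_port_state(reply, auth_fail_vlan=None):
    """Switch side: on reject, disable the port or park it in a non-routable VLAN."""
    if reply["code"] == "Access-Accept":
        return "vlan " + reply["Tunnel-Private-Group-ID"]
    return "vlan " + auth_fail_vlan if auth_fail_vlan else "disabled"

if __name__ == "__main__":
    attempts = [
        ("host/PC-ENG-01", "constructed-a"),   # domain machine in the group
        ("host/PC-MFG-07", "constructed-b"),   # domain machine, not in the group
        ("host/HOME-LAPTOP", "anything"),      # device unknown to the directory
    ]
    for identity, secret in attempts:
        reply = radius_decide(identity, secret)
        print(identity, reply["code"], switch_port_state(reply, auth_fail_vlan="99"))
```
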
 

We're running Win2003 Server with 2 basic 24-port Linksys switches in the rack and with a basic Linksys firewall.

Thanks for the suggestions. I think I understand what has to be done now. A tool that taps into the AD groups sounds like the way to go. I'll have to see what is available within our price range.

Thanks for the tips.

Mike
 
It's not cheap, but you could look at MS ISA 2004; you can then create groups which are allowed to web browse or not web browse. There are many more things you can do, e.g. allow access to particular sites and block access too...
 