Outbound Internet control

ed

Hi all,

OK - W2K domain, 30 seats, one W2K Advanced Server (SP4).
Internet access via T1, non-MSOFT firewall product
(Watchguard). I need to ensure that only users who are
authenticated via Active Directory can access the
Internet. I don't want any user simply bringing in a
laptop and accessing the Internet without being first
logged onto the network (upper management security
concerns).

The Watchguard firewall includes a user authentication
method but its very clumsy and does not interact at all
with AD (you have to log into the firewall and then keep
the login screen open while accessing the Internet - not
acceptable).

Does anyone know of a product or technique (ideally based
on existing W2K software) that can do this seamlessly? It
could be a different hardware firewall (please no software
fw or ISA server), some type of authentication server (I
was thinking about IAS, but can't find any docs on how to
use it internally), or anything else that would do this.

Again, I'm looking for a solution that will only allow
users who are logged onto the domain access to the
Internet.

Thanks :)
 
If you've got an MS AD network then no one can log into the network to get
Internet access, right? I mean they are not a part of the domain to
authenticate them...
Mike D
 
That is difficult to do, since internet access basically just needs the
default gateway configured in TCP/IP properties. Since you have thirty
computers, you could give them static IP addresses or create reservations for
them in the DHCP scope with no spare addresses, and then configure your
firewall to allow outbound access to just those IP addresses. That still may
not stop someone from manually configuring their own computer with an
allowed address, which may or may not work depending on whether the other IP
address is online. Switches using MAC filtering or 802.1x authentication would
work, but that would not be cheap. I would also consider talking to upper
management about implementing a signed user policy prohibiting what you want
to stop, with defined consequences. You will be amazed at how fast that
activity drops off after someone gets a three day suspension. --- Steve
 
Might also want to look into putting ISA or another proxy server into the
mix.
 
That would work, but he said he was not interested in ISA server [so I did
not bring it up]. --- Steve

"Lanwench [MVP - Exchange]"
 
Thanks, that's the conclusion that I came to also - I'll
try to tackle it from another angle - wish there was a way
to make it work like the W2003 802.1x policies for
wireless :(

- Ed
 
Someday I will learn how to read!!! :-)
 
That's OK Mom. I always appreciate your advice : ) . --- Steve


 
Steven said:
That's OK Mom. I always appreciate your advice : ) . --- Steve

No problem - here's a fresh Tollhouse cookie for you. :-)
 