Solved

Restricting Intranet/Internet Access w/ MS Proxy 2.0

Posted on 1998-07-02
14
780 Views
Last Modified: 2013-12-19
We are implementing a Microsoft Proxy 2.0 array on our network as the Web Proxy Solution.

Quick Background:
Our policy for internet/intranet access is that everyone can have intranet access, but only authorised people can use the internet.
All our workstations are Windows NT 4 workstation, and our only browser is IE 4.01.
All users must use a Proxy Server, because they are spread across 18 sites connected via WAN links, each with a proxy server, which is in a Microsoft Proxy Array.

With Microsoft Proxy 2.0 Permissions enabled on the Web Proxy, the levels of access are only Full (i.e. Intranet AND internet) or None (as in No Access :).

This isn't a solution for us.

I must be able to allow all users to use the proxy server, but allow only members of a specific group, 'Internet Users', access to the Internet.

I don't want to use any system which controls access based on IP address.

If a user gets authorisation to use the Internet, I put them in the Group, and they login again and have Internet Access, on whatever machine they use in the whole network.

I have tried enforcing IE 4.01 restrictions which will stop users not in the 'Internet Users' group accessing the IE zone 'Internet Zone', but with the IEAK you cannot totally disable access to a zone, just disable most 'Active' components of that zone.

Can anyone help?

Hope the question isn't too complex, if so, please ask for a clarification.
Question by:thomasda
14 Comments
 
LVL 1

Author Comment

by:thomasda
ID: 1566525
Adjusted points to 210
0
 
LVL 37

Expert Comment

by:bbao
ID: 1566526
I had this question, but I have already solved it with a good idea. :-)

Just create a new local group named Internet Visitors, and have it include all the global groups and individual users that are allowed to access the net; then, from Proxy Manager, grant access rights to this group only. The disadvantage is that I cannot set a No Access right. It looks like that is not supported in Proxy Manager.

For more info please refer to my PAQ at:
www.experts-exchange.com/Q.10040238
0
 
LVL 1

Author Comment

by:thomasda
ID: 1566527
Thanks, but this is what I am already doing.
I need to let all users use the Proxy Server, but only allow some to go to the internet.
I need this, because at most sites the intranet server is over a slow 64k link, therefore they need to use their local Microsoft Proxy server (a member of an array) to access the intranet, but I don't want them to use that same array to access the internet.

I think the answer needs to be more lateral.  Is there some other add-on, third-party product, anything, that can let me do this, so long as it uses NT permissions _without_ prompting the user for a userID and password?

I will keep increasing the points on this, as I earn them, till it can be solved!
0
 
LVL 37

Expert Comment

by:bbao
ID: 1566528
If so, it can be solved by two proxy servers. The two servers act in an array or cascade structure. One of them is intended to cache the intranet and has no access control on it; the other is for Internet access and performs access control, so that only a specified local or global domain group can visit the Internet.
0
 
LVL 1

Author Comment

by:thomasda
ID: 1566529
I will try this.  I don't think it will work.
If the user Bob is in the Internet Users group, and he makes a request to connect to a resource on the Internet, I don't think the proxy server he is connected to (with no permission control enabled) will transfer the user's name to its upstream proxy (the one with permission control enabled).
The second proxy server (with permission control) only will be receiving the request from the first proxy server, not the user Bob.
User rights are not 'transitive', i.e. they don't flow with the request as the request is passed through multiple proxy servers, I am pretty sure.
I will test this though.
0
 
LVL 37

Expert Comment

by:bbao
ID: 1566530
Yes, user rights cannot be transitive, but in this case there is no such "transitive": the first proxy server just forwards the original request to its upstream or secondary proxy server within an array, and the second proxy server picks up the request and verifies the user's SID to determine if the user can get through its gateway.

Anyway, please have a try, that is the real answer. :-)
0
 
LVL 1

Author Comment

by:thomasda
ID: 1566531
It doesn't work, bbao...

I set up this...

IE-->PROXY2-->PROXY1-->Internet

IE - Internet Explorer 4.01, on NT 4
PROXY2 - MSProxy 2.0 with all Access Control Disabled
PROXY1 - MSProxy 2.0 only allowing members of "Internet Users" to the WWW Proxy Service

When setting up the Upstream Routing Web Proxy (This is configuring PROXY2 to use PROXY1 as an upstream proxy)...

If I say, Do NOT use credentials to communicate with upstream proxy/array, I get this error (from PROXY2)...
Proxy Reports:
12201 A chained proxy server or array member requires proxy-to-proxy authentication. Please contact your server administrator.  (I think this is coming from PROXY1, but could be PROXY2)

When I say YES use credentials, and put in a non-existent userid/password, I get this error (I tried %username% as a userID on a wild try)...
Proxy Reports:
1326 Logon failure: unknown user name or bad password.  (I am 100% sure this error is coming from PROXY1)

When I say YES use credentials, and put in domain\userid of someone who is in the "Internet Users" group, (the UserID I entered was Administrator, not myself) it works.

But in the Verbose log of my second Proxy Server (PROXY1) I get all access logged against Administrator.  It doesn't have my userID in it.  So ANYONE on PROXY2 can now access the internet.

It doesn't work.

I did see a very interesting line coming through in PROXY1's log file. It is this...
-, -, -, N, 7/17/98, 17:10:56, W3Proxy, PROXY1, -, -, -, -, -, -, -, -, tcp, -, http://ms_proxy_auth_query/, -, -, 0, 0

This looks very interesting.. PROXY1 has Access control enabled, this line came from that proxy server.

This only appeared when I told PROXY2 to use PROXY1 as an upstream proxy.

It looks like an undocumented Microsoft Feature that I think I would be extremely interested in.

Can ANYONE help me some more please?

Come on, you MCSE+Internets... let's see you earn that +Internet! :)
0
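The log line quoted in the comment above is where the loss of attribution shows up: once PROXY2 authenticates to PROXY1 with a fixed account, PROXY1's verbose log records every upstream request under that one account, so the log can no longer tell who actually browsed. The following is an added example, not code from the thread or from Microsoft: a small Python audit that parses W3Proxy-style comma-delimited verbose log lines, flags any proxy whose authenticated traffic is all attributed to a single account, and counts the ms_proxy_auth_query probe lines. The field positions are my recollection of the MS Proxy 2.0 verbose log layout and the sample lines (other than the first, copied from the comment) are constructed; both are assumptions to check against your own logs.

```python
"""Audit MS Proxy 2.0 style W3Proxy log lines for collapsed user attribution.

Added example; not part of the original thread.  The 23-column field order
below is assumed from the MS Proxy 2.0 verbose log layout; verify it against
the header of your own log before relying on the positions.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Assumed field order for the verbose W3Proxy log (assumption, see docstring).
FIELDS = [
    "client_ip", "client_user", "client_agent", "authenticated",
    "date", "time", "service", "proxy_name", "referring_server",
    "dest_host", "dest_ip", "dest_port", "processing_ms",
    "bytes_sent", "bytes_recvd", "protocol", "transport",
    "operation", "uri", "mime_type", "object_source",
    "result_code", "cache_info",
]

# URI the thread saw on PROXY1 once chaining with credentials was enabled.
AUTH_QUERY_URI = "http://ms_proxy_auth_query/"

# Constructed sample.  Line 1 mirrors the line quoted in the thread.  PROXY1
# lines show the failure mode: every request carries the fixed chaining
# account.  PROXY0 is a constructed healthy proxy with per-user attribution.
SAMPLE_LOG = """\
-, -, -, N, 7/17/98, 17:10:56, W3Proxy, PROXY1, -, -, -, -, -, -, -, -, tcp, -, http://ms_proxy_auth_query/, -, -, 0, 0
10.1.2.3, DOMAIN\\Administrator, Mozilla/4.0, Y, 7/17/98, 17:11:02, W3Proxy, PROXY1, -, www.example.com, 192.0.2.10, 80, 120, 310, 4820, http, tcp, GET, http://www.example.com/, text/html, Inet, 200, 0
10.1.2.3, DOMAIN\\Administrator, Mozilla/4.0, Y, 7/17/98, 17:11:09, W3Proxy, PROXY1, -, www.example.org, 192.0.2.11, 80, 95, 290, 1510, http, tcp, GET, http://www.example.org/news, text/html, Inet, 200, 0
10.1.2.3, DOMAIN\\Administrator, Mozilla/4.0, Y, 7/17/98, 17:11:15, W3Proxy, PROXY1, -, www.example.net, 192.0.2.12, 80, 80, 300, 2200, http, tcp, GET, http://www.example.net/, text/html, Inet, 200, 0
10.1.5.7, DOMAIN\\bob, Mozilla/4.0, Y, 7/17/98, 17:12:01, W3Proxy, PROXY0, -, www.example.com, 192.0.2.10, 80, 110, 305, 4800, http, tcp, GET, http://www.example.com/, text/html, Inet, 200, 0
10.1.5.9, DOMAIN\\alice, Mozilla/4.0, Y, 7/17/98, 17:12:30, W3Proxy, PROXY0, -, www.example.org, 192.0.2.11, 80, 90, 288, 1500, http, tcp, GET, http://www.example.org/, text/html, Inet, 200, 0
"""


def parse_w3proxy(text):
    """Parse comma-delimited W3Proxy lines into dicts keyed by FIELDS."""
    reader = csv.reader(StringIO(text), skipinitialspace=True)
    records = []
    for row in reader:
        if len(row) != len(FIELDS):
            continue  # skip headers/truncated lines rather than misalign fields
        records.append(dict(zip(FIELDS, row)))
    return records


def audit_attribution(records):
    """Summarise who the logs say is browsing through each proxy.

    Returns a dict with:
      users_per_proxy: proxy_name -> {client_user: request count} (authenticated only)
      single_identity: proxies where all authenticated traffic maps to one account,
                       i.e. per-user attribution has collapsed
      auth_queries:    number of ms_proxy_auth_query probe lines seen
    """
    users_per_proxy = defaultdict(Counter)
    auth_queries = 0
    for r in records:
        if r["uri"] == AUTH_QUERY_URI:
            auth_queries += 1
            continue
        if r["authenticated"] == "Y":
            users_per_proxy[r["proxy_name"]][r["client_user"]] += 1
    single_identity = sorted(p for p, c in users_per_proxy.items() if len(c) == 1)
    return {
        "users_per_proxy": {p: dict(c) for p, c in users_per_proxy.items()},
        "single_identity": single_identity,
        "auth_queries": auth_queries,
    }


if __name__ == "__main__":
    report = audit_attribution(parse_w3proxy(SAMPLE_LOG))
    for proxy in report["single_identity"]:
        account = next(iter(report["users_per_proxy"][proxy]))
        print(f"{proxy}: all authenticated traffic logged as {account}; "
              "per-user attribution is lost on this hop")
    print(f"proxy-to-proxy auth probe lines seen: {report['auth_queries']}")
```

Run it and PROXY1 is reported as attributing everything to the chaining account, while PROXY0 passes; in a real deployment, pair this with the downstream proxy's own log, because the user identity the author wanted enforced only exists on the hop that authenticated the browser.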
 
LVL 1

Author Comment

by:thomasda
ID: 1566532
Adjusted points to 280
0
 
LVL 1

Author Comment

by:thomasda
ID: 1566533
There is no answer to this question, as it is just not possible with Microsoft Proxy without a plugin...

I have proven this..

0
 
LVL 1

Author Comment

by:thomasda
ID: 1566534
Can someone let me know how to delete this question?
0
 

Expert Comment

by:zimmy
ID: 1566535
Maybe you could answer it yourself. Be sure to give yourself an 'A'. :)
0
 

Expert Comment

by:taylorc7
ID: 1566536
Assuming that the group allowed Internet access is not required to be monitored by the Proxy Server: configure the 'special' group's browsers to NOT use the Proxy.  They can now surf both Intranet and Internet.  To force everyone else to use the proxy and thus be excluded from the Internet.....

Place an access-list in your router connecting to the internet.  Allow this 'special' group of IP addresses access to www.
Allow the proxy access to www.
Allow the entire class of IPs access to www via/through the proxy.
Deny the entire class of IPs access to www.

Now your Proxy is in charge of who can go to the Internet.
Remember that the group allowed direct access will NOT be monitored by the Proxy.
0
 
LVL 1

Author Comment

by:thomasda
ID: 1566537
All our users MUST use a proxy server, because they are on a remote WAN with only a 64k link to head office.

This is not possible with only MS Proxy.  We have made it work by using the plug-in I-GEAR from www.urlabs.com.

How can I close this problem without giving away my points...

0
 

Accepted Solution

by:khairi (earned 280 total points)
ID: 1566538
Use the Delete option instead of grading the answer.

Do I get my 280
0
