Solved

Restricting Intranet/Internet Access w/ MS Proxy 2.0

Posted on 1998-07-02
738 Views
Last Modified: 2013-12-19
We are implementing a Microsoft Proxy 2.0 array on our network as the Web Proxy Solution.

Quick Background:
Our policy for internet/intranet access is, everyone can have intranet access, but only authorised people can use the internet.
All our workstations are Windows NT 4 workstation, and our only browser is IE 4.01.
All users must use a Proxy Server, because they are spread across 18 sites connected via WAN links, each with a proxy server, which is in a Microsoft Proxy Array.

With Microsoft Proxy 2.0 Permissions enabled on the Web Proxy, the levels of access are only Full (ie. Intranet AND internet) or None (as in No Access :).

This isn't a solution for us.

I must be able to allow all users to use the proxy server, but only members of a specific group 'Internet Users', access to the Internet.

I don't want to use any system which controls access based on IP address.

If a user gets authorisation to use the Internet, I put them in the Group, and they login again and have Internet Access, on whatever machine they use in the whole network.

I have tried enforcing IE 4.01 restrictions which will stop users not in the 'Internet Users' group accessing the IE zone 'Internet Zone', but with IEAK you cannot totally diable access to a zone, just disable most 'Active' components of that zone.

Can anyone help?

Hope the question isn't too complex, if so, please ask for a clarification.
Question by:thomasda
14 Comments
 
LVL 1

Author Comment

by:thomasda
ID: 1566525
Adjusted points to 210
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 1566526
I had this question, but I have already solved it with a good idea. :-)

Just create a new local group named Internet Visitors, which includes all the global groups and individual users that are allowed to access the net; then, from proxy manager, grant access rights to this group only. The disadvantage is I cannot set a No Access right. It looks like it is not supported in proxy manager.

For more info please refer to my PAQ at:
www.experts-exchange.com/Q.10040238
 
LVL 1

Author Comment

by:thomasda
ID: 1566527
Thanks, but this is what I am already doing.
I need to let all users use the Proxy Server, but only allow some to go to the internet.
I need this because, at most sites, the intranet server is over a slow 64k link, therefore they need to use their local Microsoft proxy server (a member of an array) to access the intranet, but I don't want them to use that same array to access the Internet.

I think the answer needs to be more lateral.  Is there some other add-on, 3rd-party product, anything, so long as it uses NT permissions _without_ prompting the user for a user ID and password, that can let me do this?

I will keep increasing the points on this, as I earn them, till it can be solved!
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 1566528
If so, it can be solved by two proxy servers. The two servers act in an array or cascade structure. One of them is aimed at caching the intranet and has no access control on it; the other is for Internet access and performs access control, so it grants only a specified local or global domain group the ability to visit the Internet.
 
LVL 1

Author Comment

by:thomasda
ID: 1566529
I will try this.  I don't think it will work.
If the user Bob is in the Internet Users group, and he makes a request to connect to a resource on the Internet, I don't think the proxy server he is connected to (with no permission control enabled) will transfer the user's name to its upstream proxy (the one with permission control enabled).
The second proxy server (with permission control) will only be receiving the request from the first proxy server, not from the user Bob.
User rights are not 'transitive', i.e. they don't flow with the request as the request is passed through multiple proxy servers, I am pretty sure.
I will test this though.
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 1566530
Yes, user rights cannot be transitive, but in this case there is no such "transitive": the first proxy server just forwards the original request to its upstream or secondary proxy server within an array, and the second proxy server picks up the request and verifies the user's SID to determine if the user can get through its gateway.

Anyway, please have a try, that is the real answer. :-)
 
LVL 1

Author Comment

by:thomasda
ID: 1566531
It doesn't work bbao...

I setup this...

IE-->PROXY2-->PROXY1-->Internet

IE - Internet Explorer 4.01, on NT 4
PROXY2 - MSProxy 2.0 with all Access Control Disabled
PROXY1 - MSProxy 2.0 only allowing members of "Internet Users" to the WWW Proxy Service

When setting up the Upstream Routing Web Proxy (This is configuring PROXY2 to use PROXY1 as an upstream proxy)...

If I say, Do NOT use credentials to communicate with upstream proxy/array, I get this error (from PROXY2)...
Proxy Reports:
12201 A chained proxy server or array member requires proxy-to-proxy authentication. Please contact your server administrator.  (I think this is coming from PROXY1, but could be PROXY2)

When I say YES use credentials, and put in a non-existent userid/password, I get this error (I tried %username% as a userID on a wild try)...
Proxy Reports:
1326 Logon failure: unknown user name or bad password.  (I am 100% sure this error is coming from PROXY1)

When I say YES use credentials, and put in domain\userid of someone who is in the "Internet Users" group, (the UserID I entered was Administrator, not myself) it works.

But in the Verbose log of my second Proxy Server (PROXY1) I get all access logged against Administrator.  It doesn't have my userID in it.  So ANYONE on PROXY2 can now access the internet.

It doesn't work.

I did see some very interesting lines coming through on PROXY1's log file.. it is this...
-, -, -, N, 7/17/98, 17:10:56, W3Proxy, PROXY1, -, -, -, -, -, -, -, -, tcp, -, http://ms_proxy_auth_query/, -, -, 0, 0

This looks very interesting.. PROXY1 has Access control enabled, this line came from that proxy server.

This only appeared when I told PROXY2 to use PROXY1 as an upstream proxy.

It looks like an undocumented Microsoft Feature that I think I would be extremely interested in.

Can ANYONE help me some more please?

Come on, you MCSE +Internets.. let's see you earn that +Internet! :)
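As an added illustration (not code from the thread or from Microsoft), the following Python parses verbose W3Proxy log lines like the one thomasda quotes and shows what PROXY1 can actually attribute once PROXY2 authenticates upstream with a fixed account: the ms_proxy_auth_query probe is visible, but every real request carries the shared account and the downstream proxy's address, so per-user accountability is lost at the upstream hop. The 23 field names are an assumption based on the MS Proxy 2.0 verbose log layout, and the two request lines are constructed samples; only the auth-query line is taken from the post.

```python
# Added example: audit MS Proxy 2.0 verbose W3Proxy log lines for the
# "everything logged as one account" failure described in the thread.
import csv
from collections import Counter

# Assumed names for the 23 comma-separated columns of the verbose format.
FIELDS = [
    "client_ip", "client_user", "client_agent", "client_authenticated",
    "date", "time", "service", "server", "referred_server", "dest_host",
    "dest_ip", "dest_port", "processing_ms", "bytes_sent", "bytes_recv",
    "protocol", "transport", "operation", "uri", "mime", "object_source",
    "result", "cache_info",
]

AUTH_QUERY = "http://ms_proxy_auth_query/"  # proxy-to-proxy auth marker seen on PROXY1

# Constructed sample: first line is quoted from the thread, the rest are made up.
# 10.1.2.5 stands for PROXY2 (the downstream, no-access-control proxy).
SAMPLE_LOG = """\
-, -, -, N, 7/17/98, 17:10:56, W3Proxy, PROXY1, -, -, -, -, -, -, -, -, tcp, -, http://ms_proxy_auth_query/, -, -, 0, 0
10.1.2.5, DOMAIN\\Administrator, Mozilla/4.0 (compatible; MSIE 4.01), Y, 7/17/98, 17:11:02, W3Proxy, PROXY1, -, www.example.com, 192.0.2.10, 80, 310, 420, 8810, http, tcp, GET, http://www.example.com/, text/html, Inet, 200, 0
10.1.2.5, DOMAIN\\Administrator, Mozilla/4.0 (compatible; MSIE 4.01), Y, 7/17/98, 17:11:09, W3Proxy, PROXY1, -, www.example.net, 192.0.2.20, 80, 210, 400, 5120, http, tcp, GET, http://www.example.net/, text/html, Inet, 200, 0
"""


def parse_log(text):
    """Return one dict per verbose log line; '-' placeholders become None."""
    rows = []
    for rec in csv.reader(text.splitlines(), skipinitialspace=True):
        if len(rec) != len(FIELDS):
            continue  # not a verbose-format line (e.g. blank or truncated)
        rows.append({k: (None if v == "-" else v) for k, v in zip(FIELDS, rec)})
    return rows


def audit_chained_identity(rows):
    """Summarise who the upstream proxy thinks is browsing.

    Returns (auth_probe_seen, requests_per_user, client_ips_per_user). When
    every real request shows the same user and the same client IP (the
    downstream proxy), the upstream log cannot attribute traffic to people.
    """
    probe = any(r["uri"] == AUTH_QUERY for r in rows)
    real = [r for r in rows if r["uri"] != AUTH_QUERY]
    per_user = Counter(r["client_user"] for r in real)
    ips = {u: {r["client_ip"] for r in real if r["client_user"] == u} for u in per_user}
    return probe, dict(per_user), ips
```

Run over a real verbose log from the access-controlled array member: if the only usernames that ever appear for Internet destinations are the upstream-routing credentials, the permission check is effectively being passed by the downstream proxy, not by the people behind it.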
 
LVL 1

Author Comment

by:thomasda
ID: 1566532
Adjusted points to 280
 
LVL 1

Author Comment

by:thomasda
ID: 1566533
There is no answer to this question as it is just not possible with Microsoft Proxy without a plugin...

I have proven this..

 
LVL 1

Author Comment

by:thomasda
ID: 1566534
Can someone let me know how to delete this question?
 

Expert Comment

by:zimmy
ID: 1566535
Maybe you could answer it yourself. Be sure to give yourself an 'A'. :)
 

Expert Comment

by:taylorc7
ID: 1566536
Assuming that the group allowed Internet access is not required to be monitored by the Proxy Server, configure the 'special' group's browsers to NOT use the Proxy.  They can now surf both Intranet and Internet.  To force everyone else to use the proxy and thus be excluded from the Internet.....

Place an access-list in your router connecting to the internet.  Allow this 'special' group of IP addresses access to www.
Allow the proxy access to www.
Allow the entire class of IPs access to www via/thru the proxy.
Deny the entire class of IPs access to www.

Now your Proxy is in charge of who can go to the Internet.
Remember that the group allowed direct access will NOT be monitored by the Proxy.
 
LVL 1

Author Comment

by:thomasda
ID: 1566537
All our users MUST use a proxy server, because they are on a remote WAN with only a 64k link to head office.

This is not possible with only MS Proxy.  We have made it work by using the plug-in I-GEAR from www.urlabs.com.

How can I close this problem without giving away my points...

 

Accepted Solution

by:
khairi earned 280 total points
ID: 1566538
use Delete option ..instead of grading the answer

Do I get my 280