Solved

Easily enable/disable web access on SBS2003 network

Posted on 2006-04-21
Last Modified: 2008-03-04
I'm re-configuring a small school network which is being connected to an ADSL Broadband connection for the first time, which has a number of XP clients and a SBS2003 server.

I've put a second network card in the server to connect to the router, which should allow me to use ISA server (which I must admit I have not used before).

There are two users defined - pupil and staff.

The requirements are:

* Email to be always available for all users
* Web access for the staff to be always available
* Web access for pupils to be easily enabled/disabled by staff, so that it is only available when a staff member is supervising.

Email access is not currently routed via Exchange, but could be. I realise that ISA Server can have schedules set, and can restrict access to sites and so on, but I'm not sure about the best way to achieve the third requirement.

A brutal way - since only staff have physical access to the server - is to switch email usage to Exchange and then allow staff to turn on or off the ADSL router box.

As a more elegant approach, I was wondering about something like setting a GPO so that pupils have the SBS server configured as an http proxy while staff have no proxy, and then have a script for staff which turns on and off ISA server proxying.  

This would be easily defeated, but we are allowed to assume that pupils will not try to defeat restrictions (yeah, I was sceptical about that too, but that's what they told me).

While I think the above approaches are workable, I'm hoping there are some better ways.

Any ideas or pointers?
Question by:VSpike
 
LVL 1

Accepted Solution

by:
nickhills earned 1000 total points
ID: 16506341
First of all, if you're running Exchange, you don't really want to be pulling out your network connection when there is no one supervising, unless of course you only expect internal emails.

ISA 2004 is your friend here - install ISA and then configure two users, pupil and staff, as you say. These users can use an ADSI query to select individuals or groups of users, so you can distinguish between staff & pupil domain accounts.

Then you need to create two policies for web access, one for the staff account and one for the pupils. The staff account can be unrestricted, but you can impose content filters and the like for pupils, as well as time-of-day restriction policies that will prevent access at certain times.

If you want an 'on-off' switch, then create a third policy that overrides the default pupil policy, and enable/disable that as and when access is required. I think you could even script the enabling/disabling of the policies so teachers only have to click a shortcut to turn it on.

That way Exchange gets to keep its connection to the web, making your internet mail somewhat more reliable.

regards,
Nick
 
LVL 12

Expert Comment

by:Rant32
ID: 16506728
I agree about the network connections; there are cleaner ways to do this.

About defeating the proxy settings: I'd make sure that all traffic has to pass through ISA server. Don't allow transparent access to the web (preferably, don't even configure a default gateway for the public clients).

How do pupils authenticate? Do they use the same user account for the entire classroom? If they each have a user account, are they organized in Organizational Units in your AD? I'm assuming they have a single, common user account, and that you have two groups (Staff and Pupils) with the staff members already populated. The Staff user group can access the ISA server without a schedule.

DSMOD can be your friend, as well. (Group hug!! ;-)

My idea is this: add and remove the student user accounts to and from the Pupils user group as needed. Create a special OU for the Pupils user group. Delegate control to that OU to the Staff/Teachers user group, so that supervisors have permissions to change group membership.

Then use a DSMOD command (included in XP) to script adding users to groups. A staff member must run this. Then you'll have two shortcuts:

dsmod group "CN=Pupils,OU=InternetAccess,DC=mydomain,DC=ads" -addmbr "CN=Classroom3,OU=Users,OU=MySchool,DC=mydomain,DC=ads"

for adding a group, replace "-addmbr" with "-rmmbr" to remove the user from the group.

If each pupil has a user account of their own, use

dsquery user "OU=Pupils,OU=Users,OU=Myschool,DC=mydomain,DC=ads" | dsmod group "CN=Pupils,OU=Internetaccess,DC=mydomain,DC=ads" -addmbr

to add all user accounts in the Myschool/Users/Pupils OU to the group.

Hope this helps.
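A staff-side "on/off" shortcut built on the dsmod/dsquery approach above, as an added example that is not from the thread: it checks whether the shared Pupil account is currently in the group that the ISA web-access rule permits, and adds or removes it accordingly. The two DNs are assumptions for illustration; the account running it needs only the delegated "Modify the membership of a group" right on the OU that holds the group.

```batch
@echo off
rem Added example, not from the thread: toggle web access for the shared
rem "Pupil" account by adding it to / removing it from the Pupils group
rem that the ISA access rule allows. Both DNs are assumptions - adjust them.
setlocal
set "GROUP=CN=Pupils,OU=InternetAccess,DC=mydomain,DC=ads"
set "MEMBER=CN=Pupil,OU=Users,OU=MySchool,DC=mydomain,DC=ads"

rem dsget lists the group's current member DNs; findstr looks for ours
dsget group "%GROUP%" -members | findstr /i /c:"%MEMBER%" >nul
if %errorlevel%==0 (
    echo Pupil web access is currently ON - turning it OFF
    dsmod group "%GROUP%" -rmmbr "%MEMBER%"
) else (
    echo Pupil web access is currently OFF - turning it ON
    dsmod group "%GROUP%" -addmbr "%MEMBER%"
)
if errorlevel 1 (
    echo Change failed: check that this account has "Modify the membership
    echo of a group" delegated on the OU holding the Pupils group.
)
endlocal
pause
```

As with any group-membership change, it takes effect when ISA next authenticates the Pupil account, so it is worth confirming from a pupil workstation after toggling rather than assuming the switch was instant.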
 
LVL 1

Expert Comment

by:nickhills
ID: 16507164
Rant32

Nice idea... the only problem is that the user who runs this must be a domain admin. If you can get over that problem I prefer your solution to mine! Also, if someone can use AD U&C they can grant internet access to individual pupils when they have finished work or need the internet at other times for research!

thanks for the ideas
Nick
 
LVL 1

Author Comment

by:VSpike
ID: 16507244
Currently all pupils log into a single user account ("Pupil") and staff log into a single account ("Staff").  This could be changed if required.  I like the suggestions, I'm looking forward to researching and trying them out.  Thanks for the interest!
 
LVL 12

Expert Comment

by:Rant32
ID: 16507549
Nickhills, fortunately this is not true. I've just tested this on a Windows XP domain member with a regular user account and all commands I mentioned above work. Remember you have to delegate the right "Modify the membership of a group" on the OU where the group resides. Administrator rights are not required.

The DSMOD, DSQUERY, etc. commands are available after you install ADMINPAK.MSI on the client. If you don't want all Administrative Tools available on the client, then you can also copy the DS*.EXE commands from the server (windows\system32 folder).
 
LVL 12

Expert Comment

by:Rant32
ID: 16507571
If you give every pupil a separate user account then you have more control, but this can be an administrative nightmare as well. Depends on the number of pupils and some other requirements, I guess.
 
LVL 1

Expert Comment

by:nickhills
ID: 16507841
Even better!
You just delegate Modify permissions to your teachers! (I re-read your first post and spotted that)

Interesting, that opens up all sorts of possibilities with DSMOD & DSQUERY, I might go and play :)
Thanks Rant32
 
LVL 1

Author Comment

by:VSpike
ID: 16542242
Sorry for the delay. It seems they gave me incorrect information - they said they had SBS Premium, but they do not, hence ISA Server is not installed.

It can be added for around 500 UKP which is quite reasonable, and I will recommend that they do it as I think the flexibility it will give them will be worth it.

Just to check though, am I missing any good solutions here which don't involve ISA server?

 
LVL 12

Expert Comment

by:Rant32
ID: 16544120
Make sure to check out MS software offers for educational and academic institutions...

Here in the Netherlands, schools just pay a fixed fee per FTE and they can run about EVERY piece of software they want to (including Windows Server, Terminal Services, Exchange, ISA, Symantec/McAfee Antivirus, you name it)

http://www.microsoft.com/Education/eligible.mspx
 
LVL 1

Author Comment

by:VSpike
ID: 16548438
Unfortunately, that includes the academic discount!
 
LVL 12

Assisted Solution

by:Rant32
Rant32 earned 1000 total points
ID: 16548492
Ack. Well, then you'll probably get ISA 2004 which is even more flexible.

You should be able to convince them to purchase it: excellent proxy caching, user authentication, and ISA can really keep nasty stuff out the door (no executable downloads).

I have no other recommendation.
 
LVL 1

Author Comment

by:VSpike
ID: 16550812
Thanks.  I will strongly recommend it then.  There may be a delay before I get to implement the suggested solution, but I will return to this question, don't worry.