VSpike
Easily enable/disable web access on SBS2003 network

I'm re-configuring a small school network which is being connected to an ADSL Broadband connection for the first time, which has a number of XP clients and a SBS2003 server.

I've put a second network card in the server to connect to the router, which should allow me to use ISA server (which I must admit I have not used before).

There are two users defined - pupil and staff.

The requirements are:

* Email to be always available for all users
* Web access for the staff to be always available
* Web access for pupils to be easily enabled/disabled by staff, so that it is only available when a staff member is supervising.

Email access is not currently routed via Exchange, but could be. I realise that ISA server can have schedules set, and can restrict access to sites and so on, but I'm not sure about the best way to achieve the third requirement.

A brutal way - since only staff have physical access to the server - is to switch email usage to Exchange and then allow staff to turn on or off the ADSL router box.

As a more elegant approach, I was wondering about something like setting a GPO so that pupils have the SBS server configured as an http proxy while staff have no proxy, and then have a script for staff which turns on and off ISA server proxying.  

This would be easily defeated, but we are allowed to assume that pupils will not try to defeat restrictions (yeah, I was sceptical about that too, but that's what they told me).

While I think the above approaches are workable, I'm hoping there are some better ways.

Any ideas or pointers?
ASKER CERTIFIED SOLUTION
nickhills
Rant32

I agree with the network connections, there are cleaner ways to do this.

About defeating the proxy settings: I'd make sure that all traffic has to pass through ISA server. Don't allow transparent access to the web (preferably, don't even configure a default gateway for the public clients).

How do pupils authenticate? Do they use the same user account for the entire classroom? If they each have a user account, are they organized in Organizational Units in your AD? I'm assuming they have a single, common user account, and that you have two groups (Staff and Pupils) with the staff members already populated. The Staff user group can access the ISA server without a schedule.

DSMOD can be your friend, as well. (Group hug!! ;-)

My idea is this: add and remove the student user accounts to and from the Pupils user group as needed. Create a special OU for the Pupils user group. Delegate control to that OU to the Staff/Teachers user group, so that supervisors have permissions to change group membership.

Then use a DSMOD command (included in XP) to script adding users to groups. A staff member must run this. Then you'll have two shortcuts:

dsmod group "CN=Pupils,OU=InternetAccess,DC=mydomain,DC=ads" -addmbr "CN=Classroom3,OU=Users,OU=MySchool,DC=mydomain,DC=ads"

for adding a group, replace "-addmbr" with "-rmmbr" to remove the user from the group.

If each pupil has a user account of their own, use

dsquery user "OU=Pupils,OU=Users,OU=Myschool,DC=mydomain,DC=ads" | dsmod group "CN=Pupils,OU=Internetaccess,DC=mydomain,DC=ads" -addmbr

to add all user accounts in the Myschool/Users/Pupils OU to the group.

Hope this helps.
Rant32

Nice idea... the only problem is that the user who runs this must be a domain admin. If you can get over that problem I prefer your solution to mine! Also, if someone can use AD U&C they can grant internet access to individual pupils when they have finished work or need the internet at other times for research!

Thanks for the ideas
Nick
VSpike
ASKER

Currently all pupils log into a single user account ("Pupil") and staff log into a single account ("Staff").  This could be changed if required.  I like the suggestions, I'm looking forward to researching and trying them out.  Thanks for the interest!
Nickhills, fortunately this is not true. I've just tested this on a Windows XP domain member with a regular user account and all commands I mentioned above work. Remember you have to delegate the right "Modify the membership of a group" on the OU where the group resides. Administrator rights are not required.

The DSMOD, DSQUERY, etc. commands are available after you install ADMINPAK.MSI on the client. If you don't want all Administrative Tools available on the client, then you can also copy the DS*.EXE commands from the server (windows\system32 folder).
If you give every pupil a separate user account then you have more control, but this can be an administrative nightmare as well. Depends on the number of pupils and some other requirements, I guess.
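The two shortcuts Rant32 describes (one DSMOD call to add the classroom account to the Pupils group, one to remove it), together with the delegation and ADMINPAK notes in the follow-up post, can be folded into a single batch file that staff run from a desktop shortcut. This is an added example and not code from the thread; the group and account DNs are the ones Rant32 used and are assumed placeholders, and the dsacls line in the header comment (the command-line form of the "Modify the membership of a group" delegation, shipped with the Windows Support Tools) is an assumption to be checked against the OU delegation wizard. The script also checks current membership first, because DSMOD fails if you try to add a member that is already present, and appends who switched access on or off to a log file so there is an audit trail for the school.

```batch
@echo off
rem InternetAccess.cmd -- switch pupil web access on or off by changing group membership.
rem Added example (not from the thread).   Usage:  InternetAccess.cmd on ^| off ^| status
rem
rem Assumptions (replace with your own names):
rem   - ISA server only grants web access to members of the Pupils group.
rem   - DSMOD/DSGET are installed from ADMINPAK.MSI or copied from the server's system32.
rem   - The Staff group has been delegated "Modify the membership of a group" on the
rem     OU that holds the Pupils group. One-time admin step (dsacls, Support Tools):
rem       dsacls "OU=InternetAccess,DC=mydomain,DC=ads" /I:S /G "MYDOMAIN\Staff:WP;member;group"
setlocal

set "GROUP_DN=CN=Pupils,OU=InternetAccess,DC=mydomain,DC=ads"
set "MEMBER_DN=CN=Classroom3,OU=Users,OU=MySchool,DC=mydomain,DC=ads"
set "LOGFILE=%~dp0InternetAccess.log"

if /i "%~1"=="on"     goto enable
if /i "%~1"=="off"    goto disable
if /i "%~1"=="status" goto status
echo Usage: %~nx0 on ^| off ^| status
exit /b 2

:enable
call :ismember
if "%ISMEMBER%"=="1" (
    echo Pupil web access is already ENABLED.
    exit /b 0
)
dsmod group "%GROUP_DN%" -addmbr "%MEMBER_DN%"
if errorlevel 1 (
    echo Could not add the member. Check that DSMOD is installed and that the
    echo delegated rights on the OU cover the account you are logged on with.
    exit /b 1
)
>>"%LOGFILE%" echo %DATE% %TIME% %USERNAME% ENABLED pupil web access
echo Pupil web access ENABLED.
exit /b 0

:disable
call :ismember
if "%ISMEMBER%"=="0" (
    echo Pupil web access is already DISABLED.
    exit /b 0
)
dsmod group "%GROUP_DN%" -rmmbr "%MEMBER_DN%"
if errorlevel 1 (
    echo Could not remove the member. Check DSMOD and the delegated rights on the OU.
    exit /b 1
)
>>"%LOGFILE%" echo %DATE% %TIME% %USERNAME% DISABLED pupil web access
echo Pupil web access DISABLED.
exit /b 0

:status
call :ismember
if "%ISMEMBER%"=="1" (
    echo Pupil web access is currently ENABLED.
) else (
    echo Pupil web access is currently DISABLED.
)
exit /b 0

:ismember
rem DSGET prints one quoted member DN per line; FIND sets errorlevel 1 when no line matches.
set "ISMEMBER=0"
dsget group "%GROUP_DN%" -members | find /i "%MEMBER_DN%" >nul
if not errorlevel 1 set "ISMEMBER=1"
exit /b 0
```

Create two desktop shortcuts for staff, `InternetAccess.cmd on` and `InternetAccess.cmd off`, and keep the ISA rule and the client proxy settings pointing at the group rather than at individual accounts, so that the only thing the script ever changes is one group membership.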
Even better!
You just delegate Modify permissions to your teachers! (I re-read your first post and spotted that)

Interesting, that opens up all sorts of possibilities with DSMOD & DSQUERY, I might go and play :)
Thanks Rant32
VSpike
ASKER

Sorry for the delay.  It seems they gave me incorrect information - they said they had SBS Premium, but they do not, hence ISA server is not installed.

It can be added for around 500 UKP which is quite reasonable, and I will recommend that they do it as I think the flexibility it will give them will be worth it.

Just to check though, am I missing any good solutions here which don't involve ISA server?

Make sure to check out MS software offers for educational and academic institutions...

Here in the Netherlands, schools just pay a fixed fee per FTE and they can run about EVERY piece of software they want to (including Windows Server, Terminal Services, Exchange, ISA, Symantec/McAfee Antivirus, you name it)

http://www.microsoft.com/Education/eligible.mspx
VSpike
ASKER

Unfortunately, that includes the academic discount!
SOLUTION
VSpike
ASKER

Thanks.  I will strongly recommend it then.  There may be a delay before I get to implement the suggested solution, but I will return to this question, don't worry.