Network Content Filtering by Proxy or Firewall?

Posted on 2007-07-24
Last Modified: 2010-04-09
I know there are lots of posts out there regarding the same issue, but I need it broken down for me.

I am running a Server 2003 doing DNS and DHCP on the domain. Right now, I just have an Adtran firewall installed by our ISP doing the NAT and forwarding a port or two for our VPN and Applications.

What I want to do is lock down internet access to the workstations in the domain. I do not want everyone locked down; Administrators and special groups need to have certain access. These groups are already defined in AD on the 2003 Server.

Is there a way to lock down internet access at different levels for the different groups without having to buy ISA or a content filtering solution?

I am going to be buying a firewall shortly, so I can do all the configuration on that. Any recommendations on what gear I should get to help me out in this area would be useful.

I have read a little about proxies, but I do not understand how they work or where to begin setting one up. Also, I have an intranet server that I can install some software on to do all this, if someone has any recommendations for a software solution that does not have to be on the server that is doing the DHCP/DNS.
Question by:TTCLIVE

    Author Comment

    One more thing. I ran into this online while researching this issue:

    Can I tell all the workstations to only access the internet through the Server and tell the server to use this DNS configuration and just have all the traffic filtered off site? If I can, how do I do that, and where do I start (as far as telling the workstations to only access the internet through the server, right now they are all set to receive all the ip info automatically).

    Accepted Solution


    First, a proxy server is a server application that would install on a server, and all workstation internet traffic would funnel through that server to get to the internet. You would need a beefy server to handle this workload, and the server would need to be multi-homed. This means that the server would need 2 network cards installed. One NIC would be configured for local network access and the other NIC would be configured to connect to your router for internet access. This solution requires knowledge in server configurations and proxy software.

    A better solution is a hardware firewall solution, which you said you were going to purchase anyway. A SonicWall Firewall will do what you need to do. You can deny or allow access based on computer IP address. You can set up content filtering and set up an administrator bypass so you can get around the CF with a password that only you would know. Check our and click on the SonicWall Firewall link on the left side. Hope this helps :)

    Author Comment

    Okay, I will look into that. I would rather not have to pay licensing and renewal fees for unlimited users on the Sonic Firewall. I will be looking around though for other solutions that do the same thing.

    Until I find out, I actually looked into proxy solutions and found one that will fit my needs. I have a web server running in-house and installed a php proxy ANON Proxy server and would like to figure out how to get the rest of my workstations to use the webserver as the proxy without reconfiguring the default gateway (as the DNS and DHCP are being handled on a different local server and I need to make sure the computers stay connected to this computer).

    Is there a setting I can change in the DHCP that will tell all internet access to go through the proxy server?

    Let me show you the layout:

    ServerA       Webserver        Workstations

    The workstations are configured to receive configuration automatically, and the ServerA is handling the DNS and DHCP for the network. And the default gateway for everything is the Router IP address.

    So where can I change the default gateway to be the webserver so the proxy will work, and does it really have to have two NICs and be really beefy? It's just passing traffic, right?
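
For the DHCP question in the comment above: the usual way to point workstations at a proxy without touching the default gateway is a proxy auto-config (PAC) file advertised through WPAD (DHCP option 252 or a `wpad` DNS record). The file below is an added example, not from the thread; it assumes a forward HTTP proxy at the constructed address 192.168.1.20:3128 and an internal DNS suffix `.example.lan`, and it uses plain JavaScript instead of the browser's PAC helper functions so it can be tested outside a browser.

```javascript
// Added example PAC file; every address and name here is a constructed placeholder.
var PROXY = "PROXY 192.168.1.20:3128"; // assumed forward proxy on the web server
var LOCAL_DOMAIN = ".example.lan";     // assumed internal DNS suffix

// Dotted IPv4 literal -> unsigned 32-bit number, or null if host is not one.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ipInt falls inside base/bits (arithmetic avoids signed 32-bit shifts).
function inCidr(ipInt, base, bits) {
  var size = Math.pow(2, 32 - bits);
  return Math.floor(ipInt / size) === Math.floor(ipv4ToInt(base) / size);
}

// Internal destinations: short host names, the local suffix, private/loopback IPs.
function isInternal(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  if (host.slice(-LOCAL_DOMAIN.length) === LOCAL_DOMAIN) return true;
  var ip = ipv4ToInt(host);
  if (ip === null) return false;
  return inCidr(ip, "10.0.0.0", 8) || inCidr(ip, "172.16.0.0", 12) ||
         inCidr(ip, "192.168.0.0", 16) || inCidr(ip, "127.0.0.0", 8);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isInternal(host)) return "DIRECT";
  // No "; DIRECT" fallback: if the proxy is down, browsing fails
  // instead of silently going around the filter.
  return PROXY;
}
```

A PAC file only steers clients that honor it, so for the filtering to hold, the firewall should allow outbound web traffic only from the proxy's address.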

    Author Comment

    Never mind, I figured it out. Free proxy server, doing everything I want it to do, no PC upgrades needed. Thanks for the help.

    Expert Comment

    No problem. If you need any assistance, I can give you my email address upon request. Thanks
