• Status: Solved
  • Priority: Medium
  • Security: Public

Forcing proxy settings for non-network users

What is the best way to enforce a proxy setting for non-network users? For network users we manage this using Group Policy. However, when a visitor brings in a laptop and plugs into our network for Internet access they are bypassing our proxy server and able to go anywhere and download anything. The logical solution would be to deploy this setting using DHCPINFORM but I was unable to get this to work.
We're running Windows 2003 Server, XP Pro Clients, IE 6, IE7 and Firefox.
Thanks in advance!
Asked by: deflint

Keith Alabaster (Enterprise Architect) commented:
What proxy is it?

deflint (Author) commented:
Our proxy Server happens to be WebMarshal. I'm just trying to push out its IP address via DHCP. Or any other way if there's a better solution.

Keith Alabaster (Enterprise Architect) commented:
Have you reviewed the WPAD processes?
Although this link is for ISA systems, the process should be very similar:
http://www.microsoft.com/technet/isa/2004/plan/automaticdiscovery.mspx

deflint (Author) commented:
WPAD doesn't require ISA?

Keith Alabaster (Enterprise Architect) commented:
No - but here is an interesting article that might be of use whilst I see what I can find for you....
http://www.experts-exchange.com/Programming/Languages/Scripting/Shell/Batch/Q_22387799.html

Phil_Agcaoili commented:
Your first issue is that you allow egress access to everyone.
It so happens that you use GPOs to drive your users towards proxy use.
You need to block Internet access to ALL systems except your proxies.
This will force visitors and others not following the corporate policy to use the proxy.

Also, I've found the most transparent approach to ensure visitors abide by basic security requirements is to drive them towards a Cisco NAC Appliance (formerly Cisco Clean Access) which is an easily deployed Network Admission Control (NAC) product that uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources. With NAC Appliance, network administrators can authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to network access. It identifies whether networked devices such as laptops, IP phones, or game consoles are compliant with your network's security policies and repairs any vulnerabilities before permitting access to the network.

Cisco NAC Appliance also supports posture assessment for guest users.

Here's more info: http://en.wikipedia.org/wiki/Cisco_NAC_Appliance

Another approach for guest users is to drive them to use your wireless network and grant them guest access which is limited (by service) egress Internet access only for a short period of time. This way, you can enforce any content filtering needs and only allow specific access to resources.

Hope this helps.

Phil_Agcaoili commented:
I forgot to mention that your current setup is anarchy, right? Anyone can just plug in and get access to servers, printers, and the Net?

If so, my solutions above really lock down what guests have access to.

deflint (Author) commented:
Thanks for your quick response!
