Solved

Split the internet access between the users of the same network segment

Posted on 2010-08-12
Last Modified: 2013-12-08
We have two companies on the same network segment due to an old IP phone system using MAC as identifier.
There are two different Windows 2003 AD domains and two internet connections: one over a Juniper firewall and the other one over an ISA 2006 firewall.
I need to route the users of each company over their own firewall when in the office and also to allow the notebook users to use the IE “automatically detect settings” option when on the road.
I am loading the default gateway in the logon script instead of DHCP, but I have problems loading the proxy for IE.
I cannot use WPAD with DHCP because they are both using the same DHCP server, nor can I use WPAD with DNS because one of the companies has a remote branch office (and that will push these users to go over the ISA Server in the head office).
Is there a way using GP to have the users connect to ISA on port 8080 when in the office and to “automatically detect settings” when on the road?
0
Question by:MikeTa
11 Comments
 
LVL 5

Expert Comment

by:allan_jardine
Is it not possible to put your servers on different VLANs on your switch and allow access to them from only the correct machines? That way you should be able to run separate DHCP services for each company.
0
 

Author Comment

by:MikeTa
I considered this but the guys that are taking care of the phones told me that by doing this some of the phones will not be able to talk to the phones management server. As I said, it identifies the phones by their MAC address....
0
 
LVL 5

Expert Comment

by:allan_jardine
Is the phone management server one of your DHCP servers?
0
 

Author Comment

by:MikeTa
No, the DHCP is on one of the Windows DCs. This is a 3COM server. I don't even know if it is on Windows or on some Linux version. The phones and the computers on each desk share the same Ethernet cable. It is cascaded from the computer over the phone. Once connected, the phone server sees it and you can assign an extension to it. There is no IP involved. The phone server uses the MAC address as identifier. A VLAN setup will block the MAC propagation...
0
 
LVL 5

Expert Comment

by:allan_jardine
In that case you should be able to allow your computers to see each other, the 3COM server and the appropriate Windows DC for their domain/DHCP settings using a port-based VLAN. If your switch can be configured like this then you should be OK, since all we are doing is preventing some phones and computers seeing a Windows DC.
0
 

Author Comment

by:MikeTa
The 3COM server must see and be seen by all the phones at MAC layer level. The phones are cascaded with the computers, meaning that all the computers have to be seeing each other at MAC layer level. That means that they all need to talk to the same DHCP server asking for IP addresses. As a result you cannot have two different network segments....

This is a live environment with around 70 computers on one side and 50 on the other side and I cannot actually do too much testing and experimenting.

That's why I think that an appropriate Group Policy setting for the Automatic Browser Configuration can do the job here. I need an .ins script that automatically configures the browser to connect over the ISA server when in the office and straight when not.
0
 
LVL 5

Expert Comment

by:allan_jardine
As an alternative you could try the suggestion in this article: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21713341.html Basically they are changing the default gateway for some of the workstations when they run their login script. No VLAN is necessary in this config.
0
 

Author Comment

by:MikeTa
This is OK, and as I already said, this is what I am doing: I have logon scripts containing the route add command on each domain and no default gateway with DHCP.

My problem is that for ISA it is not enough: you need something to replace WPAD pointing Internet Explorer to port 8080. This should be automatically set up so that when users are outside the internal network they are able to browse the internet.
0
 
LVL 33

Expert Comment

by:digitap
It sounds like you want something to run on the laptops to detect what network they are on. If they detect they are on the company network, it enforces a proxy. If on a foreign network, it allows IE to operate as normal. I've not heard of that before...at least not automated. Anything else could be solved with a script on the user's desktop that could disable the proxy settings in IE.

Another possibility is to have IE for company network use and Firefox for outside use.  IE configured with the proxy settings and Firefox configured as it normally is.
0
 

Accepted Solution

by:
MikeTa earned 0 total points
Here is where Microsoft describes it. I didn't test it yet but I will. I think this will do the job for me.

http://technet.microsoft.com/en-us/library/dd361918.aspx
0
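The behaviour asked for in this thread (ISA on port 8080 in the office, direct on the road) can be expressed as an automatic proxy script (PAC file) assigned per domain; the sketch below is an added example, not code from the thread or from the linked Microsoft article. The subnet, ISA host name and ISA address are assumed placeholder values, and sending branch-office clients direct is also an assumption. It requires both an office-subnet address and the ISA name resolving to its expected internal address, because a home network can reuse the same private range.

```javascript
// Assumed values (not from the thread): head-office subnet, ISA name and address.
var OFFICE_NET = "192.168.10.0", OFFICE_MASK = "255.255.255.0";
var ISA_HOST = "isa.companya.example", ISA_IP = "192.168.10.5";
var ISA_PROXY = "PROXY " + ISA_HOST + ":8080"; // port 8080 is from the question

// Dotted quad -> unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip || "");
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip falls inside net/mask; malformed input never matches.
function inNet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), k = ipToInt(mask);
  if (a === null || b === null || k === null) return false;
  return ((a & k) >>> 0) === ((b & k) >>> 0);
}

// Pure decision function so the logic can be tested outside a browser.
function chooseProxy(clientIp, resolvedIsaIp, host) {
  // In the office only if BOTH signals agree: local address in the office
  // subnet and the ISA name resolving to its expected internal address.
  var inOffice = inNet(clientIp, OFFICE_NET, OFFICE_MASK) &&
                 resolvedIsaIp === ISA_IP;
  if (!inOffice) return "DIRECT"; // on the road, or branch office (assumed)
  // Single-label names and office-subnet addresses bypass the proxy.
  if (host.indexOf(".") === -1 || inNet(host, OFFICE_NET, OFFICE_MASK)) {
    return "DIRECT";
  }
  return ISA_PROXY;
}

// Entry point called by the browser; myIpAddress() and dnsResolve() are
// helpers supplied by the PAC runtime, not defined here.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), dnsResolve(ISA_HOST), host);
}
```

On multi-homed or VPN-connected laptops `myIpAddress()` may report an interface other than the office one, so the subnet test should be checked on a real notebook before rollout.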
