Solved

Split the internet access between the users of the same network segment

Posted on 2010-08-12
Last Modified: 2013-12-08
We have two companies on the same network segment due to an old IP phone system using MAC as identifier.  
There are two different Windows 2003 AD domains and two internet connections: one over a Juniper firewall and the other one over an ISA 2006 firewall.  
I need to route the users of each company over their own firewall when in the office and also to allow the notebook users to use the IE “automatically detect settings” option when on the road.  
I am loading the default gateway in the logon script instead of DHCP, but I have problems loading the proxy for IE.
I cannot use WPAD with DHCP because they are both using the same DHCP server, nor can I use WPAD with DNS because one of the companies has a remote branch office (and that will push these users to go over the ISA Server in the head office).
Is there a way using GP to have the users connect to ISA on port 8080 when in the office and to “automatically detect settings” when on the road?
Question by:MikeTa
11 Comments
 
LVL 5

Expert Comment

by:allan_jardine
ID: 33421576
Is it not possible to put your servers on different VLANs on your switch and allow access to them from only the correct machines? That way you should be able to run separate DHCP services for each company.
 

Author Comment

by:MikeTa
ID: 33421660
I considered this but the guys that are taking care of the phones told me that by doing this some of the phones will not be able to talk to the phones management server.  As I said, it identifies the phones by their MAC address....
 
LVL 5

Expert Comment

by:allan_jardine
ID: 33421687
Is the phone management server one of your DHCP servers?
 

Author Comment

by:MikeTa
ID: 33421761
No, the DHCP is on one of the Windows DCs.  This is a 3COM server.  I don't even know if it is on Windows or on some Linux version.  The phones and the computers on each desk share the same ethernet cable.  It is cascaded from the computer over the phone.  Once connected, the phone server sees it and you can assign an extension to it.  There is no IP involved.  The phone server uses the MAC address as identifier. A VLAN setup will block the MAC propagation...
 
LVL 5

Expert Comment

by:allan_jardine
ID: 33422350
In that case you should be able to allow your computers to see each other, the 3COM server and the appropriate Windows DC for their domain/DHCP settings using a port-based VLAN. If your switch can be configured like this then you should be OK, since all we are doing is preventing some phones and computers seeing a Windows DC.
 

Author Comment

by:MikeTa
ID: 33423138
The 3COM server must see and be seen by all the phones at MAC layer level.  The phones are cascaded with the computers, meaning that all the computers have to be seeing each other at MAC layer level.  That means that they all need to talk to the same DHCP server asking for IP addresses.  As a result you cannot have two different network segments....

This is a live environment with around 70 computers on one side and 50 on the other side and I cannot actually do too much testing and experimenting.  

That's why I think that an appropriate Group Policy setting for the Automatic Browser Configuration can do the job here.  I need an .ins script that automatically configures the browser to connect over the ISA server when in the office and straight when not.  
 
LVL 5

Expert Comment

by:allan_jardine
ID: 33426958
As an alternative you could try the suggestion in this article: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21713341.html Basically, they are changing the default gateway for some of the workstations when they run their login script. No VLAN is necessary in this config.
 

Author Comment

by:MikeTa
ID: 33428983
This is OK and, as I already said, this is what I am doing: I have logon scripts containing the route add command on each domain and no default gateway with DHCP.  

My problem is that for ISA it is not enough: you need something to replace WPAD pointing Internet Explorer to port 8080.  This should be set up automatically so that users are able to browse the internet when they are outside the internal network.
 
LVL 33

Expert Comment

by:digitap
ID: 33490298
It sounds like you want something to run on the laptops to detect what network they are on.  If they detect they are on the company network, it enforces a proxy.  If on a foreign network, it allows IE to operate as normal.  I've not heard of that before...at least not automated.  Anything else could be solved with a script on the user's desktop that could disable the proxy settings in IE.

Another possibility is to have IE for company network use and Firefox for outside use.  IE configured with the proxy settings and Firefox configured as it normally is.
 

Accepted Solution

by:
MikeTa earned 0 total points
ID: 33500355
Here is where Microsoft describes it.  I didn't test it yet but I will.  I think this will do the job for me.  

http://technet.microsoft.com/en-us/library/dd361918.aspx 
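
Added example, not part of the thread and not taken from the linked article: the in-office versus on-the-road decision asked for above, written as a proxy auto-config (PAC) script that each domain's Group Policy could set as IE's automatic configuration URL. The office subnet and the ISA host name are assumed placeholder values; only port 8080 comes from the thread.

```javascript
// Assumed values (hypothetical): replace with the real office subnet and ISA host.
var OFFICE_NET = "192.168.10.0";
var OFFICE_MASK = "255.255.255.0";
var ISA_PROXY = "PROXY isa.example.local:8080"; // port 8080 is from the thread

// Convert a dotted-quad IPv4 string to an unsigned number; null if malformed.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip || "");
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip lies inside net/mask. Host names and IPv6 literals return false.
function inSubnet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), k = ipToInt(mask);
  if (a === null || b === null || k === null) return false;
  return ((a & k) >>> 0) === ((b & k) >>> 0);
}

// The decision, kept separate from the browser so any client IP can be tried.
function chooseProxy(clientIp, host) {
  // Not on the office subnet (hotel, home, loopback or empty answer): go direct,
  // so a notebook on the road never waits on an unreachable ISA server.
  if (!inSubnet(clientIp, OFFICE_NET, OFFICE_MASK)) return "DIRECT";
  // Intranet targets (single-label names, office IPs) bypass the proxy.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (inSubnet(host, OFFICE_NET, OFFICE_MASK)) return "DIRECT";
  return ISA_PROXY;
}

// Entry point the browser calls; myIpAddress() is supplied by the PAC runtime.
function FindProxyForURL(url, host) {
  var ip = typeof myIpAddress === "function" ? myIpAddress() : "";
  return chooseProxy(ip, host);
}
```

Because both companies share one segment, the client address cannot tell them apart; the script only separates office from road, and which users receive it has to be decided by which domain's policy publishes it.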