Solved

How do I block access to all but one website in a TS environment

Posted on 2011-03-23
Last Modified: 2012-05-11
So here's the situation. I have a TS that multiple users access with varying degrees of permissions. We are in the process of setting up an account that needs access to one and only one website for data entry. So far I have looked into using the built-in content advisor in IE, but the settings there are global and will affect every user. I have also looked into a solution using our firewall, a Sonicwall TZ 210, but that also appears to be an all-or-none solution. If anyone out there has an idea of what can be done, it would be greatly appreciated.
Question by:JRCSAPC
9 Comments
 
LVL 10

Expert Comment

by:akhalighi
ID: 35201970
Sonicwall works based on IP address; it cannot work based on user account. What if you put that user in a different OU and deploy IE restrictions through Group Policy? This way only that user will be affected, as it's the only one that has that policy enabled...
LVL 21

Expert Comment

by:mcsween
ID: 35201988
Unfortunately this is not possible with native Windows or with the SonicWALL.  I am a SonicWALL partner and their road map includes using the SSO agent to allow custom block/allow lists on a per user basis but they do not currently have an ETA for delivery of this new firmware.

In the past I have had good luck with Cyberpatrol.  Inexpensive and can be customized on a per user basis.  http://www.cyberpatrol.com

The only other option I can think of is to implement ISA server or another proxy that will allow you to limit web addresses on a per user basis but those will be much more expensive than the previous option.
LVL 4

Accepted Solution

by:
Jerry Mills earned 250 total points
ID: 35202071
Remote in to terminal server as that user.
 
Go to Internet Options in the Control Panel. Go to the Connections tab and click LAN settings. Uncheck "Automatically detect settings" and then check "Use proxy server" and put settings in for the website you want. This will time out send the Web browser each time your user tries to pull up an Internet site to that site.

Set up a shortcut on desktop with IP address as destination.
Author Comment

by:JRCSAPC
ID: 35202733
akhalighi, you said that Sonicwall can be configured to block via IP. Is that destination IP or source? Because if it's source, that would be awesome, as I can just static the terminals where these users will be and set up the firewall to limit access from that IP.
LVL 21

Expert Comment

by:mcsween
ID: 35203022
SonicWALL content filtering works based on DNS
Firewall and NAT rules work based on IP Address

You can use the firewall to block access to all but a few or even one ip address using the SonicWALL.

This works on source and/or destination IP address as well as source and destination firewall zone.  This isn't going to work for you though because your source IP address will always be the terminal server as that is where the request is coming from.  The IP of the actual user terminal will only come into play for traffic going between the Terminal Server and the terminal itself.

Just for your knowledge, though, you would set up this block policy like this:

In SonicWALL management interface click Firewall, Services
Click Add Group
Name: HTTP&HTTPS
Add HTTP and HTTPS services to the group, OK
click Firewall, Access Rules
In the Zone matrix pick LAN as the source and WAN as the destination
Click New Rule
Action: Allow
Service: HTTP&HTTPS
Source: (Create New Network)
In New Network box
Name: TerminalServer
Zone: LAN
Type: HOST
IP Address: (IP of Terminal Server)
Destination: New Network
Name: Website you want to allow
Zone: WAN
Type: HOST
IP Address: (IP of Site you want to Allow)
OK
Give it a comment and click OK
New Rule
Action: Deny
Service: HTTP&HTTPS
Source: TerminalServer
Destination: Any
Give it a comment and click OK

Make sure the Allow rule is listed above the Block rule

You can allow multiple by creating an Address Group and adding each item to it like we did with the service group.
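
The rule pair from the steps above, modeled as an added example (not part of the original post and not SonicWALL code): rules are checked top to bottom and the first match decides, which is the assumption behind the advice to list Allow above Deny. The addresses and user names are constructed placeholders.

```powershell
# Constructed placeholders (documentation address ranges), not values from the thread.
$TerminalServer = '192.0.2.10'     # stands in for (IP of Terminal Server)
$AllowedSite    = '203.0.113.25'   # stands in for (IP of Site you want to Allow)

# The two LAN > WAN access rules, in the recommended order.
$Rules = @(
    [pscustomobject]@{ Action = 'Allow'; Source = $TerminalServer; Destination = $AllowedSite; Ports = @(80, 443) }
    [pscustomobject]@{ Action = 'Deny';  Source = $TerminalServer; Destination = 'Any';        Ports = @(80, 443) }
)

function Get-Verdict {
    param([object[]]$RuleSet, [string]$Source, [string]$Destination, [int]$Port)
    foreach ($rule in $RuleSet) {
        $srcOk  = ($rule.Source -eq 'Any') -or ($rule.Source -eq $Source)
        $dstOk  = ($rule.Destination -eq 'Any') -or ($rule.Destination -eq $Destination)
        $portOk = $rule.Ports -contains $Port
        if ($srcOk -and $dstOk -and $portOk) { return $rule.Action }   # first match wins
    }
    return 'Default'   # no listed rule matched; the zone's default rule decides
}

# Constructed sessions. The firewall never sees the user name: every request
# leaves the LAN with the terminal server's address as its source.
$Sessions = @(
    [pscustomobject]@{ User = 'dataentry'; Destination = $AllowedSite;   Port = 443 }
    [pscustomobject]@{ User = 'dataentry'; Destination = '198.51.100.7'; Port = 80 }
    [pscustomobject]@{ User = 'manager';   Destination = '198.51.100.7'; Port = 443 }
)

$DenyFirst = @($Rules[1], $Rules[0])   # same rules, wrong order
foreach ($s in $Sessions) {
    [pscustomobject]@{
        User        = $s.User
        Destination = $s.Destination
        AllowFirst  = Get-Verdict $Rules     $TerminalServer $s.Destination $s.Port
        DenyFirst   = Get-Verdict $DenyFirst $TerminalServer $s.Destination $s.Port
    }
}
```

The `manager` row gets the same verdict as `dataentry` because both share the terminal server's source address, and the `DenyFirst` column shows the allowed site being blocked when the rules are listed in the wrong order.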


LVL 13

Assisted Solution

by:upalakshitha
upalakshitha earned 250 total points
ID: 35207387
LVL 25

Expert Comment

by:Ron Malmstead
ID: 35488881

Create a GPO called "Data Entry Internet" using Group Policy Management Console.

Edit the GPO -
User Configuration > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings

Assign a proxy of 127.0.0.1, and check the box that says use same for all...
In the exception box, type the name of the website you want them to bypass the proxy.
ie.
"www.experts-exchange.com"

Create a Security Group to associate with the Security filtering of the GPO in group policy management console.
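
The per-user dead-proxy setting described in this comment and in the accepted solution, as an added example that is not part of the original posts: it writes the current user's proxy values and then audits them. The site name and port are placeholders, and the check for the policy value that prevents changing proxy settings is an addition the thread does not mention.

```powershell
# Run inside the restricted user's own session: HKCU is that user's hive only.
$AllowedSite = 'dataentry.example.com'   # placeholder for the one permitted site
$DeadProxy   = '127.0.0.1:80'            # assumption: nothing listens on this local port
$Inet   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Policy = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Set-SingleSiteProxy {
    param([string]$Site, [string]$Proxy)
    # The values behind Internet Options > Connections > LAN settings.
    Set-ItemProperty -Path $Inet -Name ProxyEnable   -Value 1      -Type DWord
    Set-ItemProperty -Path $Inet -Name ProxyServer   -Value $Proxy -Type String
    Set-ItemProperty -Path $Inet -Name ProxyOverride -Value $Site  -Type String
}

function Test-SingleSiteProxy {
    param([string]$Site, [string]$Proxy)
    $cur = Get-ItemProperty -Path $Inet
    $findings = @()
    if ($cur.ProxyEnable -ne 1)      { $findings += 'Proxy is not enabled' }
    if ($cur.ProxyServer -ne $Proxy) { $findings += "ProxyServer is '$($cur.ProxyServer)', expected '$Proxy'" }

    # Every bypass entry is a hole in the restriction, so exactly one is expected.
    $bypass = @("$($cur.ProxyOverride)" -split ';' | Where-Object { $_ })
    $extra  = @($bypass | Where-Object { $_ -ne $Site })
    if ($bypass -notcontains $Site) { $findings += "$Site is not in the bypass list" }
    if ($extra.Count -gt 0)         { $findings += "Unexpected bypass entries: $($extra -join ', ')" }

    # Without this policy value the user can open LAN settings and untick the proxy.
    $lock = Get-ItemProperty -Path $Policy -Name Proxy -ErrorAction SilentlyContinue
    if (-not $lock -or $lock.Proxy -ne 1) { $findings += 'Proxy settings are not locked by policy' }
    return $findings
}

Set-SingleSiteProxy -Site $AllowedSite -Proxy $DeadProxy
$result = Test-SingleSiteProxy -Site $AllowedSite -Proxy $DeadProxy
if ($result) { $result } else { 'Proxy lockdown is in place for this user' }
```

These values only steer clients that honor the Internet Options proxy, such as Internet Explorer; they are not a network-level block.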
LVL 33

Expert Comment

by:digitap
ID: 35510981
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.