Solved

How do I block access to all but one website in a TS environment

Posted on 2011-03-23
Last Modified: 2012-05-11
So here's the situation. I have a TS that multiple users access with varying degrees of permissions. We are in the process of setting up an account that needs access to one and only one website for data entry. So far I have looked into using the built-in Content Advisor in IE, but the settings there are global and will affect every user. I have also looked into a solution using our firewall, a Sonicwall TZ 210, but that also appears to be an all-or-none solution. If anyone out there has an idea of what can be done, it would be greatly appreciated.
0
Question by:JRCSAPC
9 Comments
 
LVL 10

Expert Comment

by:akhalighi
Sonicwall works based on IP address; it cannot work based on user account. What if you put that user in a different OU and deploy IE restrictions through Group Policy? This way only that user will be affected, as it's the only one that has that policy enabled...
0
 
LVL 21

Expert Comment

by:mcsween
Unfortunately this is not possible with native Windows or with the SonicWALL.  I am a SonicWALL partner and their road map includes using the SSO agent to allow custom block/allow lists on a per user basis but they do not currently have an ETA for delivery of this new firmware.

In the past I have had good luck with Cyberpatrol.  Inexpensive and can be customized on a per user basis.  http://www.cyberpatrol.com

The only other option I can think of is to implement ISA server or another proxy that will allow you to limit web addresses on a per user basis but those will be much more expensive than the previous option.
0
 
LVL 4

Accepted Solution

by:
Jerry Mills earned 250 total points
Remote in to terminal server as that user.
 
Go to Internet Options in the Control Panel. Go to the Connections tab and click LAN settings. Uncheck "Automatically detect settings" and then check "Use proxy server" and put settings in for the website you want. This will time out send the Web browser each time your user tries to pull up an Internet site to that site.

Set up a shortcut on the desktop with the IP address as destination.
0
 

Author Comment

by:JRCSAPC
akhalighi, you said that Sonicwall can be configured to block via IP. Is that destination IP or source? Because if it's source, that would be awesome, as I can just static the terminals where these users will be and set up the firewall to limit access from that IP.
0
 
LVL 21

Expert Comment

by:mcsween
SonicWALL content filtering works based on DNS
Firewall and NAT rules work based on IP Address

You can use the firewall to block access to all but a few or even one IP address using the SonicWALL.

This works on source and/or destination IP address as well as source and destination firewall zone.  This isn't going to work for you though because your source IP address will always be the terminal server as that is where the request is coming from.  The IP of the actual user terminal will only come into play for traffic going between the Terminal Server and the terminal itself.

Just for your knowledge, though, you would set up this block policy like this:

In SonicWALL management interface click Firewall, Services
Click Add Group
Name: HTTP&HTTPS
Add HTTP and HTTPS services to the group, OK
click Firewall, Access Rules
In the Zone matrix pick LAN as the source and WAN as the destination
Click New Rule
Action: Allow
Service: HTTP&HTTPS
Source: (Create New Network)
In New Network box
Name: TerminalServer
Zone: LAN
Type: HOST
IP Address: (IP of Terminal Server)
Destination: New Network
Name: Website you want to allow
Zone: WAN
Type: HOST
IP Address: (IP of Site you want to Allow)
OK
Give it a comment and click OK
New Rule
Action: Deny
Service: HTTP&HTTPS
Source: TerminalServer
Destination: Any
Give it a comment and click OK

Make sure the Allow rule is listed above the Block rule

You can allow multiple by creating an Address Group and adding each item to it like we did with the service group.


0
 
LVL 13

Assisted Solution

by:upalakshitha
upalakshitha earned 250 total points
0
 
LVL 25

Expert Comment

by:Ron M

Create a GPO called ...Data Entry Internet, using Group policy management console.

Edit the GPO -
User Configuration > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings

Assign a proxy of 127.0.0.1, and check the box that says use same for all...
In the exception box, type the name of the website you want them to bypass the proxy.
ie.
"www.experts-exchange.com"

Create a Security Group to associate with the Security filtering of the GPO in group policy management console.
0
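
The per-user proxy restriction described in the accepted solution and in Ron M's GPO steps, written as an added PowerShell example (not code from any poster in this thread). The host name `www.example.com`, the function name `Set-SingleSiteProxy` and port 80 on the loopback proxy are assumptions for illustration.

```powershell
# Added example: per-user "dead proxy plus exception list" for Internet Explorer.
# Run while logged on to the terminal server as the restricted account.
# Only HKCU is written, so other users of the same server are not affected.

function Set-SingleSiteProxy {
    param(
        # Host name(s) the account may still reach directly (placeholder default).
        [string[]]$AllowedHost = @('www.example.com'),
        # Loopback proxy as in the answers; the port is an assumption and
        # nothing should be listening on it.
        [string]$DeadProxy = '127.0.0.1:80'
    )

    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    # "Use a proxy server" checkbox.
    New-ItemProperty -Path $key -Name ProxyEnable -Value 1 `
        -PropertyType DWord -Force | Out-Null

    # Proxy address; a bare host:port applies to all protocols.
    New-ItemProperty -Path $key -Name ProxyServer -Value $DeadProxy `
        -PropertyType String -Force | Out-Null

    # Exceptions box; entries are separated by semicolons.
    New-ItemProperty -Path $key -Name ProxyOverride `
        -Value ($AllowedHost -join ';') -PropertyType String -Force | Out-Null

    # An automatic configuration script may override manual settings, so clear it.
    Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue

    # Read the values back so the result can be checked or logged.
    Get-ItemProperty -Path $key |
        Select-Object ProxyEnable, ProxyServer, ProxyOverride
}

Set-SingleSiteProxy -AllowedHost 'www.example.com'
```

Internet Explorer windows that are already open may need to be restarted before the change takes effect. The restriction holds only for programs that honor the Internet Explorer proxy settings and only while the user cannot change them, so the Connections settings should also be locked by policy for that account.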
 
LVL 33

Expert Comment

by:digitap
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
