JRCSAPC

How do I block access to all but one website in a TS environment

So here's the situation. I have a TS that multiple users access with varying degrees of permissions. We are in the process of setting up an account that needs access to one and only one website for data entry. So far I have looked into using the built-in Content Advisor in IE, but the settings there are global and will affect every user. I have also looked into a solution using our firewall, a Sonicwall TZ 210, but that also appears to be an all-or-none solution. If anyone out there has an idea of what can be done, it would be greatly appreciated.
akhalighi

Sonicwall works based on IP address; it cannot work based on user account. What if you put that user in a different OU and deploy IE restrictions through Group Policy? This way only that user will be affected, as it's the only one that has that policy enabled ...
Bradley Fox

Unfortunately this is not possible with native Windows or with the SonicWALL.  I am a SonicWALL partner and their road map includes using the SSO agent to allow custom block/allow lists on a per user basis but they do not currently have an ETA for delivery of this new firmware.

In the past I have had good luck with Cyberpatrol.  Inexpensive and can be customized on a per user basis.  http://www.cyberpatrol.com

The only other option I can think of is to implement ISA server or another proxy that will allow you to limit web addresses on a per user basis but those will be much more expensive than the previous option.
ASKER CERTIFIED SOLUTION
Jerry Mills

JRCSAPC

ASKER

akhalighi, you said that Sonicwall can be configured to block via IP. Is that destination IP or source? Because if it's source, that would be awesome, as I can just static the terminals where these users will be and set up the firewall to limit access from that IP.
SonicWALL content filtering works based on DNS
Firewall and NAT rules work based on IP Address

You can use the firewall to block access to all but a few or even one ip address using the SonicWALL.

This works on source and/or destination IP address as well as source and destination firewall zone.  This isn't going to work for you though because your source IP address will always be the terminal server as that is where the request is coming from.  The IP of the actual user terminal will only come into play for traffic going between the Terminal Server and the terminal itself.

Just for your knowledge, though, you would set up this block policy like this:

In SonicWALL management interface click Firewall, Services
Click Add Group
Name: HTTP&HTTPS
Add HTTP and HTTPS services to the group, OK
Click Firewall, Access Rules
In the Zone matrix pick LAN as the source and WAN as the destination
Click New Rule
Action: Allow
Service: HTTP&HTTPS
Source: (Create New Network)
In New Network box
Name: TerminalServer
Zone: LAN
Type: HOST
IP Address: (IP of Terminal Server)
Destination: New Network
Name: Website you want to allow
Zone: WAN
Type: HOST
IP Address: (IP of Site you want to Allow)
OK
Give it a comment and click OK
New Rule
Action: Deny
Service: HTTP&HTTPS
Source: TerminalServer
Destination: Any
Give it a comment and click OK

Make sure the Allow rule is listed above the Block rule

You can allow multiple by creating an Address Group and adding each item to it like we did with the service group.
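
The rule ordering and the source-address limitation described in the post above, as an added example that is not part of the original thread: a small Python model of top-down, first-match rule evaluation. It is not SonicWALL code; the IP addresses, user names and the default-allow fallback for unmatched traffic are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
WEB_PORTS = frozenset({80, 443})      # stands in for the HTTP&HTTPS service group

# Constructed sample addresses (assumptions, not values from the thread)
TERMINAL_SERVER = "10.0.0.10"
ALLOWED_SITE = "203.0.113.25"
OTHER_SITE = "198.51.100.7"

@dataclass(frozen=True)
class Rule:
    action: str
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    ports: frozenset

def host(ip):
    """Address object of Type HOST: a single /32."""
    return ipaddress.ip_network(ip + "/32")

def evaluate(rules, src, dst, port, default="allow"):
    """Return the action of the first rule, top to bottom, that matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src in rule.source and dst in rule.destination and port in rule.ports:
            return rule.action
    return default                    # assumed fallback for unmatched traffic

ALLOW = Rule("allow", host(TERMINAL_SERVER), host(ALLOWED_SITE), WEB_PORTS)
DENY = Rule("deny", host(TERMINAL_SERVER), ANY, WEB_PORTS)

def outcomes(rules):
    """Decisions for the allowed site and for any other site, from the TS."""
    return {
        "allowed_site": evaluate(rules, TERMINAL_SERVER, ALLOWED_SITE, 443),
        "other_site": evaluate(rules, TERMINAL_SERVER, OTHER_SITE, 443),
    }

def decide_for_sessions(rules, sessions, dst):
    """sessions maps user -> client terminal IP. The browser runs on the
    terminal server, so the firewall sees TERMINAL_SERVER as the source for
    every user and the client IP never enters the decision."""
    return {user: evaluate(rules, TERMINAL_SERVER, dst, 443) for user in sessions}

if __name__ == "__main__":
    print("Allow above Deny:", outcomes([ALLOW, DENY]))
    print("Deny above Allow:", outcomes([DENY, ALLOW]))
    users = {"dataentry": "10.0.0.51", "manager": "10.0.0.52"}
    print("Per user:", decide_for_sessions([ALLOW, DENY], users, OTHER_SITE))
```

With the Deny rule on top, even the intended site is blocked, and with either order every terminal server user gets the same result, which is why this rule set cannot single out one account.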



Create a GPO called ...Data Entry Internet, using Group Policy Management Console.

Edit the GPO -
User Configuration > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings

Assign a proxy of 127.0.0.1, and check the box that says use same for all...
In the exception box, type the name of the website you want them to bypass the proxy.
i.e.
"https://www.experts-exchange.com"

Create a Security Group to associate with the Security Filtering of the GPO in Group Policy Management Console.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.