Solved

How to white-list internal only web access?  Block external web surfing and filter pages.

Posted on 2011-09-29
6
673 Views
Last Modified: 2012-05-12
We have a few machines running Win XP SP3 and Win 7 that we'd like to limit web surfing on.  
How can we best implement this?

REQUIREMENTS:

----------------------------------------------------------------------------------------------------------------------------------
Block Web:    We want to block all other external web-surfing.
Access Internal:   We need to make internally served pages available they are all on one domain.
GPO:     We'd like to apply any solution by policy applied to a single OU.
0
Comment
Question by:ServDeskKnows
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 2

Assisted Solution

by:GoatCreek
GoatCreek earned 100 total points
ID: 36814259
Set the proxy server to 127.0.0.1, bypass proxy for local adresses, add the local network to bypass the proxy server.
0
 

Author Comment

by:ServDeskKnows
ID: 36814271
GoatCreek: I can't use the local proxy.  

That's what we've been doing, but a Citrix client application isn't able to cope with that proxy setting.  I'm looking for an alternative to that exact setup.
0
 
LVL 8

Accepted Solution

by:
MarkieS earned 300 total points
ID: 36814447
Can you utilise something like PAC files or WPAD browser settings.

A PAC file or WPAD.dat like below can be used to direct and/or restrict Web browsing

function FindProxyForURL(url, host) {

// If URL has no dots in domain name, send direct.
      if (isPlainHostName(host))
            return "DIRECT";

// If URL matches, send direct.
      if (shExpMatch(url,"*domain123.com/folder/*") ||
          shExpMatch(url,"*domainXYZ.com:*/*"))                  
            return "DIRECT";


// If hostname matches, send direct.
      if (dnsDomainIs(host, "vpn.domain.com") ||
            dnsDomainIs(host, "abcdomain.com"))
            return "DIRECT";

// If hostname resolves to internal IP, send direct.
      var resolved_ip = dnsResolve(host);
      if (isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
            isInNet(resolved_ip, "172.16.0.0",  "255.240.0.0") ||
          isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
          isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
            return "DIRECT";

// DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
      return "PROXY PROXYSERVERNAME1:8080; PROXY PROXYSERVERNAME2:8080; DIRECT";

0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 2

Assisted Solution

by:GoatCreek
GoatCreek earned 100 total points
ID: 36895578
You can set the proxy settings also by AD policy
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 100 total points
ID: 36986622
It is no where near as complex and it is being made here.

You just set the Firewall/Proxy to just not allow certain machines to the Internet.  That's it,...Done.

Internal browsing does not go through the proxy in the first pace,..so that is irrelevant.  The whole point of a LAT (Local Address Table) on a firewall/proxy is to define the interior LAN so that the Firewall/Proxy already ignores request sent to any such destination,...so there is nothing "extra" that you have to do there.
0
 

Author Closing Comment

by:ServDeskKnows
ID: 37603638
Proxy works, but I was trying to avoid it.

Extra points to PAC files and a nod to Firewall configuration.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
Configuring network clients can be a chore, especially if there are a large number of them or a lot of itinerant users.  DHCP dynamically manages this process, much to the relief of users and administrators alike!
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question