Need a method of switching between intranet and internet for zero client users

Posted on 2013-12-20
Last Modified: 2013-12-26
We are moving to a VDI solution with zero clients and Nutanix servers with VMware. We are going with a default deny policy on our intranet in which we will only allow a whitelist of URLs outbound to the trusted business partners we deal with.
When we implement that, it will break internet browsing, so we would have another VLAN or security zone that is less restrictive to be used by everyone for internet browsing.

My question is how do I achieve this without putting in two zero clients and having two VMs for every user?

This is probably simple but I am brain frozen....
Question by:rand1964

Expert Comment

by:Rich Rumble
ID: 39733564
Perhaps you should use a proxy: have a browser like Firefox set up to use the proxy for the internet, and use IE to browse the local intranet and other white-listed sites. The proxy can also, depending on the solution, use an anti-virus to scan all data going to/from the internet.
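The split described in this comment (one browser going direct to the intranet and white-listed partner sites, the other sent through a proxy for everything else) is usually expressed as a proxy auto-config (PAC) script. The script below is an added example, not anything posted in the thread; the proxy address, the `.corp.example` intranet domain and the partner domains are made up, and the `dnsDomainIs`/`isPlainHostName` shims exist only so the file runs outside a browser (browsers provide those functions to PAC scripts themselves). Note that, as the asker points out further down, the proxied browser still runs on the restricted VM, so internet content is still rendered there.

```javascript
// Added example: PAC script for the split-browser approach.
// Intranet and allow-listed partner hosts go DIRECT (and are the only
// destinations the default-deny egress firewall permits); every other host
// is handed to a dedicated internet proxy in the less restricted zone.

// Shims for the helpers a browser injects into PAC scripts, so this file
// can be run under Node for testing. Real PAC files do not need them.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  // Same semantics as the browser built-in: host ends with domain,
  // where domain carries a leading dot (".corp.example").
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Assumed values for illustration (not from the original thread).
var INTERNET_PROXY = "PROXY browse-proxy.dmz.example:3128";
var INTRANET_DOMAINS = [".corp.example"];
var PARTNER_DOMAINS = [".partner-one.example", ".partner-two.example"];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Bare names like "intranet" or "fileserver" never leave the LAN.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // Internal domain: direct, no proxy.
  for (var i = 0; i < INTRANET_DOMAINS.length; i++) {
    if (dnsDomainIs(host, INTRANET_DOMAINS[i])) {
      return "DIRECT";
    }
  }
  // Allow-listed business partners: direct, the egress firewall permits them.
  for (var j = 0; j < PARTNER_DOMAINS.length; j++) {
    if (dnsDomainIs(host, PARTNER_DOMAINS[j])) {
      return "DIRECT";
    }
  }
  // Everything else only via the internet proxy. If the firewall does not
  // let this VLAN reach the proxy, the request fails closed.
  return INTERNET_PROXY;
}
```

The leading dot on each domain matters: with `.corp.example` in the list, a look-alike such as `evilcorp.example` does not match and is sent to the proxy rather than treated as internal.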

Author Comment

ID: 39733705
Wouldn't that require allowing the uncontrolled internet onto the restricted intranet?

The requirement is that the internal network NEVER allows traffic except to those on the exceptions.

With this proxy solution, does it still allow total firewalling of internet browsing from the intranet? Can the user still get the VM infected from their browsing of the proxied internet?

Author Comment

ID: 39733716
Maybe it would help if I tried to clarify a bit more what we are trying to do.

Our main network is being locked down tight; one of the things we are using is deny all outbound traffic except to trusted URLs. The reason we are taking this approach is that we are constantly being hit by malicious phishing attacks that, when opened, go out to a rogue URL and pull down keystroke loggers and rootkits.
We are having to take this approach because the perpetrators are relentless and have unlimited funds and manpower. So, our main network will remain locked down.

Now, in our line of work, researching things using Google and the like is a must. So our people must have the ability to access Google and the search results that come up. Being locked down to only trusted URLs makes search engine results useless because the URLs that are returned from a search will not be reachable.

That is why we need a separate network that allows access to the internet, but the VM in the restricted network must NEVER be exposed to the unfiltered internet.

I am trying to figure out a way to do this using zero clients...there must be a way to set this up so that a user can "toggle" from the restricted network to the unfiltered internet.

Maybe the only answer is for each user to have two computers, one for the restricted and one for the unrestricted?

Expert Comment

ID: 39733753
Using proxies is an old school method and I no longer recommend it. You need a good Next Generation Firewall such as Palo Alto Networks. They are the pioneers in the next generation firewall concept. The point is their firewall is a true layer 7 firewall that filters traffic based on Content-ID, App-ID, and User-ID. This firewall will give you the most flexibility in terms of filtering. URL and category based filtering is good, but not enough to protect your network. You basically need a traffic cop to monitor, analyze, and filter traffic going through any ports you allow open. For example: the most common being ports 80 and 443; when using URL filtering you allow select URLs to pass through either of these ports.

URL filtering is not enough because you can have malicious content even on allowed/white-listed websites that may redirect traffic. Therefore, you need to make sure the appliance checks for malware/viruses. Also, the firewall needs to be able to actively identify the content and selectively block portions of the site. Now there are some really good proxies out there that are very capable of doing this. One I've used in the past, called Webwasher, formerly by Secure Computing, now McAfee, was a very good product with very granular filtering abilities. However, it still lacked the ability to filter application traffic, which in today's Web 2.0/3.0 world is more common. Most popular sites these days use apps that traverse your firewall over a variety of different ports, which creates huge problems for firewall administrators and companies. The point is application filtering becomes an important part of allowing or denying components from a website. For example: you may want certain users to have access to Facebook, but not give them the ability to transfer files, chat, or play Facebook games. This is what App-ID filtering allows you to do. You selectively enable access to Gmail, Yahoo Mail, etc., but deny the ability to use chat, upload/download files, and/or restrict other application features.

So again, a Palo Alto Networks firewall will give you a single point where all inbound/outbound traffic will traverse no matter how you segment your traffic using multiple internal networks with routers, VLANs, and subnets. Instead you can filter using user IDs and AD groups, etc., which is also used by proxies. With the Palo Alto Networks firewall you won't use proxy settings since it's your default gateway. So you can selectively filter content by IP, subnet, group, or user ID.

Note other vendors have jumped on the Next-Gen Firewall bandwagon, so there are other vendors. My personal choice and what we use internally is Palo Alto Networks.

Author Comment

ID: 39733763
That's a great summary of URL whitelisting capabilities, and we do use PA. But the network internet access is not negotiable. THERE WILL BE NO ACCESS TO ANY URLS OTHER THAN THOSE WE DO BUSINESS WITH for the primary network.

Internet browsing will require a separate method...there will be no free browsing from the primary network.

I am just trying to figure out if I can set up something that doesn't require buying two clients for each user and having a separate VM for browsing.

Expert Comment

by:Rich Rumble
ID: 39733795
I'm not familiar with a zero client, but it sounds like a virtual or thin client. Thanks for the clarification also. I'm not a fan of NGFWs or UTM systems. It sounds to me like the most you want is clipboard access to/from a host that the users can use to interact with the internet, but it doesn't touch their locked down machine other than the video portion.
A jump box is what you're after: RDP/Terminal Services/Citrix from the locked down machine to the more external facing machine. I use two screens on my computer; the main computer is in a DMZ and has no access to the internet. The other screen I use as my RDP desktop for the machine outside the DMZ. My firewall only allows established connections from the DMZ to that other IP. The only data I get from the RDP session is video of the other host, and I can copy to or from it in the clipboard.
That should save you some money over NGFW/UTM, not to mention much less administration.

Author Comment

ID: 39740920
who makes a "jump box"?

Accepted Solution

Rich Rumble earned 500 total points
ID: 39740978
You do :) Think of it like using VNC or RDP to "remote control" another PC. You have your locked down network, with only outbound permissions to a Terminal Server or Citrix server. That terminal server/Citrix server is controlled by the locked down hosts. You see what it sees, and control it from the locked down host. To get something to/from that remote host you use the clipboard; copy and paste is about all you can do. The remote host can't do anything to the locked down host.
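The firewall policy behind the jump-box design in the two comments above (only outbound RDP from the locked-down network to the jump host, only established return traffic back, partner sites allow-listed, everything else denied, and the jump host free to browse) can be checked against concrete flows before it is put on a real firewall. The model below is an added example, not configuration from the thread or from any vendor; the zone ranges, the jump host address, the partner address and the sample flows are all constructed.

```javascript
// Added example: a first-match, default-deny policy model with a minimal
// connection table, used to sanity-check the jump-box design.
// All addresses, zones and ports below are constructed for illustration.

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// Zones in lookup order; the catch-all "internet" zone comes last.
const ZONES = [
  ["restricted", "10.10.0.0/16"], // locked-down VDI VLAN (constructed)
  ["dmz",        "10.20.0.0/24"], // jump host / terminal server VLAN (constructed)
  ["internet",   "0.0.0.0/0"],
];
function zoneOf(ip) {
  return ZONES.find(([, cidr]) => inCidr(ip, cidr))[0];
}

const JUMP_HOST = "10.20.0.10";              // terminal server (constructed)
const PARTNER_HOSTS = ["198.51.100.20"];     // allow-listed partner (constructed)

// First matching rule wins; the last rule is the explicit default deny.
const RULES = [
  { name: "restricted-to-jump-rdp", from: "restricted", to: "dmz", action: "allow",
    match: f => f.dst === JUMP_HOST && f.proto === "tcp" && f.dport === 3389 },
  { name: "restricted-to-partners-https", from: "restricted", to: "internet", action: "allow",
    match: f => PARTNER_HOSTS.includes(f.dst) && f.proto === "tcp" && f.dport === 443 },
  { name: "dmz-to-internet-web", from: "dmz", to: "internet", action: "allow",
    match: f => f.proto === "tcp" && (f.dport === 80 || f.dport === 443) },
  { name: "default-deny", from: "*", to: "*", action: "deny", match: () => true },
];

// Connection table: 5-tuples of sessions the policy has already allowed.
const sessions = new Set();
const key = f => `${f.proto}:${f.src}:${f.sport}>${f.dst}:${f.dport}`;
const reverseKey = f => `${f.proto}:${f.dst}:${f.dport}>${f.src}:${f.sport}`;

function evaluate(f) {
  // Replies belonging to an allowed session pass regardless of direction;
  // this is the "established connections only" behaviour from the DMZ.
  if (sessions.has(reverseKey(f))) return { action: "allow", rule: "established" };
  const from = zoneOf(f.src);
  const to = zoneOf(f.dst);
  for (const r of RULES) {
    if ((r.from === "*" || r.from === from) && (r.to === "*" || r.to === to) && r.match(f)) {
      if (r.action === "allow") sessions.add(key(f));
      return { action: r.action, rule: r.name };
    }
  }
  return { action: "deny", rule: "implicit-deny" };
}

// Constructed flows exercising the design; returns one verdict per flow.
function demo() {
  sessions.clear();
  const user = "10.10.5.7"; // a zero-client user's restricted VM (constructed)
  const flows = [
    ["user -> random internet site",  { proto: "tcp", src: user, sport: 50000, dst: "203.0.113.5", dport: 443 }],
    ["user -> allow-listed partner",  { proto: "tcp", src: user, sport: 50001, dst: "198.51.100.20", dport: 443 }],
    ["user -> jump host (RDP)",       { proto: "tcp", src: user, sport: 50002, dst: JUMP_HOST, dport: 3389 }],
    ["jump host -> user (RDP reply)", { proto: "tcp", src: JUMP_HOST, sport: 3389, dst: user, dport: 50002 }],
    ["jump host -> user (new SMB)",   { proto: "tcp", src: JUMP_HOST, sport: 40000, dst: user, dport: 445 }],
    ["jump host -> internet (HTTPS)", { proto: "tcp", src: JUMP_HOST, sport: 40001, dst: "203.0.113.5", dport: 443 }],
  ];
  return flows.map(([label, f]) => ({ label, ...evaluate(f) }));
}

for (const r of demo()) console.log(`${r.action.padEnd(5)} ${r.rule.padEnd(30)} ${r.label}`);
```

The two verdicts worth staring at are the fourth and fifth: the RDP reply from the jump host is allowed only because the restricted VM opened that session, while a new connection from the jump host toward the restricted VM on any other port falls through to the default deny. That is the property the accepted answer relies on: a compromised browsing host cannot initiate anything back into the locked-down network.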

Author Closing Comment

ID: 39740995
Thanks! This is what I was looking for. I'll see if I can get the funding for this.
