Need a method of switching between intranet and internet for zero client users

Posted on 2013-12-20
Last Modified: 2013-12-26
We are moving to a VDI solution with zero clients and Nutanix Servers with VMware.  We are going with a default deny policy on our intranet in which we will only allow a whitelist of urls outbound to the trusted business partners we deal with.
When we implement that, it will break internet browsing so we would have another VLAN or security zone that is less restrictive to be used by everyone for internet browsing.

My question is how do I achieve this without putting two zero-clients and having 2 VM's for every user???

This is probably simple but I am brain frozen....
Question by:rand1964
LVL 38

Expert Comment

by:Rich Rumble
ID: 39733564
Perhaps you should use a proxy, have a browser like Firefox set up to use the proxy for internet, and use IE to browse the local intranet and other white-listed sites. The proxy can also, depending on the solution, use an Anti-virus to scan all data going to/from the internet.

Author Comment

ID: 39733705
Wouldn't that require allowing the uncontrolled internet onto the restricted intranet?

The requirement is that the internal network NEVER allows traffic except to those on the exceptions.

This proxy solution, does it still allow total firewalling of internet browsing from the intranet?  Can the user still get the VM infected from their browsing of the proxied internet?

Author Comment

ID: 39733716
Maybe it would help if I tried to clarify a bit more what we are trying to do.

Our main network is being locked down tight; one of the things we are using is deny all outbound traffic except to trusted URLs.  The reason we are taking this approach is because we are constantly being hit by malicious phishing attacks that, when opened, go out to a rogue URL and pull down keystroke loggers and rootkits.
We are having to take this approach because the perpetrators are relentless and have unlimited funds and manpower.  So, our main network will remain locked down.

Now, in our line of work, researching things using Google and the like is a must.  So our people must have the ability to access Google and the search results that come up.  Being locked down to only trusted URLs makes search engine results useless because the URLs that are returned from a search will not be able to be gotten to.

That is why we need a separate network that allows access to the internet, but the VM in the restricted network must NEVER be exposed to the unfiltered internet.

I am trying to figure out a way to do this using zero clients...there must be a way to set this up so that a user can "toggle" from the restricted network to the unfiltered internet.

Maybe the only answer is for each user to have two computers, one for the restricted and one for the unrestricted?

Expert Comment

ID: 39733753
Using proxies is an old school method and I no longer recommend it.  You need a good Next Generation Firewall such as Palo Alto Networks.  They are the pioneers in the next generation firewall concept.   The point is their firewall is a true layer 7 firewall that filters traffic based on Content-ID, App-ID, and User-ID.  This firewall will give you the most flexibility in terms of filtering.  URL and category based filtering is good, but not enough to protect your network.  You basically need a traffic cop to monitor, analyze, and filter traffic going through any ports you allow open.  For example: the most common being port 80 and 443; when using URL filtering you allow select URLs to pass through either of these ports.  

URL filtering is not enough because you can have malicious content even on allowed/white-listed websites that may redirect traffic.  Therefore, you need to make sure the appliance checks for Malware/Viruses.  Also, the firewall needs to be able to actively identify the content and selectively block portions of the site.  Now there are some really good proxies out there that are very capable at doing this.  One I've used in the past called Webwasher, formerly by Secure Computing, now McAfee, was a very good product with very granular filtering abilities.  However, it still lacked the ability to filter Application traffic, which in today's Web 2.0/3.0 world is more common.  Most popular sites these days use apps that traverse your firewall over a variety of different ports, which creates huge problems for Firewall administrators and companies.  The point is, Application filtering becomes an important part of allowing or denying components from a website.  For example: you may want certain users to have access to Facebook, but not give them the ability to transfer files, chat, or play Facebook games.  This is what App-ID filtering allows you to do.  You selectively enable access to gmail, yahoo mail, etc..., but deny the ability to use chat, upload/download files, and/or restrict other application features.  

So again, Palo Alto Networks Firewall will give you a single point where all inbound/outbound traffic will traverse no matter how you segment your traffic using multiple internal networks with routers, VLANs, and subnets.  Instead you can filter using User IDs and AD groups, etc..., which is also used by proxies.  With Palo Alto Networks firewall you won't use proxy settings since it's your default gateway.  So you can selectively filter content by IP, Subnet, Group, or User ID.

Note other vendors have jumped on the Next-Gen Firewall bandwagon so there are other vendors.  My personal choice and what we use internally is Palo Alto Networks.

Author Comment

ID: 39733763
That's a great summary of URL whitelisting capabilities, and we do use PA.  But the network internet access is not negotiable.  THERE WILL BE NO ACCESS TO ANY URLS OTHER THAN THOSE WE DO BUSINESS WITH for the primary network.

Internet browsing will require a separate method...there will be no free browsing from the primary network.

I am just trying to figure out if I can set up something that doesn't require buying two clients for each user and having a separate VM for browsing.
LVL 38

Expert Comment

by:Rich Rumble
ID: 39733795
I'm not familiar with a zero client, but it sounds like a virtual or thin client. Thanks for the clarification also. I'm not a fan of NGFWs or UTM systems. It sounds to me like the most you want is clipboard access to/from a host that the users can interact with the internet on, but it doesn't touch their locked down machine other than the video portion.
A jump box is what you're after: RDP/Terminal Services/Citrix from the locked down machine to the more external facing machine. I use 2 screens on my computer; the main computer is in a DMZ and has no access to the internet. The other screen I use as my RDP desktop for the machine outside the DMZ. My firewall only allows established connections from the DMZ to that other IP. The only data I get from the RDP session is video of the other host and I can copy to or from in the clipboard.
That should save you some money over NGFW/UTM, not to mention much less administration.

Author Comment

ID: 39740920
who makes a "jump box"?
LVL 38

Accepted Solution

Rich Rumble earned 500 total points
ID: 39740978
You do :) Think of it like using VNC or RDP to "remote control" another PC. You have your locked down network, with only outbound permissions to a Terminal Server or Citrix server. That terminal server/Citrix server is controlled by the locked down hosts. You see what it sees, and control it from the locked down host. To get something to/from that remote host you use the clipboard; copy and paste is about all you can do. The remote host can't do anything to the locked down host.
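
As an added example (not from the thread or from any of the posters), here is how the accepted solution's firewall policy might look on an nftables router sitting between the locked-down VDI VLAN and the rest of the network. The VLAN, jump host, resolver and partner addresses are placeholders, and URL-level whitelisting is assumed to stay on the existing layer-7 firewall; this ruleset only pins the layer-3/4 side of the design.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. All addresses are placeholders.
flush ruleset

define restricted_vlan = 10.10.0.0/24                     # locked-down VDI VMs (assumed)
define internal_dns    = 10.10.0.53                       # internal resolver (assumed)
define jump_host       = 10.20.0.5                        # Terminal Server/Citrix box (assumed)
define partner_hosts   = { 203.0.113.10, 203.0.113.11 }   # trusted business partners (placeholders)
define rdp_port        = 3389

table inet restricted_egress {
    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny, both directions

        # Only return traffic for flows the restricted side opened is allowed back in.
        # The jump host therefore cannot initiate anything toward the locked-down VMs.
        ct state established,related accept
        ct state invalid drop

        # Name resolution for the whitelisted partner URLs goes to the internal resolver only.
        ip saddr $restricted_vlan ip daddr $internal_dns udp dport 53 ct state new accept
        ip saddr $restricted_vlan ip daddr $internal_dns tcp dport 53 ct state new accept

        # Jump box: restricted VMs may open RDP to the jump host and nothing else there.
        # The session carries video and clipboard; the browsing happens on the jump host,
        # which lives in the unrestricted zone.
        ip saddr $restricted_vlan ip daddr $jump_host tcp dport $rdp_port ct state new accept

        # Whitelisted partners, HTTPS only. Hostname/URL checks belong to the layer-7
        # firewall or proxy; at this layer you can only pin the IP addresses.
        ip saddr $restricted_vlan ip daddr $partner_hosts tcp dport 443 ct state new accept

        # Everything else from the restricted VLAN is logged before the policy drops it,
        # so a phish that tries to reach a rogue URL shows up in the logs rather than
        # failing silently.
        ip saddr $restricted_vlan log prefix "restricted-egress-drop " counter drop
    }
}
```

Load it with `nft -f <file>` on the router and verify with `nft list ruleset`; the log prefix makes the dropped outbound attempts easy to pick out in syslog or a SIEM.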

Author Closing Comment

ID: 39740995
Thanks!  This is what I was looking for; now to see if I can get the funding for this.
