Solved

How to Block Thin Client Access

Posted on 2014-04-10
Last Modified: 2014-07-15
I have some thin clients in my network which are not part of my domain, but I want to block their internet access and only allow some internally hosted intranet-based sites. How can I achieve that?

Remember, they are not part of the domain, but they connect to terminal servers for working on the AS 400 system.
Question by:annasad
10 Comments
 
LVL 15

Accepted Solution

by:
Perarduaadastra earned 125 total points
ID: 39991479
Block them from web access at the firewall using their IP addresses if those addresses are static, and MAC addresses if they aren't.
0
 
LVL 11

Expert Comment

by:Giladn
ID: 39991500
Hi,

If those are the only users on your terminal server then you can:

1. Use a proxy to block/allow access (e.g. Squid proxy - free to use).
2. Use your firewall to allow/deny access from LAN to WAN with exceptions.
3. Disable DNS and use the hosts file from the Windows terminal to set resolution to those addresses.

What kind of firewall are you using?
Do you have internal DNS?
Do you use a proxy?

Post back and I will guide you.

Hope it helps,

G
0
 
LVL 1

Author Comment

by:annasad
ID: 39992384
The thin clients are located at the remote side, connected behind a Cisco 881 firewall which is connected to the hub side with an IPsec tunnel. The proxy we are using is configured in the Cisco 881, which uses the Cisco ScanSafe proxy service.

The proxy points the internet traffic to internal proxy servers and all users are authenticated through LDAP policies created in domain controllers. Since these thin client machines are not created on domain users, they are not using any proxy and for this reason they go to the internet.

I am not sure how the thin clients can be configured with proxy settings. The users created on the thin clients are not even admin users, and even if they were admin, what would be the way to block their internet access?

If those thin clients were using domain users, we could add those users to the internet group, which would later be authenticated in Cisco cloud security.
0

 
LVL 27

Expert Comment

by:skullnobrains
ID: 39996023
"proxy point the internet traffic to internal proxy servers and all user are authenticated through ldap policies created in domain controllers ... since these thin client machines are not created on domain users, they are not using any proxy and for this reason they go to internet."

Forbid any web traffic on your firewall that does NOT come from the proxy/proxies. You should do this anyway to achieve proper security.
0
 
LVL 1

Author Comment

by:annasad
ID: 40103966
This does not provide the solution, as this is designed as per the internal design of the enterprise. The remote-to-hub internet connectivity works in an entirely different way, and we discussed this with Cisco, who is providing this solution. They would come up with a service to resolve this.

"The proxy in the 881 points the internet traffic to cloud proxy servers and all users are authenticated through LDAP policies created in domain controllers. Since these thin client machines are not created on domain users, they are not using any proxy and for this reason they go to the internet."

The above is a correct explanation.
0
 
LVL 27

Assisted Solution

by:skullnobrains
skullnobrains earned 250 total points
ID: 40120139
"i am not sure how thin client can be configured to configure proxy settings"

The simplest would likely be through WPAD if you don't want to do manual setup on each client.

http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

You may alternatively want to set up a semi-transparent proxy on the Cisco box.
0
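A PAC file of the kind WPAD would hand to the thin clients, as an added example that is not part of the thread: intranet hosts go direct and every other request is sent to a proxy address where nothing listens. The `.corp.example` suffix and the loopback blackhole address are assumptions; the 10.0.0.0/16 range is taken from the routing example elsewhere on this page.

```javascript
// wpad.dat / proxy.pac -- added example, not from the thread.
// Constructed values: the ".corp.example" intranet suffix and the blackhole
// address; 10.0.0.0/16 is the internal range used in the routing example.
// Written in plain ES3-style JavaScript so older PAC engines can parse it.
var INTRANET_SUFFIX = ".corp.example";
var BLACKHOLE = "PROXY 127.0.0.1:9"; // nothing listens here, so the request fails

// True when host is a dotted-quad literal inside 10.0.0.0/16.
function isInternalIp(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return false; // reject malformed octets
  }
  return Number(m[1]) === 10 && Number(m[2]) === 0;
}

// True when host is a single-label name, the intranet domain itself,
// or a name beneath it. Suffix is matched at the end of the name only,
// so "corp.example.evil.test" does not qualify.
function isIntranetName(host) {
  if (host.indexOf(".") === -1) return true;      // e.g. "as400"
  var h = host.toLowerCase().replace(/\.$/, "");  // drop trailing root dot
  if (h === INTRANET_SUFFIX.substring(1)) return true;
  var tail = h.length - INTRANET_SUFFIX.length;
  return tail > 0 && h.indexOf(INTRANET_SUFFIX, tail) === tail;
}

// Entry point that every PAC-aware client calls for each request.
function FindProxyForURL(url, host) {
  if (isInternalIp(host) || isIntranetName(host)) return "DIRECT";
  return BLACKHOLE;
}
```

Serve it as `wpad.dat` with the MIME type `application/x-ns-proxy-autoconfig`. A client that ignores proxy auto-configuration still goes out directly, so the firewall rule that only lets the proxies reach the web remains the enforcement point.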
 
LVL 1

Author Comment

by:annasad
ID: 40140364
I am closing this question as no answer has sufficient information for the solution I am looking for; however, there was some insightful information. I will distribute the marks, however.
0
 
LVL 11

Assisted Solution

by:Giladn
Giladn earned 125 total points
ID: 40141582
Why not block internet access via the routing table?
You should have an internet route that says:
 0.0.0.0          0.0.0.0         10.0.0.1  metric 1
for example.

Why not execute:
route -p add 0.0.0.0 mask 0.0.0.0 2.2.2.2 metric 1
This should block all internet traffic, assuming your existing connections are already routed (internal LAN). See this for example:

Destination   Netmask        Gateway    Interface   Metric
0.0.0.0       0.0.0.0        10.0.0.1   10.0.3.76   1    <-- INTERNET (0.0.0.0: all that is not stated in the routing table)
10.0.0.0      255.255.0.0    On-link    10.0.3.76   1    <-- internal network 10.0.0.1/16 goes through the existing network card

That means that all internet traffic goes via 10.0.0.1 and all LAN traffic to the 10.0.0.0/16 network goes through my NIC that is connected to the LAN. This should give you a solution.
Another solution is to give a different scope to those stations and route to nowhere on your Cisco firewall. If, for example, the subnet is 10.2.1.1 you should route:
source 10.0.2.1.1/16  destination 0.0.0.0 gateway 2.2.2.222 (does not exist)

Does this help?


Gilad
0
 
LVL 27

Assisted Solution

by:skullnobrains
skullnobrains earned 250 total points
ID: 40146580
"no possible answer is having sufficient information for solution i am looking forward"

There are many ways to achieve your goals. Feel free to pick one and ask for help setting it up, or to discuss which solutions would (|not) be practical in your environment and why, so we can help you move forward.
0
 
LVL 1

Author Closing Comment

by:annasad
ID: 40197978
I haven't opted for any solution as we are using the Cisco ScanSafe service and they provided a viable solution for this.
0
