annasad
How to Block Thin Client Access
I have some thin clients in my network which are not part of my domain, but I want to block their internet access and only allow some internally hosted intranet-based sites. How can I achieve that?
Remember, they are not part of the domain, but they connect to terminal servers for working on the AS 400 system.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The thin clients are located at the remote side, connected behind the Cisco 881 firewall, which is connected to the hub side with an IPSec tunnel. The proxy we are using is configured in the Cisco 881, which is using the Cisco ScanSafe proxy service.
The proxy points the internet traffic to internal proxy servers, and all users are authenticated through LDAP policies created in the domain controllers... Since these thin client machines are not created on domain users, they are not using any proxy, and for this reason they go to the internet.
I am not sure how the thin clients can be configured with proxy settings. The users created on the thin clients are not even admin users, and even if they are admin, what can be the way to block their internet access?
If those thin clients were using domain users, we could add those users to the internet group, which would later be authenticated in Cisco Cloud Security.
Forbid any web traffic on your firewall that does NOT come from the proxy/proxies. You should do this anyway to achieve proper security.
ASKER
This does not provide the solution, as this is designed as per the internal design of the enterprise. The remote-to-hub internet connectivity works in an entirely different way, and we discussed this with Cisco, who is providing this solution. They would come up with a service to resolve this.
"Proxy in 881 points the internet traffic to cloud proxy servers, and all users are authenticated through LDAP policies created in the domain controllers... Since these thin client machines are not created on domain users, they are not using any proxy, and for this reason they go to the internet."
The above is a correct explanation.
ASKER
I am closing this question, as no answer has sufficient information for the solution I am looking for; however, there was some insightful information. I will distribute the marks, however.
ASKER
I haven't opted for any solution, as we are using the Cisco ScanSafe service and they provided a viable solution for this.
If those are the only users on your terminal server, then you can:
1. Use a proxy to block/allow access (e.g. Squid proxy, free to use).
2. Use your firewall to allow/deny access from LAN to WAN with exceptions.
3. Disable DNS and use the hosts file from the Windows terminal to set resolution to those addresses.
What kind of firewall are you using?
Do you have internal DNS?
Do you use a proxy?
Post back and I will guide you.
Hope it helps,
G
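The firewall approach suggested in this thread (allow LAN-to-WAN traffic only with exceptions, so clients that bypass the proxy cannot reach the internet), written as a Cisco IOS extended ACL. This is an added example, not configuration from the thread or from Cisco; the subnets, the ACL name and the LAN interface are assumptions, and it assumes the thin clients sit in their own subnet.

```cisco
! Constructed addressing (assumptions, not taken from the thread):
!   192.168.50.0/24  thin-client subnet behind the remote router
!   10.10.0.0/16     hub-side internal networks reached over the IPsec
!                    tunnel (terminal servers, intranet sites, internal DNS)
!
ip access-list extended THIN-CLIENT-IN
 remark DHCP requests from clients to the local router, if it serves DHCP
 permit udp any eq bootpc any eq bootps
 remark thin clients may reach internal networks over the tunnel
 permit ip 192.168.50.0 0.0.0.255 10.10.0.0 0.0.255.255
 remark anything else from the thin clients is dropped and logged
 deny ip 192.168.50.0 0.0.0.255 any log
 remark hosts outside the thin-client subnet are not affected by this ACL
 permit ip any any
!
! Vlan1 is assumed to be the LAN-facing interface of the remote router
interface Vlan1
 ip access-group THIN-CLIENT-IN in
```

IOS evaluates the entries top-down and stops at the first match, so the permit for internal networks must stay above the deny; the `log` keyword on the deny entry records which thin clients are still attempting direct internet access.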