Solved

How to Block Thin Client Access

Posted on 2014-04-10
889 Views
Last Modified: 2014-07-15
I have some thin clients in my network which are not part of my domain, but I want to block their internet access and only allow some internally hosted intranet-based sites. How can I achieve that?

Remember they are not part of the domain, but they connect to terminal servers for working on the AS/400 system.
Question by:annasad
10 Comments
 
LVL 15

Accepted Solution

by: Perarduaadastra (earned 125 total points)
ID: 39991479
Block them from web access at the firewall using their IP addresses if those addresses are static, and MAC addresses if they aren't.
 
LVL 11

Expert Comment

by: Giladn
ID: 39991500
Hi,

If those are the only users on your terminal server, then you can:

1. Use a proxy to block/allow access (e.g. Squid proxy, free to use).
2. Use your firewall to allow/deny access from LAN to WAN with exceptions.
3. Disable DNS and use the hosts file on the Windows terminal to set resolution to those addresses.

What kind of firewall are you using?
Do you have internal DNS?
Do you use a proxy?


Post back and I will guide you.

Hope it helps,

G
 
LVL 1

Author Comment

by: annasad
ID: 39992384
The thin clients are located at a remote site, connected behind a Cisco 881 firewall, which is connected to the hub site with an IPsec tunnel. The proxy we are using is configured in the Cisco 881, which uses the Cisco ScanSafe proxy service.

The proxy points the internet traffic to internal proxy servers, and all users are authenticated through LDAP policies created on the domain controllers... Since these thin client machines are not created as domain users, they are not using any proxy, and for this reason they go to the internet.

I am not sure how a thin client can be configured with proxy settings; the users created on the thin clients are not even admin users. Or even if they are admin, what can be the way to block their internet access?

If those thin clients were using domain users, we could add those users to the internet group, which would later be authenticated in Cisco cloud security.

 
LVL 27

Expert Comment

by: skullnobrains
ID: 39996023
"The proxy points the internet traffic to internal proxy servers, and all users are authenticated through LDAP policies created on the domain controllers... Since these thin client machines are not created as domain users, they are not using any proxy, and for this reason they go to the internet."

Forbid any web traffic on your firewall that does NOT come from the proxy/proxies. You should do this anyway to achieve proper security.
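The firewall approach from the accepted solution and the comment above, written out as an IOS access list on the 881, is shown here as an added example; it is not configuration from the thread or from Cisco. Every address in it is assumed: the thin clients sit in 192.168.10.0/24 behind the router's Vlan1 interface, the terminal servers at the hub are 10.10.20.0/24 (RDP over the IPsec tunnel), the intranet web servers are 10.10.30.0/24 and the internal DNS server is 10.10.1.10. The list is applied inbound on the LAN interface, so it is evaluated before routing, NAT or the ScanSafe redirect, and the thin clients never get a path to the internet at all, whether or not they use a proxy.

```cisco
! Added example, not from the thread. All addresses below are assumed:
!   192.168.10.0/24  thin clients (remote-site LAN behind the 881's Vlan1)
!   10.10.20.0/24    terminal servers at the hub (RDP, reached over the IPsec tunnel)
!   10.10.30.0/24    intranet web servers at the hub
!   10.10.1.10       internal DNS server at the hub
!
ip access-list extended THINCLIENT-IN
 remark Thin clients may reach the intranet only. Evaluated on ingress, before NAT / ScanSafe.
 permit udp  192.168.10.0 0.0.0.255 host 10.10.1.10 eq domain
 permit tcp  192.168.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 3389
 permit tcp  192.168.10.0 0.0.0.255 10.10.30.0 0.0.0.255 eq www
 permit tcp  192.168.10.0 0.0.0.255 10.10.30.0 0.0.0.255 eq 443
 permit icmp 192.168.10.0 0.0.0.255 10.10.0.0 0.0.255.255 echo
 remark Everything else from the thin-client range is dropped and logged (hit counts show bypass attempts).
 deny   ip   192.168.10.0 0.0.0.255 any log
 remark Other hosts on the LAN (domain PCs) are unaffected and still go through the ScanSafe proxy.
 permit ip   any any
!
interface Vlan1
 ip access-group THINCLIENT-IN in
```

Verify with `show ip access-lists THINCLIENT-IN`: the deny line's hit count rises whenever a thin client tries to leave the intranet. Two caveats: IOS extended ACLs match IP addresses, not MAC addresses, so if the thin clients get their addresses by DHCP, pin them with DHCP reservations (or put them in their own subnet) so the source range stays stable; and if the thin clients need to reach the terminal servers by name rather than IP, the DNS permit line is required, otherwise only the IP-based entries work.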
 
LVL 1

Author Comment

by: annasad
ID: 40103966
This does not provide the solution, as this is designed per the internal design of the enterprise. The remote-to-hub internet connectivity is done in an entirely different way, and we discussed this with Cisco, who is providing this solution. They would come up with a service to resolve this.

"The proxy in the 881 points the internet traffic to cloud proxy servers, and all users are authenticated through LDAP policies created on the domain controllers... Since these thin client machines are not created as domain users, they are not using any proxy, and for this reason they go to the internet."

The above is the correct explanation.
 
LVL 27

Assisted Solution

by: skullnobrains (earned 250 total points)
ID: 40120139
"I am not sure how a thin client can be configured with proxy settings"

The simplest would likely be through WPAD if you don't want to do a manual setup on each client.

http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

You may alternatively want to set up a semi-transparent proxy on the Cisco box.
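The WPAD route suggested above, as an added example that is not from the thread: if the 881 is the DHCP server for the thin-client LAN, it can hand out the PAC URL in DHCP option 252, which is the first place a WPAD-capable client looks before falling back to a DNS lookup of `wpad.<domain>`. The pool, the 192.168.10.0/24 range, the domain `example.local`, the DNS server 10.10.1.10 and the PAC URL are all assumed for the example.

```cisco
! Added example, not from the thread. Assumed: the 881 serves DHCP for the
! thin-client LAN 192.168.10.0/24, the site domain is example.local, and a web
! server reachable as wpad.example.local serves the PAC file /wpad.dat.
ip dhcp excluded-address 192.168.10.1 192.168.10.20
!
ip dhcp pool THINCLIENTS
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 10.10.1.10
 domain-name example.local
 ! DHCP option 252: WPAD / proxy auto-config URL, sent as an ASCII string
 option 252 ascii http://wpad.example.local/wpad.dat
```

Clients that do not honour option 252 try `http://wpad.example.local/wpad.dat` by DNS, so add that A record on the internal DNS server as well. WPAD only reaches proxy-aware applications and only on clients with proxy auto-detection enabled; it steers traffic to the proxy, it does not block a client that ignores it, so on its own it is not an enforcement control and should be paired with a firewall rule on the 881.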
 
LVL 1

Author Comment

by: annasad
ID: 40140364
I am closing this question, as no possible answer has sufficient information for the solution I am looking for; however, there was some insightful information, and I will distribute the marks.
 
LVL 11

Assisted Solution

by: Giladn (earned 125 total points)
ID: 40141582
Why not block internet access via the routing table?
You should have an internet route that says:
  0.0.0.0          0.0.0.0         10.0.0.1  metric 1
for example.

Why not execute:

  rem Windows "route" syntax: persistent (-p) default route (mask 0.0.0.0) to a gateway that does not exist
  route -p ADD 0.0.0.0 MASK 0.0.0.0 2.2.2.2 METRIC 1

This should block all internet traffic, assuming your existing connections are already routed (internal LAN); see this for example:

  Destination   Netmask       Gateway    Interface   Metric
  0.0.0.0       0.0.0.0       10.0.0.1   10.0.3.76   1        <-- INTERNET (0.0.0.0: everything not stated in the routing table)
  10.0.0.0      255.255.0.0   On-link    10.0.3.76   1        <-- internal network 10.0.0.0/16 goes through the existing network card

That means that all internet traffic goes via 10.0.0.1 and all LAN traffic to the 10.0.0.0/16 network goes through my NIC that is connected to the LAN. This should give you a solution.
Another solution is to give a different scope to those stations and route it to nowhere on your Cisco firewall; if for example the subnet is 10.2.1.1, you should route:
  source 10.2.1.1/16  destination 0.0.0.0  gateway 2.2.2.222 (does not exist)

Does this help?


Gilad
 
LVL 27

Assisted Solution

by: skullnobrains (earned 250 total points)
ID: 40146580
"no possible answer has sufficient information for the solution I am looking for"

There are many ways to achieve your goals. Feel free to pick one and ask for help setting it up, or to discuss which solutions would (or would not) be practical in your environment and why, so we can help you move forward.
 
LVL 1

Author Closing Comment

by: annasad
ID: 40197978
I haven't opted for any solution, as we are using the Cisco ScanSafe service and they provided a viable solution for this.