Solved

How to Block Thin Client Access

Posted on 2014-04-10
773 Views
Last Modified: 2014-07-15
I have some thin clients in my network which are not part of my domain, but I want to block their internet access and only allow some internally hosted intranet-based sites. How can I achieve that?

Remember they are not part of the domain, but they connect to terminal servers for working on the AS/400 system.
0
Question by:annasad
10 Comments
 
LVL 15

Accepted Solution

by:
Perarduaadastra earned 125 total points
Block them from web access at the firewall using their IP addresses if those addresses are static, and MAC addresses if they aren't.
0
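As an added illustration of the accepted answer (this is not code from the thread or from Cisco), the block below parses an IOS-style extended ACL and evaluates sample flows against it, so the rule set can be checked for ordering mistakes before it is applied with `ip access-group` inbound on the branch LAN interface of the 881. Every address is a constructed assumption: thin clients in 192.168.50.0/27, intranet web servers in 10.10.0.0/24, an internal DNS server at 10.10.0.53, a terminal server at 10.20.0.5 reached on 3389, and the rest of 192.168.50.0/24 holding domain PCs that keep their normal access. Wildcard masks are converted to prefixes, first match wins, and the implicit deny at the end of every IOS ACL is modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" matches everything; otherwise "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from "eq N", or None


# Constructed ACL (assumed addresses, not from the thread). Intended for
# "ip access-group BRANCH_IN in" on the LAN interface of the branch router.
BRANCH_ACL = """
! thin clients are assumed to live in 192.168.50.0/27 (wildcard 0.0.0.31)
permit udp 192.168.50.0 0.0.0.31 host 10.10.0.53 eq 53
permit tcp 192.168.50.0 0.0.0.31 10.10.0.0 0.0.0.255 eq 80
permit tcp 192.168.50.0 0.0.0.31 10.10.0.0 0.0.0.255 eq 443
permit tcp 192.168.50.0 0.0.0.31 host 10.20.0.5 eq 3389
deny   ip  192.168.50.0 0.0.0.31 any
! domain PCs (rest of 192.168.50.0/24) are unaffected and still reach the proxy path
permit ip  any any
"""


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    if wildcard & (wildcard + 1):
        raise ValueError(f"non-contiguous wildcard mask {tokens[i + 1]} not supported")
    prefix = 32 - wildcard.bit_length()          # 0.0.0.255 -> /24, 0.0.0.31 -> /27
    return ipaddress.IPv4Network(f"{tokens[i]}/{prefix}", strict=False), i + 2


def parse_acl(text: str) -> List[Rule]:
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' lines; blanks and '!' comments are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0].isdigit():                  # optional sequence number
            tokens = tokens[1:]
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad ACE: {line.strip()!r}")
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First-match evaluation with the implicit 'deny' IOS appends to every ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


if __name__ == "__main__":
    rules = parse_acl(BRANCH_ACL)
    for flow in [("tcp", "192.168.50.10", "10.10.0.20", 443),     # thin client -> intranet
                 ("tcp", "192.168.50.10", "203.0.113.10", 443),   # thin client -> internet
                 ("tcp", "192.168.50.100", "203.0.113.10", 443)]: # domain PC -> internet
        print(flow, "->", evaluate(rules, *flow))
```

The order matters: the specific permits for the thin-client range must precede the `deny ip ... any` for that range, and the closing `permit ip any any` keeps the domain PCs on their existing proxy path. Note that DNS for the thin clients must be allowed explicitly, otherwise even the intranet names stop resolving.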
 
LVL 11

Expert Comment

by:Giladn
Hi,

If those are the only users on your terminal server then you can:

1. Use a proxy to block/allow access (e.g. Squid proxy, free to use).
2. Use your firewall to allow/deny access from LAN to WAN with exceptions.
3. Disable DNS and use the hosts file on the Windows terminal to set resolution to those addresses.

What kind of firewall are you using?
Do you have internal DNS?
Do you use a proxy?


Post back and I will guide you.

Hope it helps,

G
0
 
LVL 1

Author Comment

by:annasad
The thin clients are located at a remote site, connected behind a Cisco 881 firewall which is connected to the hub side with an IPsec tunnel. The proxy we are using is configured in the Cisco 881, which uses the Cisco ScanSafe proxy service.

The proxy points the internet traffic to internal proxy servers and all users are authenticated through LDAP policies created in the domain controllers... Since these thin client machines are not created as domain users, they are not using any proxy, and for this reason they go to the internet.

I am not sure how a thin client can be configured with proxy settings; the users created on the thin clients are not even admin users. Even if they are admins, what can be the way to block their internet access?

If those thin clients were using domain users, we could add those users to the internet group, which would later be authenticated by Cisco cloud security.
0
 
LVL 26

Expert Comment

by:skullnobrains
"The proxy points the internet traffic to internal proxy servers and all users are authenticated through LDAP policies created in the domain controllers... Since these thin client machines are not created as domain users, they are not using any proxy, and for this reason they go to the internet."

Forbid any web traffic on your firewall that does NOT come from the proxy/proxies. You should do this anyway to achieve proper security.
0
 
LVL 1

Author Comment

by:annasad
This does not provide the solution, as this is designed per the internal design of the enterprise. The remote-to-hub internet connectivity works in an entirely different way, and we discussed this with Cisco, who is providing this solution. They would come up with a service to resolve this.

"The proxy in the 881 points the internet traffic to cloud proxy servers and all users are authenticated through LDAP policies created in the domain controllers... Since these thin client machines are not created as domain users, they are not using any proxy, and for this reason they go to the internet."

The above is the correct explanation.
0
 
LVL 26

Assisted Solution

by:skullnobrains
skullnobrains earned 250 total points
"I am not sure how a thin client can be configured with proxy settings"

The simplest would likely be through WPAD if you don't want to do a manual setup on each client.

http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

You may alternatively want to set up a semi-transparent proxy on the Cisco box.
0
 
LVL 1

Author Comment

by:annasad
I am closing this question as no answer has sufficient information for the solution I am looking for; however, there was some insightful information. I will distribute the points regardless.
0
 
LVL 11

Assisted Solution

by:Giladn
Giladn earned 125 total points
Why not block internet access via the routing table?
You should have an internet route that says:
 0.0.0.0          0.0.0.0         10.0.0.1  metric 1
for example.

Why not execute:
route -p add 0.0.0.0 mask 0.0.0.0 2.2.2.2 metric 1
rem Windows "route" syntax needs the "add" verb and "mask"; mask 0.0.0.0 makes this the default route.
rem The gateway must be an address on the local subnet, otherwise Windows rejects the route.
This should block all internet traffic, assuming your existing connections are already routed (internal LAN). See this for example:

Destination   Netmask        Gateway    Interface   Metric
0.0.0.0       0.0.0.0        10.0.0.1   10.0.3.76   1        <-- INTERNET (0.0.0.0: all that is not stated in the routing table)
10.0.0.0      255.255.0.0    On-link    10.0.3.76   1        <-- internal network 10.0.0.0/16 goes through the existing network card.

That means that all internet traffic goes via 10.0.0.1 and all LAN traffic to the 10.0.0.0/16 network goes through my NIC that is connected to the LAN. This should give you a solution.
Another solution is to give a different scope to those stations and route them to nowhere on your Cisco firewall. If for example the subnet is 10.2.1.1, you should route:
source 10.2.1.1/16  destination 0.0.0.0  gateway 2.2.2.222 (does not exist)

Does this help?


Gilad
0
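The answer above relies on how a host picks a route, so here is an added example (not code from the thread) that performs the same longest-prefix lookup a workstation does, over small constructed routing tables that mirror the posted one (LAN 10.0.0.0/16 on-link, default via 10.0.0.1). It shows why a route to 0.0.0.0 with mask 255.255.255.255 changes nothing (it is a host route for the single address 0.0.0.0), while a default route with mask 0.0.0.0 pointed at an unused address on the LAN, or simply no default route at all, sinks everything outside the LAN and leaves LAN traffic untouched. The black-hole next hop 10.0.255.254 is an assumed unused address; on a real box it must be on the local subnet or the OS rejects the route, and the existing default should be removed rather than duplicated with the same metric.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]      # (destination network in CIDR, next hop or "on-link")


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: return the next hop for dst, or None when no route covers it."""
    d = ipaddress.IPv4Address(dst)
    best_len, best_hop = -1, None
    for cidr, hop in table:
        net = ipaddress.IPv4Network(cidr)
        if d in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, hop
    return best_hop


# Constructed tables (assumptions, not captured from a real host).
NORMAL = [("10.0.0.0/16", "on-link"), ("0.0.0.0/0", "10.0.0.1")]

# "route add 0.0.0.0 mask 255.255.255.255 ..." adds a /32 host route for the address
# 0.0.0.0 itself; no real packet is sent there, so the default route still wins.
HOST_ROUTE_ONLY = NORMAL + [("0.0.0.0/32", "2.2.2.2")]

# The default route itself (mask 0.0.0.0) pointed at an address on the LAN that nothing
# owns (assumed unused): ARP never resolves, so every non-LAN packet is dropped.
BLACKHOLED = [("10.0.0.0/16", "on-link"), ("0.0.0.0/0", "10.0.255.254")]

# Equivalent outcome: delete the default route and keep only the on-link LAN route.
NO_DEFAULT = [("10.0.0.0/16", "on-link")]


def demo() -> None:
    """Print where an Internet address and a LAN address would be sent for each table."""
    for name, table in [("normal", NORMAL), ("host route", HOST_ROUTE_ONLY),
                        ("black hole", BLACKHOLED), ("no default", NO_DEFAULT)]:
        internet = lookup(table, "203.0.113.10")   # TEST-NET-3, stands in for any Internet host
        lan = lookup(table, "10.0.3.20")
        print(f"{name:11} internet -> {internet!s:13} LAN -> {lan}")


if __name__ == "__main__":
    demo()
```

Keep in mind that a route on the client is a convenience, not a security boundary: anyone with local administrator rights, or a thin client that reapplies its factory network profile, can restore the default route. The firewall rule remains the authoritative control.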
 
LVL 26

Assisted Solution

by:skullnobrains
skullnobrains earned 250 total points
"no answer has sufficient information for the solution I am looking for"

There are many ways to achieve your goals. Feel free to pick one and ask for help setting it up, or to discuss which solutions would (or would not) be practical in your environment and why, so we can help you move forward.
0
 
LVL 1

Author Closing Comment

by:annasad
I haven't opted for any solution, as we are using the Cisco ScanSafe service and they provided a viable solution for this.
0
