• Status: Solved
  • Priority: Medium
  • Security: Public

How to Block Thin Client Access

I have some thin clients in my network which are not part of my domain, but I want to block their internet access and only allow some internally hosted intranet-based sites. How can I achieve that?

Remember they are not part of the domain, but they connect to terminal servers for working on the AS/400 system.
Asked by: annasad
4 Solutions
 
Perarduaadastra commented:
Block them from web access at the firewall using their IP addresses if those addresses are static, and their MAC addresses if they aren't.
 
Giladn commented:
Hi,

If those are the only users on your terminal server, then you can:

1. Use a proxy to block/allow access (e.g. Squid proxy, free to use).
2. Use your firewall to allow/deny access from LAN to WAN, with exceptions.
3. Disable DNS and use the hosts file on the Windows terminal to set resolution to those addresses.

What kind of firewall are you using?
Do you have internal DNS?
Do you use a proxy?

Post back and I will guide you.

Hope it helps,

G
 
annasad (Author) commented:
The thin clients are located at a remote site, connected behind a Cisco 881 firewall that is connected to the hub site with an IPsec tunnel. The proxy we are using is configured in the Cisco 881, which uses the Cisco ScanSafe proxy service.

The proxy points the internet traffic to internal proxy servers and all users are authenticated through LDAP policies created in the domain controllers... Since these thin client machines are not created as domain users, they are not using any proxy and for this reason they go to the internet.

I am not sure how a thin client can be configured with proxy settings; the users created on the thin clients are not even admin users. Even if they are admins, what can be the way to block their internet access?

If those thin clients were using domain users, we could add those users to the internet group, which would later be authenticated in Cisco cloud security.
 
skullnobrains commented:
"The proxy points the internet traffic to internal proxy servers and all users are authenticated through LDAP policies created in the domain controllers... Since these thin client machines are not created as domain users, they are not using any proxy and for this reason they go to the internet."

Forbid any web traffic on your firewall that does NOT come from the proxy/proxies. You should do this anyway to achieve proper security.
 
annasad (Author) commented:
This does not provide the solution, as this is designed per the internal design of the enterprise. The remote-to-hub internet connectivity is done in an entirely different way, and we discussed this with Cisco, who is providing this solution. They will come up with a service to resolve this.

"The proxy in the 881 points the internet traffic to cloud proxy servers and all users are authenticated through LDAP policies created in the domain controllers... Since these thin client machines are not created as domain users, they are not using any proxy and for this reason they go to the internet."

The above is the correct explanation.
 
skullnobrains commented:
"I am not sure how a thin client can be configured with proxy settings"

The simplest would likely be through WPAD if you don't want to do a manual setup on each client:

http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

You may alternatively want to set up a semi-transparent proxy on the Cisco box.
 
annasad (Author) commented:
I am closing this question, as no answer has sufficient information for the solution I am looking for; however, there was some insightful information. I will distribute the marks anyway.
 
Giladn commented:
Why not block internet access via the routing table?
You should have an internet route that says:
 0.0.0.0          0.0.0.0         10.0.0.1  metric 1
for example.

Why not execute:
route -p add 0.0.0.0 mask 0.0.0.0 2.2.2.2 metric 1
This should block all internet traffic, assuming your existing connections are already routed (internal LAN). See this for example:

Destination   Netmask        Gateway    Interface   Metric
0.0.0.0       0.0.0.0        10.0.0.1   10.0.3.76   1        <-- INTERNET (0.0.0.0: all that is not stated in the routing table)
10.0.0.0      255.255.0.0    On-link    10.0.3.76   1        <-- internal network 10.0.0.0/16 goes through the existing network card
That means that all internet traffic goes via 10.0.0.1 and all LAN traffic to the 10.0.0.0/16 network goes through my NIC that is connected to the LAN. This should give you a solution.
Another solution is to give a different scope to those stations and route it to nowhere on your Cisco firewall. If, for example, the subnet is 10.2.1.1, you should route:
source 10.2.1.1/16  destination 0.0.0.0  gateway 2.2.2.222 (does not exist)

Does this help?

Gilad
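As an added illustration of the routing-table idea in the comment above (example code, not from the thread or from any vendor), here is a small Python model of Windows route selection, longest prefix first and then lowest metric, run over a constructed table matching the one quoted. It shows that adding a black-hole default route with the same metric as the real one only creates a tie, while deleting the real default first diverts internet traffic to the non-existent gateway and leaves the 10.0.0.0/16 LAN on-link. The table contents, the 198.51.100.7 test destination and the helper names are assumptions.

```python
import ipaddress

# Constructed example table, modelled on the "route print" output quoted above:
# (destination, netmask, gateway, interface, metric). "On-link" means no gateway.
ROUTES = [
    ("0.0.0.0",  "0.0.0.0",     "10.0.0.1", "10.0.3.76", 1),  # default -> internet
    ("10.0.0.0", "255.255.0.0", "On-link",  "10.0.3.76", 1),  # internal LAN
]
REAL_GW = "10.0.0.1"   # the gateway that really leads to the internet (assumed)
BOGUS_GW = "2.2.2.2"   # non-existent next hop used as a black hole (from the comment)


def best_routes(table, dst):
    """Candidates left after longest-prefix match, then lowest metric.

    Two or more entries means the host has a tie that the OS breaks
    unpredictably, so a black-hole route that merely ties the real
    default route is not a reliable block.
    """
    dst = ipaddress.ip_address(dst)
    scored = []
    for dest, mask, gw, iface, metric in table:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if dst in net:
            scored.append(((-net.prefixlen, metric), (gw, iface)))
    if not scored:
        return []
    top = min(key for key, _ in scored)
    return [route for key, route in scored if key == top]


def internet_reachable(table, dst="198.51.100.7", real_gw=REAL_GW):
    """True if a packet to dst (a constructed public address) may still reach real_gw."""
    return any(gw == real_gw for gw, _ in best_routes(table, dst))


def add_default(table, gw, metric):
    """Models 'route -p add 0.0.0.0 mask 0.0.0.0 <gw> metric <n>': a second default."""
    return table + [("0.0.0.0", "0.0.0.0", gw, "10.0.3.76", metric)]


def replace_default(table, gw, real_gw=REAL_GW):
    """Delete the real default route first, then add the black-hole one."""
    kept = [r for r in table if not (r[0] == "0.0.0.0" and r[2] == real_gw)]
    return add_default(kept, gw, 1)


if __name__ == "__main__":
    print(best_routes(ROUTES, "198.51.100.7"))                            # real gateway
    print(best_routes(add_default(ROUTES, BOGUS_GW, 1), "198.51.100.7"))  # tie: both defaults
    print(best_routes(replace_default(ROUTES, BOGUS_GW), "198.51.100.7")) # black hole only
    print(best_routes(replace_default(ROUTES, BOGUS_GW), "10.0.3.1"))     # LAN still On-link
```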
 
skullnobrains commented:
"No answer has sufficient information for the solution I am looking for"

There are many ways to achieve your goals. Feel free to pick one and ask for help setting it up, or to discuss which solutions would (or would not) be practical in your environment and why, so we can help you move forward.
 
annasad (Author) commented:
I haven't opted for any solution, as we are using the Cisco ScanSafe service and they provided a viable solution for this.