• Status: Solved

Non Authenticated domain users are able to access the internet through webmarshal

Unfortunately I am not familiar with WebMarshal and, before I head to site, would like to pick someone's brain, as I can't find information relevant to this issue through Google searches.

Authenticated domain users get GPOs which force them through WebMarshal and thus apply rules to them, I assume by forcing them to use WebMarshal as the proxy server. However, non-authenticated users do not get the GPO, get DHCP, and can then access the internet without restriction.

Is there a guide to blocking non-authenticated users? Or, as I see suggested, should I change it from using GPO to using a WPAD file?
Asked:
webdude2000
 
McKnife Commented:
Just configure authentication on your proxy. Sorry, I don't know WebMarshal.
 
webdude2000 Author Commented:
It is a multi-site client, all coming through head office and the WebMarshal system, so I can't manually configure non-domain-joined PCs and don't want to complicate systems with NAP, as I may then have extra work to keep mobile devices working.

I may have to run the configuration wizard again but was hoping to avoid this.
 
McKnife Commented:
No need to reconfigure clients. The proxy should ask for authentication (Kerberos or NTLM preferably). If a non-domain client tries to contact the proxy, he cannot authenticate and will fail to get online.

1. So first make sure that no access without the proxy is possible
2. then configure authentication at the proxy
3. then limit user accounts to only authenticate at the known domain clients and not on all machines in the world

There will be other ways for sure, this is ours.
 
webdude2000 Author Commented:
Thanks, will look into your suggestions.
 
webdude2000 Author Commented:
 
McKnife Commented:
PAC and WPAD tell managed clients what proxy to use. They don't enforce authorization.
 
webdude2000 Author Commented:
How do you enforce authorization?
 
McKnife Commented:
Oh, you are still on this six weeks later? OK...
I already wrote that I don't know WebMarshal - it should be configurable there.
 
webdude2000 Author Commented:
Yup, the client has delayed the changes...

Perhaps I did not ask the question correctly, my apologies.

If one cannot force a client to point to the proxy, as they do not auth to the domain, and if I have not implemented the PAC and WPAD changes, then there is no way to force authorization, as they are not going through the proxy.

If I enforce PAC and WPAD to push through to WebMarshal for access, then any user clever enough to set a static IP can still bypass this.

There must be a component or an additional complementary approach that I am missing.
 
McKnife Commented:
Understood, but: I told you the idea already: "first make sure that no access without the proxy is possible". I cannot tell you how to do that, since I don't know that software. But it is possible, we do it with SQUID. SQUID will not let anyone through if the user is not authenticated.
 
webdude2000 Author Commented:
Yes, should be able to do it at the firewall level to only allow proxy-authenticated traffic through.
Question has a verified solution.
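
The first two steps McKnife lists and the firewall approach from the last comment, sketched with Squid (the proxy McKnife says they use) and an nftables gateway. This is an added example, not configuration from the thread or from WebMarshal; the addresses, interface names, Kerberos realm and helper path are assumptions, and keytab setup for the helper is not shown.

```conf
# ---- squid.conf on the proxy (constructed example) ----
# Kerberos (Negotiate) helper shipped with Squid; install path varies by distribution.
# Realm and service principal below are placeholders.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.internal@EXAMPLE.INTERNAL
auth_param negotiate children 20
auth_param negotiate keep_alive on

# Matches only requests that carry valid proxy credentials.
acl authenticated proxy_auth REQUIRED
acl localnet src 10.0.0.0/8

# The first matching http_access line wins, so the deny must come first.
# Weak form (any LAN host gets out without credentials):
#   http_access allow localnet
# Enforced form: clients without valid credentials get a 407 challenge and nothing else.
http_access deny !authenticated
http_access allow localnet
http_access deny all

# ---- nftables ruleset on the internet gateway (constructed example) ----
# 10.0.0.10 is the proxy; lan0/wan0 are placeholder interface names.
table inet egress_filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # Only the proxy may open web connections to the outside.
        iifname "lan0" oifname "wan0" ip saddr 10.0.0.10 tcp dport { 80, 443 } accept

        # Any other LAN host, whatever its IP or proxy setting, is logged and dropped.
        # A static IP or an ignored PAC/WPAD file therefore gains nothing.
        iifname "lan0" oifname "wan0" log prefix "direct-egress-blocked: " drop
    }
}
```

With the default-drop forward policy, other services that legitimately need outbound access (the internal DNS resolver, mail relay) need their own accept rules. The logged drops show which hosts are still trying to reach the internet without the proxy.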