Non-authenticated domain users are able to access the internet through WebMarshal

Unfortunately I am not familiar with WebMarshal and before I head to site would like to pick someone's brain, as I can't find information through Google searches relevant to this issue.

Authenticated domain users get GPOs which force them through WebMarshal and thus apply rules to them, I assume by forcing them to use WebMarshal as the proxy server. However, non-authenticated users do not get the GPO; they get DHCP and can then access the internet without restriction.

Is there a guide to block non-authenticated users? Or, as I see suggested, change it from using GPO to using a WPAD file?
webdude2000 Asked:

McKnife Commented:
Just configure authentication on your proxy. Sorry, I don't know WebMarshal.
0
webdude2000 Author Commented:
It is a multi-site client, all coming through head office and the WebMarshal system, so I can't manually configure non-domain-joined PCs and don't want to complicate systems with NAP, as I may then have extra work to keep mobile devices working.

I may have to run the configuration wizard again but was hoping to avoid this.
0
McKnife Commented:
No need to reconfigure clients. The proxy should ask for authentication (Kerberos or NTLM preferably). If a non-domain client tries to contact the proxy, he cannot authenticate and will fail to get online.

1. So first make sure that no access without the proxy is possible
2. then configure authentication at the proxy
3. then limit user accounts to only authenticate at the known domain clients and not on all machines in the world

There will be other ways for sure, this is ours.
0
webdude2000 Author Commented:
Thanks, will look into your suggestions.
0
webdude2000 Author Commented:
0
McKnife Commented:
PAC and WPAD tell managed clients what proxy to use. They don't enforce authorization.
0
webdude2000 Author Commented:
How do you enforce authorization?
0
McKnife Commented:
Oh, you are still on this six weeks later? Ok...
I already wrote that I don't know WebMarshal - it should be configurable there.
0
webdude2000 Author Commented:
Yup, the client has delayed the changes...

Perhaps I did not ask the question correctly, my apologies.

If one cannot force a client to point to the proxy, as they do not auth to the domain, and if I have not implemented the PAC and WPAD changes, then there is no way to force authorization as they are not going through the proxy.

If I enforce PAC and WPAD to push through to WebMarshal for access, then any user clever enough to set a static IP can still bypass this.

There must be a component or an additional complementary approach that I am missing.
0
McKnife Commented:
Understood, but: I told you the idea already: "first make sure that no access without the proxy is possible". I cannot tell you how to do that, since I don't know that software. But it is possible, we do it with SQUID. SQUID will not let anyone through if the user is not authenticated.
0
webdude2000 Author Commented:
Yes, should be able to do it at the firewall level to only allow proxy authenticated traffic through.
0
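
The two controls discussed in this thread (no route to the internet except via the proxy, and a proxy that refuses requests without credentials) can be checked from an unmanaged, non-domain client. The script below is an added example, not code from any participant or from WebMarshal or Squid; the host names and port in it are placeholder assumptions, and it relies only on the standard HTTP 407 / `Proxy-Authenticate` behaviour of an authenticating proxy.

```python
import socket

def direct_egress_blocked(host, port, timeout=3.0):
    """True when a TCP connection straight to host:port (no proxy) fails."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return False
    except OSError:
        return True

def proxy_auth_challenge(proxy_host, proxy_port, url="http://example.com/", timeout=3.0):
    """Send one request with no credentials through the proxy.
    Returns (status_code, [auth schemes offered in Proxy-Authenticate])."""
    request = (f"GET {url} HTTP/1.1\r\nHost: {url.split('/')[2]}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    raw = b""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(request)
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 else 0  # 0 = no HTTP reply
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0])
    return status, schemes

def audit(proxy_host, proxy_port, external_host, external_port=443):
    """Run from an unmanaged (non-domain) client; an empty list means both
    controls from the thread hold from this vantage point."""
    findings = []
    if not direct_egress_blocked(external_host, external_port):
        findings.append(f"direct egress to {external_host}:{external_port} is open")
    status, schemes = proxy_auth_challenge(proxy_host, proxy_port)
    if status != 407:
        findings.append(f"proxy answered {status} to a request without credentials")
    elif not {"negotiate", "ntlm"} & {s.lower() for s in schemes}:
        findings.append(f"proxy offers only {schemes}, not Kerberos/NTLM")
    return findings

if __name__ == "__main__":
    # Placeholder addresses (assumptions): substitute the real proxy and a test host.
    for finding in audit("proxy.example.internal", 8080, "example.com"):
        print("FINDING:", finding)
```

Run it from a machine that received only DHCP and no GPO, since that is the client population the question is about.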