365techca
Restrict internet access to domain-joined pcs
We need to lock down internet browsing on 3 Windows 10 machines (do not require access to an intranet or extranet site) in a domain environment.
They have a Sonicwall firewall, Active Directory through Windows Server 2008 R2 and we also have Open DNS on these machines.
Our antivirus platform communicates to these computers through https and we need to be able to connect to them during the odd time for support using Screenconnect and we have Labtech Automate.
How would you go about doing this?
Method 1 I believe is using firewall, assign static IP, restrict inbound HTTP/S (port 80,443) and somehow allow communication from our servers?
Method 2 I think there is likely a way to prevent any internet access for browsing through OpenDNS
Method 3 Block access to external by having no default gateway, but adding a default route
What do you guys think would be the least complicated or contrived method, and how would you implement this?
ASKER
I was looking at this guide here: https://blogs.msdn.microsoft.com/askie/2015/10/12/how-to-configure-proxy-settings-for-ie10-and-ie11-as-iem-is-not-available/
I'm looking into the GPO method at the moment and using registry to
However was unable to find the settings for ProxyServer value name under HKEY_CurrentUser\Software\Microsoft\Windows\Internet Settings
I did enable ProxyEnable
I tried IE 11 Administration toolkit however it only employs ability to handle installations for win 7 and 8.1, not 10 (likely due to DC's age)... of course IE Settings on registry is also missing due to this as well.
Any Sonicwall method for this?
ASKER
In addition, we'd also be okay with preventing access entirely to the internet browsing apps and having users and non domain admins.
I don't know anything about SonicWall routers in general, and you don't mention which model you're using so I have no idea if it will function as a proxy or not. Unless it's a corporate-level device, it seems unlikely, but I don't really know.
Stopping people from getting to the Internet is as easy as not giving them a default gateway. This is dead easy if you're running DHCP.
ASKER
Sonicwall Tz300
And the Server 2008 R2 does function as the DHCP server for the network.
Thanks for your input so far.
I can't find anything regarding that model that indicates it will operate as an Internet proxy. You might want to contact SonicWall themselves.
ASKER
You mentioned if we are running DHCP there's something you can do?
Well, there's something you can do. I'd expect your network admin to know this already: Simply remove the default gateway from the configuration you send to the client. Without a default gateway, the client can't get off the local network, thus, no Internet.
You'll have to accommodate those users who can/should be able to access the Internet by configuring them manually, or creating DHCP exceptions for them.
I miss ISA and dual-homed SBS ;-)
If you only have three machines on the network, then Paul's suggestion above would be practical, simple, and free.
You could always try that first, and if it doesn't work for you in some way, look at other alternatives then.
Alan.
Put the 3 computers in an OU and assign a custom group policy that gives them proxy settings with any IP and any port (i.e. proxy 99.99.99.99 port 99). This will deny them from reaching the internet.
ASKER
@Sam Simon Nasser I looked into enabling that option however under the Add-registry settings in GPMC, there is no ProxyServer key; only Autoconfigurl, autodetect, proxyoverride, and proxyEnable..
I of course do not have the option to select Internet Settings or IE Maintenance due to it being Server 2008 as the DC in this environment.
These options are under Internet Explorer options
https://campus.barracuda.com/product/websecurityservice/doc/6553606/how-to-configure-proxy-settings-using-group-policy-management/
ASKER
@Sam Simon, Server 2008 R2 is only able to get Internet Explorer options up to Windows 8.1, not 10.
We do not have an instance or license of 2012 we can spin up either.
I wish it was that easy.
Then check here https://blogs.msdn.microsoft.com/askie/2015/10/12/how-to-configure-proxy-settings-for-ie10-and-ie11-as-iem-is-not-available/ for implementing registry keys to proxy; it works in 2008.
Although I would prefer, as Alan mentioned, since they are 3 computers only, to do it manually for the sake of time.
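The dead-proxy idea from this thread, applied by hand on each Windows 10 machine through the per-user Internet Settings registry values. This is an added example, not code from any poster: the proxy address is the unreachable one suggested above, the bypass host names are placeholders for your own antivirus and remote-support servers, and `Set-DeadProxy` / `Test-DeadProxy` are hypothetical helper names.

```powershell
# Added example. Run in the restricted user's session (values live under HKCU).
$Key       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$DeadProxy = '99.99.99.99:99'            # unreachable proxy suggested in the thread
$Bypass    = @(
    'av.example.invalid',                # placeholder: antivirus console
    'support.example.invalid',           # placeholder: remote-support server
    '<local>'                            # bypass proxy for intranet (dotless) names
) -join ';'

function Set-DeadProxy {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

    # ProxyServer does not exist until something creates it, which is why it
    # may be missing from a list of existing values. -Force creates or overwrites.
    New-ItemProperty -Path $Key -Name ProxyEnable   -PropertyType DWord  -Value 1          -Force | Out-Null
    New-ItemProperty -Path $Key -Name ProxyServer   -PropertyType String -Value $DeadProxy -Force | Out-Null
    New-ItemProperty -Path $Key -Name ProxyOverride -PropertyType String -Value $Bypass    -Force | Out-Null

    # Drop any PAC URL so an auto-config script cannot supply a working proxy.
    Remove-ItemProperty -Path $Key -Name AutoConfigURL -ErrorAction SilentlyContinue
}

function Test-DeadProxy {
    # Report what is actually stored, so the result can be checked after logon.
    $s = Get-ItemProperty -Path $Key
    [pscustomobject]@{
        ProxyEnabled  = ($s.ProxyEnable -eq 1)
        ProxyServer   = $s.ProxyServer
        ProxyOverride = $s.ProxyOverride
        PacUrlPresent = [bool]$s.AutoConfigURL
        Compliant     = ($s.ProxyEnable -eq 1) -and
                        ($s.ProxyServer -eq $DeadProxy) -and
                        (-not $s.AutoConfigURL)
    }
}

Set-DeadProxy
Test-DeadProxy | Format-List
```

Only software that honours these per-user proxy settings is affected, so confirm afterwards that the antivirus and remote-support agents still check in.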
ASKER
@Sam Simon Nasser, in my second response I also mentioned I was following that guide exactly.
https://www.experts-exchange.com/questions/29103160/Restrict-internet-access-to-domain-joined-pcs.html?anchorAnswerId=42586482#a42586482
I will just do it manually in this case.
Thank you all for your input.
ASKER
Thank you all for your time, I will do it manually.
Microsoft used to offer ISA server as a proxy solution, but they've dropped that. There are probably dozens of commercial solutions that will meet your need, so I would encourage you to shop around for something you think will work for you.