Totally blocking Internet Access through Group Policy on Windows Server 2008 R2

2

I need to block internet access for some users on our Windows Servers 2008 R2. If you google this question you will find a lot of results that propose disabling Internet Explorer and setting a proxy to 0.0.0.0. Unfortunately this can easily be bypassed using a portable Firefox, for example.

Is there a more restrictive solution? I need to find a way that even telnet, ftp etc. won't work.

Thanks for your help!

Update for clarification: I would like to block internet access only for some users, not for all on this server.

windows-server-2008 windows-server-2008-r2 group-policy

edited 17 hours ago
ewwhite

asked Dec 7 '11 at 12:37
Heinrich

5 Answers

0

The only realistic option probably is to disable direct internet access, thus forcing all internet traffic through a proxy. Then configure this proxy to require authentication (ideally against the Active Directory [AD]). That way, everyone has to authenticate to go online.

Disadvantages:

• If any programs on the server require net access, they need to get special service accounts that grant them access (either real AD accounts, or just special accounts on the proxy). These accounts will of course need to be protected.
• If some programs or users require protocols that cannot be easily proxied (e.g. exotic protocols), you will have to find a case-by-case solution.
• It will mean extra configuration for all users (though I believe some browsers can automatically log on to a proxy).

I have never implemented this, but I believe it should work. At least Squid lets you authenticate against an AD; I assume other proxies can do the same.
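
One way to express the authenticated-proxy approach from this answer as a Squid configuration, added here as an example and not part of the original post. It assumes Squid on Linux with the Kerberos helpers at Debian-style paths and a keytab already provisioned for the proxy; the group name `NoInternet`, the realm `EXAMPLE.LOCAL`, the host `proxy.example.local` and the `10.0.0.0/8` range are hypothetical.

```conf
# squid.conf fragment (added example; names, realm and paths are assumptions)

# Authenticate every request against Active Directory using Kerberos (Negotiate).
# -s names the service principal stored in the proxy's keytab.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.local@EXAMPLE.LOCAL
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Resolve the authenticated user's AD group membership.
# %LOGIN passes the user name that the auth helper established.
external_acl_type ad_group ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g NoInternet@EXAMPLE.LOCAL

acl internal_net  src 10.0.0.0/8          # constructed example range
acl authenticated proxy_auth REQUIRED     # any user with valid AD credentials
acl blocked_users external ad_group       # members of the NoInternet group

# http_access rules are evaluated top to bottom; the first match decides.
http_access deny !internal_net            # only serve the internal network
http_access deny !authenticated           # anonymous requests never pass
http_access deny blocked_users            # restricted users are refused by identity
http_access allow authenticated           # everyone else may browse
http_access deny all                      # explicit default deny
```

Because the decision is made on the authenticated account rather than the source address, it separates users who share one server. It only holds if the perimeter firewall drops direct outbound traffic from that server, since otherwise a portable browser or a telnet or ftp client simply ignores the proxy.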







8

The best solution is probably to do this on the network level with a proxy. You can force all Internet-bound traffic through the proxy using WCCP or the like and not configure anything on the hosts themselves.

Otherwise, I think you might be able to configure the Windows firewall to disallow this outbound traffic via GPO which would catch all outbound traffic.

Furthermore, since it's a server, it likely has a static IP and you could just block outbound traffic at your perimeter firewall - assuming you are actually trying to block Internet access from the server itself - it wasn't clear to me if you mean for all users (using the server and GPO to accomplish) or if you just wanted to block access from your servers.

edited Dec 7 '11 at 12:53

answered Dec 7 '11 at 12:48
Paul Ackerman

• Thanks for the answer. Just to clarify, I would like to block the internet only for some users.
  – Heinrich Dec 7 '11 at 13:41

• @Heinrich something like TMG can do group-based rules.
  – MDMarra Dec 7 '11 at 13:43

• @Heinrich. Any decent web-content filter product (TMG, Cuda, Websense, many different UTM firewalls etc) can use user account or AD group membership so you can apply different policies to different users. (Or no policies to those users you don't wish to block). I still think this will be the easiest method of accomplishing your goals and will give you long-term flexibility over, say, butchering your clients' DNS or default gateways that could have unintended results.
  – Paul Ackerman Dec 9 '11 at 1:21

2

...why not just set the gateway in DHCP to a non-routed address or a blank address so traffic can't go out? Set it for those users' MAC addresses so they always get that (incorrect) gateway address.

Otherwise proxy it, log it, and then fire them if this is a business discipline problem.

answered Dec 7 '11 at 13:41
Bart Silverstrim

• To expand on Bart's answer - if you are really trying to only block internet for some users, and you're paranoid about Portable Firefox or what have you, then yes, use DHCP to set no gateway for those users. Bear in mind that since you've said in another post you only want to do this for some users, you'll have to set up 2 DHCP scopes and DHCP reservations, OR use static IP addresses on the machines that need external access.
  – Driftpeasant Dec 7 '11 at 13:47

2

You could use a proxy for this or you could set up an ACL (access control list) on your router to block outbound traffic from the workstations in question.

answered Dec 7 '11 at 13:57
joeqwerty


2

I hate to give an expensive commercial recommendation, but the Barracuda Web Filter 310 does everything you're asking and can definitely tie into your AD topology. It has content and protocol awareness, so you could restrict downloads, telnet, ftp, etc. on a user or group basis.

answered Dec 7 '11 at 14:30
ewwhite

• This seems to be a great device, but is there an option of having this as Software?
  – Heinrich Dec 18 '11 at 22:54

• They have a virtual appliance available if you have a virtualized environment. Otherwise, it's a physical appliance.
  – ewwhite Dec 18 '11 at 22:56











                      0














                      The only realistic option probably is to disable direct internet access, thus forcing all internet traffic through a proxy. Then configure this proxy to require authentication (ideally against the Active Directory [AD]). That way, everyone has to authenticate to go online.



                      Disadvantages:



                      • If any programs on the server require net access, they need to get special service accounts that grant them access (either real AD accounts, or just special accounts on the proxy). These accounts will of course need to be protected.

                      • If some programs or users require protocols that cannot be easily proxied (e.g. exotic protocols), you will have to find a case-by-case solution.

                      • It will mean extra configuration for all users (though I believe some browsers can automatically log on to a proxy).

                      I have never implemented this, but I believe it should work. At least Squid lets you authenticate against an AD; I assume other proxies can do the same.














                          edited Apr 13 '17 at 12:14









                          Community










                          answered Dec 14 '11 at 9:15









                          sleske
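A check that supports the proxy approach in the answer above, as an added example that is not part of the original post: it reads a Squid `access.log` in the native format and reports requests that were served without an authenticated user, and uses of a proxy service account from a host that is not expected to use it. The account name, addresses and log lines are constructed assumptions.

```python
# Audit a Squid access.log (native format) for gaps in "authenticated proxy only" enforcement.
# The account name, hosts and log lines below are constructed for illustration.

SERVICE_ACCOUNTS = {  # hypothetical proxy service accounts -> hosts allowed to use them
    "svc-wsus": {"10.0.0.10"},
}

SAMPLE_LOG = """\
1323853000.101    120 10.0.0.21 TCP_MISS/200 5120 GET http://example.com/ alice HIER_DIRECT/198.51.100.7 text/html
1323853001.202      0 10.0.0.22 TCP_DENIED/407 3900 GET http://example.com/ - HIER_NONE/- text/html
1323853002.303     95 10.0.0.23 TCP_MISS/200 2048 GET http://example.org/ - HIER_DIRECT/198.51.100.8 text/html
1323853003.404    210 10.0.0.10 TCP_MISS/200 9000 GET http://update.example.net/ svc-wsus HIER_DIRECT/203.0.113.5 application/octet-stream
1323853004.505    180 10.0.0.55 TCP_MISS/200 7000 GET http://example.net/ svc-wsus HIER_DIRECT/203.0.113.5 text/html
"""


def parse_line(line):
    """Split one native-format line into the fields this audit needs."""
    parts = line.split()
    if len(parts) < 10:
        return None  # truncated or non-native line: skip rather than guess
    action, _, status = parts[3].partition("/")
    return {"client": parts[2], "action": action, "status": status,
            "url": parts[6], "user": parts[7]}


def audit(log_text, service_accounts=SERVICE_ACCOUNTS):
    """Return (finding, client, detail) tuples in log order."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        denied = "DENIED" in rec["action"]
        if rec["user"] == "-" and not denied:
            # Served without credentials: an ACL lets traffic past authentication.
            findings.append(("unauthenticated-allowed", rec["client"], rec["url"]))
        elif (rec["user"] in service_accounts
              and rec["client"] not in service_accounts[rec["user"]]):
            # Service credentials seen on a host that should not hold them.
            findings.append(("service-account-wrong-host", rec["client"], rec["user"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A `TCP_DENIED/407` line with no user is the proxy challenging for credentials and is not reported; only requests that were actually served without a user name are.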


























