Prevent access to internet via Server?


  • Prevent access to internet via Server?

    I have the opposite problem to most people - believe me I've searched high and low on this seemingly simple problem - I can't stop people accessing the internet.
    I have an SBS 2003 Standard system with a selection of clients - some domain members others not. All clients can access the internet via the server, simply by specifying the server IP address as the Gateway & DNS which is great.
    However, I want to prevent this (though I still want the clients to access the server) and direct all internet traffic via another proxy server/firewall on the same subnet.
    Setting up the proxy/firewall is no problem, but savvy users can still access the internet via the SBS server so my question basically boils down to this:
    How can I prevent SBS Server 2003 Standard forwarding requests from clients to the internet, whilst still allowing the server itself to communicate with the internet (via the proxy)? I've tried turning off a variety of likely looking options but to no avail.

  • #2
    Re: Prevent access to internet via Server?

    I'm not sure what you mean exactly by "direct via another proxy" but I will answer the heading which is about preventing people accessing the Internet:

    You could upgrade to SBS premium and use ISA firewall. Add a 2nd network card to the server and connect the router to that port, forcing all traffic through the server and configuring ISA to block the LAN other than the server itself.

    Or, you could get a third party (cheaper) proxy server and within that there are going to be rules that can allow or deny access to the web.

    Or, you could use your router's VLAN, (which my favourite, the Vigor Draytek 2800 has available built in) to separate off the ports, so that only the Server has access to the router's ADSL socket and nothing else does.

    I did try this kind of thing once with GPO but as you say, some folk do not logon to the domain, and anyway they only have to download Firefox and they are on, so that didn't work very well. One of my above solutions will do the trick and no doubt other people have their useful tips too!
    Best wishes,
    PaulH.
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



    • #3
      Re: Prevent access to internet via Server?

      Thanks Paul, but no doubt due to my phrasing of the question, I have this option
      Originally posted by PaulH View Post
      Or, you could get a third party (cheaper) proxy server and within that there are going to be rules that can allow or deny access to the web.
      in place. Clients and SBS Server connect via the third party proxy.
      My problem is that because of the way SBS sets up out of the box, users can set their client PCs (not members of the domain) to use the SBS server as a gateway and they can thus bypass the proxy server.
      I want to prevent SBS forwarding requests from clients to the internet.



      • #4
        Re: Prevent access to internet via Server?

        Why are your users not members of the domain? What is the other proxy for? What are you trying to do here? Give us the whole picture and maybe we can answer.

        Paul has already told you that if you put or already have a 2nd NIC in the server, then one of the best ways is to upgrade to premium, use ISA and then only members of Internet Users Group ( all by default - but you can select) have access.
        TIA

        Steven Teiger [SBS-MVP(2003-2009)]
        http://www.wintra.co.il/
        I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

        We don't stop playing because we grow old, we grow old because we stop playing.



        • #5
          Re: Prevent access to internet via Server?

          The site has two groups of people - Office staff who are on PCs forming part of the domain - a simple standard SBS install with two NICs in the server. I have another group of users who do NOT log onto the domain - they form their own workgroup and do NOT have access to data on the server but are on the same subnet so that they can access the internet (by specifying the server as the Gateway).

          I want to be able to limit internet access for the members of the workgroup to certain times/sites and I plan to install SmoothWall Express and Censornet as the proxy/firewall combination.

          The server will access the internet via the proxy/firewall, PCs on the domain will access the internet via the proxy/firewall and the workgroup PCs will access the internet through the proxy/firewall.

          I can set this all up and have a similar setup (though all workstations access the internet directly via the proxy) elsewhere with Server 2003 (not SBS)

          My problem in my current situation is that all the workgroup members need to do to bypass the effect of the proxy/firewall is to set their gateway IP to the NIC of the server as the server will then route those requests to the internet. This is what I want to prevent.

          I do not want to do this with ISA as I already have all the tools I need and do not see any point in spending out on an upgrade and extra CALs (as well as OS upgrades in some instances)

          All I'm trying to do with regards to SBS is REMOVE some of the functionality. I just can't figure out what I need to switch off.



          • #6
            Re: Prevent access to internet via Server?

            If they aren't allowed to use the Internet or to access any server, why not put them in a separate vlan?
            Marcel
            Technical Consultant
            Netherlands
            http://www.phetios.com
            http://blog.nessus.nl

            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
            "No matter how secure, there is always the human factor."

            "Enjoy life today, tomorrow may never come."
            "If you're going through hell, keep going. ~Winston Churchill"



            • #7
              Re: Prevent access to internet via Server?

              Originally posted by Dumber View Post
              If they aren't allowed to use the Internet or to access any server, why not put them in a separate vlan?
              I didn't say they weren't allowed internet access at all

              Originally posted by TimStannard View Post

              I want to be able to limit internet access for the members of the workgroup to certain times/sites and I plan to install SmoothWall Express and Censornet as the proxy/firewall combination.
              I really appreciate people taking the time to look at this and offer suggestions to the bigger problem, but I really believe I've solved that.

              All I want is the small problem answered - how do I prevent an SBS server routing requests from workstations to the internet? That's all I want to do.

              Is this really not possible?



              • #8
                Re: Prevent access to internet via Server?

                This reminds me a little bit of clients who give me a problem, and I give them solutions A, B or C. They say that I am not allowed to say "A", and they do not like "B" for some reason, and "C" is too expensive. Having tied my hands behind my back, they then ask me what the solution is within their self imposed limitations. I certainly mean no disrespect by saying this, I just mean that perhaps when you are given solutions, you may feel your architecture needs polishing so as to implement the "proper" or the best solution, or that indeed there is a cost to be borne. In my view the optimum solution is ISA.

                Having said that, perhaps you could try this:

                Remove the default gateway from all NICs on the server. I think this may cause the routing table not to issue a route for the client PCs to access the web, so they would be forced to use the proxy server to get to the web even if they set their default gateway on their NIC to the IP of the server. I have not tried it, and I would be interested if it works, so would appreciate your feedback if you feel it is worthwhile to try that. You may need server and / or PC reboots, I am not sure.

                Also, you can try to remove the forwarders on the server's DNS properties. Right click the server's name in the DNS console then Properties > Forwarders tab.

                Moreover, I recommend that you ensure ALL PCs are joined to the domain, and then you can impose settings by GPO on their NICs and disable their ability to make any changes. You can post a question in the GPO forum if you decide to go down this path and need specific help on that technique.
                Best wishes,
                PaulH.
                MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                • #9
                  Re: Prevent access to internet via Server?

                  Just thought of a simple method you could use.
                  Remove Default Gateway from all those clients you DON'T want to access the internet. Then take away their local administrator rights. That way they can't change the network settings.
                  If that isn't a possibility, then I have to agree with Paul - you are tying our hands behind our back and we can't help you!
                  TIA

                  Steven Teiger [SBS-MVP(2003-2009)]
                  http://www.wintra.co.il/
                  I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

                  We don't stop playing because we grow old, we grow old because we stop playing.



                  • #10
                    Re: Prevent access to internet via Server?

                    Hi Again Guys,

                    I don't think your parallel with clients/solutions/hands being tied is entirely fair. I look after a number of sites each with a Windows 2003 Server (or more) and a third party proxy. Workstations access the internet via the proxy as does the server. I can control which workstations or users access the internet using management controls on the proxy. The Windows 2003 server is used as the DNS server.

                    All I want to do is set up the same but with SBS instead of Windows 2003.

                    To put it another way, SBS offers Windows 2003 + loads of other features, A, B, C, D etc. I simply want to disable one of those features. i.e. I'm NOT looking to do anything "extra" - to do anything SBS wasn't designed to do.

                    Paul - whilst I understand your suggestion (a) on the Win 2003 Server scenarios above the NIC Gateway is set to the proxy AND forwarders are set. If a workstation's gateway is the server, internet requests aren't serviced. (b) If I remove the gateway from the server then surely the server itself won't be able to access the internet?

                    It is not always reasonable to remove administrative rights from users' workstations or make them members of the domain. The workstations do not necessarily belong to the company (imagine schools/colleges). As stated before they only need access to each other and to the proxy server.

                    If you still think what I'm trying to do is unreasonable, please let me know exactly what is unreasonable and/or why. I'm not looking for a fight and I'm certainly not into bashing SBS or Microsoft, I genuinely want to know why.

                    Thanks all for your time.



                    • #11
                      Re: Prevent access to internet via Server?

                      Originally posted by TimStannard View Post
                      Paul - whilst I understand your suggestion (a) on the Win 2003 Server scenarios above the NIC Gateway is set to the proxy AND forwarders are set. If a workstation's gateway is the server, internet requests aren't serviced. (b) If I remove the gateway from the server then surely the server itself won't be able to access the internet?
                      If you remove the forwarder, the server will not be able to resolve requests for domains other than itself, because it has nowhere to "ask" for DNS resolution for, say, google.com. So, one would think the server could not then access the web except via a proxy server, which is fine in this scenario. If you remove the gateway, the server just gets his web traffic via the proxy server.

                      The server does not need a Gateway on any of its NICs if it is accessing the web via a proxy server.

                      When I setup any computers which access the web via a proxy server, I give them no Gateway. Lucky for me, the PCs are all on the domain and so I can set proxy details via GPO so that IE works fine. I can also set "fake" proxy details if I want to - oh the joys of having all that GPO power available!

                      HTH.
                      Best wishes,
                      PaulH.
                      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                      • #12
                        Re: Prevent access to internet via Server?

                        Thanks, Paul. This doesn't match the scenario I have with the Win2003 Server acting as the DNS (WITH forwarders) which does work OK, but I understand your suggestion. I'll give it a go next week.

                        I'd still like to know what component in SBS takes a request from a workstation and forwards it to the internet though (and hence how to disable it)



                        • #13
                          Re: Prevent access to internet via Server?

                          Let me explain things another way then.... because I have already answered those points. Hmmmm.

                          I told you that the forwarders are only needed for outside domains, so why do you say "it does not match my scenario"? It DOES match your scenario to take off the forwarders and therefore to have all traffic access other domains via the proxy server. Also I told you to remove the Gateway - this is the "component" that you are looking for, I believe, but of course I must add the rider that I have not tried this before and I am only thinking in theory - it should work in practice so do try it and let us know.

                          I'm getting exhausted here. SBS Standard Edition tries its best to provide services and web connectivity to the client workstations. There is no control panel applet or dialog box with a tick on it that says "Disable traffic from client PCs being routed to the web, even if they are not joined to the domain". If you find such a tickbox, publish its location here. If you want to do what you really asked for in the first place, SBS premium offers an ISA firewall which is great, but no, you don't want that so you are making me think up other, imaginative solutions.

                          Oh and by the way, we in Petriland never make fights - we are all absolute gentlemen and ladies of fine distinction who go out of our way to provide the best, free, technical expertise to whoever is courteous enough not to get banned. We love our little Petri-world, with its little Petri-people running about helping each other, and everyone is always very nice, kind, patient and thoughtful. It is a truly wonderful world.
                          Best wishes,
                          PaulH.
                          MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                          • #14
                            Re: Prevent access to internet via Server?

                            A point of clarification regarding DNS: If you remove the forwarders, your DNS server would still be able to resolve external DNS records by way of the root hints. You would need to remove those as well as any forwarders to stop external DNS resolution.

                            I don't use forwarders in my DNS and rely solely on the root hints. IMHO, forwarders just add another potential point of failure and an extra step in the resolution process. Why rely on my ISP DNS when I can go right to the root hints? My ISP DNS would have to go to the root hints for any DNS it's not authoritative for anyway, so why add another "link" in the process?
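
Whether the server still resolves external names after the forwarders (and root hints) are changed can be checked from a workstation instead of assumed. The following is an added example, not part of the thread: a Python probe that sends a recursive query for an external name to the DNS server and classifies the reply from its header. The name `example.com`, the function names and the sample replies are assumptions constructed for illustration; it covers DNS resolution only, not whether the server routes packets.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build a recursive (RD=1) A/IN query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify_response(resp, txid=0x1234):
    """Classify a reply to an external-name query from its 12-byte header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    if rcode == 0 and ancount > 0:
        return "resolves-external"      # forwarders or root hints still in use
    if rcode == 0 and not flags & 0x0080:
        return "recursion-unavailable"  # RA bit clear: server does not recurse
    return {2: "servfail", 3: "nxdomain", 5: "refused"}.get(rcode, "no-answer")

def probe(server, name="example.com", timeout=3.0):
    """Send the query to `server` over UDP/53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify_response(resp)

def sample_reply(flags, answers=b"", ancount=0):
    """Constructed reply bytes for offline checking (not captured traffic)."""
    question = build_query("example.com")[12:]
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    return header + question + answers

# Constructed A record: pointer to qname, type A, class IN, TTL 60, 192.0.2.1
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])

if __name__ == "__main__":
    print(classify_response(sample_reply(0x8180, A_RR, 1)))  # answered
    print(classify_response(sample_reply(0x8182)))           # SERVFAIL
    print(classify_response(sample_reply(0x8100)))           # RA clear
```

Run `probe("<server IP>")` from a workgroup PC before and after the DNS change; a result of `resolves-external` means the server is still answering for outside domains.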



                            • #15
                              Re: Prevent access to internet via Server?

                              That, Joe, is a darn good point. My hat off to you sir!
                              Best wishes,
                              PaulH.
                              MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008
