server 2003 domain to control internet - Will this work?

I am installing a MS Server 2003 domain for a friend's office. I am having a hard time figuring out how to have control over internet access for different clients.

The hardware we have is a linksys wrt-54g and a westell combo modem/router from bellsouth.
Dell poweredge server with 2003 DC, 2 wireless clients and 2 wired clients.

My idea is to purchase a DSL modem without router, install a second NIC into the dell and setup RRAS and NAT while disabling NAT on the linksys.

dsl modem -> server NIC #1

server NIC #2 with RRAS and NAT-> wrt-54g with NAT disabled -> workstations

Does this sound like it will work? I would use the server's IP for NIC #2 as the default gateway for both the linksys and the workstations right?

I'm still not sure how to control internet access in the active directory yet either, but I can figure that out. I just need to see if my network setup is a viable option. Thanks for any advice!

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

TeKniques

By 'control Internet access' do you mean to not allow people to use the Internet? If that is the case there are a few options. You could implement ISA server as one solution. Or you could go with a UNIX/Linux solution such as SQUID, but overall you need some sort of proxy to restrict access on Port 80.

Your RRAS idea sounds as if it will work, however I would ditch the Linksys router since you're planning on using the Dell as your router and go with a switch instead.

You could always use Access Points with the Switch to enable Wireless if that is what you were keeping the WRT54G around for.

Good luck!

strauchr

Your best option is to MS ISA server or if its a small company )which it sounds like) install MS Small Business Server which has ISA server included. This will control access.

RRAS will work for internet connection roughly how your saying and you can control access via IP Filtering. This is not a preferred option but workable.

sprkymrk

I would be careful about using a DC in conjunction with NAT/RRAS. Anytime you use a DC in a dual-homed config you can run into major DNS issues in addition to the security implications. A standard XP Pro box with ICS enabled might be a safer solution if it's a small setup. ISA is awesome, but comes with a $1500 price tag over and above the $700-$800 W2K3 software.
I guess the main question is what, exactly, do you want to control when you say "Internet Access"? You can use GP to specify proxy server information on a per-user basis, thus when they launch IE they hit the proxy you specify. You then control Internet access via whatever proxy (there are free ones) you specify. I actually use this method to configure a proxy of 0.0.0.0 for users that are not allowed any Internet access at all. Works good, as long as they use IE...

pmeka

ISA server would work fine. I used Proxy server before, but it didn't work well with my network. So I changed to using static IP addresses. You need to assign a range of IP addresses in the DHCP server. Then assign manually those addresses in each client. It works fine for me.

xigxag

Thanks for all of the great feedback.

More specifically, i want to control internet usage on a per user basis. By control I simply need it to be on or off so to speak.

One wired machine is only accessed by the owner in the office, it can always be on. Another wired workstation doesn't really need connectivity at all, (except for updates, which I could pull of a local machine also) however, idealy I would have it enable if logged in as Admin or the owner.

The wireless clients are more tricky. I need internet access enabled or disabled depending on which user is logging in.

TeKniques wrote:

use Access Points with the Switch to enable Wireless if that is what you were keeping the WRT54G around for.

By disabling the NAT and DHCP aren't I effectively making the linksys a "wireless switch"?

strauchr wrote:

RRAS will work for internet connection roughly how your saying and you can control access via IP Filtering. This is not a preferred option but workable.

Will it work on a per-user basis?

sprkymrk wrote:

I would be careful about using a DC in conjunction with NAT/RRAS. Anytime you use a DC in a dual-homed config you can run into major DNS issues in addition to the security implications.

Any way you could explain more about the possible DNS issues?

A standard XP Pro box with ICS enabled might be a safer solution if it's a small setup. ISA is awesome, but comes with a $1500 price tag over and above the $700-$800 W2K3 software.

Yes, they are not prepared to make much more of an investment in this LAN for now.

You can use GP to specify proxy server information on a per-user basis, thus when they launch IE they hit the proxy you specify. You then control Internet access via whatever proxy (there are free ones) you specify. I actually use this method to configure a proxy of 0.0.0.0 for users that are not allowed any Internet access at all. Works good, as long as they use IE...

I like the sound of this, not a ideal solution but it should get the job done.
Are you suggesting I could use the DC as the proxy?

xigxag

TeKniques wrote:

Or you could go with a UNIX/Linux solution such as SQUID, but overall you need some sort of proxy to restrict access on Port 80.

looks like there is a windows port of SQUID

sprkymrk

xigxag wrote:

Thanks for all of the great feedback.

More specifically, i want to control internet usage on a per user basis. By control I simply need it to be on or off so to speak.

sprkymrk wrote:

I would be careful about using a DC in conjunction with NAT/RRAS. Anytime you use a DC in a dual-homed config you can run into major DNS issues in addition to the security implications.

Any way you could explain more about the possible DNS issues?

This link:
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
will explain it better than I can. DNS is okay on a DC, it's the dual homed configuration that will cause trouble with DNS and possibly expose inside information to outsiders.

xigxag wrote:

A standard XP Pro box with ICS enabled might be a safer solution if it's a small setup. ISA is awesome, but comes with a $1500 price tag over and above the $700-$800 W2K3 software.

Yes, they are not prepared to make much more of an investment in this LAN for now.

You can use GP to specify proxy server information on a per-user basis, thus when they launch IE they hit the proxy you specify. You then control Internet access via whatever proxy (there are free ones) you specify. I actually use this method to configure a proxy of 0.0.0.0 for users that are not allowed any Internet access at all. Works good, as long as they use IE...

I like the sound of this, not a ideal solution but it should get the job done.
Are you suggesting I could use the DC as the proxy?

Basically what you can do (and what I would do in this situation) is to let the DHCP and network connection be controlled via the Linksys/Westell combo. Configure an AD domain and set up the server as a DC/DNS (using forwarders to your ISP DNS). Leave DHCP to the router, but hard code your server. Install only one NIC. Join all client computers to the domain. Create user accounts on the domain and don't allow local user logons (either via Group Policy or just don't give them the local admin account p/w and don't create any local user accounts). Using Group Policy, under user configuration, set the proxy to 0.0.0.0 for users you don't want to have Internet, and leave the proxy as "Not configured" or "none" on those that need Internet access. If you want to you can try it from the computer config instead of user, and set the "User Group Policy loopback processing mode" to allow any user logged in to to that computer to access the Internet. No real need for a proxy at all, just assigning a fake ip for a non-existant proxy will stop them from being able to acess the Internet. Unless of course you give them admin rights and they install Firefox...

xigxag

sprkymrk wrote:

Basically what you can do (and what I would do in this situation) is to let the DHCP and network connection be controlled via the Linksys/Westell combo. Configure an AD domain and set up the server as a DC/DNS (using forwarders to your ISP DNS). Leave DHCP to the router, but hard code your server. Install only one NIC. Join all client computers to the domain. Create user accounts on the domain and don't allow local user logons (either via Group Policy or just don't give them the local admin account p/w and don't create any local user accounts). Using Group Policy, under user configuration, set the proxy to 0.0.0.0 for users you don't want to have Internet, and leave the proxy as "Not configured" or "none" on those that need Internet access. If you want to you can try it from the computer config instead of user, and set the "User Group Policy loopback processing mode" to allow any user logged in to to that computer to access the Internet. No real need for a proxy at all, just assigning a fake ip for a non-existant proxy will stop them from being able to acess the Internet. Unless of course you give them admin rights and they install Firefox...

a beautifully simple solution, I applaud you! Thanks for explaining it so simply.

Why do you suggest using the router for DHCP? I do worry about configuring the 2 hardware routers hooked together though. Hmmm, now that I think about it, there really isn't a reason to even use the linksys, especially in the setup you described. Also, I could set all static as there are only 4 workstations and the network setup will not be changing in the near future. Is there any benefit for using DHCP besides ease of configuration?

Here's to simple solutions!

sprkymrk

Four workstations? Sure, hard code all of them. Although 4 workstations is kind of small to be using a W2K3 server and/or a domain. If you want to save the cost of the server OS, just configure a workgroup and local users. It can get messy, but 4 computers should be manageble. You would then configure local group policy on each workstation as I described. Just run gpedit.msc on each computer.