Give access based on location

 
 
vidro
      08-12-2005, 05:32 PM
I need to set security based on location and machine.
Scenario:

A user has an account on the Corporate network and his laptop has an account
on the Corporate network.
While on the local area network, this user can access information from
folders A, B, C on a server.
When the user goes mobile with his laptop, the user needs to be constrained
to only seeing info from folders A and B.
If the same user goes to a computer that is not a part of the Corporate
network, he needs to be constrained to only folder A.

The user, when not on the local network, will be using the Internet to
attach to the Corporate network.
There are 2 methods to attach to information via the Internet: either through
VPN or a WEB server.
If the user is using his laptop, it will most likely be VPN.
If he is on a different p.c., he will need to go to the Corporate WEB site.

At the same time, I do not want to give users the ability to access information
from a non-company p.c. through a VPN connection.

Any help in implementing such a security scheme would be greatly appreciated.

 
 
 
 
 
Phillip Windell
      08-15-2005, 08:53 PM
"vidro" <(E-Mail Removed)> wrote in message
news:7178DE11-1AB2-437C-A7D0-(E-Mail Removed)...
> A user has an account on the Corporate network and his laptop has an account
> on the Corporate network.
> While on the local area network, this user can access information from
> folders A, B, C on a server.
> When the user goes mobile with his laptop, the user needs to be constrained
> to only seeing info from folders A and B.
> If the same user goes to a computer that is not a part of the Corporate
> network, he needs to be constrained to only folder A.

Not possible.
You can restrict to certain network segments by using ACLs on the LAN Router
(if one exists) but you cannot restrict to certain "folders/shares" based on
source IP#.

> If the user is using his laptop, it will most likely be VPN.
> If he is on a different p.c., he will need to go to the Corporate WEB site.
> At the same time, I do not want to give users the ability to access information
> from a non-company p.c. through a VPN connection.

Also not possible. VPN is no different than simply being on a different LAN
Segment; it is the same principle.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------



 
 
vidro
      08-18-2005, 05:01 PM
Is there any way to possibly capture the MAC address and try to do some level
of authentication that way?
The next question would be how to do authentication from a MAC address?

 
Phillip Windell
      08-18-2005, 05:12 PM
No. You cannot.

Your solution is to use NTFS File System Permissions and restrict based on
*who* the user is, not what machine they are coming from.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------
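
Identity-based NTFS permissions of the kind recommended in the reply above, sketched for the three folders in the question. This is an added example, not part of the original post; the share root `D:\Shares` and the `CORP\Folder-*-Readers` groups are hypothetical placeholders.

```powershell
# Added example: identity-based NTFS permissions for folders A, B and C.
# $Root and the CORP\... group names are hypothetical placeholders.
# Run elevated on the file server; the folders must already exist.
$Root = 'D:\Shares'
$ReadersByFolder = [ordered]@{
    'A' = 'CORP\Folder-A-Readers'
    'B' = 'CORP\Folder-B-Readers'
    'C' = 'CORP\Folder-C-Readers'
}

# Each entry applies to the folder, its subfolders and its files.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow

function New-AllowRule {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit, $Propagate, $Allow)
}

foreach ($Name in $ReadersByFolder.Keys) {
    $Path = Join-Path $Root $Name
    $Acl  = Get-Acl -Path $Path

    # Break inheritance and discard inherited entries, so only the rules below apply.
    $Acl.SetAccessRuleProtection($true, $false)

    # Drop explicit entries left over from earlier configuration.
    $Acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { $Acl.RemoveAccessRule($_) | Out-Null }

    # Administrative access, then read access for the one group tied to this folder.
    $Acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
    $Acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl'))
    $Acl.AddAccessRule((New-AllowRule $ReadersByFolder[$Name] 'ReadAndExecute'))
    Set-Acl -Path $Path -AclObject $Acl

    # Read the ACL back so the result can be reviewed.
    Get-Acl -Path $Path | Select-Object -ExpandProperty Access |
        Select-Object @{ n = 'Folder'; e = { $Name } },
                      IdentityReference, FileSystemRights, IsInherited
}
```

Which folders an account can read is then decided by its group membership alone, whatever machine or network segment the logon comes from.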


 
vidro
      08-22-2005, 05:26 PM
So regardless of where the user logs on from, if he uses the same logon
profile on the LAN and WAN, he will be given access to the same info?
