Proxy settings on Network

I am a new Network Admin and have a setup where by our Domain users access
the internet in the head office via a Linux proxy-Squid. The proxy settings
are handed out by Group Policy. This is where the problem starts.....
When a user who is a domain user in the head office OU either logs on from
home to the network via a hardware based VPN or goes to one of the interstate
branches, the head office proxy settings are picked up by GP's. This of
course causes internet connection problems.
What I am asking is, is there a way or is it possible with MS software
solutions to have the user log onto the network in the head office and get
the proxy settings but if they log on from home or another location not get
the head office proxy.
I would like the change to be transparent to the user. I do not want the
user to need to change connection settings.

Is this an ISA server solution issue? Or perhaps another piece of software?
Do I do away with Squid and put in ISA's proxy? Is ISA and GP's smart enough
to see that if a user comes from one IP apply one set of policies and if from
another IP apply this set of policies?

Like I mentioned I am new to System Admin problems so any support would be
great.

Jason

bassjace пишет:
> I am a new Network Admin and have a setup where by our Domain users access
> the internet in the head office via a Linux proxy-Squid. The proxy settings
> are handed out by Group Policy. This is where the problem starts.....
> When a user who is a domain user in the head office OU either logs on from
> home to the network via a hardware based VPN or goes to one of the interstate
> branches, the head office proxy settings are picked up by GP's. This of
> course causes internet connection problems.
> What I am asking is, is there a way or is it possible with MS software
> solutions to have the user log onto the network in the head office and get
> the proxy settings but if they log on from home or another location notget
> the head office proxy.
> I would like the change to be transparent to the user. I do not want the
> user to need to change connection settings.
>
> Is this an ISA server solution issue? Or perhaps another piece of software?
> Do I do away with Squid and put in ISA's proxy? Is ISA and GP's smart enough
> to see that if a user comes from one IP apply one set of policies and if from
> another IP apply this set of policies?
>
> Like I mentioned I am new to System Admin problems so any support wouldbe
> great.
>
> Jason
You can do the following: divide your AD structure in two sites - main
site, which will include all local networks of your company and remote
site, which will include network range, reserved for remote clients.
Then assign different GPOs to each site - GPO for internal site will set
proxy settings and GPO for remote site wouldn't.


For site manipulation you can use Active Directory Sites and Services
snap in. It has very simple interface, but nevertheless I recommend you
to read help for this snap in.


--
With best regards
Nickolay Domukhovsky, MCSA

"bassjace" <(E-Mail Removed)> wrote in message
news:9A5F234B-1A63-4B86-A4D5-(E-Mail Removed)...
> Is this an ISA server solution issue? Or perhaps another piece of software?
> Do I do away with Squid and put in ISA's proxy? Is ISA and GP's smart
> enough to see that if a user comes from one IP apply one set of policies and
> if from another IP apply this set of policies?

ISA would be an excellent choice.
But with or without ISA, you can use proxy "autodetection". Investigate WPAD
for details on that. I am assuming Squid can do that,...I don't know. WPAD can
be deployed via DNS or DHCP, but is best to do both at the same time to keep all
bases covered. With autodetection the client can be "smart" enough to not use a
proxy and go "direct" when no proxy is available.

Are far as GPO,..you should stop doing that with GPO,...it is not flexable
enough for roaming users. It is fine for machines that never leave the desk,
but not so good for machines that may move from time to time.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed (as annoying as they are, and as stupid as they sound), are
my own and not those of my employer, or Microsoft, or anyone else associated
with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------

So as far as the GPO's are concerned, I should apply them at the computer
level and not at the user level? Is that what you are saying?

thanks
jas

"Phillip Windell" wrote:

> "bassjace" <(E-Mail Removed)> wrote in message
> news:9A5F234B-1A63-4B86-A4D5-(E-Mail Removed)...
> > Is this an ISA server solution issue? Or perhaps another piece of software?
> > Do I do away with Squid and put in ISA's proxy? Is ISA and GP's smart
> > enough to see that if a user comes from one IP apply one set of policies and
> > if from another IP apply this set of policies?
>
> ISA would be an excellent choice.
> But with or without ISA, you can use proxy "autodetection". Investigate WPAD
> for details on that. I am assuming Squid can do that,...I don't know. WPAD can
> be deployed via DNS or DHCP, but is best to do both at the same time to keep all
> bases covered. With autodetection the client can be "smart" enough to not use a
> proxy and go "direct" when no proxy is available.
>
> Are far as GPO,..you should stop doing that with GPO,...it is not flexable
> enough for roaming users. It is fine for machines that never leave the desk,
> but not so good for machines that may move from time to time.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
> The views expressed (as annoying as they are, and as stupid as they sound), are
> my own and not those of my employer, or Microsoft, or anyone else associated
> with me, including my cats.
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/IS...cessRules.html
>
> Troubleshooting Client Authentication on Access Rules in ISA Server 2004
> http://download.microsoft.com/downlo...7/ts_rules.doc
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
> -----------------------------------------------------
>
>
>
>
>

"bassjace" <(E-Mail Removed)> wrote in message
news:A6937363-B5AA-4982-9BD0-(E-Mail Removed)...
> So as far as the GPO's are concerned, I should apply them at the computer
> level and not at the user level? Is that what you are saying?

No.
I am saying don't use GPO at all.

Use WPAD (proxy autodetection)


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed (as annoying as they are, and as stupid as they sound), are
my own and not those of my employer, or Microsoft, or anyone else associated
with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------

Thanks for your help phillip. I will look into your suggestions and post back
here my results if you areinterested.
jason

"Phillip Windell" wrote:

> "bassjace" <(E-Mail Removed)> wrote in message
> news:A6937363-B5AA-4982-9BD0-(E-Mail Removed)...
> > So as far as the GPO's are concerned, I should apply them at the computer
> > level and not at the user level? Is that what you are saying?
>
> No.
> I am saying don't use GPO at all.
>
> Use WPAD (proxy autodetection)
>
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
> The views expressed (as annoying as they are, and as stupid as they sound), are
> my own and not those of my employer, or Microsoft, or anyone else associated
> with me, including my cats.
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/IS...cessRules.html
>
> Troubleshooting Client Authentication on Access Rules in ISA Server 2004
> http://download.microsoft.com/downlo...7/ts_rules.doc
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
> -----------------------------------------------------
>
>
>