WINDOWS 2003 AND INTERNET

Dear Experts,

we are using Win2003 R2 server. It is connected to our LAN. We are using DSL
CISCO Router for our internet emails and browsing which is also connected to
the LAN.

We are not allowing any users to browse the internet or send / receive
internet emails on their office terminals. So we configure the client systems
without a gateway ip address (which is our DSL Router). For blocking the
internet emails we are controlling by Exchange server. The problem is only
for internet browsing.

Now, the question is : If any user knows the gateway IP address, he can
simply enter it in the tcp/ip properties and start browsing.

In Win2003 how can I monitor which IP is connected to the gateway and
browsing.

Regards,
--
Athar Sagri

* atharsagri (Mon, 3 Dec 2007 22:46:01 -0800)
> we are using Win2003 R2 server. It is connected to our LAN. We are using DSL
> CISCO Router for our internet emails and browsing which is also connected to
> the LAN.
>
> We are not allowing any users to browse the internet or send / receive
> internet emails on their office terminals. So we configure the client systems
> without a gateway ip address (which is our DSL Router). For blocking the
> internet emails we are controlling by Exchange server. The problem is only
> for internet browsing.
>
> Now, the question is : If any user knows the gateway IP address, he can
> simply enter it in the tcp/ip properties and start browsing.

No, you have to be admin to do that so normal users can't.

Thorsten

All users are administrators on their terminals. If I make them a restricted
user, they are not able to share folders.
--
Athar Sagri


"Thorsten Kampe" wrote:

> * atharsagri (Mon, 3 Dec 2007 22:46:01 -0800)
> > we are using Win2003 R2 server. It is connected to our LAN. We are using DSL
> > CISCO Router for our internet emails and browsing which is also connected to
> > the LAN.
> >
> > We are not allowing any users to browse the internet or send / receive
> > internet emails on their office terminals. So we configure the client systems
> > without a gateway ip address (which is our DSL Router). For blocking the
> > internet emails we are controlling by Exchange server. The problem is only
> > for internet browsing.
> >
> > Now, the question is : If any user knows the gateway IP address, he can
> > simply enter it in the tcp/ip properties and start browsing.
>
> No, you have to be admin to do that so normal users can't.
>
> Thorsten
>

> Dear Experts,
>
> we are using Win2003 R2 server. It is connected to our LAN. We are using
> DSL
> CISCO Router for our internet emails and browsing which is also connected
> to
> the LAN.
>
> We are not allowing any users to browse the internet or send / receive
> internet emails on their office terminals. So we configure the client
> systems
> without a gateway ip address (which is our DSL Router).
Most of DSL Routers have an embed IP filter, so you can control access, from
your LAN, to the internet. Just try to read the router's manual.

> Now, the question is : If any user knows the gateway IP address, he can
> simply enter it in the tcp/ip properties and start browsing.
Like Thorsten Kampe said, with default security settings, simple users can't
change IP configuration.

> In Win2003 how can I monitor which IP is connected to the gateway and
> browsing.
I think, it is possible with your router. Most of modern DSL routers have
possibility to show which hosts are connected. And some of these routers
have the possibility to write a log on a remote host in LAN/WAN. So, all you
need is to read that manual.

Howdie!

atharsagri schrieb:
> We are not allowing any users to browse the internet or send / receive
> internet emails on their office terminals. So we configure the client systems
> without a gateway ip address (which is our DSL Router). For blocking the
> internet emails we are controlling by Exchange server. The problem is only
> for internet browsing.

Implement a proxy server and restrict internet access there. Don't try
to mess around with Windows settings and bogus settings in Windows that
point to nowhere. If people are admins on their boxes, you're lost and
alone as they're able to revert policy changes and network settings as
you make them.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.

Which Proxy server / ISA Server version is compatible with windows server
2003 R2?
--
Athar Sagri


"Florian Frommherz [MVP]" wrote:

> Howdie!
>
> atharsagri schrieb:
> > We are not allowing any users to browse the internet or send / receive
> > internet emails on their office terminals. So we configure the client systems
> > without a gateway ip address (which is our DSL Router). For blocking the
> > internet emails we are controlling by Exchange server. The problem is only
> > for internet browsing.
>
> Implement a proxy server and restrict internet access there. Don't try
> to mess around with Windows settings and bogus settings in Windows that
> point to nowhere. If people are admins on their boxes, you're lost and
> alone as they're able to revert policy changes and network settings as
> you make them.
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
>

> Which Proxy server / ISA Server version is compatible with windows server
> 2003 R2?
> --
> Athar Sagri

Look, dude, I think, you already have the possibility to control the access
through your router. Can you write here the router's model? You need an
addiditional computer, to deploy a proxy server. And in case of ISA - extra
licence.

We are using Cisco 877W (Firewall Router) for our corporate DSL line. I even
check this:

If i put any ip address in the gateway for eg. 1.1.1.1 in the client PC - It
is browsing. It is really very strange for me.


--
Athar Sagri


"Iuri Cuznetov" wrote:

> > Which Proxy server / ISA Server version is compatible with windows server
> > 2003 R2?
> > --
> > Athar Sagri
>
> Look, dude, I think, you already have the possibility to control the access
> through your router. Can you write here the router's model? You need an
> addiditional computer, to deploy a proxy server. And in case of ISA - extra
> licence.
>
>
>

Howdie!

atharsagri schrieb:
> Which Proxy server / ISA Server version is compatible with windows server
> 2003 R2?

ISA 2004 and 2006 will do well. You could also have a look at Squid
which is freeware - but you'll count some administrative overhead into
that, since the initial configuration might not be that easy.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.

> We are using Cisco 877W (Firewall Router) for our corporate DSL line.

Here:
http://www.cisco.com/en/US/products/...d8028a976.html

In "Routing Protocols and General Router Features" there is "Access control
lists (ACLs)". It means you can control the access to the internet
connection.

In your situation, there are 2 solutions:

Solution #1. Contact your Cisco dealer (not Cisco office, couse they support
only there main clients) and try to figure out, how to configure the ACL on
your Cisco router. In fact, it has a web interface, as well as telnet, for
its confoguration.

Solution #2. You can use software router, like ISA. Even Server 2003 has a
feature called "Routing and Remote Access Service". So you can control
internet access for your users. If you decide to use nix-like solutions, you
can use the freesco (www.freesco.org) software router, it is much easy to
deploy then a full nix-like router. And of course, you can deploy a proxy
server. But if you will do this, you'll be needed to configure all kind of
your local clients for using this proxy.

Hope my response was useful for you.