hq -----> nat router -----> internet <----- nat router <------ home office (x-times)
The home offices are connected through IPsec VPN tunnels to the HQ. At this time it is done by a VPN router. The employees (at HQ) should have restricted access to the Internet. At this time we do it by blocking the employee's PC at the router, or by granting access to single websites for everyone at the router. Some employees should have complete access. Because there are now several terminal servers installed, we have to restrict access to the Internet per user: one terminal server is running with some employees logged on (and they have Internet access because the TS has it), and most employees work on the other TSs (and have no Internet access because the TS hasn't). The problem is the performance on the crowded server and the idleness of the other one. Now my questions:
- Can I restrict access to the Internet on a per-user basis with ISA Server (AD authenticated users)?
- Where is the NAT server placed? Instead of the HQ router, or between the HQ router and the network?
Why are site-to-site VPNs being used? It would be preferred that the users establish a remote access VPN client connection. Then you can control where the users can go on the corporate network and the Internet using the ISA Firewall's advanced VPN server. Works great.
Hello, site-to-site VPN connections are used because there are network printers in the HO which are printed on from HQ, so the VPN link has to be up all the time. At the HO there are thin clients and printers. They work on TS at HQ. All traffic is routed through the VPN link to the HQ. Could I do the following?
- Replace the router at HQ with the ISA Server.
- Build permanent VPN connections from HO to HQ as before.
- Limit Internet access per user (only a few users should have general Internet access)?
- Open special Internet sites for all (most users need only a few sites)?
- Content filter for those users who have general access (they shouldn't surf through sex, porn or other sites with malicious code)?
All users work on terminal servers. Only a few have fat clients. Most have thin clients.
You could terminate the site-to-site VPNs on the ISA Firewall, but you would need to create access rules allowing the remote site networks (which you can group into a single Network group) to reach what you want them to access on the corpnet and the Internet.
So do I see it right that I can cover all needs with the ISA Server?
- Grant Internet access to all or single sites per AD authenticated user
- Make the ISA Server the VPN server
- Take log files of what sites are visited by a user (via extra tools)
Two additional questions:
- Could the ISA Server log email traffic (NOT Exchange), especially what attachments are sent, and when possible store a copy of the attachment?
- Could the ISA Server log file copies via VPN tunnels? Or could the ISA Server restrict the traffic to "RDP" and "print" traffic? The background is to prevent employees from copying data to their HDD at home.
- Could the ISA Server log email traffic (NOT Exchange), especially what attachments are sent, and when possible store a copy of the attachment? TOM: No
- Could the ISA Server log file copies via VPN tunnels? Or could the ISA Server restrict the traffic to "RDP" and "print" traffic? The background is to prevent employees from copying data to their HDD at home. TOM: No -- This is why I really hate RDP access -- you cannot control any aspect of the protocol, and you provide complete desktop access to the users. There are no RDP filters that I'm aware of that will allow you to control the traffic, other than something like controlling which app can be used, which can be easily bypassed by a skilled hacker. HTH, Tom
Hello Tom, if I do the following steps, is that OK for good security? The main purpose is to prevent users from carrying data out!
- Replace all fat clients with thin clients where possible. Some clients can't be changed because they are CAD workstations; for these clients I will implement a policy which disables access to removable drives.
- Replace the router in HQ with an ISA Server.
- Disable access to local media in the RDP protocol.
- Search for a solution which makes copies of email attachments.
- Implement web monitoring on the ISA Server.
- Grant web access in ISA Server per user based on Active Directory authentication (possible?)
- Disable the possibility of putting data out to an FTP server in ISA Server (possible?)
Or do you prefer another way to secure the data / network?
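As an added illustration (not part of the thread, and not ISA Server's own API or object model), the Python below models the kind of ordered, first-match access policy Tom describes: a network set for the home offices that may only reach the terminal servers with RDP (and receive print jobs back), a rule giving every authenticated AD user the handful of approved sites, and a rule giving one AD group general web access. The network names, addresses, group name and site list are all assumptions constructed for the example. Note what it does and does not show: the tunnel can be limited to RDP and print protocols at the firewall, but, as Tom points out, that says nothing about what happens inside an RDP session (drive redirection, clipboard), which has to be handled on the terminal server side. The last policy variant shows the classic mistake of placing a broad deny rule above a narrower allow rule, which silently shadows it.

```python
"""Toy model of first-match access-rule evaluation on a perimeter firewall.

Constructed example. It mirrors the ISA concepts (network sets, user sets,
protocol sets, domain name sets, ordered rules, implicit default deny) but
is NOT the ISA Server API; every name below is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ALLOW, DENY = "allow", "deny"
ANY_AUTHENTICATED = "All Authenticated Users"   # special user set

# Assumed address plan: HQ LAN plus two home-office subnets behind the tunnels.
NETWORKS = {
    "Internal": (ip_network("10.1.0.0/16"),),
    "HomeOffices": (ip_network("192.168.10.0/24"), ip_network("192.168.11.0/24")),
}


def network_of(ip: str) -> str:
    """Name of the network set containing ip; 'External' if none does."""
    addr = ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(addr in r for r in ranges):
            return name
    return "External"


@dataclass(frozen=True)
class Request:
    src_ip: str
    dst_host: str                 # hostname seen by the web proxy, or an IP literal
    dst_ip: str
    protocol: str                 # "HTTP", "HTTPS", "RDP", "SMB", "FTP", ...
    user: Optional[str] = None    # authenticated AD account, None = anonymous
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src_networks: frozenset
    protocols: Optional[frozenset] = None     # None = all outbound protocols
    users: Optional[frozenset] = None         # None = all users, incl. anonymous
    dst_networks: Optional[frozenset] = None  # None = any destination network
    dst_domains: Optional[frozenset] = None   # domain name set; None = any host

    def matches(self, req: Request) -> bool:
        if network_of(req.src_ip) not in self.src_networks:
            return False
        if self.protocols is not None and req.protocol not in self.protocols:
            return False
        if self.users is not None:
            if req.user is None:
                return False      # rule needs an identity; anonymous never matches
            principals = {req.user, ANY_AUTHENTICATED} | set(req.groups)
            if not principals & self.users:
                return False
        if self.dst_networks is not None and network_of(req.dst_ip) not in self.dst_networks:
            return False
        if self.dst_domains is not None:
            host = req.dst_host.lower()
            if not any(host == d or host.endswith("." + d) for d in self.dst_domains):
                return False
        return True


def evaluate(policy, req: Request):
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in policy:
        if rule.matches(req):
            return rule.action, rule.name
    return DENY, "Default rule"


WEB = frozenset({"HTTP", "HTTPS"})
APPROVED_SITES = frozenset({"erp-vendor.test", "bank.test"})   # assumed site list

HQ_POLICY = (
    # Home-office thin clients may only reach the terminal servers over RDP.
    Rule("HO thin clients -> terminal servers", ALLOW, frozenset({"HomeOffices"}),
         protocols=frozenset({"RDP"}), dst_networks=frozenset({"Internal"})),
    # HQ may push print jobs to the home-office printers; nothing else crosses the tunnel.
    Rule("HQ -> HO printers", ALLOW, frozenset({"Internal"}),
         protocols=frozenset({"IPP", "LPR"}), dst_networks=frozenset({"HomeOffices"})),
    # Every logged-on AD user gets the few sites the business needs, regardless
    # of which terminal server (source IP) the session runs on.
    Rule("All users: approved sites", ALLOW, frozenset({"Internal"}),
         protocols=WEB, users=frozenset({ANY_AUTHENTICATED}), dst_domains=APPROVED_SITES),
    # Only members of one AD group (assumed name) get general web access; FTP stays closed.
    Rule("Internet-Users: full web", ALLOW, frozenset({"Internal"}),
         protocols=WEB, users=frozenset({"CORP\\Internet-Users"}),
         dst_networks=frozenset({"External"})),
)

# Same rules with a broad deny inserted too early: first-match evaluation means
# it shadows the group's allow rule that follows it.
MISORDERED_POLICY = HQ_POLICY[:3] + (
    Rule("Deny other web", DENY, frozenset({"Internal"}), protocols=WEB),
) + HQ_POLICY[3:]

TS = "10.1.5.20"   # assumed terminal server address
INTERNET_USERS = frozenset({"CORP\\Internet-Users"})


def sample_requests():
    """Constructed traffic: two terminal-server users share one source IP."""
    return {
        "ho_rdp": Request("192.168.10.50", TS, TS, "RDP"),
        "ho_smb": Request("192.168.10.50", TS, TS, "SMB"),
        "alice_erp": Request("10.1.20.7", "portal.erp-vendor.test", "203.0.113.10", "HTTPS", "CORP\\alice"),
        "alice_news": Request("10.1.20.7", "www.news.test", "203.0.113.20", "HTTP", "CORP\\alice"),
        "bob_news": Request("10.1.20.7", "www.news.test", "203.0.113.20", "HTTP", "CORP\\bob", INTERNET_USERS),
        "bob_ftp": Request("10.1.20.7", "ftp.news.test", "203.0.113.21", "FTP", "CORP\\bob", INTERNET_USERS),
        "anon_erp": Request("10.1.20.9", "portal.erp-vendor.test", "203.0.113.10", "HTTPS"),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:11s} {evaluate(HQ_POLICY, req)}")
    print("misordered bob_news", evaluate(MISORDERED_POLICY, sample_requests()["bob_news"]))
```

Running it shows the home-office client allowed only for RDP, alice reaching the approved ERP portal but nothing else, bob (group member) reaching arbitrary web sites but not FTP, and the anonymous request denied because the web rules require an authenticated identity; the misordered policy denies bob even though his allow rule is present.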