RE: Group Policy - Restrict Internet Access by OU?
- From: v-chayan@xxxxxxxxxxxxxxxxxxxx ("Charles Yang [MSFT]")
- Date: Tue, 23 Aug 2005 09:48:15 GMT
Hi,
Thanks for the update.
From your description, I understand that you have SBS Premium. As far as I
know, if you cannot find ISA on SBS 2003, you can use the SBS Premium
technology disk to install ISA Server.
1. Check the last disk of your SBS package; you will find a document that
introduces how to install ISA on SBS 2003.
2. After you install ISA, please refer to the following section for how to
restrict internet access for a specific user group.
Open ISA management and create a new Protocol Rule at Servers and
arrays\YourServer\AccessPolicy\Protocol Rule with the following content:
Action: Deny
Protocol: All IP traffic except selected: HTTP
Apply to: Users and groups specified below: Limit Group
Then your users can only access HTTP (TCP 80). Please continue with the
following to restrict the site content.
Open ISA management and create a new Destination Set at Servers and
arrays\YourServer\Policy Element\Destination Set with the following content:
Destination Set name: as you specify
Destination entry: the website that is allowed to be accessed, such as XYZ.com
Open ISA management and create a new Site and Content Rule at Servers and
arrays\YourServer\AccessPolicy\Site and content Rule with the following content:
Destination: All destinations except selected set: choose the destination
set you created above
Action: Denied
Applied to: Users and groups specified below: Limit Group
HTTP content: All content groups.
Hope this is helpful. Please feel free to let us know; I am glad to help you.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Ripley <Ripley@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: RE: Group Policy - Restrict Internet Access by OU?
| Date: Tue, 23 Aug 2005 01:08:02 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| Thank you for your comprehensive answer. I certainly have more options than I
| first thought.
|
| However, I seem to have omitted the fact that I actually DO have SBS Premium
| 2003 edition on my server. So I'm guessing the best way would be to create
| this group you mention in ISA. Problem is that I can't see ISA anywhere on my
| server. Is it not installed by default or something?
|
| I wonder could you advise on where to find ISA, how to install if it's not
| done so by default, and perhaps add more on this theory of adding a group in
| ISA to then attach to the global policy?
|
| Thanks.
|
| "Charles Yang [MSFT]" wrote:
|
| > Hi,
| >
| > Nice to hear from you again.
| >
| > Issue description:
| > ===========
| >
| > From your description, I understand that you want to restrict users'
| > access to the internet through policy.
| >
| > Analyzing and suggestions:
| > ===========
| >
| > Before we go any further, please note that it is not possible to restrict
| > users' internet access via OU and group policy; we have such an option only
| > on SBS Premium edition.
| >
| > Here I would like to give you some suggestions on them:
| >
| > ISA:
| >
| > Create a Protocol Rule
| > =====
| >
| > We need to create a Protocol Rule to allow the HTTP, HTTPS and FTP protocols,
| > and then apply it to the specific user group. You can create a special group
| > to allow only a specific OU to access the internet; by default in SBS only
| > the internet user group will be allowed, and you can remove this group and
| > add the OU or group you want.
| >
| > Standard:
| >
| > In SBS 2003 Standard, we have no such option to restrict users' access to
| > the internet via group or OU. We can only restrict users' internet access
| > via IP address; please refer to the following section:
| >
| > 1. Assign static IP addresses to the clients. You can use DHCP to assign
| > the IP address based on MAC, so you can assign a static IP to a client
| > computer via DHCP.
| > 2. Configure RRAS to filter the IP addresses (outbound filter on network
| > connections).
| >
| > For more information, please refer to this Knowledge Base article:
| >
| > 825763 How to configure Internet access in Windows Small Business Server 2003
| > http://support.microsoft.com/?id=825763
| >
| > In addition, you can use the GPO way by creating a restricted OU and
| > restricting IE settings on the users in the OU. Please refer to the
| > following section:
| >
| > Web Proxy "poisoning", with the company intranet site as the exception to
| > the proxy settings, combined with locked-down IE settings enforced via Group
| > Policy.
| >
| > I'll create a new group called internet access. I'll add users who are
| > eligible for internet access. I'll exempt this group from the new group
| > policy setting that forces an invalid proxy (my choice of IP as long as it
| > is invalid on the domain) setting into IE. I'll also list in the "Use these
| > proxy settings except for the following sites":
| >
| > 1. Client URL for their intranet. <Maybe also *.microsoft.com so Windows
| > Update works on each WKS. Maybe not if I roll out SUS for the LAN>.
| > 2. Make sure that through group policy the user cannot alter the IE
| > connection settings or remove the bogus proxy.
| >
| > This solution should allow internet access for those members of the
| > internet access group (who do not get the bogus proxy address) and forbid
| > it for those who do not belong to the internet access group (who receive
| > the bogus proxy address and cannot alter/remove it).
| >
| > It also meets my needs for continued Intranet access for ALL, but please
| > note that it is only a good solution if the client computers use IE for
| > internet access; if they change the browser, the suggestion above does not
| > work at all, and all users will be allowed onto the internet.
| >
| > We appreciate your understanding. If you have any further concerns, please
| > feel free to post here. I am glad to help you.
| >
| >
| >
| > Best regards,
| >
| > Charles Yang (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| >
| > --------------------
| > | From: Ripley <Ripley@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > | Subject: Group Policy - Restrict Internet Access by OU?
| > | Date: Mon, 22 Aug 2005 01:43:33 -0700
| > | Newsgroups: microsoft.public.windows.server.sbs
| > |
| > | I have a SBS 2003 and multiple users. I've split some of these users off
| > | into their own OU so that I can create a new Group Policy for them which
| > | is different than the standard. I also would like to restrict this group's
| > | internet access. Easy enough, as I could restrict access to the whole
| > | iexplore.exe program. BUT - I want them to be able to access our Intranet
| > | ONLY, and nothing else on the Internet.
| > | I can't work out a way to do this and have been unsuccessful in my efforts
| > | up until now. For instance, if I tick the connection settings as
| > | "Automatically detect", their machines are able to go on the internet as
| > | normal. Is it possible to do what I am trying to do? The SBS 2003 server
| > | is directly connected to the internet, so all machines just have their
| > | "Automatically detect" option ticked to route through onto the internet.
| > |
| >
| >
|
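The "bogus proxy" Group Policy approach quoted above, modelled as an added example (not code from the thread or from Microsoft): non-exempt users get an invalid proxy address plus an exception list, so only the excepted hosts are reached directly, while exempt users get no proxy at all. The registry value names are an assumption about what the IE policy writes, and the proxy address and hostnames are constructed; the model also carries the thread's own caveat that a browser ignoring IE's settings is not restricted.

```python
"""Model of the 'bogus proxy' lockdown described in the thread (added example,
not from the original post). Non-exempt users receive an invalid proxy address
plus an exception list, so only excepted hosts are reached directly."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed values. Assumption: Internet Explorer reads these from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
RESTRICTED_POLICY = {
    "ProxyEnable": 1,
    "ProxyServer": "10.255.255.254:8080",  # deliberately unreachable on the LAN
    "ProxyOverride": "intranet.example.local;*.microsoft.com;<local>",
}
EXEMPT_POLICY = {"ProxyEnable": 0, "ProxyServer": "", "ProxyOverride": ""}


def bypasses_proxy(host: str, override: str) -> bool:
    """IE-style bypass list: ';'-separated wildcard patterns, '<local>' matches
    plain hostnames without a dot (simplified model, case-insensitive)."""
    host = host.lower()
    for pattern in (p.strip().lower() for p in override.split(";") if p.strip()):
        if pattern == "<local>":
            if "." not in host:
                return True
        elif fnmatchcase(host, pattern):
            return True
    return False


def route(url: str, policy: dict) -> str:
    """Return 'direct' or 'proxy:<addr>' for a request IE makes under policy."""
    host = urlsplit(url).hostname or ""
    if not policy["ProxyEnable"] or bypasses_proxy(host, policy["ProxyOverride"]):
        return "direct"
    return "proxy:" + policy["ProxyServer"]


def is_reachable(url: str, policy: dict, uses_ie_settings: bool = True) -> bool:
    """A request sent to the bogus proxy fails. The thread's caveat: a browser
    that ignores the IE connection settings goes direct regardless of policy."""
    if not uses_ie_settings:
        return True
    return route(url, policy) == "direct"
```

The last check in the test shows why the exception list should hold exact hosts or suffix wildcards only: a broader pattern would let unintended sites bypass the block.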