602LAN SUITE 2004 User Forum
NAT restriction
  Posted by  Jason Mcclellan  on Sunday, March 21, 2004 at 12:30:27 AM (EST)
I was wondering if there is any way to use both proxy and NAT, and restrict the use of NAT somehow. Specifically, I would like to be able to set NAT to work only for a certain range of IPs on the LAN; this allows me to have my regular users set up with the proxy, and allow visitors to just plug into the LAN and use the NAT services, eliminating the need for visitors to reconfigure their browsers and such. This would prevent my users from using the NAT services but make it convenient for visitors.

On a related note, is there any way to have the proxy auto-discover in IE, again avoiding the need for manual configuration?

Thanks
  Posted by Robert Smith  on Monday, March 22, 2004 at 10:52:16 AM (EST)
NAT: no, there's not any way to restrict this, but you could just not configure these computers to use NAT, i.e., don't use DHCP, manually configure these computers to use SOCKS, don't set up the default gateway.

As far as the auto-discovery, I don't think there's a way to do it. I always set my clients up manually.
  Posted by Jason Mcclellan  on Monday, March 22, 2004 at 11:11:05 AM (EST)
My concern is not my ability to configure it, it is more about the ability of my users to UN-configure proxy and use NAT instead. Without restrictions, it opens a huge hole in outbound security to have NAT enabled. Even the cheapest firewall/router appliances let you restrict access in some fashion..

Regarding the auto-configure of the proxy, I did some online research after posting the first message, and figured out how to do it! Works great, all you have to have is the 'automatically detect settings' in IE checked. You need a DHCP server, DNS server and web server for it to be compliant, but I think you could get away without the DNS server. It's called WPAD and can actually be used for many things including proxy load balancing, fail-over etc! Of course MS intends it for ISA server which does it for you automatically, but with a simple reference guide you can do it yourself too. Here are a couple of links I used:

http://www.jsiinc.com/SUBO/tip7300/rh7399.htm

http://www.grape-info.com/doc/win2000srv/internet-gw/wpad/

And an excellent guide to all the many options available within the autoconfiguration file:

http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html#isPlainHostName
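
A minimal autoconfiguration (PAC) file of the kind WPAD hands to browsers, added here as an example and not taken from the thread or from Software602: LAN destinations go direct, everything else goes to the proxy. The proxy address, port and LAN range are constructed, and `isPlainHostName`, `ipToInt` and `isInNet` are stand-ins for the browser-provided helpers so the file also runs under Node.

```javascript
// Constructed values (assumptions, not from the thread).
var PROXY = "PROXY 192.168.0.1:8080"; // hypothetical proxy address and port
var LAN_NET = "192.168.0.0";
var LAN_MASK = "255.255.255.0";

// Stand-ins for browser-provided PAC helpers so the file runs under Node.
// Remove them before serving the file; the browser supplies the real ones.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Parse a dotted-quad string into an unsigned 32-bit number, or null.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Handles IP literals only; the real isInNet also resolves hostnames.
function isInNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Unqualified intranet names and LAN addresses do not need the proxy.
  if (isPlainHostName(host) || isInNet(host, LAN_NET, LAN_MASK)) {
    return "DIRECT";
  }
  // No "DIRECT" entry is listed for external hosts, so the file never
  // tells a client to bypass the proxy. A second "PROXY host:port" entry
  // separated by ";" would give fail-over between proxies.
  return PROXY;
}
```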
  Posted by Robert Smith  on Tuesday, March 23, 2004 at 9:59:52 AM (EST)
I was thinking about this last night.. Sure, the user could always set up NAT by themselves and bypass it, but what if you set up a policy on your workstations to prevent them from accessing the Network configuration? They wouldn't be able to do it then. :)

You could also set up a firewall rule to block access to the ports you don't want your users using. The beauty of this is it would block outbound traffic, so if you're worried about trojans and what-not, the packets would be dropped at LAN SUITE. The firewall can block access to everything from a subnet except say, port 80, 25, 110, 138, 139 (filesharing) and any other port they would need to do their work.

I agree that there should be some sort of IP filter or something like that for NAT, but I think Software602's leaning more towards the firewall.
  Posted by Jason Mcclellan  on Tuesday, March 23, 2004 at 11:39:56 AM (EST)
I hesitate to enable the firewall, as this machine performs other functions as well and it might just be a can of worms.. but I know what you're saying, I could find a convoluted way to make it work while maintaining security.. but it's not slick, and it could be so easily.

It appears the intent was that someone would either choose NAT, or proxy. But this is the perfect application for both - proxy for normal use, NAT just for convenience for visitors..
  © 2009 Software602, Inc. All rights reserved.