12-07-2009 04:52 PM
I would like to have some guidance and advice regarding best practices for controling access to the Internet. I have a Windows domain environment (trust), an SSG-140-SH as a border firewall, Two-different-ISP internet conections connected to the firewall as Untrust.
Right now I am controlling access via IP addresses, so I configure a policy that allows a certain group of addresses to initiates connections trust/untrust. But I find it hard to maintain when you have more than 300 users (IPs) to control.
Is there a way to control access by username/password and MAC address??
Well I hope you guys can help me out!
12-11-2009 12:12 AM
Yes,you can authenticate based on username password. This can be enable thru an Option called Web or Firewall authentication.
Users can be locally created on the firewall and grouped as per your need.Enable web authentication on the trust interface and specify an IP address. Create an allow access policy and enable the authentication on the that policy along with specifying the users or groups whom you wish to allow access to services.
I gues you can also integrate LDAP for authentication..Not to sure though..
Hope this helps.
12-16-2009 06:21 AM
Greetings & thanks all of you for feedbacking this thread.
link2ali: is there a way of controlling access based of MAC address plus username & password?
I mean, that only allowed MACs can get web-authenticated.
I hope you guys can feedbackme on that.
12-16-2009 09:43 AM
it's my opinion, i manage and controlling 4000 usrs to internet acces, i think the best practice you can put proxy servers btween users and firewall, you have windows domain right you can do that . but your users should be set thier internet browser, your admin can create policy rul on AD for setting your IE explorer.
after that on your proxy you can create rull to allow only one group " Internet access Group" you put only user have allowed internet access.
on your firewall you allow DNS, HTTPS,HTTP..., only from trust to untrsut with NAT egrees from proxy server to internet and after that you can allow some protocole like MSN yahoo ......etc.
you change your trust interface to Route mode and you controle NAT by policy it's better
i hope this help you
07-22-2010 05:30 PM
Hi mehdi, sorry for getting along this thread too late, and thanks for your professional post.
I think my situation best fits your comment because I have a AD server. I dont have a proxy already setup, but that shouldnot be a problem.
Would you mind helping more on this. Is there a way we can share more about this matter?
Best Regards, SZ