Using Network Access Control to limit Internet access on a specific few machines

Tags: NAC, Network Access Control, Security in 2010, Windows, Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 Support

How can we use Windows 2008’s Network Access Control to limit interns’ computers from getting to the Internet? Where is this feature set up, and do we need a client on the computers or does AD take care of this?

Software/Hardware used:
Windows Server 2008 R2, Network Access Control

Answer Wiki

Windows Server does not implement a way to do exactly that, but there are ways to do it, even if they're not the best approach for Internet access control; specific tools for that may still be very helpful to control Internet traffic at your company. But I will show you a way to control who can access the Internet (or any service, in fact); this is how we control Internet access at my company.

The structure: 1 DHCP server and 1 RRAS server (both Windows Server 2008 R2).

We’ve divided our IP ranges as follows:
From 172.16.10.1 to 172.16.10.30 is reserved for manually defined IP addresses (yes, we do need that), 172.16.10.1 being the default gateway.
From 172.16.10.32 to 172.16.10.254 is the range that our DHCP server handles, but there is a catch here: the IPs ranging from 172.16.10.129 to 172.16.10.254 are marked as an exclusion range from DHCP leases; those are used for IP reservations. Notice that those addresses belong to 172.16.10.128/25.

The RRAS box is a Windows 2008 Server with the Routing and Remote Access role, with a tweak to the IP routing table. Instead of being visible to the whole network (172.16.10.0/24), it is only visible to a subnet of that network (172.16.10.128/25), which just happens to be the range for reservations on the DHCP.

So the process for allowing Internet access to a client is just to reserve an IP address for its MAC address on the DHCP server and renew the IP lease.

And that’s it: some users have Internet, some don’t, but the rest of the network services are available for everyone.
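
An added example, not part of the original answer: a Python audit of the address plan described above. It compares the DHCP reservation list with IP/MAC pairs seen on the network, and reports which leasable addresses fall inside the Internet-enabled 172.16.10.128/25 subnet. The function names, MAC addresses and sample data are constructed for illustration; how the reservation list and the observed pairs are exported is left as an assumption.

```python
import ipaddress

ip = ipaddress.ip_address
INTERNET_NET = ipaddress.ip_network("172.16.10.128/25")  # subnet the RRAS box serves
RANGES = {  # address plan from the answer; dynamic = DHCP pool minus the exclusion range
    "static": (ip("172.16.10.1"), ip("172.16.10.30")),
    "dynamic": (ip("172.16.10.32"), ip("172.16.10.128")),
    "reserved": (ip("172.16.10.129"), ip("172.16.10.254")),
}

def norm_mac(mac):
    """Canonical lower-case hex MAC without separators."""
    return mac.lower().replace("-", "").replace(":", "")

def classify(addr):
    """Name the planned range an address belongs to, or 'unplanned'."""
    a = ip(addr)
    for name, (lo, hi) in RANGES.items():
        if lo <= a <= hi:
            return name
    return "unplanned"

def leasable_in_internet_net():
    """Dynamic-pool addresses that also fall inside the Internet-enabled /25."""
    lo, hi = RANGES["dynamic"]
    return [str(ip(n)) for n in range(int(lo), int(hi) + 1) if ip(n) in INTERNET_NET]

def audit(reservations, observed):
    """reservations: {mac: ip}; observed: [(ip, mac)] seen on the wire (e.g. ARP table)."""
    res = {norm_mac(m): ip(a) for m, a in reservations.items()}
    findings = []
    for mac, a in res.items():
        if classify(str(a)) != "reserved":
            findings.append(("reservation-outside-range", str(a), mac))
    for addr, mac in observed:
        a, mac = ip(addr), norm_mac(mac)
        if a in INTERNET_NET and res.get(mac) != a:
            findings.append(("internet-ip-without-reservation", str(a), mac))
    return findings

# Constructed sample data (not from the page)
RESERVATIONS = {"00-11-22-33-44-55": "172.16.10.130", "00-11-22-33-44-66": "172.16.10.40"}
OBSERVED = [("172.16.10.130", "00:11:22:33:44:55"), ("172.16.10.200", "00:11:22:33:44:77"),
            ("172.16.10.50", "00:11:22:33:44:88")]

if __name__ == "__main__":
    print(leasable_in_internet_net())
    for finding in audit(RESERVATIONS, OBSERVED):
        print(finding)
```

With the pool and exclusion range exactly as stated, 172.16.10.128 remains leasable without a reservation and lies inside the /25, so extending the exclusion range to start at .128 closes that gap.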
