Home / server / Questions / 116929
Accepted
Hemal
Asked: 2010-02-26 12:57:57 +0800 CST

HTTP access & Cisco router 1841

  • 772

I have w2k3 network with around 50+ users, DSL internet and Cisco 1841 with SDM. Everything works fine but I would like to block HTTP access for some staff members but they require access to POP3/SMTP emails. I would like to know what are the best practices for this? In our old Nexland Internet sharing box, we used to allow/block MAC addresses for access to HTTP/EMAIL etc.

Anyone want to share the expertise in this matter?

Thank you in advace, Hemal

http

1 Answers

  1. Best Answer

    I'm not a Cisco expert, but usually the configuration is flexible enough so that you could block common HTTP ports (80, 443, 808x, etc) by MAC or IP address if you like. That's not really a flexible method though.

    What I would do is:

    1. Set up a proxy server somewhere (Squid, Nginx, ISA Server, etc).
    2. Enable proxy authentication and set up some ACLs based on user authentication and/or IP address. Test this to make sure it behaves as expected, depending on the username used.
    3. Once satisfied, apply a GPO that points your client computers at the proxy. Test that to be sure it really is blocking users.
    4. On the router, block outbound HTTP-related ports from your network, except from the proxy server.

    Now you have fine-grained control on who is allowed access to HTTP, and you don't have to play with router config every time you add users, computers, etc. I suggest also that you always allow access to sites that provide automatic updates (like Windows Updates, updates from your AV vendor, etc).

    • 0