I'm trying to set up fine-grained control of external websites based on our users' and computers' AD group memberships.
Generally, we block sites such as YouTube, Facebook, MySpace et al - but our video department need YouTube access; the Marketing department need access to Facebook, and so on. We also have a number of PCs that should have unrestricted Web access. Currently this is administered using static IPs entered into our firewall configuration - which is time-consuming and error-prone, and it'd be much easier to do it via AD group membership, and it turns out our existing hardware firewall doesn't support this scenario :(
So, our requirements are:
Control USER-LEVEL access to particular websites via Active Directory group membership. Users who are members of the ''Facebook Users'' group in Active Directory can access Facebook during office hours, regardless of which computer they are using, and users who are NOT members of the ''Facebook Users'' should not be able to access this site during office hours. We want to repeat this for 5-6 different websites, and manage access entirely through AD group membership.
Control COMPUTER-LEVEL access to particular websites - i.e. I'd like to be able to make a specific domain computer a member of the ''Facebook Users'' group, so that any user who is using that computer has access to Facebook, regardless of the user's AD group memberships.
Ideally, all this is completely transparent to the end user - they shouldn't need to enter their network credentials again. Also, setting up a local proxy, etc. is fine as long as it's manageable via group policy.
Thanks,
Dylan
Microsoft Forefront TMG can do that with locally installed firewall client or transparent proxy. As the client knows the computer identity AND (!) the identity of the user, rules can be defined for them.
We do this with Barracuda Networks' Web Filter, which can be integrated with Active Directory. You can also assign certain IP addresses specific permissions - it is easy enough to make sure the same computer always has the same IP address on your network via DHCP or plain old static configuration. We chose this because we liked the reporting it does, and we got a good deal.
There are plenty of competing web filter solutions, hardware, software, open source, and even cloud based Software as a Service solutions, that integrate with Active Directory - if they do that then they almost 100% do what you need.
Take a look at Palo Alto Networks.
We have one of their boxes and it can do pretty much exactly what you've just described, and it'll do it at an application level rather than you having to specify URLs for each website.
Microsoft ISA Server will do all of that for you, and it'll work as a local proxy just fine.
It requires the Microsoft Firewall Client to be configured on the client PCs to work in the most transparent way, but that's easily done using Group Policy.
A word from the open-source crowd: I'll throw a shout out to using Squid Cache to do what you're looking for.
You can see some docs for setting up an older version of Squid here (which are still applicable to recent versions of Squid for Win32): http://www.papercut.com/kb/Main/InstallingAndConfiguringSquidNTProxy
It's actually fairly easy to get Squid setup to authenticate with an AD domain on Windows. After that, it's just setting up a squid.conf file with your desired access controls. It's a little confusing to understand at first, but once you get your mind wrapped around the Squid ACL model you'll find that you can do some really wild things with it. Having ACLs based on source IP address (or DNS name) mixed in with user-based and time-based ACLs is possible. The ACL system is really pretty powerful.
Internet Explorer supports transparent NTLM authentication to Squid (as, I believe, Chrome does as well). I don't believe Firefox or Safari have managed to integrate that functionality yet. For domain-joined Windows clients using IE, though, it "just works" transparently.
I'd use proxy auto configuration scripts rather than trying to push out proxy settings with Group Policy, scripts, etc. Proxy auto configuration scripts are very handy.
If you are going to restrict access based on group membership, you may want to make sure that those groups are updating dynamically. Otherwise you will still end up with help desk tickets and your users without the proper access.
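The Squid ACL model the Squid answer above describes (source-address, user/group and time ACLs combined in one `http_access` chain), worked through for the requirements in the question. This is an added example, not configuration from the answer's author or from the Squid project. It assumes Squid 3.x on a domain-joined Linux host with Samba winbind, the helper paths shown (they differ between Squid versions; the group helper was `wbinfo_group.pl` before 3.2), AD groups named without spaces (`Facebook_Users`, `YouTube_Users`) because ACL arguments are whitespace-separated, and constructed addresses in 192.0.2.0/24.

```conf
# squid.conf excerpt (added example; assumes Squid 3.x + Samba winbind,
# helper paths as shown, and the constructed 192.0.2.0/24 network).

# --- Authentication: transparent NTLM via winbind, Basic as a fallback ---
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Web proxy
acl AuthUsers proxy_auth REQUIRED

# --- AD group lookup: helper receives the login name, answers OK/ERR ---
# ttl=300 caches each answer for 5 minutes, so a group change takes effect
# without restarting Squid (the "groups updating dynamically" point above).
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/ext_wbinfo_group_acl
acl facebook_users external ad_group Facebook_Users
acl youtube_users  external ad_group YouTube_Users

# --- Destinations and the office-hours window (Mon-Fri 08:00-18:00) ---
acl facebook dstdomain .facebook.com .fbcdn.net
acl youtube  dstdomain .youtube.com .googlevideo.com
acl office_hours time MTWHF 08:00-18:00

# --- Computer-level control ---
# Squid cannot see a computer account's AD groups through proxy auth, so a
# "computer member of Facebook_Users" is modelled as a fixed source address
# (DHCP reservation or static IP), as the Barracuda answer does.
acl unrestricted_pcs src "/etc/squid/unrestricted_pcs.txt"   # one address per line
acl facebook_pcs     src 192.0.2.10 192.0.2.11               # constructed addresses

acl localnet src 192.0.2.0/24
http_access deny !localnet

# Order matters: the first matching http_access line decides the request.
http_access allow unrestricted_pcs                        # whole PC exempt from filtering
http_access allow facebook facebook_pcs                   # computer-level membership, any user
http_access deny  facebook office_hours !facebook_users   # non-members blocked in office hours
http_access deny  youtube  office_hours !youtube_users
http_access deny  !AuthUsers                              # everything else needs a domain login
http_access allow AuthUsers                               # members, and everyone after hours
http_access deny  all
```

The `deny ... !facebook_users` lines end in an authentication-dependent ACL on purpose: when that ACL is the last one on a denying line, Squid sends the 407 challenge, which is what lets domain-joined IE clients authenticate silently with NTLM. Check the chain with `squid -k parse` after editing, and test a non-member, a member, and a listed PC against the same URL inside and outside the time window before pointing the PAC file at the proxy.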