exocet_cm
Free at last, free at last
Premium
join:2003-03-23
kudos:3

Proper way of determining network location with GPO

2K8 domain. I have in my current GPO the method of determining network location internally by hitting gateway.domain.com and externally by hitting www.google.com.

The problem I'm having is that our gateway, Untangle Firewall, blocks outgoing communication from our forensic computers and shows a big nasty message if you try to access the internet from a forensic computer. By blocking this, I'm also indirectly blocking www.google.com traffic. All of our forensic computers are thinking they are on a public network now and the Winblows firewall, controlled by group policy, is blocking incoming legitimate traffic.

Is there a different method of determining internal/external network location with GPO?
--
"All newspaper editorial writers ever do is come down from the hills after the battle is over and shoot the wounded." - Bruce Anderson
"I have often regretted my speech, never my silence." - Xenocrates
Check out my blog: www.johndball.com


Modus
I hate smartassery on forums
Premium
join:2005-05-02
us
Off the top of my head, the only thing I can think of right now would be item-level targeting. With that you can specify IP ranges; that's located in the GPO Preferences.
--
Think Ahead. Learn More. Solve Now!


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
I know you can do a GPO based on AD site.


IIIBradIII
Comm M-E-L Instr

join:2000-09-28
Greer, SC
reply to exocet_cm
I'm not sure I follow you exactly, but take a look in here:

Computer Configuration > Windows Settings > Security Settings > Network List Manager Policies

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to exocet_cm
Are the forensic computers joined to the domain as well? What OS are they running and do they connect to more than one network? My thought here is that if they are joined to the domain they should be getting the domain network profile as soon as the NLA system can locate the DC (I do have a couple computers here that seem to sit at public for a decent period of time before they realize they are on a domain and switch).

Alternatively, what about a firewall change to fix this? IIRC, all it needs to do is perform a DNS lookup, not actually connect to the web server. Just allow those forensic computers to connect to UDP 53 and nothing else. They still won't be able to go anywhere but they will be on the right profile ideally.


exocet_cm
Free at last, free at last
Premium
join:2003-03-23
kudos:3
said by JoelC707:

Are the forensic computers joined to the domain as well? What OS are they running and do they connect to more than one network? My thought here is that if they are joined to the domain they should be getting the domain network profile as soon as the NLA system can locate the DC (I do have a couple computers here that seem to sit at public for a decent period of time before they realize they are on a domain and switch).

Alternatively, what about a firewall change to fix this? IIRC, all it needs to do is perform a DNS lookup, not actually connect to the web server. Just allow those forensic computers to connect to UDP 53 and nothing else. They still won't be able to go anywhere but they will be on the right profile ideally.

Yes, they are part of our forensic lab domain. Windows 7 Enterprise.

I looked at the GPO again and made a modification of Comp Config --> Policies --> Admin --> Network --> Network Connectivity Status Indicator --> Domain Location Determination URL. I modified it to hit an internal web server located on the "secure" side of the firewall/gateway and it seems to have done the trick.
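The thread ends with two diagnostic ideas: JoelC707's point that the location probe may only need a DNS lookup to succeed, and exocet_cm's fix of pointing the "Domain Location Determination URL" policy at an internal web server. The script below is an added example, not code posted in the thread, for checking both on a domain member: it reads the URL that policy wrote to the registry (the NetworkConnectivityStatusIndicator key under HKLM\SOFTWARE\Policies, value DomainLocationDeterminationUrl), reports which Windows Firewall profile is currently active via netsh, and tests whether the probe host resolves in DNS. It assumes PowerShell 2.0 or later (as shipped with Windows 7) and local administrator rights.

```powershell
# Added example, not code from the thread. Audits how a Windows 7 / Server 2008 R2
# domain member decided its network location: the NCSI policy URL written by the GPO,
# which firewall profile is currently active, and whether the probe host resolves in DNS.
# Assumes PowerShell 2.0 or later, run with local administrator rights.

# Registry location written by the "Domain Location Determination URL" policy.
$NcsiPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator'

function Get-NcsiDomainProbeUrl {
    # Returns the policy-delivered URL, or $null when the GPO has not set one.
    if (-not (Test-Path $NcsiPolicyKey)) { return $null }
    $props = Get-ItemProperty -Path $NcsiPolicyKey
    return $props.DomainLocationDeterminationUrl
}

function Get-ActiveFirewallProfiles {
    # netsh prints one "<Name> Profile Settings:" header per profile currently in use.
    $lines = netsh advfirewall show currentprofile
    $names = @()
    foreach ($line in $lines) {
        if ($line -match '^(Domain|Private|Public) Profile Settings') { $names += $Matches[1] }
    }
    if ($names.Count -eq 0) { $names = @('Unknown') }
    return $names
}

function Test-ProbeHostDns {
    param([Parameter(Mandatory = $true)][string]$Url)
    # Only name resolution is checked here; reaching the web server is a separate question.
    # A bare host name is accepted as well as a full URL.
    if ($Url -notmatch '://') { $Url = 'http://' + $Url }
    $hostName = ([System.Uri]$Url).Host
    $result = New-Object PSObject -Property @{ Host = $hostName; Resolves = $false; Addresses = '' }
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($hostName)
        $result.Resolves = $true
        $result.Addresses = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ', '
    } catch {
        $result.Addresses = $_.Exception.Message
    }
    return $result
}

# --- Report ---
$profiles = Get-ActiveFirewallProfiles
Write-Host ("Active firewall profile(s): " + ($profiles -join ', '))

$probeUrl = Get-NcsiDomainProbeUrl
if (-not $probeUrl) {
    Write-Host "No Domain Location Determination URL is set by policy (NCSI defaults apply)."
} else {
    Write-Host "Policy probe URL: $probeUrl"
    $dns = Test-ProbeHostDns -Url $probeUrl
    if ($dns.Resolves) {
        Write-Host ("Probe host {0} resolves to {1}" -f $dns.Host, $dns.Addresses)
    } else {
        Write-Warning ("Probe host {0} does not resolve: {1}" -f $dns.Host, $dns.Addresses)
    }
}

# A domain member sitting on the Public profile is the symptom described in the thread:
# firewall rules scoped to the Domain profile will not apply to it. Comparing this with the
# DNS result separates an egress block at the gateway from a policy pointing at a dead host.
if (($profiles -contains 'Public') -and (-not ($profiles -contains 'Domain'))) {
    Write-Warning "Domain member is on the Public profile; domain-scoped firewall rules will not apply."
}
```

Run it on one of the affected forensic workstations before and after the GPO change: if the probe host does not resolve, the gateway's block is reaching DNS as well and Joel's UDP 53 exception is the relevant fix; if it resolves but the profile is still Public, the probe URL itself (or the web server behind it) is what to look at.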