Quote:
It will be a little hard cause i will have to gather all ip's from all computers and build a couple of rules and groups, but that's what they are paying me for, isn't it?


There are a couple of ways to simplify your task.

Method 1 (if your firewall allows it)
  1. Set the firewall to block access to your entire subnet.
  2. Add an exception to allow everyone to access the "allowed" sites.
  3. Add an exception to allow specific hosts (managers, servers) unrestricted access


Doing it this way means that there are a lot fewer hosts to worry about, and when a new computer comes along it is automatically barred.

There are a lot of problems with this method though.
  • It is difficult to manage for sites using DHCP
  • If your managers need to use a machine other than their normal one they will get blocked.
  • If anyone uses your manager's machine they will be allowed access.
  • Managing URLs or IPs for allowed sites on a router is difficult, and means that you have to make a change on what is usually a high profile bit of kit. In my organisation such a change has to wait until a pre-determined maintenance period.
  • It is very hard to determine if there are any problems, or if anyone is bypassing your restrictions, and if they are, who they are.


Method 2 - The Proxy
Most people go with the proxy method because of the problems detailed above. You can also use a product like Websense if your firewall supports HTTP authorisation referrals (we use Websense in my organisation) but it is extremely expensive and I get the impression that it would be over-complicated in your scenario. It is also a bit kludgy in various areas.


The proxy method is very simple.
  1. Choose a proxy which will integrate into Windows authentication (it doesn't need to be a Windows device, LDAP authentication will do)
  2. Even better is if the proxy will take pass-through authentication (aka Windows Integrated Authentication).
  3. On your firewall, deny access to all hardware *except* your servers and your proxy.
  4. On your proxy configure the users and groups who will have access, and define the sites that they will have access to.
  5. On your clients set the connection target to the proxy, either by GPO or by using one of the proxy auto-discovery techniques


Doing it this way gives you many benefits:
  • Because everyone except the firewall computer is blocked there is no way to bypass the security from the client.
  • You can now authorise / authenticate using Windows users and groups.
  • You don't need to worry about machine IP addresses changing (DHCP).
  • You now have the option of tracking Internet usage - useful for things like compliance and capacity planning.
  • The tools for updating authorisation rules are likely to be much easier to use than changing a firewall configuration
  • You no longer change the firewall config when you need to update authorisation rules

Your firewall may be able to do some of these, but I wasn't able to find any information on an "NG3" to check.
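As an added illustration of step 5 of the proxy method (this is not from the original post), here is a proxy auto-configuration (PAC) script that a GPO could point clients at: LAN names and the internal subnet go DIRECT, everything else goes to the authenticating proxy with no DIRECT fallback. Assumed names: proxy.corp.example:3128, internal domain .corp.example and subnet 10.0.0.0/8; the PAC helper functions are reimplemented inline so the same file runs in a browser's PAC engine and under Node.

```javascript
// Constructed PAC example. Assumed: proxy host/port, internal domain and subnet below.
var PROXY = "PROXY proxy.corp.example:3128";
var INTERNAL_DOMAIN = ".corp.example";
var INTERNAL_NET = "10.0.0.0";
var INTERNAL_MASK = "255.0.0.0";

// Dotted-quad string -> 32-bit number, or null if the string is not a literal IPv4 address.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    var octet = parseInt(parts[i], 10);
    if (isNaN(octet) || octet < 0 || octet > 255 || String(octet) !== parts[i]) return null;
    n = n * 256 + octet;
  }
  return n;
}

// PAC helpers, reimplemented so this file also runs under Node for testing.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  // Suffix match on the dotted domain, so "evil.corp.example.com" does not match ".corp.example".
  return host.length > domain.length && host.substr(host.length - domain.length) === domain;
}
function isInNet(host, net, mask) {
  // Only literal IPs are compared; no DNS lookup is done inside the PAC (slow, and leaks names).
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names and the internal domain stay on the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) return "DIRECT";
  if (host === "localhost" || isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  if (isInNet(host, INTERNAL_NET, INTERNAL_MASK)) return "DIRECT";
  // Everything else goes via the authenticating proxy. No "; DIRECT" fallback is appended:
  // the firewall blocks clients anyway, so a fallback would only mask a proxy outage.
  return PROXY;
}
```

Serve the file from an internal web server and set the address in the GPO (or via WPAD); the proxy, not the PAC, is what enforces who may reach which sites.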