Restrict IP Range for Our PCs
We've set up a DMZ for guests to our office which allows them direct access to the internet but we've found that some of our users are connecting our PCs to the DMZ for nefarious reasons. Is there a way to restrict our computers (ideally through GPO) to which IP address range they can have? The users don't have admin rights on the PCs so they can't set a static IP or remove DHCP. I've read up on DHCP Class IDs but there doesn't seem to be a way to set a deny/exclude using this method - you can only specify which computers can connect - which we can't do as we don't control the ClassID of guest computers. We are using Windows 2003 for DHCP but have 2008 GPOs deployed and all our computers are using Windows 7.
October 24th, 2011 10:55am

You may want to consider disabling the wired ports on the DMZ segment and enable them via some sort of process that requires approval so you know who is connecting prior to enabling the port. Or... get rid of the wired ports, and replace it with an access point so that your "guest" network is connected via wireless. Most guests that visit you will most likely have a laptop with wireless access. Your computers shouldn't have a wireless card, so your users will not be able to connect. Guides and tutorials, visit ITGeared.com.
October 24th, 2011 7:48pm

Hi, Thanks for posting here. By the DMZ, do you mean a VLAN network or the specific area on the firewall? How did we restrict these guest hosts into the DMZ when they connect to the network? And do they also automatically obtain an address from the DHCP server, the same as the rest of the managed PCs do? Setting dynamic VLAN and 802.1X authentication enforcement is the best way to do the quarantine.
> Is there a way to restrict our computers (ideally through GPO) to which IP address range they can have?
So far, we may split guests and managed network by setting them into different subnets and deploying DHCP relay. After that we may define firewall rules for managed computers to prevent any incoming or outgoing traffic to guest network.
Regards, Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tnmff@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 24th, 2011 11:00pm
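
One way to apply the firewall-rule suggestion above on the Windows 7 PCs, as an added example that is not part of the original thread: the rules key on the PC's own (local) address, so all traffic is blocked whenever the PC holds an address from the guest scope, and the script warns if it currently does. The subnet `192.168.50.0/24` and the rule name prefix are assumptions, not values from the thread.

```powershell
# Added example. Run elevated, e.g. as a GPO computer startup script (runs as SYSTEM).
$GuestSubnet = '192.168.50.0/24'   # ASSUMED guest/DMZ DHCP scope, not from the thread
$RulePrefix  = 'Block-Guest-VLAN'  # hypothetical rule name

# Dotted IPv4 string -> number, so subnet membership is plain arithmetic.
function ConvertTo-IPv4Number([string]$Address) {
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [double]$b[0] * 16777216 + [double]$b[1] * 65536 + [double]$b[2] * 256 + $b[3]
}

# True when $Address lies inside $Cidr, e.g. 192.168.50.0/24.
function Test-InSubnet([string]$Address, [string]$Cidr) {
    $parts = $Cidr.Split('/')
    $size  = [math]::Pow(2, 32 - [int]$parts[1])
    $start = [math]::Floor((ConvertTo-IPv4Number $parts[0]) / $size) * $size
    $ip    = ConvertTo-IPv4Number $Address
    ($ip -ge $start) -and ($ip -lt ($start + $size))
}

# Block both directions whenever the PC's own address is in the guest scope.
# profile=any: on the guest VLAN no domain controller is reachable, so the
# Domain firewall profile is not the active one there.
foreach ($dir in 'in', 'out') {
    $name = "$RulePrefix-$dir"
    netsh advfirewall firewall delete rule name=$name | Out-Null   # safe re-run
    netsh advfirewall firewall add rule name=$name dir=$dir action=block `
        localip=$GuestSubnet profile=any enable=yes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not add firewall rule $name" }
}

# Report any adapter that currently holds a guest-range IPv4 address.
$onGuest = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.IPAddress } |
    Where-Object { $_ -match '^\d+(\.\d+){3}$' -and (Test-InSubnet $_ $GuestSubnet) })
if ($onGuest.Count -gt 0) {
    Write-Warning "$env:COMPUTERNAME holds guest-range address(es): $($onGuest -join ', ')"
}
```

The same two rules can instead be defined in a GPO under Windows Firewall with Advanced Security, using the local IP address field on the rule's Scope tab.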

Our DMZ is a separate VLAN that has no access to the domain/office servers. The DMZ and our Desktop VLAN both pick up IPs from DHCP using different ranges/scopes. Approval process may not work so well for us as clients may come in announced for an hour or it's difficult to get their details in advance/we don't always have the network staff available for an immediate turn around. Wireless is an option although it would require some extra infrastructure/we already have an internal wireless network for our own staff so may cause some confusion and it does require some ongoing support. Firewall rules may be the easiest option for us - let me investigate. Many thanks.
October 25th, 2011 4:26am

Hi, Thanks for update. I'd like to suggest to start from the article below if the solution about setting firewall rule does work for you:
Windows Firewall http://technet.microsoft.com/en-us/network/bb545423
Thanks. Tiger Li
October 25th, 2011 10:57pm

Hi, Please feel free to let us know if the information was helpful to you. Regards, Tiger Li TechNet Subscriber Support in forum
October 27th, 2011 10:49am

Many thanks. Setting the firewall rules worked perfectly/gives us more options going forwards.
October 29th, 2011 5:11am

This topic is archived. No further replies will be accepted.
