Fenton Posted March 20, 2008 I have a client (far away), who wants to limit WAN access to the hosted files, to only a couple of top-level privilege sets. He is not using Active Directory, though he is on Windows, using Server 9 (I believe). I am not much experienced with this kind of Server management. He especially wants to block LAN users from going home and accessing the files from home. I don't particularly see this as a big problem myself, as the users have fairly limited access; no Export, Editing only menu set, etc. Anyway, if Active Directory is the only viable option, then perhaps we should use it; but I'd rather not, because I cannot go there to set up or fix it, and he may not be able to, not to mention I'm on a Mac and may have trouble with it (though I believe it works fine now). Another possibility would be doing something with the Firewall or Router (though we need some WAN access, so we can't just block it). Every user has their own account, with which they log in, and they are assigned appropriate privilege sets. There are about 20 users. A scheme I came up with for a work-around using plain FileMaker routines would be to set the various work-station NIC addresses into a table, and include a relational test against them during a startup script. It would be easy enough for him to walk around the various computers, hit a button (hidden from users) to set the local NIC address into the field. What do you think?
mr_vodka Posted March 20, 2008 "A scheme I came up with for a work-around using plain FileMaker routines would be to set the various work-station NIC addresses into a table, and include a relational test against them during a startup script. It would be easy enough for him to walk around the various computers, hit a button (hidden from users) to set the local NIC address into the field. What do you think?" This wouldn't stop any people with laptops who bring them home, though, I would presume.
Fenton Posted March 20, 2008 Yes, that is true. I think everyone is using desktop machines. I thought of another idea, which would be to also check the time. There is no reason for this class of users to log in other than during business hours, which would be pretty easy to test in a script; if tested against the host timestamp they couldn't fiddle it. It is too bad that FileMaker doesn't have a status function which can tell the difference between LAN and WAN, though I guess it's all just TCP/IP to FileMaker.
Steven H. Blackwell Posted March 20, 2008 Fenton: Let me think about this a little. I think there are a couple of ways to manage this. Steven
mr_vodka Posted March 21, 2008 Fenton, how about this... Since most LAN addresses will be an internal IP all starting with almost the same digits, i.e. 192.xxx.xxx.xxx, couldn't that be a part of your test? IOW, for those that have the SuperUser Priv set, allow full functionality. However, for those with lower level priv sets, if the IP address does not start with the internal LAN IP digits, then they can't access. Most of those trying to connect from outside the LAN will have the IP of the ISP. Just some food for thought.
Fenton Posted March 21, 2008 Well, my IP address, as evaluated by Get (SystemIPAddress), in a calculation on the hosted files, accessed via WAN, is my locally assigned IP address (192.168.0.100, though there's a couple of others also, likely created by Parallels Desktop); it's not my "external" IP address. So, unless someone changed all the LAN computers to have something unusual, they could very well be near the same as the home computers. Also, anyone with any knowledge at all (like me :-) could change their local IP address to match what they see on their work computer. They'd only need to create a new FileMaker file, with that calculation, to see what was required; then go home and reconfigure theirs. It's just a user-editable IP. That's why I thought the NIC Address was better. I imagine someone could reset that also, but (very) much less likely. Unfortunately, I don't know enough about any of this to make a good decision. I seldom ask questions, but in this case...
mr_vodka Posted March 21, 2008 Hmmmm... well, how about if you somehow grab the DNS from an ipconfig command piped out to a temp file and grabbed by FileMaker on the opening script? The LAN boxes should have the same DNS, no?
mr_vodka Posted March 21, 2008 Sorry Fenton, just trying to throw some ideas at you to see if it triggers something for you... If you can't use the DNS to separate out the two, then perhaps you can use a site like: http://whatismyip.com/ to grab the ISP IP address versus the LAN IP address as I suggested earlier. This one is for automated processes such as yours. It seems as though a lot of people use it for that. http://whatismyip.com/automation/n09230945.asp
Steven H. Blackwell Posted March 21, 2008 How about closing Ports 5003, 5353, 50003, and 50006 on the external firewall? This will block external WAN access. Then, for authorized users, require them to connect and to authenticate through a high bandwidth VPN connection. Unauthorized users will not be able to connect. Once authorized users have connected, they are nodes on the LAN. They can then access the database as if they were physically in the office. Steven
mcyrulik Posted August 1, 2008 Fenton, Don't know if you came up with a solution to this, but: could you check the host IP address using Get ( HostIPAddress )? Internally on our FM server, I get a 192.x.x.x, but from home on the same DB, I get 209.x.x.x Just a thought.
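The opening-script test the thread converges on (privilege-set bypass, host reached on a private 192.x-style address as mcyrulik describes, Fenton's registered-NIC table, and his business-hours check against the host clock), written out as an added Python model rather than a FileMaker script; it is not code from any poster. The privilege-set names, NIC values and hours are constructed placeholders, and the private-address test uses the RFC 1918 ranges rather than a fixed "192." prefix.

```python
import ipaddress
from datetime import datetime

# Constructed placeholders (not from the thread): privilege sets allowed in from
# anywhere, the table of registered workstation NIC addresses, and office hours
# on the host's clock (Monday to Friday, 08:00 up to 18:00).
UNRESTRICTED_PRIVS = {"[Full Access]", "Manager"}
KNOWN_NICS = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}
BUSINESS_HOURS = (8, 18)


def startup_allows(priv_set, host_ip, nic, host_ts):
    """Return (allowed, reason) for one login attempt.

    host_ip is the address the client reached the server on (Get(HostIPAddress)),
    which is private on the LAN or over VPN and public from home. Get(SystemIPAddress)
    is deliberately not used: behind home NAT it is private as well, and it is
    user-editable, so it cannot separate the two cases (Fenton's objection).
    host_ts is the server's own timestamp, so the client cannot fiddle it.
    """
    if priv_set in UNRESTRICTED_PRIVS:
        return True, "unrestricted privilege set"
    try:
        addr = ipaddress.ip_address(host_ip)
    except ValueError:
        return False, f"unparseable host address {host_ip!r}"
    # is_private covers 10/8, 172.16/12 and 192.168/16, not just a "192." prefix.
    if not addr.is_private:
        return False, f"host reached on public address {host_ip}"
    if nic.lower() not in KNOWN_NICS:
        return False, f"NIC {nic} is not a registered workstation"
    start, end = BUSINESS_HOURS
    if host_ts.weekday() > 4 or not (start <= host_ts.hour < end):
        return False, f"outside business hours at {host_ts:%Y-%m-%d %H:%M}"
    return True, "registered LAN workstation during business hours"
```

Note that a registered NIC only makes the check harder to sidestep, not impossible; the firewall-plus-VPN approach Steven describes is the network-level control, and this script test is a second layer inside the files.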