Hi! On Mon, Jul 26, 2010 at 2:01 AM, goody goody <thinkodd@xxxxxxxxx> wrote: > Hi, > > In our organization we have restricted access to only limited IPs as per company > policy, but what some users are doing that they are building their own proxy > servers on any single allowed IP addresses and distribute access to their > locally formed group. Wow, these are good co-workers. Let me guess: the restriction has recently been applied (ie, less than one month ago). I think that, the best to do is: When someone does that, and is "discovered", he/she gets his/her privileges removed (ie: no more navigation for you), also, I would implement a fine too (but this depends on each country's law, in mine: I can't). But, I'm also a little flexible when it comes to navigation privileges, thus: I have a whitelist (with sites that are interesting to most employees, like the bank's page) and I give them full access at certain hours every day. > > In this way our main proxy thinks that it is allowing access to only one IP > whereas in real it is not the case. > > This has become a challenge and if there is any solution / work around to this > please let me know. And even if you find a way to avoid that, they will find a way of doing that again. I, actually, use user authentication instead of per-ip. Why? simple: this makes user responsable for his/her actions with his/her username (IP can be forged), we use the username to apply any administrative sanction that needs to be applied, also, this let us give other users in our network a "full internet access, on certain hours" (in our case: nights, noons, and weekends). I hope this helps, Ildefonso Camargo
