4 configuring internet access control, Overview, Internet access control methods – H3C Technologies H3C Intelligent Management Center User Manual

4 Configuring Internet access control

Overview

The Internet access control feature is used when enterprise network users or PCs access the Internet through a wired or wireless network not provided by the enterprise. This feature is supported only on Windows PCs.

Depending on the user authentication or authorization status, users' Internet access can be classified into the following types:

Authorized Internet access—Users are authorized to access the Internet through a network other than the enterprise network. Internet access audit policies are used to monitor and audit the users' Internet access behaviors.

Unauthorized Internet access—Users gain unauthorized access to the Internet through a network other than the enterprise network. Client ACLs can be configured to prevent unauthorized Internet access.

Authenticated Internet access—Users access the Internet by using multiple NICs at the same time after they pass the identity authentication on the enterprise network.

Unauthenticated Internet access—Users access the Internet without passing the identity authentication on the enterprise network. Unauthenticated Internet access typically occurs outside the enterprise network.

EAD's Internet access control feature provides the following functions:

Implement ACL-based access control to prevent unauthorized or unauthenticated access to the Internet.

Monitor authenticated Internet access of users.

Monitor unauthenticated Internet access of users.

To implement Internet access control, EAD must work with iNode clients that support the Lock Internet Access Ability feature. When access users are assigned Internet access control services, they can no longer access the network by using iNode clients that do not support the Lock Internet Access Ability feature.

Internet access control methods

Internet access control is based on policies that use either or both of the following control methods:

State-Based Internet Access Control—When a user comes online, EAD deploys an online ACL and an offline ACL to the iNode client on the user's PC. The online ACL applies to authenticated Internet access and controls all NICs on the PC except the NIC that is connected to the enterprise network. The offline ACL applies to unauthenticated Internet access and controls all NICs on the PC.

Ping-Based Internet Access Control—EAD deploys the offline ACLs named Offline Host ACL for Ping Success and Offline Host ACL for Ping Failure for ping-based Internet access control. Operators can configure up to two destination IP addresses to be pinged from the iNode client. Based on the ping results, the iNode client selects which offline ACL to apply to the PC's NICs:
