i sort of need more info. are you running the firewall on the local machine or between your machine and the internet? if it's on the perimeter, then is the sql database you're connecting to out on the internet somewhere? is there a remote storage device out on the internet somewhere? seems like probably not. what exactly is going out to the internet if "no internet access" is needed?
These are laptops. At first, they had their own network, and would use citrix to get their files two and from our file servers. We'll...between them bitching about how hard it is, and getting them to bring them in for a check up, we want to put them back on the regular network.
For the filewall, we locked down access when they were out of the office and we were going to leave it wide open when they were in the office. But we changed our mides after the last round of check ups because of all the viruses we found. We are hoping that if one plugs into our network with a virus, the blocked ports will slow it down. (yes we do have av on every computer.)
The reason for no internet access is, we can force them to use their thin terminals if we only allow internet on them and not the fat clients. Nothing will be going out to the internet from these computers (at least not directly). I guess basically what it comes down to is, what ports do you need to leave open so that windows will function on a network.
Thanks for you help and let me know if you need anymore info
All the laptops have av. But if a guy is out of the office for a month, then he would be pretty far behind (all clients are managed). I know the firewall wont stop them, I just want to slow them down enough to get it taken care of before it tries to spread.
i have laptops here and do not manage them through my AV client-server structure solely due to the reason you are discussing here. they should never have out of date defs. set them up to check for updates on their own at least once or twice a day. set up the retries appropriately and educate your users about the liveupdate process. whenever they are on the net they should get updates if available that way with little to no effort on their part.
Party2go9820 is right. while there are ways to mitigate a virus attack using a firewall, that is not what it was designed for. and it will have absolutely no effect on keeping the laptops clean.
thats a good piont. The laptops are going to get norton firewall put on them anyways just so that they have every protection possible while on the road. I'll have to pick and choose who gets managed and who doesnt. Some guys are in the office most of the time, some arent, and some are 50/50. I also cant count on them to do anything.....though I might set up a batch file to switch them form managed to unmanaged depending on where they are at. I've done this in the past to have them change their host files and it works pretty good (as far as them using it).
that's interesting- the batch file idea. if you don't want to count on them to do anything then i usually set norton to run liveupdate automatically every day . . at least once. you can ask them when they are usually online the most so you can be sure you schedule it for their online time. even having liveupdate run every 30 minutes isn't excessive as long as it solves the problem you're having. if you arrange it well they should get updates pretty much every time they go back online.
I havent watched a schedualed (sp??) update in a while. Does it let the user know if its doing anything?
EDIT: The batch file thing is great. With out it, they cant nfuse (use citirx) from out side the office. So we toss all kinds of things in there that we need them to turn on outside the office. The biggest thing is to make sure they have to use it, or think they have to...