How to manage a domain PC behind a (linksys) router?

tzunamii

Distinguished
Aug 17, 2006
Hi there - I have a user on our network domain who has his PC connected to a small Linksys hub/router (EtherFast 10/100) rather than the network port that is wired to his cubicle.

So obviously, the problem is that I cannot manage that computer. I can't PING it, I can't see when the computer is online, I can't RPC to manage the computer's services or firewall. But this is a hostile user and I need to be able to get to his computer to manage it. I have a Windows 2000 network, and his PC is Windows XP Pro.

He had Windows Firewall turned on, but I stopped by his PC and turned off Windows Firewall; there apparently is no other firewall turned on. And I still cannot get to the PC. His PC DOES get an IP address from our network's DHCP pool, so he does actually have a corporate network address on his PC.

Yes, I do know that ripping out the router itself would solve the problem; however, the current "political" situation does not allow me to do this. That is why I'm asking if there is another way around removing the equipment.

What can I do to get to his PC?
 

JesusisLord

Distinguished
Aug 17, 2006
If the user has his XP firewall turned off, it is most likely the firewall of the Linksys router which is causing you the problem. Do you have the IP of his router? Username and password? You will need to remote in and see if the firewall is turned on. I have two Linksys products at home and they usually come shipped with the firewall enabled.

You will either need to turn the firewall on the router, or open the ports that you need access to on his machine.

That would be the first place I would troubleshoot.

Regards,

Wayne.
 

fredweston

Distinguished
Jul 21, 2006
Are you certain he is getting an IP from the network's DHCP server and not the DHCP server on the router? If you are unable to remove the router, then you are not going to be able to connect to his computer at all, since the NAT on the router will block your connection.

One solution would be to connect the network port in his cube to one of the switch ports on the router instead of the WAN port; this would effectively turn the router into a switch, but if you are not able to shut down the DHCP server on the router, then you will be introducing a rogue DHCP server into your network, which will cause all sorts of havoc.

Also, regarding the windows firewall, you can prevent it from being enabled by using the local policy on the computer. You may also be able to do it with group policy.
 

JesusisLord

Distinguished
Aug 17, 2006
That's a very good point regarding DHCP; he's probably right, which leads to a whole host of problems :( What I would do is get a long network cable, patch it into one of the Ethernet ports in his little switch, and then plug it into your laptop or PC, with your IP settings set to obtain an IP automatically. See what network address you get; if you don't pick up any IPs then you know that the router isn't running DHCP and you can safely patch it into the network.

If you do get an IP, at least you will be able to communicate with his PC (providing the Windows XP f/w is off).

Not an ideal solution; ideal would be to rip out the router :)
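The lease test described above (patch a laptop into the router's LAN side and see where the address comes from) can also be decided from a packet capture rather than by eye. This is an added example, not code from the thread: it parses a DHCPOFFER and flags any lease whose server identifier is not on the approved list. The corporate server address 10.0.0.5 is an assumption, and the packets are constructed for the demo, not captured.

```python
import struct
import ipaddress

# Assumption (not from the thread): the corporate DHCP server's address.
AUTHORIZED_DHCP_SERVERS = {"10.0.0.5"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 option-field marker

def parse_dhcp(pkt: bytes) -> dict:
    """Extract yiaddr and the option TLVs from a raw BOOTP/DHCP message
    (236-byte fixed header, magic cookie, then code/len/value options)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE or pkt[0] != 2:
        raise ValueError("not a DHCP server reply")
    info = {"yiaddr": str(ipaddress.IPv4Address(pkt[16:20])), "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != 255:       # 255 = end of options
        if pkt[i] == 0:                          # 0 = pad, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        info["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return info

def classify_offer(pkt: bytes, authorized=AUTHORIZED_DHCP_SERVERS) -> dict:
    """Say which server handed out the lease and whether it is on the approved list."""
    info = parse_dhcp(pkt)
    opts = info["options"]
    if opts.get(53) != b"\x02":                  # option 53 message type 2 = DHCPOFFER
        raise ValueError("not a DHCPOFFER")
    server = str(ipaddress.IPv4Address(opts[54]))  # option 54 = server identifier
    offered = ipaddress.IPv4Address(info["yiaddr"])
    return {"server": server, "offered": str(offered),
            "rogue": server not in authorized,
            "home_router_range": offered in ipaddress.ip_network("192.168.0.0/16")}

def build_offer(server: str, yiaddr: str, mask: str) -> bytes:
    """Construct a minimal DHCPOFFER (sample data for the demo, not a capture)."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      b"\0" * 4, ip(yiaddr), b"\0" * 4, b"\0" * 4,
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = b"\x35\x01\x02" + b"\x36\x04" + ip(server) + b"\x01\x04" + ip(mask) + b"\xff"
    return hdr + MAGIC_COOKIE + opts

if __name__ == "__main__":
    # Corporate lease vs. a lease from a home router on its default 192.168.1.0/24.
    print(classify_offer(build_offer("10.0.0.5", "10.0.3.77", "255.255.0.0")))
    print(classify_offer(build_offer("192.168.1.1", "192.168.1.100", "255.255.255.0")))
```

A real capture of the UDP payload on port 68 can be fed to classify_offer unchanged; a "rogue" result with a 192.168.x.x lease is the signature of a home router's DHCP server answering instead of the corporate one.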
 

blue68f100

Distinguished
Dec 25, 2005
In most companies I worked for they had policies, and it was grounds for termination if broken. I would record the MAC address of the router's WAN port and block it. So when he goes troubleshooting he will discover that he needs to connect to the LAN without the router. Then when he calls for support, just tell him to connect directly to the LAN. Then act like something is broken on his router.
 

fredweston

Distinguished
Jul 21, 2006
> In most companies I worked for they had policies, and it was grounds for termination if broken. I would record the MAC address of the router's WAN port and block it. So when he goes troubleshooting he will discover that he needs to connect to the LAN without the router. Then when he calls for support, just tell him to connect directly to the LAN. Then act like something is broken on his router.

You could do that, or you could do something more insidious like hiding a 100BaseT to 10Base2 media converter up in the ceiling by his cube and tell him you're upgrading his cube to "fiber". He'll have a heck of a time finding a router with a coax port on it, and at the same time will wonder why his new fiber connection is so much slower. You gotta have some fun with guys like that, unless he's smart enough to know what's really going on.
 

blue68f100

Distinguished
Dec 25, 2005
If they are using managed switches they could restrict its bandwidth down to, let's say, dialup speeds (28.8k). It can be done real easy if he has the router's WAN MAC address.
 

El0him

Distinguished
Feb 3, 2006
The solution to this is to write a policy which strictly forbids anyone from putting a non-corporate-supported device onto the network. If they do, just go and disconnect it and call it a security violation. If they have any problems with it, just go to upper management and say that you cannot guarantee the secure and operational status of the network. Tell them you cannot guarantee the IT infrastructure to support the business goals and strategies with the current exceptions in the network security.
 

Fox_granit

Distinguished
Jan 21, 2006
Agreed, the problem might also be that his remote login may not be turned on. If it's not, you will not be able to log in, period. On XP Pro I have found that if the Remote Login function is not turned on, NO ONE can get in.
 

fredweston

Distinguished
Jul 21, 2006
> Agreed, the problem might also be that his remote login may not be turned on. If it's not, you will not be able to log in, period. On XP Pro I have found that if the Remote Login function is not turned on, NO ONE can get in.

This wouldn't apply since the PC is on the domain.
 

Fox_granit

Distinguished
Jan 21, 2006
I've seen other domains where the computer is getting an IP but is not part of the domain; even if it is, I've seen this happen before. But the best thing to do is to block the MAC address from getting any traffic, unless, like my Netgear router, it can clone the MAC off of the PC, which can happen, but you'll still get the same results.... he won't get any traffic.
 

fredweston

Distinguished
Jul 21, 2006
> I've seen other domains where the computer is getting an IP but is not part of the domain; even if it is, I've seen this happen before. But the best thing to do is to block the MAC address from getting any traffic, unless, like my Netgear router, it can clone the MAC off of the PC, which can happen, but you'll still get the same results.... he won't get any traffic.

Getting an IP is completely unrelated to domain membership (a PC wouldn't be able to join or contact a domain if it didn't have an IP address first). Regarding the WAN MAC address cloning feature, I don't see how you would be able to implement a MAC-based filter on the switch, since you would also be blocking his workstation's MAC address if his router was cloning it. An easier solution would be to shut down his switch port, since he can't easily plug his cube into a different switchport.
 

Fox_granit

Distinguished
Jan 21, 2006
If we're being technical here, the machine is a router, as has been implied in the title of the thread. The access to the network would still be blocked if his router was cloning the MAC, therefore he would still complain about not having access. So he would still come back and say he needs something repaired on his cube's access. The reply would be to remove the router.
 

fredweston

Distinguished
Jul 21, 2006
I'm not sure what you mean when you say the machine is a router. The title of the thread indicates a Linksys router is being used between the machine and the network.

If the Linksys router is mirroring the MAC address of the PC behind it, then the network would not be able to differentiate between the PC and the Linksys router, since they would both be presenting the same MAC address to the network.
 

Fox_granit

Distinguished
Jan 21, 2006
In which case, if you block the MAC address, it would force all traffic to stop flowing to his PC and then cause him to call in. When he makes his call, tell him the router is at fault and he should remove it.

As soon as he does and you've verified it, allow the MAC to get traffic again.
 

fredweston

Distinguished
Jul 21, 2006
I see what you mean now. He probably doesn't even have MAC cloning enabled so it's most likely a moot point anyway. If the OP had indicated the end user's technical ability then we might have some basis for this debate, but it's probably a disgruntled tech neophyte that decided to bring in his router from home. :p
 

Fox_granit

Distinguished
Jan 21, 2006
True, it doesn't matter either way. The main thing is trying to find a way for someone of a lower authority to enforce the rules on someone of a higher authority in the food chain without being eaten. This EU may be a neophyte when it comes to tech, but I doubt he is a sophomore when it comes to office politics. Tread lightly, as my father would say.