Any way to bind a MAC address statically to an IP? I wish to do this to prevent a user from changing his IP address on the subnet, so if he does he can’t pass traffic. Also, some computers have multiple NICs.
BES doesn’t have this ability built-in… Do you know of any way to do this from the commandline or using another tool or configuration setting? If so, we can probably help you write a Fixlet to put this in place.
No, I wonder whether we can use a Fixlet to achieve this function, like writing the given MAC address and IP pair to a txt file on the client computer, then comparing the computer’s MAC address and IP pair with the pair in the txt file; if they are different, create an IPSEC policy to block the computer’s network, or use the netsh command to change the IP to what it should be.
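The comparison proposed in the post above, sketched as an added example that is not part of the original thread and is not BES or Fixlet code. It assumes a binding file with one `MAC IP` pair per line and takes the observed adapters as input (collecting them from the OS is left to the caller); the function names and all sample values are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample binding file: one "MAC IP" pair per line, '#' starts a comment.
SAMPLE_BINDINGS = """\
# workstation with two NICs (constructed values)
00-1A-2B-3C-4D-5E 192.0.2.10
00:1a:2b:3c:4d:5f 192.0.2.11
"""

def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits; accepts '-', ':' or '.' separators."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_bindings(text):
    """Parse the binding file into {mac: ip}, rejecting malformed or duplicate lines."""
    bindings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'MAC IP'")
        mac, ip = normalize_mac(parts[0]), ipaddress.ip_address(parts[1])
        if mac in bindings:
            raise ValueError(f"line {lineno}: duplicate MAC {parts[0]}")
        bindings[mac] = ip
    return bindings

def find_violations(bindings, observed):
    """observed: (mac, [ip, ...]) per NIC. Returns [(mac, ip, reason)], empty if compliant."""
    violations = []
    for mac, ips in observed:
        key = normalize_mac(mac)
        for ip in ips:  # a NIC with no address yields nothing to check
            if key not in bindings:
                violations.append((key, ip, "unlisted NIC has an address"))
            elif ipaddress.ip_address(ip) != bindings[key]:
                violations.append((key, ip, f"expected {bindings[key]}"))
    return violations

if __name__ == "__main__":
    # Constructed observation: the second NIC was re-addressed by the user.
    seen = [("00:1A:2B:3C:4D:5E", ["192.0.2.10"]), ("00:1A:2B:3C:4D:5F", ["192.0.2.50"])]
    for v in find_violations(parse_bindings(SAMPLE_BINDINGS), seen):
        print("VIOLATION", *v)
```

A user with local administrator rights can edit a local file or change an adapter's MAC, so a non-empty result is best treated as a compliance signal that triggers a centrally managed policy.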
We have a new Firewall site (part of our AntiThreat package) that could be just what you are looking for. It allows you to set up location-aware firewall policies based on any criteria you can query using relevance, as well as a few other types of checks (like a DNS name correctly resolving to a particular IP address).
In your case you could create a policy where all traffic is allowed when the machine has a particular IP and MAC address. If the criteria are not met then you can enforce a different policy. You actually have the ability to ‘cascade’ any number of policies. For example, you might have a policy that allows all traffic over VPN connections, most traffic when connected to the office LAN, and limited traffic when on the public internet.
In the Firewall site there are 2 wizards that make it all really easy to set up. You run through the Firewall Policy wizard to create and deploy specific firewall rule sets, and then you use the Client Compliance Policy Wizard to tie those rule sets to a specific machine state.
Whenever the computer’s network state changes, and/or on a specific interval, and/or when manually triggered, the state of the machine will be evaluated and the appropriate Firewall rules will be loaded.
If you are interested in trying out the new site you should contact your sales rep to set up an evaluation. I will also be hosting a Webinar tomorrow morning at 10:00 am west coast time (August 1st), where we will walk through the AntiThreat package. You’ll have a chance to get a look at AntiThreat, including Firewall, and there will be an opportunity to ask me questions at the end. Here’s the