---
title: "Implementing Network Policies and Managing Restrictions for Lab Environments"
slug: "implementing-network-policies-and-managing-restrictions-for-lab-environments"
updated: 2025-03-05T21:17:24Z
published: 2025-03-05T21:17:24Z
---

# Implementing Network Policies and Managing Restrictions for Lab Environments

Lab environments are essential for technical training, but they also pose various challenges in terms of network security and stability. To address these challenges, Skillable offers different network options for labs hosted on Hyper-V or ESX Virtualization Platforms, each with its own policies and restrictions. This document explains how to choose and configure the best network option for your lab needs, and what to consider when using Skillable's environments.

## Overview of Network Types

Lab environments hosted on Hyper-V or ESX virtualization platforms use Skillable's on-premise environments. As part of standard network management, we use monitoring and filtering technology to ensure network stability and security. Three separate networks are available for use:

- Web Access (NAT) - This is the default network when internet access is required. Labs on Web Access (NAT) launch with a unique NAT gateway that provides routing and network isolation.
- Web Access (Public IP) - This network is for labs that require direct Public IP access. It is available upon request.

## Network Policies and Restrictions

The policies and restrictions below do not apply to Web Access (Public IP) unless otherwise stated.

Networks utilize industry standard filtering rules provided by our firewall vendor. Application control, Web Filtering, IPS Monitoring, Antivirus and DDoS prevention rules are all utilized.

In general, illegal content is prohibited, as are sites that are generally unrelated to the goals of technical training. Antivirus, IPS Monitoring and DDoS prevention rules apply to all networks including Web Access (Public IP).

Updates to filtering rules are applied regularly. For information on a specific application, please see FortiGate's documentation: [Application Control](https://fortiguard.com/appcontrol) | [Web Filtering](https://fortiguard.com/webfilter) | [IPS Monitoring](https://fortiguard.com/learnmore#ips)

### Application Control

Blocked Categories:

- Proxy
- Storage and Backup
  - Google Drive, OneDrive, and Dropbox are allowed on Web Access (NAT)
- Games
- Remote Access and VPN
  - Any service that establishes a secure tunnel will be blocked.
- P2P
- Social Media
- Audio/Video Streams
- Unknown or Anomalous Applications

When building a lab, please verify the function of all services needed. If a specific service is required for a lab environment and does not function, or if the lab uses a service classified as a proxy, please [contact support](https://www.skillable.com/customer-support/).

### Web Filtering

Blocked Categories:

- Potentially Liable
- Adult/Mature Content
- Bandwidth Consuming
  - Web Access (NAT) allows the subcategories "Internet Telephony", "File Sharing and Storage", and "Freeware and Software Downloads"
- Security Risk
- General Interest - Personal

Exceptions to General Interest - Personal are as follows:

|  |  |  |  |  |
| --- | --- | --- | --- | --- |
| Advertising | Digital Postcards | Entertainment | Restaurant and Dining | Web Based Email (Web Access (NAT) only) |
| Arts and Culture | Domain Parking | News and Media | Society and Lifestyles |  |
| Brokerage and Trading | Dynamic Content | Personal Websites and Blogs | Sports |  |
| Content Servers | Education | Reference | Travel |  |

### Additional Restrictions

On all networks, including Web Access (Public IP), the following services are prohibited:

- FTP/TFTP inbound
- LDAP inbound
- RDP inbound
- SMB inbound
- SMTP outbound
- SSH inbound
- TELNET inbound

On the Web Access (Public IP) network, labs must follow additional configuration restrictions. Any lab not following these restrictions may be updated by Skillable to bring it into compliance or removed from availability until changes are made.

- Any DNS server with a public IP must have DNS recursion disabled. For details on how to do this, please refer to the documentation for your virtual machine operating system.
- Lab profiles with public IP addresses cannot have specified Ethernet (MAC) addresses enabled on their network adapters.
- For labs without an internal DNS server, all virtual machines should use the NAT gateway for their DNS server (this is automatic if DHCP is enabled for the NAT network).
- For labs with an internal DNS server, the internal server should have a forwarder added for the NAT gateway.
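
One way to confirm that a lab DNS server you built has recursion disabled before the lab is published. This is an added example, not Skillable tooling. The function names, the transaction ID, and the constructed sample replies are assumptions, and the result is a heuristic based on the RA flag and on whether the server answers for a name outside its own zones.

```python
import socket
import struct
import sys

TXID = 0x1A2B  # arbitrary transaction ID used to match the reply to the query

def build_query(name):
    """Build a DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(data):
    """Return 'open', 'closed' or 'invalid' for a reply to build_query()."""
    if len(data) < 12:
        return "invalid"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != TXID or not flags & 0x8000:      # wrong ID, or QR bit missing
        return "invalid"
    ra = bool(flags & 0x0080)                  # RA: server offers recursion
    aa = bool(flags & 0x0400)                  # AA: answer from its own zone
    rcode = flags & 0x000F
    # Recursion is on if RA is advertised, or if the server resolved a name
    # it is not authoritative for (NOERROR with answers and AA clear).
    if ra or (rcode == 0 and ancount > 0 and not aa):
        return "open"
    return "closed"

def check_server(ip, name="example.com", timeout=3.0):
    """Query ip:53 over UDP for a name outside the server's own zones."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    return classify_response(data)

def sample_reply(flags, ancount):
    """Constructed reply (header + echoed question only) for offline checks."""
    q = build_query("example.com")
    return q[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + q[12:]

if __name__ == "__main__":
    print(check_server(sys.argv[1]) if len(sys.argv) > 1
          else classify_response(sample_reply(0x8105, 0)))
```

Run it with the public IP of your own lab DNS server as the only argument; a result of `open` means the server still needs recursion disabled.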

## Bandwidth

Bandwidth on all networks is regulated and monitored, utilizing per-IP and per-network restrictions. This is done to ensure platform stability and provide a minimum baseline to all labs. Due to the shared nature of the platform, it is strongly recommended that any downloads in a lab be pre-staged to prevent issues or delays in a live class.

All information in this document is regularly maintained and updated, but does not represent a guarantee. Network policies and restrictions may change at any time due to the constantly evolving nature of network security. If you have any questions, feedback, or concerns, please [contact support](https://www.skillable.com/customer-support/).

