Solved

Force mobile users' internet traffic towards VPN gateway ONLY

Posted on 2004-09-28
Last Modified: 2013-12-04
I have a client that needs to do the following:

All mobile users who travel or take home their laptops must be forced to connect to their VPN connections before browsing the web or using any service that requires internet connectivity (besides initiating the vpn connection, of course).  Secondly, all outbound traffic is routed through the company network, websense and firewall ONLY - and not their local internet connection.

Their goal is to be able to filter the websites they go to when they are using company equipment - no matter where they are.

How can I make this happen?
Question by:gbusardo
6 Comments
Accepted Solution by: msice (LVL 7, earned 250 total points)
ID: 12180964
You won't be able to stop them if they want to browse using their local connection. If you route the VPN connection on the company side to use the dns subnet on the intranet/company side of the websense firewall then whatever the websense firewall is filtering will apply to the vpn connection when it hits the websense firewall on its way out.
0
Assisted Solution by: Gargantubrain (LVL 3, earned 250 total points)
ID: 12240010
You may find your requirements to be partially but not completely possible.

You can enforce proxy settings with domain policy. In group policy: User Configuration, Windows Settings, Internet Explorer Maintenance, Connection section. You would want to disable automatic browser configuration or specify a specific configuration, and in Proxy settings specify your internal private IP for proxy.

Now they can only browse using the specified proxy, and they can only get to the private IP address (like 10.3.5.240) after they start VPN.

This might be circumvented by using an alternate browser that doesn't take the group policy settings. You would have to try to ensure that they can't install an alternate browser. The restrictions you might have to place on the machine for that might be too strict.

The only way around the group policy settings would be to log in as a local user. They wouldn't be able to log in as a local user if they don't know the local admin password and they are not given privilege to the local machine at higher than user rights. If their domain account is in the local administrators group then they could just change the local admin password that way, or create a new local account. Note that there are utilities to change the local admin password, but you can't stop every possibility when someone has physical access to a machine. Heck, they could boot up into Knoppix off the CD-ROM and do whatever they wanted to without even running the hard disk's OS.

This also only encompasses proxy, not "all communications". You're going to have to go to a third-party solution to go beyond what you can do with enforcing proxy, and possibly some sort of mandatory IPSec policy.
0
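A compliance check for the enforced-proxy setup described in the answer above, written here as an added example (it is not part of the thread). It reads the per-user Internet Settings and the "Prevent changing proxy settings" policy value from the registry; the internal proxy address 10.3.5.240 is taken from the answer, while the port 8080, the registry locations and the policy value name are assumptions about how the configuration was deployed.

```powershell
# Added audit script, not from the original thread. Assumes the proxy was set to
# 10.3.5.240 (from the answer above) on port 8080 (assumed), and that the GPO
# "Prevent changing proxy settings" writes Proxy=1 under the policy key below.
function Test-EnforcedProxy {
    param([string]$ExpectedProxy = '10.3.5.240:8080')

    # Values written by Internet Explorer Maintenance / Internet Options
    $settings = Get-ItemProperty `
        -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
        -ErrorAction SilentlyContinue

    # Policy lock that greys out the proxy dialog for the user
    $lock = Get-ItemProperty `
        -Path 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
        -ErrorAction SilentlyContinue

    $checks = [ordered]@{
        ProxyEnabled  = ($settings.ProxyEnable -eq 1)
        ProxyMatches  = ($settings.ProxyServer -eq $ExpectedProxy)
        ProxyLocked   = ($lock.Proxy -eq 1)
        # A populated bypass list would let some hosts skip the company proxy
        BypassIsEmpty = [string]::IsNullOrEmpty($settings.ProxyOverride)
    }

    # Compliant only when every individual check passed
    $checks['Compliant'] = -not ($checks.Values -contains $false)
    [pscustomobject]$checks
}

Test-EnforcedProxy | Format-List
```

As the answer notes, a passing result only covers browser traffic that honours these settings; it says nothing about other applications or about whether the VPN tunnel is actually up.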
Author Comment by: gbusardo
ID: 12255522
Thanks for the good responses.

Gargantubrain: I understand that forcing a proxy by GP might be a good solution for http traffic.  However, in regards to "all communications" - does anyone know of the "third-party solutions" that actually can control these sort of things?  They currently have a VPN concentrator and a Cisco PIX 515 - all VPN traffic is using IPsec and authentication from the concentrator.

thanks in advance!
0
Author Comment by: gbusardo
ID: 14048623
Sorry about that. I agree with turn123's recommendations.
0
