Force mobile users' internet traffic towards VPN gateway ONLY

Posted on 2004-09-28
Medium Priority
Last Modified: 2013-12-04
I have a client that needs to do the following:

All mobile users who travel or take home their laptops must be forced to connect to their VPN connections before browsing the web or using any service that requires internet connectivity (besides initiating the vpn connection, of course).  Secondly, all outbound traffic is routed through the company network, websense and firewall ONLY - and not their local internet connection.

Their goal is to be able to filter the websites they go to when they are using company equipment - no matter where they are.

How can I make this happen?
Question by:gbusardo
  • 2

Accepted Solution

msice earned 1000 total points
ID: 12180964
You won't be able to stop them if they want to browse using their local connection. If you route the VPN connection on the company side to use the dns subnet on the intranet/company side of the websense firewall then whatever the websense firewall is filtering will apply to the vpn connection when it hits the websense firewall on its way out.

Assisted Solution

Gargantubrain earned 1000 total points
ID: 12240010
You may find your requirements to be partially but not completely possible.

You can enforce proxy settings with domain policy. In group policy; User Configuration, Windows Settings, Internet Explorer Maintenance, Connection section. You would want to disable automatic browser configuration or specify a specific configuration, and in Proxy settings specify your internal private IP for proxy.

Now they can only browse using the specified proxy, and they can only get to the private IP address (like after they start VPN.

This might be circumvented by using an alternate browser that doesn't take the group policy settings. You would have to try to ensure that they can't install an alternate browser. The restrictions you might have to place on the machine for that might be too strict.

The only way around the group policy settings would be to log in as a local user. They wouldn't be able to log in as a local user if they don't know the local admin password and they are not given priviledge to the local machine at highter than user rights. If their domain account is in the local administrators group then they could just change the local admin password that way, or create a new local account. Note that there are utilities to change the local admin password but you can't stop every possibility when someone has physical access to a machine. Heck they could boot up into Knoppix off the CD-ROM and do whatever they wanted to without even running the hard disk's OS.

This also only encompasses proxy, not "all communications". You're going to have to go to a third-party solution to go beyond what you can do with enforcing proxy, and possibly some sort of manditory IPSec policy.

Author Comment

ID: 12255522
Thanks for the good responses.

Gargantubrain: I understand that forcing a proxy by GP might be a good solution for http traffic.  However, in regards to "all communications" - does anyone know of the "third-party solutions" that actually can control these sort of things?  They currently have a VPN concentrator and a Cisco PIX 515 - all VPN traffic is using IPsec and authentication from the concentrator.

thanks in advance!

Author Comment

ID: 14048623
sorry about that. I agree with turn123's recommendations..

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
In computing, Vulnerability assessment and penetration testing are used to assess systems in light of the organization's security posture, but they have different purposes.
Watch the video to learn how one can deal with PST file corruption issue with an outstanding Kernel for Outlook PST Repair Tool easily. Using this tool, non-technical users can swiftly perform the repair process to restore their essential data witho…
To export Lotus Notes to Outlook PST or Exchange and Domino Server files to Exchange Server or PST files with ease, go for Kernel for Lotus Notes to Outlook conversion tool. Through the video, you can watch the conversion process. A common user with…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question