Solved

Force mobile users' internet traffic towards VPN gateway ONLY

Posted on 2004-09-28
339 Views
Last Modified: 2013-12-04
I have a client that needs to do the following:

All mobile users who travel or take home their laptops must be forced to connect to their VPN connections before browsing the web or using any service that requires internet connectivity (besides initiating the VPN connection, of course). Secondly, all outbound traffic is routed through the company network, Websense and firewall ONLY - and not their local internet connection.

Their goal is to be able to filter the websites they go to when they are using company equipment - no matter where they are.

How can I make this happen?
Question by:gbusardo
6 Comments
LVL 7

Accepted Solution

by:
msice earned 250 total points
You won't be able to stop them if they want to browse using their local connection. If you route the VPN connection on the company side to use the DNS subnet on the intranet/company side of the Websense firewall, then whatever the Websense firewall is filtering will apply to the VPN connection when it hits the Websense firewall on its way out.
 
LVL 3

Assisted Solution

by:Gargantubrain
Gargantubrain earned 250 total points
You may find your requirements to be partially but not completely possible.

You can enforce proxy settings with domain policy. In Group Policy: User Configuration, Windows Settings, Internet Explorer Maintenance, Connection section. You would want to disable automatic browser configuration or specify a specific configuration, and in Proxy settings specify your internal private IP for the proxy.

Now they can only browse using the specified proxy, and they can only get to the private IP address (like 10.3.5.240) after they start VPN.

This might be circumvented by using an alternate browser that doesn't take the group policy settings. You would have to try to ensure that they can't install an alternate browser. The restrictions you might have to place on the machine for that might be too strict.

The only way around the group policy settings would be to log in as a local user. They wouldn't be able to log in as a local user if they don't know the local admin password and they are not given privileges on the local machine higher than user rights. If their domain account is in the local administrators group then they could just change the local admin password that way, or create a new local account. Note that there are utilities to change the local admin password, but you can't stop every possibility when someone has physical access to a machine. Heck, they could boot up into Knoppix off the CD-ROM and do whatever they wanted to without even running the hard disk's OS.

This also only encompasses proxy, not "all communications". You're going to have to go to a third-party solution to go beyond what you can do with enforcing proxy, and possibly some sort of mandatory IPSec policy.
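The proxy lock-down Gargantubrain describes, written out as an added example (not code from the original thread or from any of the posters): it sets the registry values that the "proxy settings via Group Policy" approach relies on, then audits them so a technician can confirm a laptop is still locked down. The proxy address 10.3.5.240 comes from the answer; the port 8080, the function names and the idea of applying it as a script rather than a GPO are assumptions. Run it elevated on a domain-joined laptop; in practice the same values would be delivered by the GPO itself.

```powershell
# Added example: enforce a fixed, non-editable proxy on a Windows laptop and verify it.
# Assumptions: proxy 10.3.5.240 (from the answer) on port 8080 (assumed); run elevated.

$ProxyServer = '10.3.5.240:8080'    # internal proxy; the port is an assumption

# Policy value ProxySettingsPerUser = 0 makes proxy settings machine-wide
$MachinePolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
# Machine-wide WinINET settings used once ProxySettingsPerUser is 0
$MachineSettings = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
# "Prevent changing proxy settings" policy (Internet Explorer > Control Panel)
$UserPolicy      = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Set-LockedProxy {
    param([Parameter(Mandatory)][string]$Server)

    foreach ($path in @($MachinePolicy, $MachineSettings, $UserPolicy)) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }
    Set-ItemProperty -Path $MachinePolicy   -Name 'ProxySettingsPerUser' -Value 0 -Type DWord
    Set-ItemProperty -Path $MachineSettings -Name 'ProxyEnable'   -Value 1       -Type DWord
    Set-ItemProperty -Path $MachineSettings -Name 'ProxyServer'   -Value $Server -Type String
    # Empty bypass list: nothing skips the proxy, not even "local" hosts
    Set-ItemProperty -Path $MachineSettings -Name 'ProxyOverride' -Value ''      -Type String
    # Drop any automatic-configuration URL so a PAC file cannot redirect traffic
    Remove-ItemProperty -Path $MachineSettings -Name 'AutoConfigURL' -ErrorAction SilentlyContinue
    # Lock the proxy page of the connection settings UI for the user
    Set-ItemProperty -Path $UserPolicy      -Name 'Proxy'         -Value 1       -Type DWord
}

function Test-LockedProxy {
    # Returns a list of findings; an empty list means every expected value is in place
    param([Parameter(Mandatory)][string]$Server)

    $findings = @()
    $expected = @{
        "$MachinePolicy|ProxySettingsPerUser" = 0
        "$MachineSettings|ProxyEnable"        = 1
        "$MachineSettings|ProxyServer"        = $Server
        "$MachineSettings|ProxyOverride"      = ''
        "$UserPolicy|Proxy"                   = 1
    }
    foreach ($entry in $expected.GetEnumerator()) {
        $path, $name = $entry.Key -split '\|', 2
        $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $actual) {
            $findings += "MISSING  $path\$name (expected '$($entry.Value)')"
        } elseif ("$actual" -ne "$($entry.Value)") {
            $findings += "MISMATCH $path\$name is '$actual', expected '$($entry.Value)'"
        }
    }
    return $findings
}

Set-LockedProxy -Server $ProxyServer
$result = Test-LockedProxy -Server $ProxyServer
if ($result.Count -eq 0) {
    Write-Output "Proxy lock-down verified: WinINET traffic must use $ProxyServer"
} else {
    $result | ForEach-Object { Write-Output $_ }
}
```

The audit only proves that WinINET-aware applications (Internet Explorer and anything that honours the system proxy) are pinned to the internal address, which is reachable only once the VPN is up. It says nothing about other clients or non-HTTP traffic, which is exactly the "proxy, not all communications" limitation the answer points out.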
 

Author Comment

by:gbusardo
Thanks for the good responses.

Gargantubrain: I understand that forcing a proxy by GP might be a good solution for HTTP traffic. However, in regards to "all communications" - does anyone know of the "third-party solutions" that actually can control these sorts of things? They currently have a VPN concentrator and a Cisco PIX 515 - all VPN traffic is using IPsec and authentication from the concentrator.

Thanks in advance!
 

Author Comment

by:gbusardo
Sorry about that. I agree with turn123's recommendations.
