Solved

Force mobile users' internet traffic towards VPN gateway ONLY

Posted on 2004-09-28
342 Views
Last Modified: 2013-12-04
I have a client that needs to do the following:

All mobile users who travel or take home their laptops must be forced to connect to their VPN connections before browsing the web or using any service that requires internet connectivity (besides initiating the vpn connection, of course).  Secondly, all outbound traffic is routed through the company network, websense and firewall ONLY - and not their local internet connection.

Their goal is to be able to filter the websites they go to when they are using company equipment - no matter where they are.

How can I make this happen?
Question by:gbusardo
6 Comments
 
LVL 7

Accepted Solution

by:
msice earned 250 total points
ID: 12180964
You won't be able to stop them if they want to browse using their local connection. If you route the VPN connection on the company side to use the dns subnet on the intranet/company side of the websense firewall then whatever the websense firewall is filtering will apply to the vpn connection when it hits the websense firewall on its way out.
 
LVL 3

Assisted Solution

by:Gargantubrain
Gargantubrain earned 250 total points
ID: 12240010
You may find your requirements to be partially but not completely possible.

You can enforce proxy settings with domain policy. In group policy; User Configuration, Windows Settings, Internet Explorer Maintenance, Connection section. You would want to disable automatic browser configuration or specify a specific configuration, and in Proxy settings specify your internal private IP for proxy.

Now they can only browse using the specified proxy, and they can only get to the private IP address (like 10.3.5.240) after they start VPN.

This might be circumvented by using an alternate browser that doesn't take the group policy settings. You would have to try to ensure that they can't install an alternate browser. The restrictions you might have to place on the machine for that might be too strict.

The only way around the group policy settings would be to log in as a local user. They wouldn't be able to log in as a local user if they don't know the local admin password and they are not given privilege to the local machine at higher than user rights. If their domain account is in the local administrators group then they could just change the local admin password that way, or create a new local account. Note that there are utilities to change the local admin password but you can't stop every possibility when someone has physical access to a machine. Heck they could boot up into Knoppix off the CD-ROM and do whatever they wanted to without even running the hard disk's OS.

This also only encompasses proxy, not "all communications". You're going to have to go to a third-party solution to go beyond what you can do with enforcing proxy, and possibly some sort of mandatory IPSec policy.
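As an added example that is not part of the thread above, the following PowerShell script audits a domain-joined laptop for the two controls Gargantubrain's answer relies on: a proxy that is enforced machine-wide by policy (so a per-user change cannot undo it) and a VPN profile that does not split-tunnel, which is what "all outbound traffic routed through the company network" requires once the tunnel is up. The registry locations are the standard Internet Settings keys and the "ProxySettingsPerUser" policy value; the expected proxy address and port are assumed values for illustration, and the VPN check uses the built-in Windows VPN client cmdlets rather than the Cisco concentrator client the asker mentions.

```powershell
# Added example (not from the original thread). Audits whether the proxy is enforced
# machine-wide and whether any Windows VPN profile allows split tunneling.
# Run in an elevated PowerShell on the managed laptop; read-only, changes nothing.

param(
    # Assumed value: the internal proxy (e.g. the Websense host) that is only reachable over the VPN.
    [string]$ExpectedProxy = '10.3.5.240:8080'
)

function Get-ProxyEnforcementStatus {
    $policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $perUser = (Get-ItemProperty -Path $policyKey -Name ProxySettingsPerUser `
                   -ErrorAction SilentlyContinue).ProxySettingsPerUser

    # ProxySettingsPerUser = 0 means the "Make proxy settings per-machine" policy is on:
    # the machine-wide values apply and a user cannot override them in their own hive.
    $perMachine = ($perUser -eq 0)
    $settingsKey = if ($perMachine) {
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    } else {
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    }
    $s = Get-ItemProperty -Path $settingsKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ProxyPerMachine = $perMachine
        ProxyEnabled    = ($s.ProxyEnable -eq 1)
        ProxyServer     = $s.ProxyServer
        ProxyMatches    = ($s.ProxyServer -eq $ExpectedProxy)
        # Bypass list: anything beyond '<local>' is a hole in the filtering.
        ProxyOverride   = $s.ProxyOverride
    }
}

function Get-VpnSplitTunnelStatus {
    # Get-VpnConnection lives in the RemoteAccess module (Windows 8 / Server 2012 and later).
    if (-not (Get-Command Get-VpnConnection -ErrorAction SilentlyContinue)) {
        return @()
    }
    # Both machine-wide and current-user profiles; SplitTunneling = $true means only
    # company subnets go through the tunnel and everything else uses the local link.
    $all = @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue) +
           @(Get-VpnConnection -ErrorAction SilentlyContinue)
    $all | Select-Object Name, ServerAddress, SplitTunneling
}

$findings = @()

$proxy = Get-ProxyEnforcementStatus
if (-not $proxy.ProxyPerMachine) { $findings += 'Proxy is per-user; the user hive can override policy.' }
if (-not $proxy.ProxyEnabled)    { $findings += 'ProxyEnable is not 1; direct browsing is possible.' }
if (-not $proxy.ProxyMatches)    { $findings += "ProxyServer is '$($proxy.ProxyServer)', expected '$ExpectedProxy'." }
if ($proxy.ProxyOverride -and $proxy.ProxyOverride -ne '<local>') {
    $findings += "ProxyOverride bypass list is '$($proxy.ProxyOverride)'."
}

foreach ($vpn in Get-VpnSplitTunnelStatus) {
    if ($vpn.SplitTunneling) {
        $findings += "VPN profile '$($vpn.Name)' ($($vpn.ServerAddress)) has split tunneling enabled."
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: proxy enforced machine-wide and no split-tunnel VPN profiles found.'
} else {
    Write-Output 'Findings:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script only reports; fixing a finding is a policy change (the per-machine proxy policy, or rebuilding the VPN profile with split tunneling off), not something to patch on one laptop. As the answer notes, it also says nothing about a browser that ignores these registry values, so a clean result means the policy is in place, not that every path to the internet is closed.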
 

Author Comment

by:gbusardo
ID: 12255522
Thanks for the good responses.

Gargantubrain: I understand that forcing a proxy by GP might be a good solution for http traffic.  However, in regards to "all communications" - does anyone know of the "third-party solutions" that actually can control these sort of things?  They currently have a VPN concentrator and a Cisco PIX 515 - all VPN traffic is using IPsec and authentication from the concentrator.

thanks in advance!
 

Author Comment

by:gbusardo
ID: 14048623
sorry about that. I agree with turn123's recommendations.