Solved

Force mobile users' internet traffic towards VPN gateway ONLY

Posted on 2004-09-28
Last Modified: 2013-12-04
I have a client that needs to do the following:

All mobile users who travel or take home their laptops must be forced to connect to their VPN connections before browsing the web or using any service that requires internet connectivity (besides initiating the vpn connection, of course).  Secondly, all outbound traffic is routed through the company network, websense and firewall ONLY - and not their local internet connection.

Their goal is to be able to filter the websites they go to when they are using company equipment - no matter where they are.

How can I make this happen?
Question by:gbusardo
6 Comments
LVL 7

Accepted Solution

by:
msice earned 1000 total points
ID: 12180964
You won't be able to stop them if they want to browse using their local connection. If you route the VPN connection on the company side to use the dns subnet on the intranet/company side of the websense firewall then whatever the websense firewall is filtering will apply to the vpn connection when it hits the websense firewall on its way out.
LVL 3

Assisted Solution

by:Gargantubrain
Gargantubrain earned 1000 total points
ID: 12240010
You may find your requirements to be partially but not completely possible.

You can enforce proxy settings with domain policy. In Group Policy: User Configuration, Windows Settings, Internet Explorer Maintenance, Connection section. You would want to disable automatic browser configuration or specify a specific configuration, and in Proxy settings specify your internal private IP for the proxy.

Now they can only browse using the specified proxy, and they can only get to the private IP address (like 10.3.5.240) after they start VPN.

This might be circumvented by using an alternate browser that doesn't take the group policy settings. You would have to try to ensure that they can't install an alternate browser. The restrictions you might have to place on the machine for that might be too strict.

The only way around the group policy settings would be to log in as a local user. They wouldn't be able to log in as a local user if they don't know the local admin password and they are not given privilege to the local machine higher than user rights. If their domain account is in the local administrators group then they could just change the local admin password that way, or create a new local account. Note that there are utilities to change the local admin password, but you can't stop every possibility when someone has physical access to a machine. Heck, they could boot up into Knoppix off the CD-ROM and do whatever they wanted to without even running the hard disk's OS.

This also only encompasses proxy, not "all communications". You're going to have to go to a third-party solution to go beyond what you can do with enforcing proxy, and possibly some sort of mandatory IPSec policy.
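An added example, not part of the original thread: a PowerShell audit script a helpdesk or security team could run on a domain laptop to confirm the proxy enforcement described in the answer above is actually in effect. It assumes the GPO writes the proxy into the per-user Internet Settings registry key and locks the UI with the "Disable changing proxy settings" policy; the proxy address 10.3.5.240 is taken from the answer, while port 8080 is a constructed value.

```powershell
# Added example (not from the original thread): audit a laptop's effective
# proxy enforcement. Assumed: the GPO pushes the proxy via the per-user
# Internet Settings key and locks it via the Control Panel policy key.
# 10.3.5.240 is the private proxy IP from the answer; port 8080 is constructed.

$ExpectedProxy = '10.3.5.240:8080'

$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$lockKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
$lock = Get-ItemProperty -Path $lockKey -ErrorAction SilentlyContinue

$findings = [ordered]@{
    ProxyEnabled       = ($inet.ProxyEnable -eq 1)
    ProxyMatchesPolicy = ($inet.ProxyServer -eq $ExpectedProxy)
    # A proxy on a public address would be reachable without the VPN, which
    # defeats the purpose; RFC 1918 space is only routable once the tunnel is up.
    ProxyIsPrivateAddr = ($inet.ProxyServer -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)')
    # 'Proxy' = 1 under the Control Panel policy key greys out the proxy UI.
    ProxyUiLocked      = ($lock.Proxy -eq 1)
    # An empty bypass list: '<local>' or extra hosts would let traffic skip the proxy.
    NoBypassList       = [string]::IsNullOrEmpty($inet.ProxyOverride)
}

# Reachability check: expected to succeed only while the VPN tunnel is up.
$proxyHost, $proxyPort = $ExpectedProxy -split ':'
$findings.ProxyReachable = Test-NetConnection -ComputerName $proxyHost `
    -Port ([int]$proxyPort) -InformationLevel Quiet -WarningAction SilentlyContinue

foreach ($name in $findings.Keys) {
    $status = if ($findings[$name]) { 'OK  ' } else { 'FAIL' }
    Write-Output ('{0} {1}' -f $status, $name)
}
if (-not $findings.ProxyReachable) {
    Write-Output 'Proxy unreachable: this is the expected result with the VPN down.'
}
```

Any FAIL other than ProxyReachable while off-VPN means the policy is not applied to that user profile, which is exactly the local-account bypass the answer warns about.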

Author Comment

by:gbusardo
ID: 12255522
Thanks for the good responses.

Gargantubrain: I understand that forcing a proxy by GP might be a good solution for HTTP traffic.  However, in regards to "all communications" - does anyone know of the "third-party solutions" that actually can control these sorts of things?  They currently have a VPN concentrator and a Cisco PIX 515 - all VPN traffic is using IPsec and authentication from the concentrator.

thanks in advance!

Author Comment

by:gbusardo
ID: 14048623
Sorry about that. I agree with turn123's recommendations.