Tricky network design, how to force all internet access to be via a VPN.

We have a number of ruggedized tablets used by workers in the field. They are basically Windows 8 machines, with no keyboard, and a tough case.

Each tablet has a SIM card and makes a 4G connection via a local Telco. We have a Cisco AnyConnect VPN set up, which creates a tunnel over the 4G connection, into our head office. It is terminated on a Cisco ASA-5508x firewall, running FDM

Users on the tablet primarily run in-house software, but occasionally need to fire up a web browser. The VPN is configured to route ALL outbound traffic over the VPN to head office, internet access is filtered for "non-business" sites, and malware via the ASA-5508x.

This is mostly working, with one small issue. If users disconnect the VPN, they are free to browse the 'net wherever they like. Under this situation, we do not want web browsing to work at all; we want tablet users to only be able to access the 'net via the VPN and ASA-5508x.

The machines are all domain members, the DC is running server 2008R2.

Any ideas on how to somehow "break" web browsing directly across the 4G connection?
LVL 25
Mal OsborneAlpha GeekAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CDRetiredCommented:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Fred MarshallPrincipalCommented:
It sounds like they may have a "split VPN" setup.  So, if it's possible, don't have a split VPN which allows direct internet connection.
David Johnson, CDRetiredCommented:
no he doesn't seem to have a split vpn BUT the user is permitted to disconnect from the vpn and surf the web (or whatever) without going through the vpn.

Firewall rules can be enforced by group policy AND the users MUST NOT be local administrators of the device
Expert Spotlight: Joe Anderson (DatabaseMX)

We’ve posted a new Expert Spotlight!  Joe Anderson (DatabaseMX) has been on Experts Exchange since 2006. Learn more about this database architect, guitar aficionado, and Microsoft MVP.

Mal OsborneAlpha GeekAuthor Commented:
Thanks, totally makes sense. I feel like an idiot for not figuring that one out.
Thomas AamodtNetwork ArchitectCommented:
Since the 4G is from some other ISP.
You need to do this on the "table/Domain" access.
So its not really a networking issue.

because when they disconnect the VPN it will just go out the "default gateway" which will be the 4G.

So either remove the 4G sim cards from the tablets and have a 4G router as backupline on the ASA firewall. to do the routing there.
What  we do is to have a router in front , then split the traffic there over 4G or mainline. (if we dont manage ther routers our self)

or do this by blocking it on Domain level.
Not sure if you can do the "blocking" when you don't have "corporate" IP adresses or something like that. but some ActiveDirectory people might help you with this.
Mal OsborneAlpha GeekAuthor Commented:
Now just to see if I can push this out via GPOs
Owen RubinConsultantCommented:
Can't you also set the VPN as the default gateway on all the machines?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 8

From novice to tech pro — start learning today.