Tricky network design, how to force all internet access to be via a VPN.

Mal Osborne
We have a number of ruggedized tablets used by workers in the field. They are basically Windows 8 machines, with no keyboard, and a tough case.

Each tablet has a SIM card and makes a 4G connection via a local Telco. We have a Cisco AnyConnect VPN set up, which creates a tunnel over the 4G connection, into our head office. It is terminated on a Cisco ASA-5508x firewall, running FDM 6.2.2.1.

Users on the tablet primarily run in-house software, but occasionally need to fire up a web browser. The VPN is configured to route ALL outbound traffic over the VPN to head office; internet access is filtered for "non-business" sites and malware by the ASA-5508x.

This is mostly working, with one small issue. If users disconnect the VPN, they are free to browse the 'net wherever they like. In this situation, we do not want web browsing to work at all; we want tablet users to only be able to access the 'net via the VPN and ASA-5508x.

The machines are all domain members; the DC is running Server 2008 R2.

Any ideas on how to somehow "break" web browsing directly across the 4G connection?
Top Expert 2016
Commented:
It sounds like they may have a "split VPN" setup. So, if it's possible, don't have a split VPN which allows direct internet connection.
Top Expert 2016

Commented:
No, he doesn't seem to have a split VPN, BUT the user is permitted to disconnect from the VPN and surf the web (or whatever) without going through the VPN.

Firewall rules can be enforced by Group Policy, AND the users MUST NOT be local administrators of the device.
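One way to implement the Group Policy firewall lockdown the comment above describes, as an added example (this is not code from the thread, from Cisco, or from Experts Exchange): a PowerShell script using the Windows 8 NetSecurity cmdlets that sets the Windows Firewall default outbound action to Block, allows only the AnyConnect tunnel endpoint (the ASA's public address, TCP and UDP 443) over the raw 4G link, and allows everything over the AnyConnect virtual adapter. The ASA address 203.0.113.10 (an RFC 5737 documentation address), the adapter name "AnyConnect" and the GPO name are assumptions to be replaced. The script renames the AnyConnect adapter to a fixed alias because Windows otherwise gives it a per-machine name such as "Ethernet 2", and a single GPO rule needs one alias that matches on every tablet.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Locks a Windows 8 tablet down so that the only
# traffic allowed to leave over the raw 4G link is the AnyConnect tunnel to the head-office ASA;
# everything else must travel inside that tunnel, where the ASA filters it.
# ASSUMPTIONS (replace before use): the ASA public address (203.0.113.10 is an RFC 5737
# documentation address), the fixed adapter alias 'AnyConnect', and the GPO name.

param(
    [string]$AsaPublicIp = '203.0.113.10',
    [string]$VpnAlias    = 'AnyConnect',
    # 'PersistentStore' edits the local firewall of the tablet you run this on (for testing).
    # To write the same rules into a domain GPO, pass e.g. 'corp.example.com\Tablet VPN Lockdown'
    # from a Windows 8 / Server 2012 host with RSAT; the 2008 R2 DC itself lacks these cmdlets.
    [string]$PolicyStore = 'PersistentStore'
)

# Parameters shared by every rule: all outbound, all profiles, grouped so they can be removed together.
$common = @{ PolicyStore = $PolicyStore; Direction = 'Outbound'; Profile = 'Any'; Group = 'VPN Lockdown' }

# 0. Give the AnyConnect virtual adapter a predictable name. The adapter description is stable
#    across machines, the connection name is not. Only meaningful on the tablet itself.
if ($PolicyStore -eq 'PersistentStore') {
    Get-NetAdapter |
        Where-Object { $_.InterfaceDescription -like 'Cisco AnyConnect*' -and $_.Name -ne $VpnAlias } |
        Rename-NetAdapter -NewName $VpnAlias
}

# 1. Start clean, then make Block the default for OUTBOUND traffic on every profile.
#    Inbound policy is left as it was.
Get-NetFirewallRule -PolicyStore $PolicyStore -Group 'VPN Lockdown' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
Set-NetFirewallProfile -PolicyStore $PolicyStore -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. The one thing allowed to leave over the raw 4G link: the tunnel itself.
#    TCP 443 carries the SSL/TLS control channel, UDP 443 the DTLS data channel.
New-NetFirewallRule @common -Name 'VPN-Lockdown-ASA-TLS' -DisplayName 'AnyConnect to ASA (TLS)' -Action Allow -Protocol TCP -RemoteAddress $AsaPublicIp -RemotePort 443
New-NetFirewallRule @common -Name 'VPN-Lockdown-ASA-DTLS' -DisplayName 'AnyConnect to ASA (DTLS)' -Action Allow -Protocol UDP -RemoteAddress $AsaPublicIp -RemotePort 443

# 3. Inside the tunnel everything is allowed. Match on the VPN adapter rather than on destination
#    address: with a full tunnel, internet-bound packets also leave through this adapter, so a
#    destination-based rule for head-office ranges alone would break browsing even when connected.
New-NetFirewallRule @common -Name 'VPN-Lockdown-Tunnel' -DisplayName 'Any traffic via AnyConnect adapter' -Action Allow -InterfaceAlias $VpnAlias

# 4. Plumbing the link needs before the tunnel exists. DHCP is harmless. DNS is only needed if the
#    AnyConnect profile names the ASA by hostname, and open DNS is a well-known covert channel
#    (DNS tunnelling), so point the profile at the IP address and delete this rule if you can.
New-NetFirewallRule @common -Name 'VPN-Lockdown-DHCP' -DisplayName 'DHCP client' -Action Allow -Protocol UDP -LocalPort 68 -RemotePort 67
New-NetFirewallRule @common -Name 'VPN-Lockdown-DNS' -DisplayName 'DNS (remove if ASA is addressed by IP)' -Action Allow -Protocol UDP -RemotePort 53

# 5. When the rules live in a GPO, refuse to merge locally created rules, so a user who somehow
#    obtains admin rights cannot whitelist a browser. This setting only exists for GPO stores.
if ($PolicyStore -ne 'PersistentStore') {
    Set-NetFirewallProfile -PolicyStore $PolicyStore -Profile Domain,Private,Public -AllowLocalFirewallRules False
}
```

Run it first on one tablet with the default PersistentStore and confirm two things: the tablet can still dial the ASA, and with the tunnel down a browser cannot reach anything. Then re-run it with -PolicyStore pointing at a GPO linked to the tablets' OU. Two caveats: the lockdown only holds if users are not local administrators, as the comment says, since an admin can change the profile defaults; and because the DC is only reachable through the tunnel, Group Policy refreshes only while the VPN is connected, so a tablet that never connects never picks up a changed policy.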
Author

Commented:
Thanks, totally makes sense. I feel like an idiot for not figuring that one out.
Thomas Aamodt, Network Architect

Commented:
Since the 4G is from some other ISP, you need to do this on the tablet/domain level, so it's not really a networking issue.

Because when they disconnect the VPN, it will just go out the "default gateway", which will be the 4G.

So either remove the 4G SIM cards from the tablets and have a 4G router as a backup line on the ASA firewall, to do the routing there. What we do is have a router in front, then split the traffic there over 4G or the main line (if we don't manage the routers ourselves).

Or do this by blocking it on the domain level. Not sure if you can do the "blocking" when you don't have "corporate" IP addresses or something like that, but some Active Directory people might help you with this.

Author

Commented:
Now just to see if I can push this out via GPOs

Commented:
Can't you also set the VPN as the default gateway on all the machines?
