sunhux

asked on

Windows firewall that permits TCP 80/443 only if connected to corporate VPN or corp LAN (and otherwise blocks if connected elsewhere)

Is there any possibility / way to configure the Win7 firewall (on users' PCs)
such that it blocks users' access to the Internet (namely TCP 80 & 443)
unless the user's VPN is connected or the user is connected to
our corporate LAN/Wifi?   I.e. when a user is at home or connects to
an outside Wifi, the firewall rules will block the access (& only a single
firewall rule permits connection to our corporate VPN appliance).
sunhux

ASKER

Sort of conditional firewall rule
ASKER CERTIFIED SOLUTION
David Johnson, CD

it sounds as though you want to block the user from accessing anything.
1) the user has to be a standard user
2) configure a proxy on the system such that without a VPN the proxy will not be accessible.

ASKER

> it sounds as though you want to block the user from accessing anything
No, just block the users such that they have to be connected to corporate
network or connected via VPN to corporate network before they can
access Internet.

hi David
>... so set the firewall rule to block http/https in the private/public location and allow in domain location
Is the above enforced by GPO, or can the above firewall rules be enforced
as well even if the PC is not in the corporate domain?

ASKER

Is there a possibility that a user whose laptop connects to his home
Wifi selects that Wifi as the "Office/domain" environment & thus gets past
the rule & is able to browse the Internet while connected to his home Wifi?
they only have 2 options: private and public
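The rule set David describes (block HTTP/HTTPS on the Private and Public profiles, leave the Domain profile alone, allow only the VPN appliance) can be scripted as below. This is an added example, not code from the thread or from Experts Exchange. It uses `netsh advfirewall`, because Windows 7 ships without the `New-NetFirewallRule` cmdlets, and it must run from an elevated prompt. The VPN appliance address and port are placeholders. Two behaviours worth knowing when reading it: the Domain profile is chosen by Network Location Awareness only when the machine can reach a domain controller for its own domain, so a user cannot pick it for a home Wifi (the location prompt offers only Home/Work, i.e. Private, and Public); and in Windows Firewall an explicit block rule wins over an explicit allow rule, so if the VPN client itself uses TCP 443 the port-based block would also cut off the VPN. The script detects that case and switches the two roaming profiles to a default-deny outbound policy instead, where the single VPN allow rule is sufficient.

```powershell
# Added example, not from the original thread. Run elevated on the Windows 7 client.
# Placeholders (assumptions): the VPN appliance address and the port its client uses.
$VpnServer = '203.0.113.10'   # placeholder (TEST-NET-3); replace with the appliance address
$VpnPort   = '443'            # placeholder; check the VPN client's actual port (IPsec also needs UDP 500/4500)

function Add-OutboundRule {
    param(
        [string]$Name,
        [ValidateSet('allow','block')][string]$Action,
        [string]$Profiles,                 # e.g. 'private,public'
        [string]$Protocol   = 'tcp',
        [string]$RemotePort = 'any',
        [string]$RemoteIp   = 'any'
    )
    # Delete any earlier copy first so re-running the script does not create duplicates.
    netsh advfirewall firewall delete rule name="$Name" dir=out | Out-Null
    netsh advfirewall firewall add rule name="$Name" dir=out action=$Action `
        profile=$Profiles protocol=$Protocol remoteport=$RemotePort remoteip=$RemoteIp | Out-Null
}

function Set-CorpRoamingPolicy {
    param([string]$VpnServer, [string]$VpnPort)

    # Always permit the VPN appliance from the roaming (non-domain) profiles.
    Add-OutboundRule -Name 'Corp-AllowVpnAppliance' -Action allow -Profiles 'private,public' `
        -RemotePort $VpnPort -RemoteIp $VpnServer

    if ('80','443' -contains $VpnPort) {
        # Block beats allow, so a port block on 80/443 would also block the VPN.
        # Use default-deny outbound on Private/Public instead; the allow rule above
        # and the built-in "Core Networking" rules (DNS, DHCP) still apply.
        netsh advfirewall set privateprofile firewallpolicy blockinbound,blockoutbound | Out-Null
        netsh advfirewall set publicprofile  firewallpolicy blockinbound,blockoutbound | Out-Null
        return 'default-deny-outbound'
    }

    # Otherwise the narrower rule from the thread: block HTTP/HTTPS off the corporate network.
    # Domain profile is untouched, so on the LAN (or through a full-tunnel VPN whose
    # adapter lands in the Domain profile) web access works as before.
    Add-OutboundRule -Name 'Corp-BlockWebOffNetwork' -Action block -Profiles 'private,public' `
        -RemotePort '80,443'
    return 'port-block'
}

function Show-CorpRoamingPolicy {
    # Which profile the active interface is in, and the rules this script manages.
    netsh advfirewall show currentprofile
    netsh advfirewall firewall show rule name='Corp-AllowVpnAppliance'
    netsh advfirewall firewall show rule name='Corp-BlockWebOffNetwork'
}

$mode = Set-CorpRoamingPolicy -VpnServer $VpnServer -VpnPort $VpnPort
Write-Host "Applied roaming policy mode: $mode"
Show-CorpRoamingPolicy
```

Note that the rule only covers the ports named in the thread; a user on home Wifi could still reach other ports, which is why the default-deny variant is the stricter of the two. Also, a split-tunnel VPN sends Internet traffic out of the physical adapter, where it stays blocked, so the design relies on the VPN being full-tunnel through the office proxy.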
SOLUTION

ASKER

For David's method, I guess we'll need 1 firewall rule in the "public" profile
to permit connection to the VPN server (on the required VPN ports).

On Arnold's suggestion: yes, we've defined our corporate proxy in IE
& Chrome on tcp8080 & greyed it out to users (i.e. users can't remove the
proxy in IE/Chrome, though an IT-savvy user knows this can be removed
by using a non-admin account to do regedit to 'unset' 2 reg keys).
What's of concern is that Firefox's proxy can't be greyed out, i.e. users can
still remove the proxy in Firefox (& quite a number of users have
Firefox on their laptops).
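Firefox gained enterprise policies in version 60, so the proxy can now be pinned and the Connection Settings dialog greyed out in the same way as IE/Chrome. The script below, an added example that is not from the thread or from Mozilla, writes a `distribution\policies.json` next to the Firefox executable; it assumes the default 64-bit install path and uses placeholder proxy and intranet names, keeping only the tcp8080 port from the thread. `ConvertTo-Json` needs PowerShell 3.0 or later, so the Windows Management Framework update is required on a stock Windows 7 image.

```powershell
# Added example, not from the original thread. Run elevated; Firefox 60+ reads
# <install dir>\distribution\policies.json at start-up and locks the listed settings.
$ProxyHostPort = 'proxy.corp.example:8080'            # placeholder host, port from the thread
$FirefoxDir    = 'C:\Program Files\Mozilla Firefox'   # assumed default 64-bit path; 32-bit builds live under Program Files (x86)
$BypassHosts   = 'localhost, 127.0.0.1, .corp.example' # placeholder intranet suffix kept off the proxy

function Write-FirefoxProxyPolicy {
    param([string]$InstallDir, [string]$Proxy, [string]$Bypass)

    # "Locked = $true" is what greys out the proxy controls in about:preferences.
    $policy = @{
        policies = @{
            Proxy = @{
                Mode        = 'manual'
                Locked      = $true
                HTTPProxy   = $Proxy
                UseHTTPProxyForAllProtocols = $true
                Passthrough = $Bypass
            }
        }
    }

    $distDir = Join-Path $InstallDir 'distribution'
    if (-not (Test-Path $distDir)) {
        New-Item -ItemType Directory -Path $distDir | Out-Null
    }
    $path = Join-Path $distDir 'policies.json'
    $policy | ConvertTo-Json -Depth 5 | Set-Content -Path $path -Encoding UTF8
    return $path
}

function Test-FirefoxProxyPolicy {
    param([string]$Path)
    # Re-read the file and confirm the lock survived serialisation.
    $parsed = Get-Content -Path $Path -Raw | ConvertFrom-Json
    return ($parsed.policies.Proxy.Locked -eq $true -and $parsed.policies.Proxy.Mode -eq 'manual')
}

$written = Write-FirefoxProxyPolicy -InstallDir $FirefoxDir -Proxy $ProxyHostPort -Bypass $BypassHosts
Write-Host "Wrote $written; lock verified: $(Test-FirefoxProxyPolicy -Path $written)"
```

Because the file sits under Program Files, a standard user cannot edit it, which closes the same gap the thread notes for the HKCU registry keys in IE/Chrome; about:policies in Firefox shows whether the policy was picked up.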
SOLUTION

ASKER

1) you want to prevent the user from getting the system infected and then bring it into the office.
2) the way to achieve this you are trying to restrict all user uses of the laptop to effectively only function when the VPN to the office is established.

Yes, the above two, plus by VPN'ing back to the office we'll force them to use a "secure browser" (which won't work if
they don't VPN back to the office), plus they'll have to go through the office "network DLP" (email will also go through
the office network DLP).

ASKER

Currently, when connected to the office, when users launch IE/Chrome, if they're browsing "Intranet or whitelisted sites, i.e.
a few trusted sites that users require to upload files", they'll load in IE/Chrome; otherwise a "secure browser" will
launch (& this browser disallows uploading/downloading of files) for browsing other sites.

So when their laptops are brought outside/home, IE/Chrome/secure browser will all not be able to browse anything
till they VPN back to the office.
SOLUTION