Unable To Print While Connected Via VPN

[Michael Hough]

I'm having a problem printing when I have an active VPN connection. Any
jobs that I request to print while my VPN connection is active are not
printed until after I break my VPN connection. Once the VPN connection is
shut down, I can print without a problem.

Here is my setup: I have a home network with an HP LaserJet 4600dn printer
connected directly to a Linksys router. The printer is configured to use
TCP/IP, and acquires it's IP address from the router. I also have a work
owned laptop (running Windows 2000 SP4) which I use to access my companies
corporate network from home. To connect to work via the laptop, I use a VPN
connection. The printer definition on my laptop references my printer by IP
address.

It's very annoying to have to break my VPN connection to print a document I
receive while connected to my work environment. Is there a way I can print
from my work laptop even while my VPN connection is online? Thanks for your
help...

Mike

 

[Dave]

that is normal. the vpn creates a tunnel between your machine and work
which essentially cuts you off from the local network. I have heard there
may be a way to manually create routes to local network resources but i
don't have to print enough to bother figuring it out.

 

[Phillip Windell]

It is supposed to work like that. If your printer is in the same subnet that
your laptop is then is should print, but the laptop will not cross any
routers (except the VPN Router) while the VPN is up.

In the Dialup TCP/IP Settings you can disable the "Use Gateway on Remote
Network" to avoid this, but it is considered a security risk to do so.

 

[Danny Sanders]

In the Dialup TCP/IP Settings you can disable the "Use Gateway on Remote

Network" to avoid this, but it is considered a security risk to do so.

Phillip,

I have a Dr. here that needs to VPN to another network from his laptop
through our firewall to his hospitals Pix.
Their "security" policy prohibits split tunneling on their Pix. When we open
the VPN, all he can access is basically the remote hospital network.

Would disabling the above setting make any difference here? What are the
security risks associated with disabling this setting?

Thanks
DDS

It is supposed to work like that. If your printer is in the same subnet
that
your laptop is then is should print, but the laptop will not cross any
routers (except the VPN Router) while the VPN is up.

In the Dialup TCP/IP Settings you can disable the "Use Gateway on Remote
Network" to avoid this, but it is considered a security risk to do so.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

I'm having a problem printing when I have an active VPN connection. Any
jobs that I request to print while my VPN connection is active are not
printed until after I break my VPN connection. Once the VPN connection
is
shut down, I can print without a problem.

Here is my setup: I have a home network with an HP LaserJet 4600dn
printer
connected directly to a Linksys router. The printer is configured to use
TCP/IP, and acquires it's IP address from the router. I also have a work
owned laptop (running Windows 2000 SP4) which I use to access my
companies
corporate network from home. To connect to work via the laptop, I use a VPN
connection. The printer definition on my laptop references my printer by IP
address.

It's very annoying to have to break my VPN connection to print a document I
receive while connected to my work environment. Is there a way I can print
from my work laptop even while my VPN connection is online? Thanks for your
help...

Mike

 

[Phillip Windell]

I have a Dr. here that needs to VPN to another network from his laptop
through our firewall to his hospitals Pix.
Their "security" policy prohibits split tunneling on their Pix. When we open
the VPN, all he can access is basically the remote hospital network.

Would disabling the above setting make any difference here? What are the
security risks associated with disabling this setting?

What I was describing is, in fact, Split-Tunneling,..I just didn't call it
that. As you said, their security policy prevents you from doing that. If he
is using the Cisco VPN Client to initiate the connection the option I
described probably doesn't even exist and it may be something to configure
on the PIX,...I really don't know, I have never used nor ever seen a PIX.

Unfortunately I don't work for (or as) a consultant so I don't get the
variety of experience they do. I sit and stare at the same unchanging
network all day and I do not get any experience with things that we do not
own and use here. I have to hear everything "second-hand" sort of speak.

 

[Danny Sanders]

If he

is using the Cisco VPN Client to initiate the connection the option I
described probably doesn't even exist and it may be something to configure
on the PIX,...I really don't know, I have never used nor ever seen a PIX.

Yes he is using the client.

I kind of figured changing a setting on our end wouldn't do much. For now he
is using Citrix.

Thanks
DDS

 

[Ryan Hanisco]

Yes, this is something that you would have to configure on the PIX and would
affect all users, not just him. To do something specific to him you'd need
a Cisco VPN Concentrator (big $$) to handle individual VPN policies.

Besides, its forbidden by the organization's policy.

The better solution might be to consider moving the local printer so that it
is in the same subnet as the workstation so that it never hits the gateway
router to address it -- or to continue to use Citrix. in the end, it may
just be cheaper to get him a cheap printer he can keep locally attached.
(Just remember that the cheap printers are not generally supported by
Citrix, even with the UPD/UPDII -- its a Catch/22)

 

[Danny Sanders]

Yes, this is something that you would have to configure on the PIX and

would affect all users, not just him.

Could they set up a group just for him and turn on split tunneling for that
group?

I am in the process of trying to formalize our relationship with them. Maybe
if we meet certain criteria they will allow this ( The number 2 guy at the
hospital is in the same boat.). We would have to put measures in place to
minimize the risk associated with using split tunneling.

Which leads me to what are the security risks associated with split
tunneling?

TIA

DDS