Prevent non-VPN connected Internet access for external users?

[Barkley Bees]

We have users who work outside the office and as such have notebooks so they
can access our network. The not so good part about this is that they can
then browse and access the unfiltered web while not connected via remote
access (PPTP/VPN). We have Websense and firewalls in place to prevent this
for internal users. As it is, the outside user's systems then become a
potential security risk as they are left wide open.

What I would like to do is restrict internet access on the external client
notebooks so that they can only only access the Internet via VPN which
guarantees they go out via our Firewall and Websense. Has anyone here
implemented something along these lines that might be able to offer some
advice on how to best accomplish this? Appreciate any support. Thanks.

*note: our VPN server is Windows 2003 SP2 using RRAS and the clients are
currently Windows XP SP2 (will be rolling out SP3 soon).

 

[Phillip Windell]

(This doesn't appear to have anything to do with ISA Server, which is what
this group is about)

Anyway,...
It...is...just...not...possible

They have to have an Internet connection before they can have the subsequent
VPN connection,...therefore they can simply *not* connect to the VPN and
use the Internet all they want and there is nothing you can do about it.

If you want the laptops to have any sense of security at all then you have
to make sure that the users are not Local Administrators on their
machine,...this prevent them from installing anything,...and willl,...to a
point,...prevent other things from automatically installing themselves
without the users knowledge.

When they are on the VPN you want to make sure that in the config of their
DUN connectiod you have "User gateway on remote network" enabled. This
forces them to loop through your LAN and Firewall to get to the Internet.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

 

[Thomas K.H. Bittner]

Hello Barkley,

yes, you can close the notebooks, so they only can go outside the notebook
via VPN. But this would break the newsgroup here. If you like to implement
such you need to hire a consultant for implementation.

Regards,
Tom

 

[Phillip Windell]

Hello Barkley,

yes, you can close the notebooks, so they only can go outside the notebook
via VPN. But this would break the newsgroup here. If you like to implement
such you need to hire a consultant for implementation.

It's that complex?

--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

 

[Rick Merrill]

We have users who work outside the office and as such have notebooks so they
can access our network. The not so good part about this is that they can
then browse and access the unfiltered web while not connected via remote
access (PPTP/VPN). We have Websense and firewalls in place to prevent this
for internal users. As it is, the outside user's systems then become a
potential security risk as they are left wide open.

What I would like to do is restrict internet access on the external client
notebooks so that they can only only access the Internet via VPN which
guarantees they go out via our Firewall and Websense. Has anyone here
implemented something along these lines that might be able to offer some
advice on how to best accomplish this? Appreciate any support. Thanks.

*note: our VPN server is Windows 2003 SP2 using RRAS and the clients are
currently Windows XP SP2 (will be rolling out SP3 soon).

That needs "dual session" and is (warning) slow.

 

[Thomas K.H. Bittner]

Yes, it is very complex and not for free ;-)

It's that complex?

--
Phillip Windell

The views expressed, are my own and not those of my employer, or
Microsoft,
or anyone else associated with me, including my cats.

 

[Phillip Windell]

Yes, it is very complex and not for free ;-)

That would be one reason I wouldn't know about it. We have to choose
between pencils and toilet paper unless we bring our own from home


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

 

[Asher_N]

(This doesn't appear to have anything to do with ISA Server, which is
what this group is about)

Anyway,...
It...is...just...not...possible

They have to have an Internet connection before they can have the
subsequent VPN connection,...therefore they can simply *not* connect
to the VPN and use the Internet all they want and there is nothing you
can do about it.

If you want the laptops to have any sense of security at all then you
have to make sure that the users are not Local Administrators on their
machine,...this prevent them from installing anything,...and
willl,...to a point,...prevent other things from automatically
installing themselves without the users knowledge.

When they are on the VPN you want to make sure that in the config of
their DUN connectiod you have "User gateway on remote network"
enabled. This forces them to loop through your LAN and Firewall to
get to the Internet.

I have yet to be able to have non-admins have full contro over wireless
network connections.