Jerry
I've run into a problem configuring laptops for my company. We're in the
process of upgrading to Windows XP SP2, and one feature I would like to add
for travelling users is the ability to connect to an internet connection,
say at a hotel, which may not be firewalled, and be able to safely use that
connection for both internet browsing and connecting to our Cisco VPN.
Additionally, I'd prefer it if, when the user is back in the office, and
connects the laptop directly to the LAN, the laptop can still be managed
remotely.
I'm having problems getting firewall protection in all cases. I
configured Group Policy for the laptops so that when the laptop is connected
to the domain, then the Windows XP firewall is off, and when it's connected
to a different network (like at a hotel), the firewall is on. That appears
to work fine. However, when the user connects to the VPN using the Cisco
VPN client, the firewall shuts off because it sees the domain. Then, the
laptop is not protected while on the VPN.
I could configure the firewall to be on all the time, but doesn't that
make management difficult? I don't want to set up firewall exceptions for
managing the laptop while it's on the domain, because those same exceptions
will apply while the laptop is connected to the VPN. I'm not completely
sure what the risks are.
I've been using Nmap to test the firewall with TCP, UDP, and TCP SYN
stealth port scans. But, to be honest, I'm not even sure if that's the best
way to test. However, I do get scan results that are consistent with the
firewall being on or off.
I've entered a cornucopia of frustration, and am looking for pointers,
suggestions, or facts backed by people with experience in this type of
setup. Any help would be greatly appreciated.
Thank you,
Jerry
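One way to make the Nmap testing described above repeatable is to parse the scan output and judge the laptop's posture from it rather than reading the port list by eye. The script below is an added example, not code from the original post: it reads Nmap's grepable (-oG) output for one host and reports whether the Windows firewall appears to be dropping unsolicited inbound traffic. The key observation is the difference between "filtered" (no answer, or an ICMP unreachable: the packet was dropped) and "closed" (the TCP stack replied with a RST, so the host is reachable even though nothing listens there). The two scan results embedded in the script are constructed samples for a firewall-off and a firewall-on run; the host address 192.0.2.10 is a documentation address, not a real machine.

```python
import re
from dataclasses import dataclass

# Constructed sample Nmap grepable (-oG) output for the same laptop, first
# with the Windows XP SP2 firewall off, then with it on. Made-up results
# for illustration only, not taken from the original post.
SCAN_FIREWALL_OFF = (
    "# Nmap run (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 135/open/tcp//msrpc///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "3389/closed/tcp//ms-wbt-server///\tIgnored State: closed (996)\n"
)

SCAN_FIREWALL_ON = (
    "# Nmap run (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 135/filtered/tcp//msrpc///, "
    "445/filtered/tcp//microsoft-ds///\tIgnored State: filtered (998)\n"
)

# One -oG port entry looks like  port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)//([^/]*)///")


@dataclass
class PortResult:
    port: int
    state: str
    proto: str
    service: str


def parse_grepable(text):
    """Return the listed per-port results and the 'Ignored State', which is
    the state Nmap collapsed for every port it did not list individually."""
    results = []
    ignored = None
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # Tab-separated "Key: value" fields on the host line.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for port, state, proto, service in PORT_RE.findall(fields["Ports"]):
            results.append(PortResult(int(port), state, proto, service))
        if "Ignored State" in fields:
            ignored = fields["Ignored State"].split(" ")[0]
    return results, ignored


def exposed_ports(text):
    """Ports that answered as open: services a neighbour on an unfirewalled
    hotel network (or on the VPN segment) could connect to."""
    results, _ = parse_grepable(text)
    return [(r.port, r.proto, r.service) for r in results if r.state == "open"]


def firewall_appears_on(text):
    """True when nothing is open and every probed port was filtered. A 'closed'
    port means the stack sent a RST, so the packet was not dropped and the
    host firewall is not protecting that port."""
    results, ignored = parse_grepable(text)
    states = {r.state for r in results}
    if ignored:
        states.add(ignored)
    return bool(states) and states <= {"filtered", "open|filtered"}


def report(label, text):
    """Human-readable summary for one scan run."""
    verdict = "firewall appears ON" if firewall_appears_on(text) else "host REACHABLE"
    print(f"{label}: {verdict}; open ports: {exposed_ports(text)}")


if __name__ == "__main__":
    report("firewall off", SCAN_FIREWALL_OFF)
    report("firewall on ", SCAN_FIREWALL_ON)
```

Running the same check against the laptop from the office LAN, from an outside network, and from the VPN segment gives three verdicts that can be compared directly, which is a clearer statement of the problem than eyeballing three port lists. To feed it real data, scan with `nmap -oG <file>` and pass the file contents to `report`.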