My company wants to allow remote cable users to connect to our network through a VPN, but does not want them to be able to connect to the Internet without going through the VPN on the company owned PC or laptop. This is so they don't pick up viruses and browse unprofessional sites. When they connect through the VPN they are assured of getting the latest virus pattern and going through our restrictions. The laptop users, who use VPN,...
must also be able to connect when in the head office connected to the network and be able to browse the web.

Shawn

Shawn,

You're not alone in this philosophy. Many companies want to ensure that laptops never connect directly to the Internet, but instead route all traffic through a centralized firewall. For remote users, the easiest way to do this is by disabling "split tunnels" in the VPN client software. By doing this, you force ALL traffic to pass through the VPN tunnel, not just private corporate traffic. At the other end, your VPN gateway will need to redirect this traffic to the appropriate firewall or network gateway.
The tricky part is what to do when people are sometimes connected from within the head office and other times connected outside the head office. Within the office they don't need to establish a VPN session; in fact, they don't want to establish a VPN connection. So, the question is: "How do I force a VPN tunnel to be established when I'm not in the head office and stop the VPN tunnel from being established when I am in the head office?"
Some VPN clients are smart and will not establish a tunnel if they recognize that the network they want to connect to virtually is also the network they are connected to physically. However, this is not the case for most. In this case, you will need to automate the initiation of the client software. One neat trick I've seen is to use a .bat file that is run at boot time to enable the VPN client if you are out of the building and disable the VPN client if you are in the building. The .bat file runs an ipconfig command to look at the PC's IP address. If the address is in the IP range of the head-office, the .bat file does not enable the client. However, if the PC's IP address is not in the range of the head office LAN, the VPN client is enabled.
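The boot-time check the answer describes, written out as a worked example. This is an added illustration, not the answer's own .bat file: it parses the output of `ipconfig`, decides whether the machine sits inside the head-office LAN, and starts or stops the VPN client accordingly. The head-office ranges, the sample `ipconfig` output and the `vpnclient.exe` launcher are all assumptions made up for the example; substitute your own ranges and your vendor's real command.

```python
"""Boot-time check: start the VPN client only when the PC is NOT on the
head-office LAN (added example; not the original answer's .bat file)."""
import ipaddress
import re
import subprocess

# Assumption: the head-office LAN uses these ranges. Replace with yours.
HEAD_OFFICE_NETS = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Matches the modern "IPv4 Address. . . : x.x.x.x" line, the older
# "IP Address. . . : x.x.x.x" line, and the APIPA
# "Autoconfiguration IPv4 Address. . : 169.254.x.x" line.
_ADDR_RE = re.compile(
    r"^\s*(?:Autoconfiguration )?IP(?:v4)? Address[ .]*:\s*"
    r"(\d{1,3}(?:\.\d{1,3}){3})",
    re.M,
)


def parse_ipconfig(text):
    """Return the usable IPv4 addresses found in ipconfig output.
    Loopback and link-local (169.254/16, i.e. no DHCP lease) addresses
    are dropped: they say nothing about where the machine is."""
    addrs = []
    for m in _ADDR_RE.finditer(text):
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # malformed octet, ignore the line
        if ip.is_loopback or ip.is_link_local:
            continue
        addrs.append(ip)
    return addrs


def in_head_office(addrs, nets=HEAD_OFFICE_NETS):
    """True if any interface address falls inside a head-office range."""
    return any(ip in net for ip in addrs for net in nets)


def decide(text, nets=HEAD_OFFICE_NETS):
    """Map ipconfig output to 'office', 'remote' or 'no-network'."""
    addrs = parse_ipconfig(text)
    if not addrs:
        return "no-network"  # nothing to tunnel yet; try again later
    return "office" if in_head_office(addrs, nets) else "remote"


def main():
    """Run ipconfig on the local machine and act on the result."""
    out = subprocess.run(["ipconfig"], capture_output=True, text=True,
                         check=True).stdout
    state = decide(out)
    # Assumption: the VPN vendor ships a command-line launcher named
    # vpnclient.exe that accepts "connect"/"disconnect". Substitute the
    # real client command or service name.
    if state == "remote":
        subprocess.run(["vpnclient.exe", "connect"], check=False)
    elif state == "office":
        subprocess.run(["vpnclient.exe", "disconnect"], check=False)
    return state


# Constructed sample outputs (not captured from a real machine).
SAMPLE_OFFICE = """
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 10.10.42.17
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.10.0.1
"""

SAMPLE_HOME = """
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Wireless Network Connection:

   Autoconfiguration IPv4 Address. . : 169.254.7.9
"""

if __name__ == "__main__":
    print(main())
```

One caveat a practitioner should keep in mind: an address in the head-office range is not proof of being in the head office. Any hotspot or DHCP server the laptop joins can hand out an address from that range and the script will then skip the tunnel, leaving the machine on an untrusted network without the protection the question is trying to enforce. If the VPN product offers it, a check that the real internal network is reachable (for example, resolving a name that only the internal DNS serves, or connecting to an internal server and verifying its certificate) is a much stronger trust signal than the local address alone.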
Related Q&A from Retired Expert - Mark Tuomenoksa