You're not alone in this philosophy. Many companies want to ensure that laptops never connect directly to the Internet, but instead route all traffic through a centralized firewall. For remote users, the easiest way to do this is by disabling "split tunnels" in the VPN client software. By doing this, you force ALL traffic to pass through the VPN tunnel, not just private corporate traffic. At the other end, your VPN gateway will need to redirect this traffic to the appropriate firewall or network gateway.
The tricky part is what to do when people are sometimes connected from within the head office and other times connected outside the head office. Within the office they don?t need to establish a VPN session; in fact, they don't want to establish a VPN connection. So, the question is: "How do I force a VPN tunnel to be established when I'm not in the head office and stop the VPN tunnel from being established when I am in the head office?"
Some VPN clients are smart and will not establish a tunnel if they recognize that the network they want to connect to virtually is also the network they are connected to physically. However, this is not the case for most. In this case, you will need to automate the initiation of the client software. One neat trick I've seen is to use a .bat file that is run at boot time to enable the VPN client if you are out of the building and disable the VPN client if you are in the building. The .bat file runs an ipconfig command to look at the PC's IP address. If the address is in the IP range of the head-office, the .bat file does not enable the client. However, if the PC's IP address is not in the range of the head office LAN, the VPN client is enabled.
This was first published in October 2002