Centralized control and access to tablets

    Question

  • Dear Friends,

    I am looking for a solution wherein around 500 devices (laptops and Android tablets) will be distributed to end users, and we don't want them to go on the public internet; we want their access to be controlled. All they can access is a website which is hosted on a public server, and the only way they can go to the internet is by making a secure (VPN) connection to the central server. After authentication, or maybe some other kind of mechanism which only allows connections from these laptops and Androids, they can access the above-said website and the internet traffic which we allow.

    So in this case I am not sure how we can accomplish this, and what technology needs to be used (servers, services). Guys, please share your experience if someone has come across this kind of setup, and also, if possible, some info on bandwidth, VPN and central access to the website/data.



    Thanks
    Happiness Always
    Jatin


    • Edited by 'Jatin' Sunday, January 27, 2013 6:14 PM
    Sunday, January 27, 2013 6:13 PM

Answers

  • Hi Jatin,

    In relation to formatting, you could disable the boot-from-CD/USB option and password-protect the BIOS settings. Someone with good knowledge could probably get around this, but it will add a hindrance to anyone who does not have that knowledge. I'm not sure if there is an easy way to achieve this apart from using a custom BIOS version.

    As for Android, my knowledge is limited on this one as I don't have much experience with them.

    Kind Regards,

    Martin


    If you find my information useful, please rate it. :-)

    Monday, January 28, 2013 2:00 PM

All replies

  • There are some Microsoft solutions for controlling resource access through VPN, but I am not sure about the Android tablets. Microsoft already has a solution for securing mobile access, but I think it works only with Windows Phone devices. http://technet.microsoft.com/en-us/magazine/2008.05.scmdm.aspx

    Other Microsoft solutions that can accomplish secure control over VPN are Forefront TMG 2010 with NAP (http://technet.microsoft.com/en-us/library/dd182017.aspx), so I think the easiest solution would be to configure NAP with VPN enforcement and configure resource access policies and connection access policies. http://technet.microsoft.com/en-us/library/dd182017.aspx


    http://mariusene.wordpress.com/


    Sunday, January 27, 2013 6:54 PM
  • Hi Jatin,

    In my opinion the best way to proceed with this project is as follows:

    1. Set up a VPN server using any preferred VPN software you have in mind (OpenVPN is nice). I personally use PFSense, which is Linux based and free. It also supports LDAP from Active Directory, which is nice in terms of user admin. It is a full-blown firewall/DNS/DHCP etc., but it gets the job done.

    2. Once your VPN server is in place, import your users from Active Directory or just input them manually.

    3. On the VPN server, generate SSL certs for all users (make them unique to each user for extra security).

    4. Install the appropriate VPN client on the laptops (you can do this via GPO on the server if you wish).

    5. Deliver the SSL certs to the client laptops, also using GPO.

    6. Configure the VPN server to force all traffic via the tunnel. (This is important: it will ensure that while the laptop is connected to the VPN, it will only use the VPN connection and not the employee's home connection for web access.)

    7. Configure your firewall as appropriate (i.e. block what you want blocked and allow what you would like to allow). Note: if you have an internal web server that sits on an IP, you can create a DNS entry such as mywebserver.local which points to 192.168.x.x or whatever the IP is.

    8. Save the config and test. Adjust to taste. The good thing about this is that any DNS/firewall changes made in the business will automatically apply to the users on VPN.

    9. Additional parameters can be set, such as allowed login times, timeouts, etc. This can all be configured as per your company policy.

    As I said in the beginning of this reply, I use PFSense and highly recommend it (http://www.pfsense.org/). To set it up all you need is a reasonable PC (a Pentium 4 with 1 GB of RAM is loads) and two network cards. You can designate the cards as WAN and LAN (WAN being your internet connection entry point, which PFSense will use PPPoE to authenticate with your ISP; LAN will then feed into your switch environment).

    You can also add additional cards to control wifi and other connection types.

    If you need any further in-depth information please let me know.

    Martin


    If you find my information useful, please rate it. :-)

    Monday, January 28, 2013 12:49 AM
  • Wow Martin, you are a champ. Thanks for the explanation. I think I am almost close to this; the only thing I am missing is any idea how to do the same on Android. Not sure how this will work. And one more thing: are you saying we only need VPN software, not proxy software? Like when I am on home internet, or some other public internet, how can I force a laptop which is anywhere in the world not to connect to that internet and initiate a VPN session first, and then use my internet for all the traffic, not the public internet?

    Let me put it this way: how can I force the user to create a VPN session first and not be able to use the internet from any other place?

    Really appreciate your help...



    Thanks
    Happiness Always
    Jatin


    • Edited by 'Jatin' Monday, January 28, 2013 5:01 AM
    • Proposed as answer by Martin G Evans Monday, January 28, 2013 5:08 AM
    • Unproposed as answer by Martin G Evans Monday, January 28, 2013 5:08 AM
    Monday, January 28, 2013 5:01 AM
  • Hi Jatin,

    In relation to forcing a VPN connection prior to Windows logon, you can achieve this with OpenVPN using the following means.

    (This is only tested on XP, but I'm sure it's similar in 7.) Test it on a virtual machine to be sure so you don't mess up a production machine.

    OPEN VPN MODIFICATION

    • Go to START -> CONTROL PANEL -> ADMINISTRATIVE TOOLS -> SERVICES
    • Right click on OPENVPN and select PROPERTIES
    • Change STARTUP TYPE to AUTOMATIC
    • Click OK
    • Close the Services window
    • Close the Administrative Tools window
    • Close Control Panel

    REGISTRY MODIFICATION

    • Go to START -> RUN -> REGEDIT
    • Drill down to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Locate the entry for "openvpn-gui"
    • The command reference should say:
    C:\Program Files\OpenVPN\bin\openvpn-gui.exe
    Change it to:
    C:\Program Files\OpenVPN\bin\openvpn-gui.exe --connect sitename.ovpn
    ...where sitename is customized for your specific site.

    • Close RegEdit

    (Source: Ninga @untangle.com)

    In relation to Android, there is an OpenVPN app on Google Play. I'm not sure how, or if, it's possible to force a connection on boot of the tablet, as I have never experimented with Android apart from installing the VPN client for mail access.

    Martin


    If you find my information useful, please rate it. :-)


    Monday, January 28, 2013 5:12 AM
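The following is an added example, not code from this thread or from OpenVPN. It scripts the client side of Martin's advice above (service set to Automatic, the openvpn-gui Run key with --connect, and a profile that forces all traffic through the tunnel as in his step 6), and adds the piece that actually answers Jatin's "force a VPN session first" question: a host-firewall kill switch, since redirect-gateway only takes effect while the tunnel is up and does nothing to stop the laptop using a home or hotel connection directly. It assumes a Windows 8 / Server 2012 or later client (the NetSecurity cmdlets do not exist on XP or 7), the legacy OpenVPN 2.3 service name OpenVPNService, and placeholder values for the server address, port, TAP adapter name and per-device certificate, all marked as assumptions in the comments.

```powershell
# Added example, not from the thread. Run as Administrator on a Windows 8 /
# Server 2012 or later client with the OpenVPN community client installed.
# Every value marked "assumption" is a placeholder for your own environment.

$ErrorActionPreference = 'Stop'

$OpenVpnDir  = 'C:\Program Files\OpenVPN'   # install path used in Martin's post
$ProfileName = 'sitename.ovpn'              # placeholder name from Martin's post
$VpnAddr     = '203.0.113.10'               # assumption: VPN server public IP (an IP, not a name, so no DNS is needed before the tunnel is up)
$VpnPort     = 1194                         # assumption: OpenVPN UDP port
$TapAlias    = 'OpenVPN TAP'                # assumption: TAP adapter name as shown in ncpa.cpl
$DeviceCert  = 'jatin-laptop-01'            # assumption: per-device cert/key basename (Martin's step 3)

# 1. The OpenVPN service starts every profile in config\ at boot, i.e. before
#    anyone logs on (Martin's "Services" step). Service name is OpenVPN 2.3's.
Set-Service -Name 'OpenVPNService' -StartupType Automatic

# 2. Make the tray GUI connect the same profile at logon
#    (Martin's registry step, done with Set-ItemProperty instead of regedit).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Set-ItemProperty -Path $runKey -Name 'openvpn-gui' `
    -Value "`"$OpenVpnDir\bin\openvpn-gui.exe`" --connect $ProfileName"

# 3. Client profile. "redirect-gateway def1" puts the default route into the
#    tunnel even if the server does not push it (Martin's step 6);
#    "remote-cert-tls server" stops a stolen client cert being used to
#    impersonate the server to other laptops.
$profile = @"
client
dev tun
proto udp
remote $VpnAddr $VpnPort
nobind
persist-key
persist-tun
ca ca.crt
cert $DeviceCert.crt
key $DeviceCert.key
remote-cert-tls server
redirect-gateway def1 bypass-dhcp
verb 3
"@
Set-Content -Path "$OpenVpnDir\config\$ProfileName" -Value $profile -Encoding Ascii

# 4. Kill switch. Default outbound = Block, then allow exactly two things:
#    the OpenVPN handshake to the server, and anything sent over the TAP
#    adapter (which is, by definition, inside the tunnel). Remove any rules
#    from an earlier run first so the script is safe to re-apply via GPO.
Get-NetFirewallRule -DisplayName 'VPN-First:*' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

New-NetFirewallRule -DisplayName 'VPN-First: OpenVPN handshake' `
    -Direction Outbound -Action Allow -Program "$OpenVpnDir\bin\openvpn.exe" `
    -Protocol UDP -RemoteAddress $VpnAddr -RemotePort $VpnPort

New-NetFirewallRule -DisplayName 'VPN-First: traffic inside the tunnel' `
    -Direction Outbound -Action Allow -InterfaceAlias $TapAlias

# The built-in DNS rule would let the resolver talk to the home router over
# the physical adapter, leaking names (and, before the tunnel is up, giving
# working internet). Disable it: DNS then only works through the tunnel.
Disable-NetFirewallRule -DisplayName 'Core Networking - DNS (UDP-Out)'
```

Two things to check before rolling this out to 500 laptops. First, because local DNS is blocked, the VPN server has to push a resolver that is reachable through the tunnel (for OpenVPN, a `push "dhcp-option DNS <internal-ip>"` line on the server), otherwise name lookups fail even while connected. Second, the whole arrangement only holds if the user is not a local administrator, as Jatin already notes for AD: an admin can change the firewall profile or delete the Run key, so deploy the script and the firewall settings through GPO, where they are re-applied on every refresh, rather than relying on a one-off run.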
  • Thanks Martin. Martin, is there any way to stop a user from formatting the device? As I can see, with AD we can restrict the user from any admin changes, but what if someone formats the laptop or Android and then gets full access to the internet without coming through our system?

    Secondly, any idea if there is any admin kind of thing in Android where a user can log in, like on laptops we can log in with any account? Any idea how this can be done if 5 users use the same Android?



    Thanks
    Happiness Always
    Jatin


    • Edited by 'Jatin' Monday, January 28, 2013 6:27 AM
    Monday, January 28, 2013 6:27 AM