Grant user internet access with Group Policy upon the VPN connect

  • Question

  • Hey, All

    Here is a request that came in, but I am not really that Windows savvy, so I decided to throw it here for some suggestions:

    My customer wants to have corp laptops secured, which means they only want staff to surf the internet after the IPsec VPN is already built. I am thinking that Group Policy might help in this way:

    The end user logs in to the laptop, but the laptop does not give any internet access even if it connects to a network. The user has to launch the VPN client to build the IPsec tunnel, then internet activity is resumed.

    As I am not really that savvy on Windows, I would need some suggestions on the how-to and where-to parts.

    Thanks,

    /S

    Monday, March 26, 2012 6:52 PM

Answers

  •  
    > I was also thinking about pushing proxy setting via GP but I also want
    > to block other traffic besides HTTP(s) before the user builds the VPN.
    >
     
    There's a quite simple way to achieve that:
     
    combine a "dummy" proxy with a pac file provided through the real proxy.
     
    If the real proxy (and thus the pac file) is reachable, it will be used.
    If not, the dummy proxy will be used.
     
    sincerely, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    • Proposed as answer by Elytis Cheng Tuesday, March 27, 2012 7:52 AM
    • Marked as answer by Elytis Cheng Tuesday, April 3, 2012 8:58 AM
    Tuesday, March 27, 2012 6:25 AM

All replies

  • If I am understanding what you are trying to do correctly, Group Policy is not really what you want, as GP does not apply on VPN connection.

    If I am understanding correctly, what you would want to do is have an internal proxy server that is only available when the VPN is connected and use Group Policy to set the address in IE's connection settings.

    Monday, March 26, 2012 7:16 PM
  • Thanks :)

    I was also thinking about pushing proxy setting via GP but I also want to block other traffic besides HTTP(s) before the user builds the VPN.

    Any other possible method(s) within the Microsoft range?

    Monday, March 26, 2012 8:07 PM
  • > Thanks :)
    >
    > I was also thinking about pushing proxy setting via GP but I also want to block other traffic besides HTTP(s) before the user builds the VPN.
    >
    > Any other possible method(s) within the Microsoft range?

    If you set the proxy settings and the proxy server is unreachable because the VPN is not connected, then you won't get any Internet Explorer traffic.

    As for other traffic, it all depends on what it is you wish to block?

     
    Monday, March 26, 2012 8:27 PM
  • Thanks for the info. I guess it is really obvious for other people, but what is a PAC file?
    Tuesday, March 27, 2012 12:14 PM
  • As for other traffic, really just other usual TCP/UDP traffic, like email, RDP, Citrix, etc.
    Tuesday, March 27, 2012 12:15 PM
  •  
    > Thanks for the info. I guess it is really obvious for other people,
    > but what is a PAC file?
     
    A short piece of JavaScript - PAC stands for "Proxy Auto Configuration"
    and was introduced by Netscape many years ago. Point a search engine of
    your choice to "proxy.pac"...
     
    sincerely, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Wednesday, March 28, 2012 5:55 AM
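
A sketch of the PAC file the accepted answer describes, added here as an example and not code from any poster in the thread. The proxy name `proxy.corp.example:8080`, the domain `corp.example` and the dummy address `127.0.0.1:9` are assumptions made up for illustration.

```javascript
// proxy.pac -- constructed example. Host it on the internal proxy so it can
// only be downloaded once the VPN tunnel is up.
// Client side (assumed values): auto-config script URL points at this file,
// and the manual "dummy" proxy is 127.0.0.1:9, where nothing listens.
// Written in ES3 style because older Windows PAC engines run JScript.

var REAL_PROXY = "PROXY proxy.corp.example:8080"; // assumed name
var INTERNAL_SUFFIX = ".corp.example";            // assumed internal domain

// True when host is the internal domain itself or a name beneath it.
// Anchored at the end of the string, so "corp.example.attacker.test"
// and "evilcorp.example" do not match.
function isInternalHost(host) {
  var h = host.toLowerCase();
  if (h === INTERNAL_SUFFIX.substring(1)) return true;
  var at = h.length - INTERNAL_SUFFIX.length;
  return at >= 0 && h.indexOf(INTERNAL_SUFFIX, at) === at;
}

// True for single-label names such as "intranet" (no dot, not an IPv6 literal).
function isSingleLabel(host) {
  return host.indexOf(".") === -1 && host.indexOf(":") === -1;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Intranet names are only reachable over the VPN; skip the proxy for them.
  if (isSingleLabel(host) || isInternalHost(host)) {
    return "DIRECT";
  }
  // Everything else goes to the real proxy with no "; DIRECT" fallback,
  // so a proxy outage never turns into unfiltered internet access.
  return REAL_PROXY;
}
```

Proxy settings like these only steer proxy-aware HTTP(S) clients; the other TCP/UDP traffic asked about in the thread (email, RDP, Citrix) is not affected by them.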