Gateway on remote network


  • Gateway on remote network

    We're having a problem.

    Company policy states that users cannot use the internet unless the site is on a whitelist, so we're using an IPCop proxy on the network and set all the browsers to that proxy.

    Great, the users have restricted internet! But....

    Some users made a VPN tunnel to customers, and guess what, the option "Use gateway on remote network" is on! So they can use the internet without the proxy!

    How and where can I disable that option for all users on the domain?!

    Thanks in advance!

    (btw, I am a flying Dutchman... sorry for my English grammar)

  • #2
    Re: Gateway on remote network

    I think the only way is to set the proxy server in IE by GPO without allowing to change it.
    Otherwise, this cannot be done afaik.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Gateway on remote network

      Originally posted by Dumber
      I think the only way is to set the proxy server in IE by GPO without allowing to change it.
      Otherwise, this cannot be done afaik.

      But that is what we have already done.

      But the Microsoft VPN just overrides it!



      • #4
        Re: Gateway on remote network

        I think I know what the problem is.
        You've configured the proxy within the LAN settings.

        However, I'm sure you need to configure a bit more advanced and configure the proxy settings for the VPN connection within IE.
        I think there is no GPO for that but I'm not sure (I can't check it right now because currently I'm on a Mac).

        In that case you cannot manage it; you need to instruct the users and set up a company security policy.
        In this document you need to tell everything that isn't allowed by the company.
        Any violation of this policy should be punished in some way.

        But just for my curiosity, why are you so afraid of the internet?


        • #5
          Re: Gateway on remote network

          You can manually configure the VPN to not use the gateway on the remote network and then set a GPO to not allow users to modify the properties of the VPN connection.



          • #6
            Re: Gateway on remote network

            I thought that the option most of the time was greyed out?
            And not using the gateway can give nasty problems, e.g. routing...
            I've quite a lot of customers who use different subnets for the VPN connections.
            Last edited by Dumber; 9th November 2007, 00:01.


            • #7
              Re: Gateway on remote network

              Well I'm sure the customer doesn't appreciate your users using their internet connection, so I would definitely find a way to resolve this.



              • #8
                Re: Gateway on remote network

                If you're using Windows Routing and Remote Access, assign your company PPTP_VPN user account(s) static IP addresses. Configure the client's firewall/router, either ISA if they are running it or the actual gateway itself, to block all external traffic from that source IP. That way, unless they go into AD on the client's server and change it, they cannot get internet access.

                Cheers,

                Andrew



                • #9
                  Re: Gateway on remote network

                  This query had me looking into this a little further as I thought it's a possible solution that users could be doing at my workplace. One way I can see to fix this problem is by putting out a default VPN RAS phonebook.
                  C:\Documents and settings\all users\application data\microsoft\network\connections\pbk\rasphone.pbk

                  If you need different files for different people then that is fine, just modify as needed and copy the file to the PC on logon using group policy. Then also create another group policy that disables modifying or adding network connections. I haven't played with it yet so I'm not sure if you can lock out modifications with RAS connections as well as LAN connections. But another solution if group policy doesn't work: use CACL to remove Everyone user account permissions on the rasphone.pbk file and only give domain users read access and give domain admins write access. Then they cannot modify or delete the file.

                  The line that needs to be changed for each connection is IpPrioritizeRemote=1; change it to IpPrioritizeRemote=0 for each connection in the pbk file.

                  Hope that helps.

                  Cheers,

                  Andrew
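
The phonebook check described in post #9, as an added example that is not part of the original thread: a PowerShell script that lists each connection's IpPrioritizeRemote setting and, with -Fix, resets it to 0 after keeping a backup. The INI-style file layout, the -Path and -Fix parameter names and the sample entries are assumptions made for this example.

```powershell
# Added example. Assumptions: the phonebook is INI-style text ([entry] headers,
# key=value lines) and the script runs in Windows PowerShell with admin rights.
param(
    [string]$Path,   # e.g. the all-users rasphone.pbk path quoted in the post
    [switch]$Fix     # rewrite IpPrioritizeRemote to 0 (keeps a .bak copy)
)

function Get-PbkGatewaySetting {
    param([string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            $entry = $Matches[1]                      # start of a new connection
        }
        elseif ($entry -and $line -match '^IpPrioritizeRemote=(\d+)\s*$') {
            [pscustomobject]@{
                Entry             = $entry
                UsesRemoteGateway = ($Matches[1] -ne '0')
            }
        }
    }
}

# Constructed sample phonebook, used only when no -Path is given.
$sample = @'
[Customer A]
IpPrioritizeRemote=1

[Customer B]
IpPrioritizeRemote=0
'@ -split "`r?`n"

$lines  = if ($Path) { @(Get-Content -LiteralPath $Path -ErrorAction Stop) } else { $sample }
$report = @(Get-PbkGatewaySetting -Lines $lines)
$report | Format-Table -AutoSize

$bad = @($report | Where-Object { $_.UsesRemoteGateway })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} connection(s) send all traffic via the remote gateway" -f $bad.Count)
}
if ($Fix -and $Path -and $bad.Count -gt 0) {
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    $lines -replace '^IpPrioritizeRemote=\d+\s*$', 'IpPrioritizeRemote=0' |
        Set-Content -LiteralPath $Path
}
```

Run without arguments it reports on the constructed sample; run from a startup script with -Path it gives a per-machine audit of which VPN entries bypass the local proxy.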
