Corporate Wireless policies

Our corporate laptops are restricted to only allow internet access through our proxy (connection profile in Internet Explorer pushed through a GPO). On a remote/3rd party connection this is allowed by creating a VPN back to the corporate network (Cisco VPN Client -> Cisco ASA), at which point the proxy is available and we route all internet traffic through that.

We have recently had the question raised by one of our users who was attempting to use a Wireless connection on a train. The train company requires that the user fills in a form hosted on their own network.

The problem we had was that the user wasn't able to get to the train company's internal page as the proxy wasn't available. They couldn't connect the VPN as they hadn't completed the train company's logon page.

We considered that we could specify this page in the 'bypass proxy for this address...' list, which would allow a connection to only that page; this was rejected as we would then have to start adding every train company, hotel and public hotspot that works in this way (which must be a list of thousands).

Second suggestion was to allow connections to any local network range (10.* or 192.*), but the implications with regards to security seemed too dangerous. Plus the page offered up by the train company would be http://virginrailwifisignup page and not http://192.168.1.1.

At which point we were stumped. The now familiar cry went up in the office, "we can't be the only ones who have had this problem", but I haven't been able to find anyone who has mentioned a useful solution.

So I ask you, Server Fault, how have you managed this?

Worth noting, we provide all our mobile users with 3G connections for when they are out and about; they VPN back in over that, but it's flaky as hell on a train.


Solution 1:

Our corporate laptops are restricted to only allow internet access through our proxy (connection profile in Internet Explorer pushed through a GPO).

Pushing settings to a connection profile in IE, you don't only allow internet access through your proxy. You just make a notion about internet access through your proxy, and increase accessibility.

If I understand correctly, what you want is to have users connect to your VPN in order to access the internet, thus using your proxy. If that's the case you have to be careful, because now all potential malware/attacks get routed through your network.

By default in most Windows versions after XP, when you connect to a VPN you are using the default gateway on the remote network. Thus you have to ensure that this setting stays like this. You can accomplish that through your GP or CMAK, by a script, or even by doing it manually as a leveraged user once for every machine.

But on web-based logins your users have to access some random website (and thus the internet)! This is where Network Location Awareness kicks in:

The Group Policy client will apply policy settings whenever domain controller availability returns. Examples of connection events that trigger Group Policy processing include establishing VPN sessions, recovering from hibernation or standby, and the docking of a laptop. This benefit can potentially increase the level of security on the workstation by more quickly applying Group Policy changes.

So if your user establishes a connection to a network other than your work network, you will trigger your VPN connection and all is good.

I have to admit it's not an easy job, especially when there is client diversification.

The other way of going around it is locking everything down, disabling the lot of it, and making another user account for usage outside your VPN and forcing other kinds of limitations (e.g. no videos, audio, specific domains, etc.).

Yet another way is to block certain ports from a specific connection, or limit the access to your VPN, e.g. no access to internal servers.
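The answer above suggests keeping "Use default gateway on remote network" enabled by script. The following is an added example, not code from the answer or the question's environment: it audits the Windows built-in VPN phonebook (rasphone.pbk) for entries where that setting has been switched off (split tunnelling), so a machine that would send internet traffic around the corporate proxy can be spotted. It assumes the built-in Windows VPN client; the Cisco VPN Client in the question stores its own profile settings, and the connection name 'Corp VPN' in the final comment is a placeholder.

```powershell
# Added example (not from the original answer). In rasphone.pbk the key
# IpPrioritizeRemote=1 means "Use default gateway on remote network"
# (full tunnel); 0 means split tunnelling, which bypasses the proxy.
function Get-VpnGatewayPolicy {
    # Per-user and all-user phonebooks
    $pbkPaths = @(
        (Join-Path $env:APPDATA    'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
        (Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
    )
    foreach ($pbk in $pbkPaths) {
        if (-not (Test-Path $pbk)) { continue }
        $entry = $null
        foreach ($line in Get-Content -Path $pbk) {
            # A phonebook is INI-like: [EntryName] followed by key=value lines
            if ($line -match '^\[(.+)\]$') { $entry = $Matches[1]; continue }
            if ($entry -and $line -match '^IpPrioritizeRemote=(\d)$') {
                [pscustomobject]@{
                    Phonebook   = $pbk
                    Entry       = $entry
                    FullTunnel  = ($Matches[1] -eq '1')
                }
            }
        }
    }
}

# Report every VPN entry and flag those that route internet traffic directly
Get-VpnGatewayPolicy |
    Sort-Object FullTunnel |
    Format-Table Entry, FullTunnel, Phonebook -AutoSize

# On Windows 8 / Server 2012 and later the VpnClient module can enforce the
# setting directly (connection name is a placeholder):
# Set-VpnConnection -Name 'Corp VPN' -SplitTunneling $false -AllUserConnection
```

Run it under the user's own account to see per-user entries and elevated to see the all-user phonebook; any entry reporting FullTunnel = False is one that would let browsing bypass the proxy once the VPN is up.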