SecureClient will do it easily. Its "hub mode" (if activated) sets a new default route so ALL traffic from the client is forced down the VPN to the gateway. Depending on its destination, the gateway will either send it to the Internet unencrypted or to the internal networks. It does mean that people can't use their wireless printers when connected via VPN anymore, because everything (even the private IP for the wireless printer) is sent to the gateway.
If you don't want hub mode, you can still set a desktop policy. We actually do both. You have two rule bases, one when VPNed in and one when not.
The "[EMAIL PROTECTED]" rules govern what the laptop can do when NOT connected to the VPN. Rather than open it up, we block a number of outbound services, such as SMTP (to stop viruses with their own email engine from propagating), POP2, POP3, IMAP (to block personal email access), the peer-to-peer group, etc. Obviously we block all inbound as well except for DHCP.
When VPNed in, the rulebase simply allows all traffic to your internal network as prudent and drops traffic going elsewhere.
Changes in the policy as set on SmartCenter will get picked up at the next login or sooner if they are already connected when you make the change.
HTH,
Ray
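The two rule bases Ray describes (one applied while the laptop is off the VPN, one while it is connected) and the routing effect of hub mode can be modelled in a few lines. The following is an added example, not code from Ray's post or from Check Point's SecureClient: the rule representation, the service port numbers for the "peer-to-peer group", the 10.0.0.0/8 internal network and the symbolic next hops are all constructed assumptions.

```python
"""Toy model of a SecureClient-style desktop policy and of hub-mode routing.
Added example; not Check Point code. Networks and P2P ports are placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, List, Tuple

GATEWAY = "vpn-gateway"      # assumption: symbolic next hop for the VPN gateway
LOCAL_LAN = "local-lan"      # assumption: the client's physical LAN (home Wi-Fi etc.)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed internal network

# Service groups. Well-known ports for the named mail services; the P2P ports
# are constructed placeholders standing in for the real "peer-to-peer group".
SMTP = frozenset({25})
PERSONAL_MAIL = frozenset({109, 110, 143})     # POP2, POP3, IMAP
P2P_GROUP = frozenset({6881, 6882})            # placeholder ports
DHCP = frozenset({67, 68})


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (towards the laptop) or "out" (from the laptop)
    proto: str       # "tcp" or "udp"
    dport: int
    dst: str         # destination IP as text


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: Optional[str]                   # None = any protocol
    ports: Optional[FrozenSet[int]]        # None = any port
    dst: Optional[ipaddress.IPv4Network]   # None = any destination
    action: str                            # "accept" or "drop"
    name: str

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != self.direction:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.ports is not None and pkt.dport not in self.ports:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return True


# Rule base used when NOT connected: block selected outbound services and all
# inbound except DHCP, allow the rest of the outbound traffic.
OFFLINE_RULES: List[Rule] = [
    Rule("in", "udp", DHCP, None, "accept", "allow-dhcp"),
    Rule("in", None, None, None, "drop", "block-inbound"),
    Rule("out", "tcp", SMTP, None, "drop", "block-smtp"),
    Rule("out", "tcp", PERSONAL_MAIL, None, "drop", "block-personal-mail"),
    Rule("out", "tcp", P2P_GROUP, None, "drop", "block-p2p"),
    Rule("out", None, None, None, "accept", "allow-other-outbound"),
]

# Rule base used while connected: only traffic to the internal network, no
# split tunnel to anywhere else.
VPN_RULES: List[Rule] = [
    Rule("out", None, None, INTERNAL, "accept", "vpn-to-internal"),
    Rule("out", None, None, None, "drop", "vpn-drop-rest"),
    Rule("in", None, None, None, "drop", "vpn-block-inbound"),
]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; an implicit cleanup rule drops anything else."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "drop", "implicit-cleanup"


def desktop_policy(vpn_connected: bool, pkt: Packet) -> Tuple[str, str]:
    """Select the rule base by VPN state, as the two desktop policies do."""
    return evaluate(VPN_RULES if vpn_connected else OFFLINE_RULES, pkt)


def next_hop(dst: str, hub_mode: bool) -> str:
    """Where a connected client routes a packet. Hub mode installs a default
    route to the gateway, so even a LAN printer's private IP goes down the tunnel;
    without it only internal destinations use the tunnel."""
    if hub_mode or ipaddress.ip_address(dst) in INTERNAL:
        return GATEWAY
    return LOCAL_LAN


if __name__ == "__main__":
    # Constructed sample traffic: an outbound SMTP attempt while offline and a
    # wireless printer on the home LAN while connected in hub mode.
    print(desktop_policy(False, Packet("out", "tcp", 25, "203.0.113.5")))
    print(next_hop("192.168.1.50", hub_mode=True))
```

The `next_hop` check reproduces the side effect Ray mentions: with hub mode on, a packet for the printer at 192.168.1.50 is handed to the gateway rather than the local LAN, so the printer is unreachable until the client disconnects.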
From: [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: [FW-1] securing vpn
Date: Tue, 15 Mar 2005 13:30:27 -0500
Hi All
I am required to implement security for VPN clients. Does anyone here know the best way to do this? I've seen some posts on Desktop Security Policy and I think it will do the job for me; however, what I would like to do is to implement it in this way: while the VPN client is connected to the VPN, the client has to do all its activity via the VPN connection (no split tunnel).
If anyone has done this or knows the best way to handle this, please let me know.
thanks
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
