
VPN: Force remote gateway on clients


mst3k

IS-IT--Management
Apr 29, 2002

Hello,

Can anyone inform me how I can force a Windows VPN client to use the default gateway on the remote network from the server side?

All I can find via Google is how to change the setting on the client, and that's not what I want. I also see terms related to multilink but I don't think that's what I want either.

The goal is to force anyone connecting to our VPN to use our gateway, and if they uncheck that option in the VPN client they can't connect (or more accurately can't send any data).

Reasoning is that we use a webfilter with business rules, and if someone connects to the vpn without using our gateway they can circumvent these rules.

Server: 2003
Clients: XP

Thank you!
 
That's known as a full tunnel, as opposed to a split tunnel. For clarification, are you using the VPN client built into Windows, or a Windows based VPN client like that from Cisco?

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 

Thank you for the reply,

We use the built-in Windows VPN client. I can't rely on pushing a group policy to the device since it could be a user's home machine and not a member of our domain.

Thanks again,
 
Well, on the other end of the VPN, what is that device, i.e. Firebox, Cisco PIX/ASA? You should be able to route the VPN traffic to the appropriate gateway.
 

We have a Cisco ASA, but that just forwards PPTP & GRE to a Windows 2003 Server running RRAS.
 
OK, so you can set a route on the RRAS server. Also, what you can do is just have the clients put the web filter in the proxy server setting, then on the ASA make an ACL to deny all web traffic not destined for the web filter (or any other internal web servers). That way if they don't put the proxy server in they will not be able to surf the web unchecked.
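
Added example, not part of the original thread: one way the ASA ACL suggested in the last reply could look. The ACL name, the VPN client pool, the web filter and web server addresses, and the proxy port are all constructed, and it assumes RRAS routes the pool without NAT and that the web filter is reached through the ASA.

```cisco
! Constructed values (assumptions, not from the thread):
!   VPN client pool    192.168.50.0/24 (handed out by RRAS, not NATed)
!   web filter/proxy   10.0.10.10, TCP 8080
!   internal web srv   10.0.10.20
! ASA ACLs are evaluated first-match, so the permits must precede the denies.
access-list VPN_WEB remark VPN clients may reach the web filter proxy port
access-list VPN_WEB extended permit tcp 192.168.50.0 255.255.255.0 host 10.0.10.10 eq 8080
access-list VPN_WEB remark VPN clients may reach the internal web server
access-list VPN_WEB extended permit tcp 192.168.50.0 255.255.255.0 host 10.0.10.20 eq www
access-list VPN_WEB extended permit tcp 192.168.50.0 255.255.255.0 host 10.0.10.20 eq https
access-list VPN_WEB remark All other HTTP/HTTPS from VPN clients is dropped
access-list VPN_WEB extended deny tcp 192.168.50.0 255.255.255.0 any eq www
access-list VPN_WEB extended deny tcp 192.168.50.0 255.255.255.0 any eq https
access-list VPN_WEB remark Non-web traffic is left to the rest of the policy
access-list VPN_WEB extended permit ip any any
! Binding replaces any ACL already applied inbound on this interface;
! in practice these entries are merged into the existing one.
access-group VPN_WEB in interface inside
```

The ACL only sees traffic that actually crosses the ASA, and the deny entries match TCP ports 80 and 443 only.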
 