CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
If I'm using office mode VPN tunnel for my desktop clients, when they authenticate and download the desktop policy to their computers, I've restricted them to certain sites. But when not connected to the VPN, should they still be able to browse any sites they like? Or does the desktop policy still enforce on their desktop even though not connected to the VPN? I just want to clarify the default behaviour. It seems when they disconnect from the VPN, the policy still enforces on their computer, so they are unable to browse sites unless services are stopped.

Whilst the VPN client is active then the policy is running whether the VPN tunnel is active or not. You need to allow the policy to allow outbound if you want Internet Access.

Thanks for the reply! So by design, whether connected to the VPN or not, the desktop policy is enforced. How do you de-activate the VPN client then? Is it just purely stopping the SecuRemote and watchdog services? Is it not enough just to exit the client?

In the system tray icon, just right click on the icon and select stop VPN-1 Secure Client. Alternatively allow the policy to access the resources anyway, so you don't need to stop the client.

Ah but you see that's the problem. When users stop from the tray icon, the policy is _still_ in effect. They must manually go to the services and stop the associated service to disable the active policy. Any thoughts?

Yes, the policy is still in effect. That is a good thing. Otherwise they would not have a personal firewall running at all. That would be a bad thing. :-)

After your existing Outbound Accept/Encrypt rules but before the Outbound "drop" rules, add a rule something like this (column names are from memory):

Source: All Users@Any
Destination: Any
Service: What you want to allow
Action: Accept

The group "All Users@Any" is a built-in group, not one you have to create, and it means "When not connected by VPN". When they are connected by the VPN, its rule is skipped automatically.

It's a little different with SecureClient. You effectively build both a "when connected" and a "when not connected" desktop policy into one rule base. Individual rules are automatically used or not used depending on which group is specified and whether they are connected by VPN or not.

HTH,
Ray