topic Remote Access VPN with limited acces before VPN tunnel establishment in SASE and Remote Access

Remote Access VPN with limited acces before VPN tunnel establishment

AkosBakos — Tue, 03 May 2022 12:32:22 GMT

Hi All,

I need to implement an RA configuration that fulfill the followings:

Client: Win 10

After connecting to the local network (Wifi or cable) the public internet access must be diabled until the VPN tunnel establishment.

So the user can access his own local network but he will not be able to reach the internet. However after the successful VPN connection he can reach the internet (through full-Tunnel VPN)

All ideas are welcome.

Akos

Re: Remote Access VPN with limited acces before VPN tunnel establishment

G_W_Albrecht — Tue, 03 May 2022 12:37:45 GMT

Use Machine Authentication to connect to VPN before Windows logon and configure Route All Traffic thru GW - that should do it.

Re: Remote Access VPN with limited acces before VPN tunnel establishment

AkosBakos — Tue, 03 May 2022 12:50:17 GMT

Hi,

But in that case when the endpoint does not have network connection at all?
And I forgot an another requirement: VPN login with MFA with RSA....

Akos

Re: Remote Access VPN with limited acces before VPN tunnel establishment

G_W_Albrecht — Tue, 03 May 2022 12:54:16 GMT

Then VPN will not be up, but Internet connection is impossible 8) VPN login with MFA with RSA is not possible with Machine Authentication, so customer should choose if no internet or MFA with RSA is more important. You can also open a TAC ticket for more information or let CP Professional Services do the configuration.

Re: Remote Access VPN with limited acces before VPN tunnel establishment

AkosBakos — Tue, 03 May 2022 13:02:25 GMT

Hi @G_W_Albrecht

Now I am searching for a solution in Harmony Endpoint. Maybe I can define profiles where one point can be if there is no VPN connection the internet access won't work.

Or this is wrong way?

Re: Remote Access VPN with limited acces before VPN tunnel establishment

G_W_Albrecht — Tue, 03 May 2022 13:08:57 GMT

No use, this is impossible - VPN will not connect without internet connection, so Machine Authentication is the solution here. And much better than MFA as the logon is done in the background. You could do MFA with RSA for Windows Logon instead...