topic Re: Preventing users from disconnecting remote access VPN client in SASE and Remote Access

Preventing users from disconnecting remote access VPN client

the_rock — Thu, 18 Mar 2021 14:57:28 GMT

Hey guys,

I know this may sound like a silly question, but not sure if its even possible. I know in dashboard, under global properties you can enable always connect for endpoint clients...BUT, is there any way at all, either for endpoint vpn or sandblast, to actually PREVENT people from disconnecting their vpn session once they connect?

I know there is trac_client_1.ttm file on the firewall where certain endpoint stuff can be modified, but I dont think there is anything for this specifically. Also, trac_defaults on client side has some settings too, but not sure this is one of them.

Thoughts? : )

Andy

Re: Preventing users from disconnecting remote access VPN client

G_W_Albrecht — Thu, 18 Mar 2021 16:01:19 GMT

A possible workaround could be the use of machine certificate RA VPN, connecting automatically before Domain Logon - but you would have to somehow disable the GUI, as the client otherwise is able to disconnect or shutdown the RA client.

Re: Preventing users from disconnecting remote access VPN client

the_rock — Thu, 18 Mar 2021 16:21:50 GMT

Hm...thanks Gunter. Not sure if customer would be okay with that, but do you think its complicated to do?

Andy

Re: Preventing users from disconnecting remote access VPN client

G_W_Albrecht — Thu, 18 Mar 2021 16:47:44 GMT

I had customers using it as a special HF from local SE and contacted me for the latest version, and since GA, i have never heard any complaint or trouble with this feature. Test it8). And try to figure out how to disable the GUI.

Re: Preventing users from disconnecting remote access VPN client

the_rock — Thu, 18 Mar 2021 16:48:19 GMT

If I knew how to do it, would not be posting here, trust me LOL...anyway, let me open TAC case for it.

Re: Preventing users from disconnecting remote access VPN client

PhoneBoy — Thu, 18 Mar 2021 16:52:24 GMT

"Always Connected" is a Global Properties setting.

Re: Preventing users from disconnecting remote access VPN client

G_W_Albrecht — Thu, 18 Mar 2021 17:00:11 GMT

If you can figure out how to disable the GUI, you could leave it with that and Always Connected. I have some experience and would not know how to do it but with an OS hack.Usually, customers want safety for connections first and accept that users disconnect from VPN if they do not use its services. But the idea is valid: all connections from the client go thru company site (and its GW), CP included that a long time ago. But clients can disconnect (to print on their own printer)...

Re: Preventing users from disconnecting remote access VPN client

G_W_Albrecht — Thu, 18 Mar 2021 16:59:35 GMT

A client always can disconnect from VPN or shutdown the client - any way to make this unavailable ?

Re: Preventing users from disconnecting remote access VPN client

the_rock — Thu, 18 Mar 2021 17:03:06 GMT

Hey D,

Yes, Im very familiar with that setting, but thats not what Im looking for. Customer wants to PREVENT users from being able to manually disconnect the vpn client themselves.

Re: Preventing users from disconnecting remote access VPN client

the_rock — Thu, 18 Mar 2021 17:03:45 GMT

Right, thats what this customer is looking for...Personally, I never heard of anyone being able to do so.

Re: Preventing users from disconnecting remote access VPN client

PhoneBoy — Thu, 18 Mar 2021 17:07:13 GMT

That plus ATM mode (removing the GUI) would make it a little more difficult for users to disable the VPN (without knowing the CLI command).
You could also create a disconnected desktop policy that blocks most everything when not connected to the VPN, thus nudging people to keep the VPN on.

Re: Preventing users from disconnecting remote access VPN client

JozkoMrkvicka — Thu, 18 Mar 2021 19:42:40 GMT

Another possible way would be to create script which will do following:

Check every XY seconds/minutes if VPN is established. If not, establish it.

The main question is if such a solution would be possible. Trac.exe info can be used (find string of "Connected"). Maybe cpvn:// command in order to establish VPN in the background.

Just an idea...

Re: Preventing users from disconnecting remote access VPN client

G_W_Albrecht — Thu, 18 Mar 2021 20:54:30 GMT

Oh yes, i forgot ATM mode !

Re: Preventing users from disconnecting remote access VPN client

Bob_Zimmerman — Thu, 18 Mar 2021 22:10:35 GMT

This is probably as good as you're going to be able to get. After all, users could just unplug the computer from their network, unplug their Internet connection, or otherwise block the system's ability to talk to the VPN endpoint.

While I'm not sure I understand why anybody would want to prevent users from disconnecting, it sounds like they're trying to solve a human problem with a technological solution. That never works well.

Re: Preventing users from disconnecting remote access VPN client

the_rock — Thu, 18 Mar 2021 22:52:36 GMT

Yea...I was thinking maybe modify some local files on client side, but they are more asking if this can be done globally from the fw side, which I am not so sure it can be done...

Re: Preventing users from disconnecting remote access VPN client

PhoneBoy — Thu, 18 Mar 2021 23:23:02 GMT

Don't believe it's possible to FORCE always on, nor is it a particularly good idea.
In order for things like DHCP or Captive Portal on a public WiFi hotspot to work, you have to allow the device to connect without VPN for a period of time.

My ask back to the client would be: what problem are you trying to solve by forcing always-on VPN?
If it's to prevent access to specific websites (or whatever), there are other solutions to that problem that don't involve an always-on VPN (and add additional protection to boot).

Re: Preventing users from disconnecting remote access VPN client

G_W_Albrecht — Fri, 19 Mar 2021 08:03:45 GMT

Do you know ATM mode ? sk133174: Enterprise Endpoint Security Windows Client for ATM

Re: Preventing users from disconnecting remote access VPN client

the_rock — Fri, 19 Mar 2021 11:09:32 GMT

I heard about it, but reading up from that link, I dont think that would achieve what customer wants.

Re: Preventing users from disconnecting remote access VPN client

G_W_Albrecht — Fri, 19 Mar 2021 11:43:05 GMT

You can use VPN client only, too (sk172325):

E84.60 Standalone Clients

Platform	Package	Description	Link
Windows	E84.60 Remote Access VPN Clients for ATM	Unattended Remote Access VPN clients, managed with CLI and API and do not have a User interface.	(MSI)
Windows	E84.60 Remote Access VPN Clients for ATM - Automatic Upgrade file	Unattended Remote Access VPN clients, managed with CLI and API and do not have a User interface for automatic upgrade through the gateway. For SmartDashboard-managed clients only.	(CAB)

This documentation is valid for both EPS and RA VPN ATM clients: E80.86 and higher Endpoint Security Client for ATMs Deployment Guide

Re: Preventing users from disconnecting remote access VPN client

the_rock — Fri, 19 Mar 2021 17:14:21 GMT

I guess something to think about...