Sorry PhoneBoy, I didn't get your question. When you said Desktop firewall, did you mean the windows firewall or the EPS firewall with enforced desktop policy?

Before we implemented EPS, we didn't use OS level firewall on workstations / servers. Only the VPN clients had desktop policy applied which kind of worked as an OS firewall.
Now, we decided to use EPS firewall because we were told it was more functional, more granular and easier to manage comparing to desktop policy.
However, when we enforced Endpoint security policy to EPS firewall, the VPN cannot block accessing Internet via the other interfaces anymore. I guess, the VPN might need the desktop policy to block the Internet. But if we applied the desktop policy, we cannot use Endpoint Security firewall.
The other reason we don't want to use desktop policy for all the workstations is that our desktop policy blocks the multicast traffic. We need to access multicast traffic to view the live video on our surveillance system.

Hope I properly answered your question. We just want to restrict that the Internet only go through VPN tunnel. If you know how to do it through VPN or OS firewall, that would be great.

Many thanks!

I mean the EPS firewall with enforced desktop policy.
You should be able to configure the desktop policy to permit multicast. 

1. Desktop policy will bring gateway rules into local firewall. That's one thing I don't want it to happen.

For example, the rule blocking multicast is actually located in gateway instead of directly in desktop policy.

If I use desktop policy, to allow the multicast traffic to go through OS firewall, I have to change the rule on gateway. But we don't want to multicast traffic cross gateway.

2. The other reason we prefer to Endpoint security policy is that as I said it's easier, more functional and more granular. 

For example, we want to make different rules for different computers. It's very easy in smart endpoint console. Just create virtual groups and sign the different policies to them. Add the computers to different virtual groups.

Not sure how to do it in desktop policy.

Any idea to use Endpoint policy and make the Internet only go through VPN?

Thanks!

Actually, you can configure a Desktop Policy in a completely separate layer on the gateway.
You just have to enable the Policy Server on the relevant gateway and add the Desktop policy to the relevant package.
Also, multicast will never cross a gateway unless you configure PIM, even if there is a rule in the policy that allows it.

But, you should be able to do this on the Endpoint side as well in, like you said, a more granular way.
For multicast, in the relevant policy, create a rule like below:

The multicast-net is a network object I created (network 224.0.0.0 mask 224.0.0.0).
You can add this rule to the relevant policy.

Further, you can create a different firewall policy that is used when the client is disconnected. 
It's just a matter of cloning the relevant Endpoint rule, setting the enforcement state to Disconnected, and modifying the policy as appropriate.

Hi PhoneBoy,

Thanks for your response.

When I using Endpoint policy, I don't worry about multicast. The multicast is only a problem when we using desktop policy.

One the Endpoint side, the issue is that I can't lock down Internet with Endpoint policy.

We tried the disconnected policy, however, we are using cloud Endpoint policy server. Even we disconnect VPN, the client is still connected to policy server.

So we can't use it to lock down Internet.

Any idea?

Thanks!

Yeah, that is an issue, since you will always have connectivity to the Endpoint Management Server.
I suspect the answer will be to use the Desktop policy instead of the one from Endpoint.
A TAC case is probably in order.

Hi PhoneBoy,

Is it possible to combine compliance policy and end point policy to achieve it?

Like using compliance policy to detect if VPN connected. If no, let end point policy block the network.

Thanks!