littlewood
Explorer

Block Internet when disconnecting VPN

Hello,

We try to block Internet when users are not connected to the VPN from an external network. It works fine with the standalone VPN client. However, when we recently deployed the Endpoint Security client, things got messed up. We tried to use the Endpoint Security policy for the OS firewall in EPS. With this EPS policy in use, we cannot block Internet when the user is not connected to the VPN. In order to block Internet, we have to enforce the desktop policy on the OS firewall.

Is there a way to use the EPS policy but still be able to block Internet access when the VPN is not connected?

Many Thanks!

8 Replies
PhoneBoy
Admin

Curious why you don't want to use the Desktop Firewall to do this?

littlewood
Explorer

Sorry PhoneBoy, I didn't get your question. When you said Desktop firewall, did you mean the Windows firewall or the EPS firewall with the enforced desktop policy?

Before we implemented EPS, we didn't use an OS-level firewall on workstations / servers. Only the VPN clients had the desktop policy applied, which kind of worked as an OS firewall.
Now, we decided to use the EPS firewall because we were told it was more functional, more granular and easier to manage compared to the desktop policy.
However, when we enforced the Endpoint Security policy on the EPS firewall, the VPN could not block access to the Internet via the other interfaces anymore. I guess the VPN might need the desktop policy to block the Internet. But if we apply the desktop policy, we cannot use the Endpoint Security firewall.
The other reason we don't want to use the desktop policy for all the workstations is that our desktop policy blocks multicast traffic. We need to receive multicast traffic to view the live video on our surveillance system.

Hope I properly answered your question. We just want to restrict the Internet so that it only goes through the VPN tunnel. If you know how to do it through the VPN or the OS firewall, that would be great.

Many thanks!

PhoneBoy
Admin

I mean the EPS firewall with enforced desktop policy.
You should be able to configure the desktop policy to permit multicast. 

littlewood
Explorer

1. Desktop policy will bring gateway rules into the local firewall. That's one thing I don't want to happen.

For example, the rule blocking multicast is actually located in gateway instead of directly in desktop policy.

If I use the desktop policy, then to allow multicast traffic through the OS firewall I have to change the rule on the gateway. But we don't want multicast traffic to cross the gateway.

2. The other reason we prefer the Endpoint Security policy is that, as I said, it's easier, more functional and more granular.

For example, we want to make different rules for different computers. It's very easy in the SmartEndpoint console: just create virtual groups, assign the different policies to them, and add the computers to the different virtual groups.

Not sure how to do it in desktop policy.

Any idea how to use the Endpoint policy and make the Internet only go through the VPN?

Thanks!

PhoneBoy
Admin

Actually, you can configure a Desktop Policy in a completely separate layer on the gateway.
You just have to enable the Policy Server on the relevant gateway and add the Desktop policy to the relevant package.
Also, multicast will never cross a gateway unless you configure PIM, even if there is a rule in the policy that allows it.

But, you should be able to do this on the Endpoint side as well in, like you said, a more granular way.
For multicast, in the relevant policy, create a rule like below:

[Screenshot: Screen Shot 2020-10-29 at 6.11.41 PM.png]

The multicast-net is a network object I created (network 224.0.0.0 mask 224.0.0.0).
You can add this rule to the relevant policy.

Further, you can create a different firewall policy that is used when the client is disconnected. 
It's just a matter of cloning the relevant Endpoint rule, setting the enforcement state to Disconnected, and modifying the policy as appropriate.

[Screenshot: Screen Shot 2020-10-29 at 6.19.02 PM.png]

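As an added illustration (not Check Point's code or anything posted in the thread), a small Python model of the two mechanisms described above: the multicast-net object expressed as network 224.0.0.0 / mask 224.0.0.0, and rules that apply only in a given enforcement state. The Rule class, rule names and the documentation-range addresses are hypothetical; the model also shows that a mask of 224.0.0.0 is a /3 and therefore covers the reserved 240.0.0.0/4 block as well as IANA multicast.

```python
import ipaddress
from dataclasses import dataclass

# The object from the reply: network 224.0.0.0, mask 224.0.0.0.
# A mask of 224.0.0.0 is a /3, so it spans 224.0.0.0-255.255.255.255.
MULTICAST_NET = ipaddress.ip_network("224.0.0.0/224.0.0.0")
# IANA multicast is 224.0.0.0/4; the /3 above also covers reserved 240.0.0.0/4.
IANA_MULTICAST = ipaddress.ip_network("224.0.0.0/4")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:  # hypothetical model of an Endpoint firewall rule
    name: str
    state: str                  # enforcement state: "Connected", "Disconnected" or "Any"
    dst: ipaddress.IPv4Network  # destination network object
    action: str                 # "Accept" or "Drop"


# Hypothetical rulebase: multicast always allowed, Internet only while the VPN is up.
POLICY = [
    Rule("Allow multicast", "Any", MULTICAST_NET, "Accept"),
    Rule("Allow Internet over VPN", "Connected", ANY, "Accept"),
    Rule("Block Internet", "Disconnected", ANY, "Drop"),
]


def first_match(rules, state, dst_ip):
    """Return (rule name, action) of the first rule whose enforcement state
    and destination both match, or an implied cleanup drop."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.state in ("Any", state) and ip in r.dst:
            return r.name, r.action
    return "Implied cleanup", "Drop"


def multicast_net_prefixlen():
    return MULTICAST_NET.prefixlen  # 3


def overmatched_class_e(addr="240.0.0.1"):
    """True if addr is inside the /3 object but outside IANA multicast."""
    ip = ipaddress.ip_address(addr)
    return ip in MULTICAST_NET and ip not in IANA_MULTICAST


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address (constructed input).
    for state in ("Connected", "Disconnected"):
        print(state, first_match(POLICY, state, "203.0.113.10"),
              first_match(POLICY, state, "239.255.255.250"))
```

The "Block Internet" rule is only ever selected when the client actually reports the Disconnected state, which is the point the thread goes on to discuss.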
littlewood
Explorer

Hi PhoneBoy,

Thanks for your response.

When I use the Endpoint policy, I don't worry about multicast. Multicast is only a problem when we use the desktop policy.

On the Endpoint side, the issue is that I can't lock down Internet with the Endpoint policy.

We tried the disconnected policy; however, we are using a cloud Endpoint policy server. Even if we disconnect the VPN, the client is still connected to the policy server.

So we can't use it to lock down Internet.

Any idea?

Thanks!

PhoneBoy
Admin

Yeah, that is an issue, since you will always have connectivity to the Endpoint Management Server.
I suspect the answer will be to use the Desktop policy instead of the one from Endpoint.
A TAC case is probably in order.

littlewood
Explorer

Hi PhoneBoy,

Is it possible to combine the compliance policy and the Endpoint policy to achieve it?

Like using the compliance policy to detect whether the VPN is connected, and if not, letting the Endpoint policy block the network.

Thanks!
