Not really a question, but suggestions for improvements or other feedback are certainly encouraged.
I received a requirement to pop up a disclaimer after an endpoint connects to VPN, requiring the user to accept the terms ("unauthorized access prohibited", etc.) or else the VPN connection should shut off. TAC helpfully pointed me to sk103117 but, understandably, their assistance ended before providing any guidance on how the post-connect script itself should work.
Googling wasn't much help, so DEAR PEOPLE FROM THE FUTURE: Here's what we've figured out so far...*
In a nutshell, the SK instructs you to make a few adjustments via GUIDBEdit and the trac_client_1.ttm file (or your equivalent, if you have multiple ttm's) on the gateway(s), which will point the client to a local script that runs after the VPN connects. TAC's advice was to consider an HTA file, which is a good idea, but they could not assist any further than that.
First, it turns out you cannot run an HTA file directly from this feature. So I created a .bat wrapper. This part is very simple, something as basic as this does the trick:
================= popup.bat =================
A couple of important administrative notes before we get into the HTA file:
- Permissions for popup.bat and popup.hta should be restricted such that regular users cannot simply delete or rename them, but they should be able to execute them.
- popup.hta will need to be trusted by your GPO policy or whatever you are using to manage Windows security on your endpoints. Otherwise, you'll get an untrusted app warning upon first connection, which could confuse users.
Borrowing from cobbled-together code that I was able to find on various sites (appropriate credit given in comments where due) I put together a little popup that cannot be closed or edited, and which provides the user a configurable number of seconds to Agree or Disagree to the disclaimer before the VPN disconnects. Conveniently, the VPN will also disconnect if the user tries to kill the task without agreeing.
Here is the code for popup.hta:
================= C:\scripts\popup.hta =================
<html>
<head>
<title>Authorized Access Only</title>
<script language="VBScript">
' Progress Bar Settings, credit to Paul W. Blair:
pbWaitTime = 20 ' How many seconds the progress bar lasts
pbHeight = 8 ' Progress bar height
pbWidth = 200 ' Progress bar width
pbUnloadedColor = "white" ' Color of unloaded area
pbLoadedColor = "blue" ' Color of loaded area
pbBorder = "green" ' Color of Progress bar border
' Don't edit these things
pbStartTime = Now
pbTimerID = window.setInterval("rProgressbar", 200)
' Fake modal window
window.setInterval "putontop()", 200
accepted = False
alreadyran = False

' Keep the popup in front of other windows
' (body assumed; only the timer call above is given)
Sub putontop
    window.focus
End Sub

' Redraw the progress bar and countdown, then act once the wait time is up
Sub rProgressbar
    pbHTML = ""
    pbSecsPassed = DateDiff("s", pbStartTime, Now)
    pbMinsToGo = Int((pbWaitTime - pbSecsPassed) / 60)
    pbSecsToGo = Int((pbWaitTime - pbSecsPassed) - (pbMinsToGo * 60))
    If pbSecsToGo < 10 Then
        pbSecsToGo = "0" & pbSecsToGo
    End If
    pbLoadedWidth = (pbSecsPassed / pbWaitTime) * pbWidth
    pbUnloadedWidth = pbWidth - pbLoadedWidth
    pbHTML = pbHTML & "<table border=1 bordercolor=" & pbBorder & " cellpadding=0 cellspacing=0 width=" & pbWidth & "><tr>"
    pbHTML = pbHTML & "<th width=" & pbLoadedWidth & " height=" & pbHeight & " align=left bgcolor=" & pbLoadedColor & "></th>"
    pbHTML = pbHTML & "<th width=" & pbUnloadedWidth & " height=" & pbHeight & " align=left bgcolor=" & pbUnloadedColor & "></th>"
    pbHTML = pbHTML & "</tr></table><br>"
    pbHTML = pbHTML & "<table border=0 cellpadding=0 cellspacing=0 width=" & pbWidth & "><tr>"
    pbHTML = pbHTML & "<td>" & pbMinsToGo & ":" & pbSecsToGo & " remaining</td>"
    pbHTML = pbHTML & "</tr></table>"
    progressbar.InnerHTML = pbHTML
    If DateDiff("s", pbStartTime, Now) >= pbWaitTime Then
        If accepted = True Then
            ' Terms already accepted: just close the popup
            window.close
        Else
            DisableVPNAdapter
        End If
    End If
End Sub

' Disconnect the VPN (once) and close the popup
Sub DisableVPNAdapter
    If alreadyran = False Then
        Set ObjShell = CreateObject("Shell.Application")
        ObjShell.ShellExecute "trac.exe", "disconnect", "C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\", "", 0
        alreadyran = True
    End If
    window.close
End Sub

' Handler for the Agree button (handler name assumed)
Sub Agree
    accepted = True
    window.close
End Sub
</script>
</head>
<body>
<p>Unauthorized access is prohibited. By clicking 'Agree' you assert that you are an authorized employee, will abide by all usage policies, and consent to monitoring of all network traffic.</p>
<!-- The Agree button is assumed; only the Disagree button is given -->
<p><button onclick="Agree">Agree</button>
<button onclick="DisableVPNAdapter">Disagree</button></p>
<p>VPN will disconnect if you do not agree before the counter reaches 0.</p>
<span id="progressbar"></span>
</body>
</html>
If all goes well, then upon connection you should see a window like this:
Hopefully this helps someone in the same situation at some point down the road.
* - https://xkcd.com/979/
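
The file-permission note in the post above, worked through as an added example that is not part of the original post: it sets the ACLs so users can run but not delete or rename the two scripts, then verifies the result. It assumes popup.bat sits next to popup.hta in C:\scripts (the post gives only the path of popup.hta) and that it is run from an elevated prompt.

```powershell
# Run from an elevated PowerShell prompt on the endpoint.
# Assumption: popup.bat sits beside popup.hta in C:\scripts.
$dir   = 'C:\scripts'
$files = 'popup.bat', 'popup.hta' | ForEach-Object { Join-Path $dir $_ }

# Well-known SIDs, so the grants do not depend on localized group names.
$admins = '*S-1-5-32-544'   # BUILTIN\Administrators
$system = '*S-1-5-18'       # NT AUTHORITY\SYSTEM
$users  = '*S-1-5-32-545'   # BUILTIN\Users

# Folder first: "Delete subfolders and files" on the parent lets a principal
# delete or rename a child no matter what the child's own ACL says.
icacls $dir /inheritance:r /grant:r "${admins}:(OI)(CI)F" "${system}:(OI)(CI)F" "${users}:(OI)(CI)RX" | Out-Null
foreach ($f in $files) {
    icacls $f /inheritance:r /grant:r "${admins}:F" "${system}:F" "${users}:RX" | Out-Null
}

# Verify: no Allow ACE outside Administrators/SYSTEM may carry a right that
# permits changing, replacing, renaming or deleting the scripts.
$risky   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$trusted = 'S-1-5-32-544', 'S-1-5-18'
$sidType = [System.Security.Principal.SecurityIdentifier]

$findings = foreach ($p in @($dir) + $files) {
    foreach ($ace in (Get-Acl -LiteralPath $p).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -notin $trusted -and
            ($ace.FileSystemRights -band $risky)) {
            [pscustomobject]@{ Path = $p; Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    throw 'A non-admin principal can still modify, rename or delete the popup files.'
}
'ACLs OK: users can read and execute the scripts but not change them.'
```

Explicit ACEs for other principals survive `/inheritance:r`, which is what the verification pass is there to catch.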