Not really a question, but suggestions for improvements or other feedback are certainly encouraged.
I received a requirement to pop up a disclaimer after an endpoint connects to VPN, requiring the user to accept the terms ("unauthorized access prohibited" etc) or else the VPN connection should shut off. TAC helpfully pointed me to sk103117 but understandably, their assistance ended before providing any guidance on how the post-connect script itself should work.
Googling wasn't much help, so DEAR PEOPLE FROM THE FUTURE: Here's what we've figured out so far...*
In a nutshell, the SK instructs you to make a few adjustments via GUIDBEdit and the trac_client_1.ttm file (or your equivalent, if you have multiple ttm's) on the gateway(s), which will point the client to a local script that runs after the VPN connects. TAC's advice was to consider an HTA file, which is a good idea, but they could not assist any further than that.
First, it turns out you cannot run an HTA file directly from this feature. So I created a .bat wrapper. This part is very simple, something as basic as this does the trick:
================= popup.bat =================
@echo off
rem Launch the disclaimer dialog; the VPN client runs this wrapper after the tunnel comes up
start "" C:\scripts\popup.hta
============================================
A couple of important administrative notes before we get into the HTA file:
- Permissions for popup.bat and popup.hta should be restricted such that regular users cannot simply delete or rename them, but they should be able to execute them.
- popup.hta will need to be trusted by your GPO policy or whatever you are using to manage Windows security on your endpoints. Otherwise, you'll get an untrusted app warning upon first connection, which could confuse users.
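As an added example (not from the original post), the following commands apply the permission model described in the first note: Administrators and SYSTEM may modify or delete the files, ordinary users may only read and execute them, and ownership is moved to Administrators so that a user who happens to own a file cannot rewrite its permissions. It assumes the C:\scripts path used in this post and the default built-in group names; adjust both for your environment and run it from an elevated prompt.

```batch
@echo off
rem Added example: restrict C:\scripts so regular users can run, but not alter, the popup files.
rem Assumes the C:\scripts path from the post and the default built-in group names.

rem Take ownership away from whoever created the files; an owner can always rewrite the DACL.
icacls C:\scripts /setowner "BUILTIN\Administrators" /T

rem Drop inherited permissions on the folder and replace them with an explicit set:
rem   Administrators and SYSTEM get full control, Users get read+execute only.
rem   (OI)(CI) makes the entries inherit to popup.bat and popup.hta below.
icacls C:\scripts /inheritance:r ^
  /grant:r "BUILTIN\Administrators:(OI)(CI)(F)" ^
  /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)(F)" ^
  /grant:r "BUILTIN\Users:(OI)(CI)(RX)"

rem Verify: each file should list only the three entries above, with Users shown as (I)(RX).
icacls C:\scripts\popup.bat
icacls C:\scripts\popup.hta
```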
Borrowing from cobbled-together code that I was able to find on various sites (appropriate credit given in comments where due), I put together a little popup that cannot be closed or edited, and which provides the user a configurable number of seconds to Agree or Disagree to the disclaimer before the VPN disconnects. Conveniently, the VPN will also disconnect if the user tries to kill the task without agreeing.
Here is the code for popup.hta:
================= C:\scripts\popup.hta =================
<html>
<head>
<HTA:APPLICATION
APPLICATIONNAME="disclaimer_popup"
SCROLL="no"
SINGLEINSTANCE="yes"
WINDOWSTATE="Normal"
CAPTION="yes"
MAXIMIZEBUTTON="no"
MINIMIZEBUTTON="no"
SYSMENU="no"
BORDER="thin"
BORDERSTYLE="Normal"
CONTEXTMENU="no"
SELECTION="no"
>
<title>Authorized Access Only</title>
<script language="VBScript">
Public accepted
Public alreadyran
Dim pbTimerID
Dim pbHTML
Dim pbWaitTime
Dim pbHeight
Dim pbWidth
Dim pbBorder
Dim pbUnloadedColor
Dim pbLoadedColor
Dim pbStartTime
Sub Window_OnLoad
' Progress Bar Settings, credit to Paul W. Blair:
' https://gallery.technet.microsoft.com/scriptcenter/Accurate-HTA-Countdown-and-3fd670d6
pbWaitTime = 20 ' How many seconds the progress bar lasts
pbHeight = 8 ' Progress bar height
pbWidth= 200 ' Progress bar width
pbUnloadedColor="white" ' Color of unloaded area
pbLoadedColor="blue" ' Color of loaded area
pbBorder="green" ' Color of Progress bar border
' Don't edit these things
pbStartTime = Now
rProgressbar
pbTimerID = window.setInterval("rProgressbar", 200)
'window.resizeTo screen.availWidth/4.5,screen.availHeight/3
window.resizeTo 427,360
window.moveTo screen.availWidth/3,screen.availHeight/3
' Fake modal window
window.setInterval "putontop()", 200
accepted = False
alreadyran = False
End Sub
Function putontop
window.focus()
End Function
Sub rProgressbar
pbHTML = ""
pbSecsPassed = DateDiff("s",pbStartTime,Now)
pbMinsToGo = Int((pbWaitTime - pbSecsPassed) / 60)
pbSecsToGo = Int((pbWaitTime - pbSecsPassed) - (pbMinsToGo * 60))
if pbSecsToGo < 10 then
pbSecsToGo = "0" & pbSecsToGo
end if
pbLoadedWidth = (pbSecsPassed / pbWaittime) * pbWidth
pbUnloadedWidth = pbWidth - pbLoadedWidth
pbHTML = pbHTML & "<table border=1 bordercolor=" & pbBorder & " cellpadding=0 cellspacing=0 width=" & pbWidth & "><tr>"
pbHTML = pbHTML & "<th width=" & pbLoadedWidth & " height=" & pbHeight & " align=left bgcolor=" & pbLoadedColor & "></th>"
pbHTML = pbHTML & "<th width=" & pbUnloadedWidth & " height=" & pbHeight & " align=left bgcolor=" & pbUnloadedColor & "></th>"
pbHTML = pbHTML & "</tr></table><br>"
pbHTML = pbHTML & "<table border=0 cellpadding=0 cellspacing=0 width=" & pbWidth & "><tr>"
pbHTML = pbHTML & "" & pbMinsToGo & ":" & pbSecsToGo & " remaining"
pbHTML = pbHTML & "</tr></table>"
progressbar.InnerHTML = pbHTML
if DateDiff("s",pbStartTime,Now) >= pbWaitTime then
StopTimer
DoAction
end if
End Sub
Sub StopTimer
window.clearInterval(PBTimerID)
End Sub
Sub DoAction
DisableVPNAdapter
End Sub
Sub DisableVPNAdapter
If accepted = True Then
' Nothing to do: the user accepted, so the tunnel stays up and the window simply closes
Else
If alreadyran = False Then
Set ObjShell = CreateObject("Shell.Application")
ObjShell.ShellExecute "trac.exe", "disconnect", "C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\", "", 0
alreadyran = True
End If
Window.Close
End If
End Sub
Sub Proceed
accepted = True
Window.Close
End Sub
Sub Window_onUnload
DisableVPNAdapter
End Sub
</script>
</head>
<body>
<div align="center">
<p>Unauthorized access is prohibited. By clicking 'Agree' you assert that you are an authorized employee, will abide by all usage policies, and consent to monitoring of all network traffic.</p>
<p><button onclick="Proceed">Agree</button>
<button onclick="DisableVPNAdapter">Disagree</button></p>
</div>
<div align="center">
<p>VPN will disconnect if you do not agree before the counter reaches 0.</p>
<span id="progressbar"></span>
</div>
</body>
</html>
===================================================
If all goes well, then upon connection you should see a window like this:
Hopefully this helps someone in the same situation at some point down the road.
-MAB
* - https://xkcd.com/979/