Hm...thanks Gunter. Not sure if customer would be okay with that, but do you think its complicated to do?

Andy

I had customers using it as a special HF from local SE and contacted me for the latest version, and since GA, i have never heard any complaint or trouble with this feature. Test it8). And try to figure out how to disable the GUI.

If I knew how to do it, would not be posting here, trust me LOL...anyway, let me open TAC case for it.

If you can figure out how to disable the GUI, you could leave it with that and Always Connected. I have some experience and would not know how to do it but with an OS hack.Usually, customers want safety for connections first and accept that users disconnect from VPN if they do not use its services. But the idea is valid: all connections from the client go thru company site (and its GW), CP included that a long time ago. But clients can disconnect (to print on their own printer)...

A client always can disconnect from VPN or shutdown the client - any way to make this unavailable ?

Right, thats what this customer is looking for...Personally, I never heard of anyone being able to do so.

Hey D,

Yes, Im very familiar with that setting, but thats not what Im looking for. Customer wants to PREVENT users from being able to manually disconnect the vpn client themselves.

That plus ATM mode (removing the GUI) would make it a little more difficult for users to disable the VPN (without knowing the CLI command).
You could also create a disconnected desktop policy that blocks most everything when not connected to the VPN, thus nudging people to keep the VPN on.

Oh yes, i forgot ATM mode !

This is probably as good as you're going to be able to get. After all, users could just unplug the computer from their network, unplug their Internet connection, or otherwise block the system's ability to talk to the VPN endpoint.

While I'm not sure I understand why anybody would want to prevent users from disconnecting, it sounds like they're trying to solve a human problem with a technological solution. That never works well.

Another possible way would be to create script which will do following:

Check every XY seconds/minutes if VPN is established. If not, establish it.

The main question is if such a solution would be possible. Trac.exe info can be used (find string of "Connected"). Maybe cpvn:// command in order to establish VPN in the background.

Just an idea...

Yea...I was thinking maybe modify some local files on client side, but they are more asking if this can be done globally from the fw side, which I am not so sure it can be done...

Don't believe it's possible to FORCE always on, nor is it a particularly good idea.
In order for things like DHCP or Captive Portal on a public WiFi hotspot to work, you have to allow the device to connect without VPN for a period of time.

My ask back to the client would be: what problem are you trying to solve by forcing always-on VPN?
If it's to prevent access to specific websites (or whatever), there are other solutions to that problem that don't involve an always-on VPN (and add additional protection to boot).

Do you know ATM mode ? sk133174: Enterprise Endpoint Security Windows Client for ATM

I heard about it, but reading up from that link, I dont think that would achieve what customer wants. 

You can use VPN client only, too (sk172325):

E84.60 Standalone Clients

This documentation is valid for both EPS and RA VPN ATM clients: E80.86 and higher Endpoint Security Client for ATMs Deployment Guide

I guess something to think about...

This does not help if you can shutdown the EPS client. ATM would be the way to go...

Hi!

Do you have a detailed instruction how to achieve this behavior?

I was looking at Location-based policies, but it is not clear at all how to configure this

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...