the_rock
Leader

Preventing users from disconnecting remote access VPN client

Hey guys,

 

I know this may sound like a silly question, but I'm not sure if it's even possible. I know in Dashboard, under Global Properties, you can enable Always Connect for endpoint clients... BUT is there any way at all, either for Endpoint VPN or SandBlast, to actually PREVENT people from disconnecting their VPN session once they connect?

 

I know there is a trac_client_1.ttm file on the firewall where certain endpoint settings can be modified, but I don't think there is anything for this specifically. Also, trac_defaults on the client side has some settings too, but I'm not sure this is one of them.

 

Thoughts? : )

 

Andy

22 Replies
G_W_Albrecht
Legend

A possible workaround could be the use of machine certificate RA VPN, connecting automatically before Domain Logon - but you would have to somehow disable the GUI, as the client otherwise is able to disconnect or shutdown the RA client.

the_rock
Leader

Hm... thanks Gunter. Not sure if the customer would be okay with that, but do you think it's complicated to do?

Andy

G_W_Albrecht
Legend

I had customers using it as a special HF from the local SE who contacted me for the latest version, and since GA, I have never heard any complaint or trouble with this feature. Test it 😎. And try to figure out how to disable the GUI.

the_rock
Leader

If I knew how to do it, would not be posting here, trust me LOL...anyway, let me open TAC case for it.

G_W_Albrecht
Legend

If you can figure out how to disable the GUI, you could leave it with that and Always Connected. I have some experience and would not know how to do it except with an OS hack. Usually, customers want safety for connections first and accept that users disconnect from VPN if they do not use its services. But the idea is valid: all connections from the client go through the company site (and its GW); CP included that a long time ago. But clients can disconnect (to print on their own printer)...

PhoneBoy
Admin

"Always Connected" is a Global Properties setting.

[screenshot of the Global Properties "Always Connected" setting: Screen Shot 2021-03-18 at 9.51.45 AM.png]

G_W_Albrecht
Legend

A client always can disconnect from VPN or shutdown the client - any way to make this unavailable ?

the_rock
Leader

Right, that's what this customer is looking for... Personally, I never heard of anyone being able to do so.

the_rock
Leader

Hey D,

Yes, I'm very familiar with that setting, but that's not what I'm looking for. The customer wants to PREVENT users from being able to manually disconnect the VPN client themselves.

PhoneBoy
Admin

That plus ATM mode (removing the GUI) would make it a little more difficult for users to disable the VPN (without knowing the CLI command).
You could also create a disconnected desktop policy that blocks most everything when not connected to the VPN, thus nudging people to keep the VPN on.

G_W_Albrecht
Legend

Oh yes, I forgot ATM mode!

Bob_Zimmerman
Advisor

This is probably as good as you're going to be able to get. After all, users could just unplug the computer from their network, unplug their Internet connection, or otherwise block the system's ability to talk to the VPN endpoint.

While I'm not sure I understand why anybody would want to prevent users from disconnecting, it sounds like they're trying to solve a human problem with a technological solution. That never works well.

JozkoMrkvicka
Leader
Leader

Another possible way would be to create script which will do following:

Check every XY seconds/minutes if VPN is established. If not, establish it.

The main question is if such a solution would be possible. Trac.exe info can be used (find string of "Connected"). Maybe cpvn:// command in order to establish VPN in the background.

Just an idea...

Kind regards,
Jozko Mrkvicka
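One way to put Jozko's "check every N seconds and reconnect" idea into practice, as an added example that is not code from this thread or from Check Point. It assumes the standard Endpoint Connect install path, a site called SITE_NAME, that `trac.exe info` prints the word "Connected" only while the tunnel is up (it also guards against matching "Disconnected"), and that the site authenticates with a machine certificate or cached credentials so that `trac connect -s` does not stop on an interactive prompt. Run it as a Scheduled Task under SYSTEM so an ordinary user cannot simply close it; as noted elsewhere in the thread, an admin or the user pulling the network cable can still defeat it.

```powershell
# vpn-watchdog.ps1 (added example, not from the thread or from Check Point)
# Re-establishes the Check Point Endpoint VPN whenever "trac info" no longer
# reports an established tunnel.
param(
    [int]$IntervalSeconds = 30,   # how often to poll the client
    [switch]$Once                 # check/reconnect a single time, then exit
)

# ASSUMPTIONS: install path and site name are placeholders for this example.
$Trac     = 'C:\Program Files (x86)\CheckPoint\Endpoint Connect\trac.exe'
$SiteName = 'SITE_NAME'

if (-not (Test-Path $Trac)) {
    throw "trac.exe not found at $Trac (adjust the path for your deployment)"
}

function Test-VpnConnected {
    # "trac info" prints the client status; the thread suggests looking for
    # the string "Connected". The negative lookbehind keeps "Disconnected"
    # from being treated as a match.
    $out = & $Trac info 2>&1 | Out-String
    return [bool]($out -match '(?i)(?<!dis)connected')
}

function Connect-Vpn {
    # "trac connect -s <site>" starts the tunnel for the named site.
    # With machine-certificate auth (as suggested in the thread) no user
    # interaction is needed; with password auth this would prompt instead.
    & $Trac connect -s $SiteName 2>&1 | Out-Null
}

do {
    if (-not (Test-VpnConnected)) {
        Write-Host "$(Get-Date -Format s) VPN not connected, reconnecting to $SiteName"
        Connect-Vpn
    }
    if (-not $Once) { Start-Sleep -Seconds $IntervalSeconds }
} while (-not $Once)
```

Schedule it with something like `schtasks /Create /SC ONSTART /RU SYSTEM /TN VpnWatchdog /TR "powershell -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\vpn-watchdog.ps1"` and pair it with a disconnected desktop policy so that the few seconds between a manual disconnect and the next poll do not give the user a usable "free" network.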
the_rock
Leader

Yea...I was thinking maybe modify some local files on client side, but they are more asking if this can be done globally from the fw side, which I am not so sure it can be done...

PhoneBoy
Admin

Don't believe it's possible to FORCE always on, nor is it a particularly good idea.
In order for things like DHCP or Captive Portal on a public WiFi hotspot to work, you have to allow the device to connect without VPN for a period of time.

My ask back to the client would be: what problem are you trying to solve by forcing always-on VPN?
If it's to prevent access to specific websites (or whatever), there are other solutions to that problem that don't involve an always-on VPN (and add additional protection to boot).

G_W_Albrecht
Legend

the_rock
Leader

I heard about it, but reading up from that link, I don't think that would achieve what the customer wants.

G_W_Albrecht
Legend

You can use the VPN client only, too (sk172325):

E84.60 Standalone Clients

Platform: Windows
Package: E84.60 Remote Access VPN Clients for ATM (MSI)
Description: Unattended Remote Access VPN clients, managed with CLI and API, that do not have a user interface.

Platform: Windows
Package: E84.60 Remote Access VPN Clients for ATM - Automatic Upgrade file (CAB)
Description: Unattended Remote Access VPN clients, managed with CLI and API, that do not have a user interface, for automatic upgrade through the gateway. For SmartDashboard-managed clients only.

This documentation is valid for both EPS and RA VPN ATM clients: E80.86 and higher Endpoint Security Client for ATMs Deployment Guide

 

the_rock
Leader

I guess something to think about...

Petr_Frydl
Participant

Hi, I have discussed it with the local CHP guys and have an answer that you need the endpoint protection package with local FW > connected/disconnected status > if you are not connected, the FW will not allow any interesting communication, so the user will connect to VPN voluntarily..

 

regards

Petr

 

G_W_Albrecht
Legend

This does not help if you can shutdown the EPS client. ATM would be the way to go...

Alex_Shpilman
Collaborator

Hi @the_rock ,

If you have machine certificates, enabling the below in the client's trac.default will disable the connect/disconnect button in the GUI and use machine certificate only.

enable_machine_auth        true
machine_tunnel_site        "SITE_NAME"
machine_tunnel_after_logon true

 

Admins or service desk still can disconnect from CMD.