The new forums will be named Coin Return (based on the most recent vote)! You can check on the status and timeline of the transition to the new forums here.
The Guiding Principles and New Rules document is now in effect.
Tie a VPN to one application?
templewulf
The Team ChumpUSARegistered User regular
The Team ChumpUSARegistered User regular
Hey all,
I've been having to work from home a lot lately, which means signing into a VPN and using mstsc to connect to my work computer.
Unfortunately, that means that I can't do anything else on my home computer, since all traffic is routed through the VPN. Is there anyway to set it up so that it only applies to MSTSC, in the same way you can specify domains to use a proxy in browsers and Internet Options.
Any ideas?
I've been having to work from home a lot lately, which means signing into a VPN and using mstsc to connect to my work computer.
Unfortunately, that means that I can't do anything else on my home computer, since all traffic is routed through the VPN. Is there anyway to set it up so that it only applies to MSTSC, in the same way you can specify domains to use a proxy in browsers and Internet Options.
Any ideas?
templewulf on
0
This discussion has been closed.
Posts
In the TCP/IP settings for the VPN, uncheck the "Use default gateway on remote network" box under Advanced settings.
You may need to add a static route into your work IP addresses. If you do, I'd recommend setting up a batch file, since you'll need to do it every time you connect.
http://support.microsoft.com/kb/317025
Oh, what the hell? That's on by default now?
Thanks for the link, I appreciate it.
What you're looking for is refereed to as a Split tunnel configuration. Work related stuff goes down the VPN connection, everything else goes through the normal Internet connection.
Depending on how you connect and how they have the VPN configured, you may or may not be able to do this on your end. I know the VPN systems I configure there is no way for anyone to change the adapter settings. If they do it while connected they get kicked off. If they do it while not connected the settings simply get overwritten when they connect. All settings are controlled and configured by me on the Server side, the only thing the user can control is their user credentials, a couple of basic settings (like local logging and keep alives), and which VPN they are pointing to.
Create an SSH tunnel to map port 4000 to (someip):3389 then just do mstsc -v localhost:4000. SSH should be as secure as a VPN, less overhead, and not lock down your local network. Once you're done just disconnect your SSH session.
Any reason they decided to use VPN? Windows only environment maybe?
Most big companies will lock down SSH from the internet to any of their internal or trusted networks. If his company has any sort of reasonable security posture it just will not be available.
This may have been the case before 2006. I'd be more worried about having a webserver on my network than an SSH server.
Usually you have your Webservers in a separate security zone from the user systems... not always of course, but usually. Regardless, most of the time you don't allow web services in from the internet to the user pool either.
In fact, you almost never allow ANYTHING from the internet to your internal network. That's why you have a boundary device like a VPN in the first place. You could set up an SSH server to do the same thing as well, but in the end it may have the exact same restrictions for the end user as the VPN server. Depends on the company of course. But setting up a random SSH server you create on your own lacks any audit trail. He could be anyone coming in over that tunnel and there's no way of looking into it or inspecting what is going on. And if there's no monitoring going on internally he could be hopping off that box to almost anything and pulling data out.
Point is, many companies, mine included, you will flat out get fired for doing what he's asking or what you are suggesting as you're bypassing (or attempting to) security policies.
I don't think you understand what he's asking. He can already do what he wants, VPN, and terminal service into the computer in question. He wants to be able to use his local computer while VPNed in, in theory, limit it to the single port. Disabling the use remote gateway solves this for the most part. The other possibility is SSH tunneling, which is a similar practice. Having something listening on port 1723 as opposed to 22 does not significantly change your network security.
Now you can disable TCP forwarding in the SSH server, but, if you've already got a VPN tunnel open and accepting connections, it practically makes no difference in your architecture, especially if you're given access internally to the same network.
As far as I know SSH is no less secure than a VPN handshake. Especially a VPN that doesn't encrypt after the handshake has happened.
Actually it does make it less secure, which is the entire reason it's usually not possible by default. Having split tunnel capability, or simply forwarding a single port means that if his machine was exploited by any number of means that give a remote attacker access to it, then all they have to do is sit by and watch him connect in, then ride his connection through to his corporate network. They are then bypassing all the perimeter security and sitting inside the corporate network which is, for good or ill, almost always less protected.
As far as the VPN vs SSH handshake, it is secure on both counts. BUt the way you phrased it made it sound like you wanted him to set up an SSH server on his own. VPN generally uses 2 factor authentication tied to his corporate account via a certificate or token of some type. This provides some level of security that they know who is coming in and that the connection is valid.
If his work has a SSH connection available to use, chances are he would be under the exact same restrictions as VPN due to the above security concerns. And if he's not, then chances are he'd need a much better reason to be approved for use of it than "I want to browse the intertubes".
This is sort of getting off the main topic with this discussion, but suffice it to say that if I were him I'd look at the policy of if he SHOULD be doing this long before trying to do it. Is it worth getting fired for? Since I have seen many a person fired for doing exactly these things and getting caught red handed.
I still think you're confused.
How so? He wants to RDP to his windows system in the office.
In order to do that he needs to use VPN to access his company network.
This VPN connection is configured to route all traffic, not just RDP to his one computer, down the VPN tunnel.
He wants to just use RDP to the office PC and have the rest of his connection free.
That's it. Unfortunately, that is not how his company has it set, and may be exactly as they designed it to be.
By taking steps to do what he wants, he could very easily be bypassing policy that was purposefully put in place and enforced. Taking these actions could get him fired.
There's no confusion here in my telling him why these things are usually set up the way they are and that he should make sure it won't cost him his job bypassing them.
Not sure why you think he's doing this without permission. O_o
EDIT:
To be fair I don't mean that he's trying to be malicious with that, he simply may not know. Which is why I stress he should not try it without asking, and if he asks and says no he should not try it and hope he gets away with it.