1. Use the SecureClient Packaging Tool on the management station to create a
customized build of SecureClient. Select the options that do not allow them
to unload the policy or shut down SecureClient. Allow DHCP to work even if
the policy does not allow it.
2. Use SCV so they cannot connect to the internal network unless the policy
is loaded.
3. Implement an Outbound desktop rule like so:
Source: AllUsers@any
Destination: any
Service: any
Action: drop
This will cause one big issue. The "AllUsers@any" rules are the desktop
security policy that is in effect when they are NOT VPNed in. Some hotel
broadband systems, notably STSN, require that a browser outbound connection
come from the laptop. They then intercept the call and pop up their own page
that you have to click a button on to get Internet access.
No clicky, no Internet. No browser outbound, no STSN page, no Internet, no
VPN connection. Kind of a chicken-or-egg thing. If you have a forced browser
home page, you could create an outbound rule to allow HTTP to it, even if it
is unreachable from the Internet. This is enough to trip the STSN page.
Ray
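The ordering problem Ray describes (a catch-all drop rule for users who are not VPNed in, plus a narrow allow for the forced home page so the hotel gateway can intercept the request) comes down to first-match rule evaluation. The following is an added illustration, not code from the thread or from Check Point's SecureClient: a minimal first-match evaluator over rules shaped like Ray's, with constructed host names, that models outbound desktop rules only (VPN control traffic is assumed to be handled separately by the client and is not modelled).

```python
# Added example, not part of the original thread or of SecureClient.
# First-match evaluation of outbound desktop rules, modelling only the
# "AllUsers@any" (not VPNed in) policy that Ray describes.
from dataclasses import dataclass
from typing import List


@dataclass
class Rule:
    source: str       # "AllUsers@any": any user, any location, tunnel down
    destination: str  # host name or "any"
    service: str      # "http", "https", ... or "any"
    action: str       # "accept" or "drop"


@dataclass
class Flow:
    destination: str
    service: str


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """Return the action of the first rule matching the flow.

    Assumption: like a conventional firewall rulebase, the first matching
    rule wins and a flow that matches nothing is dropped.
    """
    for rule in policy:
        if rule.destination not in ("any", flow.destination):
            continue
        if rule.service not in ("any", flow.service):
            continue
        return rule.action
    return "drop"


# Constructed name for the intranet page the browser is forced to open.
HOME_PAGE = "intranet.example.com"

# Ray's catch-all outbound rule for users who are not VPNed in.
DROP_ALL = Rule("AllUsers@any", "any", "any", "drop")
# Ray's suggested exception: HTTP to the forced home page only.
ALLOW_HOME_HTTP = Rule("AllUsers@any", HOME_PAGE, "http", "accept")


def portal_reachable(policy: List[Rule], home_page: str = HOME_PAGE) -> bool:
    """True if the browser's home-page request leaves the laptop at all.

    The hotel gateway can only intercept an HTTP request that the desktop
    policy lets out; if the request is dropped locally there is nothing
    for the gateway to redirect, so its sign-in page never appears.
    """
    return evaluate(policy, Flow(home_page, "http")) == "accept"


def general_browsing_blocked(policy: List[Rule]) -> bool:
    """True if ordinary web browsing to an arbitrary site is still dropped."""
    other = "www.example.org"  # constructed: any non-home-page site
    return all(
        evaluate(policy, Flow(other, svc)) == "drop" for svc in ("http", "https")
    )


if __name__ == "__main__":
    print("drop-all only, portal reachable:", portal_reachable([DROP_ALL]))
    print("allow-home first, portal reachable:",
          portal_reachable([ALLOW_HOME_HTTP, DROP_ALL]))
    print("allow-home after drop-all, portal reachable:",
          portal_reachable([DROP_ALL, ALLOW_HOME_HTTP]))
    print("browsing still blocked:",
          general_browsing_blocked([ALLOW_HOME_HTTP, DROP_ALL]))
```

The third case is the one worth checking in a real rulebase: the allow rule only helps if it is ordered above the catch-all drop, otherwise the drop still matches first and the captive portal is never triggered. The exception also leaves general browsing blocked, since it is restricted to one destination and one service.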
From: "Brett, Gary" <garybrett AT HALIFAXCETELEM DOT COM>
Reply-To: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] SecureClient - Blocking web browsing
Date: Wed, 31 Mar 2004 13:07:32 +0100
Dear all
I am implementing SecureClient for all remote users, but as my test bed has highlighted there are concerns over the users connecting to the internet and not using the VPN, i.e. for non-work-related reasons and installing all types of goodies from the net on their laptops. Does anybody know of a way I can set it up so that when connecting to the net, it always and only connects to the firewall, hence not giving them the ability to browse the web at all? Unfortunately for me, my users are quite PC literate and as such this method would have to be put in place with no workaround (well, no obvious one at least). I am quite willing to look at reg hacks to lock the OS down, but I don't know if they'll solve my problem.
Any help would be greatly appreciated.
regards
Gary
This electronic message contains information from Halifax Cetelem Credit Ltd which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email (to the numbers or address above) immediately.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================