Our corporate laptops are restricted to only allow internet access through our proxy (connection profile in Internet Explorer pushed through a GPO). On a remote/3rd party connection this is allowed by creating a VPN back to the corporate network (Cisco VPN Client -> Cisco ASA), at which point the proxy is available and we route all internet traffic through that.
We have recently had the question raised by one of our users who was attempting to use a wireless connection on a train. The train company requires that the user fill in a form hosted on their own network.
The problem we had was that the user wasn't able to get to the train company's internal page, as the proxy wasn't available. They couldn't connect the VPN as they hadn't completed the train company's logon page.
We considered specifying this page in the 'bypass proxy for this address...' list, which would allow a connection to only that page. This was rejected, as we would then have to start adding every train company, hotel and public hotspot that works in this way (which must be a list of thousands).
The second suggestion was to allow connections to any local network range (10.* or 192.*), but the implications with regards to security seemed too dangerous. Plus, the page offered up by the train company would be http://virginrailwifisignup and not http://192.168.1.1.
At which point we were stumped. The now familiar cry went up in the office "we can't be the only ones who have had this problem" but I haven't been able to find anyone who has mentioned a useful solution.
So I ask you, Server Fault, how have you managed this?
Worth noting: we provide all our mobile users with 3G connections for when they are out and about. They VPN back in over that, but it's flaky as hell on a train.
By pushing settings to a connection profile in IE, you don't only allow internet access through your proxy. You just make a notion about internet access through your proxy, and increase accessibility.
If I understand correctly, what you want is to have users connect to your VPN in order to access the internet, thus using your proxy. If that's the case you have to be careful, because now all potential malware/attacks get routed through your network.
By default, in most Windows versions after XP, when you connect to a VPN you are using the default gateway on the remote network. Thus you have to ensure that this setting stays like this. You can accomplish that through your GP or CMAK, by a script, or even by doing it manually as a leveraged user once for every machine.
But on web-based logins your users have to access some random website (and thus the internet)! This is where Network Location Awareness kicks in.
So if your user establishes a connection to a network other than your work network you will trigger your VPN connection and all is good.
I have to admit it's not an easy job, especially when there is client diversification.
The other way of going around it is locking everything down, disabling the lot of it, and making another user account for usage outside your VPN, forcing other kinds of limitations (e.g. no videos, audio, specific domains, etc.).
Yet another way is to block certain ports from a specific connection, or limit the access to your VPN, e.g. no access to internal servers.
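As an added illustration of the two points in the answer above (keep the "use default gateway on remote network" setting enforced, and use Network Location Awareness to decide when to bring the tunnel up), here is a PowerShell script. It is not the answerer's code and not the original poster's setup: it assumes the Windows built-in VPN client (Windows 8 / Server 2012 or later, `VpnClient` and `NetTCPIP` modules) rather than the Cisco VPN Client mentioned in the question, a phonebook entry already created with `Add-VpnConnection`, and the entry name `CorpVPN`, which is an assumption. It is meant to be run from a logon or network-change scheduled task.

```powershell
# Added example (not from the original post or answer): enforce full tunnelling on a
# Windows built-in VPN entry and dial it whenever the machine is not on the domain.
# Assumes Windows 8 / Server 2012 or later and a per-user phonebook entry "CorpVPN"
# (assumed name) that already has its credentials cached (RememberCredential).
param(
    [string]$VpnName = 'CorpVPN'   # assumed name of the VPN phonebook entry
)

# 1. Make sure the connection is a full tunnel. SplitTunneling $true is the
#    PowerShell equivalent of unticking "Use default gateway on remote network";
#    with it set, only remote-network prefixes go into the tunnel and the
#    corporate proxy would be bypassed for internet traffic.
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction Stop
if ($vpn.SplitTunneling) {
    Write-Warning "$VpnName was configured for split tunnelling; forcing full tunnel."
    Set-VpnConnection -Name $VpnName -SplitTunneling $false -Force
}

# 2. Network Location Awareness: every connected interface carries a
#    NetworkCategory. DomainAuthenticated means a domain controller was reachable,
#    i.e. the machine is on the corporate LAN (or already inside the tunnel).
$onDomain = Get-NetConnectionProfile |
    Where-Object { $_.NetworkCategory -eq 'DomainAuthenticated' }

if ($onDomain) {
    Write-Output "On the corporate network ($($onDomain.Name -join ', ')); no VPN needed."
    return
}

# 3. Off the domain: check whether the tunnel is already up, otherwise dial it.
#    rasdial.exe with no arguments lists the currently connected entries.
$live = rasdial.exe 2>$null
if ($live -match [regex]::Escape($VpnName)) {
    Write-Output "$VpnName is already connected."
    return
}

rasdial.exe $VpnName
if ($LASTEXITCODE -ne 0) {
    # Typical cause on a train or hotel network: the captive-portal sign-up page
    # has not been completed yet, so the VPN head-end is unreachable. Report and stop.
    Write-Warning "Could not connect $VpnName (rasdial exit code $LASTEXITCODE)."
    exit $LASTEXITCODE
}

# 4. Confirm the default route now points into the tunnel interface.
Write-Output "$VpnName connected."
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Select-Object InterfaceAlias, NextHop, RouteMetric
```

The failure branch in step 3 is exactly the situation the question describes: until the hotspot's sign-up form has been completed, `rasdial` cannot reach the head-end and the script can only report it. Note also that `Get-VpnConnection`/`Set-VpnConnection` act on the current user's phonebook unless `-AllUserConnection` is given, so a machine-wide entry pushed by CMAK needs that switch.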
I guess I'm a little confused but why must all of your clients, when outside of your brick and mortar, be forced to connect to the internet only to get routed back through your own network?
I get having a VPN client to be able to call home and access resources on the network, but why do you want all of their browsing traffic sent back to you just to be routed back out again? Is it for content filtering purposes, or simply so they may also be able to access corporate resources?
Regardless, I guess I'm just a little confused on why the setup needs to be like this in the first place. If they aren't on your network why bother with proxying them back to the office if in fact they also have a VPN client? I guess I'm curious if the whole thing may be a little over complicated, over engineered if you will.
Use a real firewall to restrict access - not just the MSIE connection profile.
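An added example of what the answer above suggests, enforcing the restriction with a host firewall rather than with the IE connection profile. This is not the answerer's code; it uses the Windows Firewall cmdlets (`NetSecurity` module, Windows 8 / Server 2012 or later, run elevated), and the proxy address, proxy port, VPN head-end address and VPN ports are all assumptions standing in for the original poster's real values.

```powershell
# Added example (not from the original post or answer): make "internet only via the
# corporate proxy or VPN" a firewall policy instead of a browser setting. The IE
# connection profile only tells the browser where to send requests; any other
# program can ignore it. An outbound-block default with a short allow list cannot.
# Requires an elevated PowerShell on Windows 8 / Server 2012 or later.
$ProxyAddress = '10.0.0.10'        # assumed: corporate proxy, reachable on LAN or via VPN
$ProxyPort    = 8080               # assumed
$VpnHeadEnd   = '203.0.113.10'     # assumed: public address of the VPN concentrator
$VpnPorts     = @(500, 4500)       # assumed: IKE and NAT-T for an IPsec VPN (443 for SSL VPN)

# Apply the restriction only on Public and Private profiles: a DomainAuthenticated
# network is the corporate LAN and keeps its normal policy.
$profiles = 'Public', 'Private'

# Default-deny outbound on untrusted networks. Built-in allow rules (core networking
# for DHCP/DNS etc.) still apply; the explicit rules below are what the laptop needs
# to reach the proxy directly or to bring the VPN up.
Set-NetFirewallProfile -Profile $profiles -DefaultOutboundAction Block

$rules = @(
    @{ DisplayName = 'Corp: VPN head-end'; Protocol = 'UDP'; RemoteAddress = $VpnHeadEnd;   RemotePort = $VpnPorts }
    @{ DisplayName = 'Corp: proxy';        Protocol = 'TCP'; RemoteAddress = $ProxyAddress; RemotePort = $ProxyPort }
    @{ DisplayName = 'Corp: DHCP';         Protocol = 'UDP'; RemotePort = 67 }
    @{ DisplayName = 'Corp: DNS';          Protocol = 'UDP'; RemotePort = 53 }
)

foreach ($r in $rules) {
    # Re-create each rule so the script is idempotent and can run at every logon.
    Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule @r -Direction Outbound -Action Allow -Profile $profiles | Out-Null
}

# Show what was applied: default action per profile and the allow rules created.
Get-NetFirewallProfile -Profile $profiles | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'Corp: *' |
    Select-Object DisplayName, Direction, Action, Profile, Enabled
```

Two caveats a practitioner would want. First, this policy reproduces the trade-off in the question rather than resolving it: with outbound traffic blocked by default, the train company's sign-up page is unreachable too, so a hotspot still needs either a temporary exception or a separate captive-portal step before the VPN can come up. Second, a host firewall is only as strong as local administrator rights allow; if users are local admins, the rules and the default action should be delivered and locked by Group Policy rather than by a script they can edit.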