Having a batch file run after a NIC is installed.
Andrew Story 10-25-2005, 02:08 PM
I appreciate this may be a strange one...
My org is soon to change which site our VPN clients enter the network from,
thus a different firewall and IP. The VPN client configuration file needs
to point towards the new box on all the VPN clients, no problem there.
The issue, though, is that (after some vendor software updates to the
firewall security) all Internet routes are lost when the VPN NIC is
installed after the remote user logs on. Thus the user now has no internet
access until the routes are added again. A way we can get around this is to
add the routes back via a batch file, but we can only do this AFTER the NIC is
installed by the VPN client software. Does anyone know of a way around
this? We can't push this out via AD due to the users logging on locally at
first, then being authenticated by the firewall, so no scripts can be run
from inside the network.
Any ideas/suggestions/comments welcome. If you need more info please ask.
Thanks in advance.
Ed Siff 10-25-2005, 04:53 PM
Copy the batch file to the PC before the switch, execute it after the NIC is
installed.
Ed
Bill Stewart 10-25-2005, 08:58 PM
Andrew Story wrote:
> My org is soon to change which site our VPN clients enter the network
> from, thus a different firewall and IP. The VPN client configuration
> file needs to point towards the new box on all the VPN clients, no
> problem there.
>
> What is the issue though, is that (after some vendor software updates
> to the firewall security) all Internet routes are lost when the VPN
> NIC is installed after the remote user logs on. Thus the user now
> has no internet access until the routes are added again. A way we
> can get around this is to add the routes back via a batch file, but
> can only do this AFTER the NIC is installed by the VPN client
> software. Does anyone know of a way around this, we can't push this
> out via AD due to the users logging on locally at first, then being
> authenticated by the firewall so no scripts can be run from inside
> the network.
If I understand your question, you're referring to split tunneling or
client-side routing, which is considered to be a security hole by some.
This is because the VPN client has an established VPN tunnel and can
still access other networks through their default route. (I'm assuming
you mean "after a VPN tunnel is established" when you say "a NIC is
installed.")
Some vendors' VPN client software can be configured to support split
tunneling (I've done this with the Cisco client). On the Microsoft side,
you can create a CMAK connectoid on Windows Server 2003 that configures
route table updates.
For the curious, I wrote a program called vpnroute that you can run on
the client side after the VPN tunnel is established. You can download it
here:
http://www.cybermesa.com/~bstewart/misctools.html
It always worked for me when I used it, but some people have told me
that it didn't work for them. I don't think I'll be updating it, though,
since there are other ways to do it.
--
Bill Stewart
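Neither Andrew's question nor Bill's answer shows the client-side script itself, so here is an added example (written for this page, not code from any poster and not Bill's vpnroute tool) of the "run it after the tunnel comes up" approach in PowerShell, using the NetTCPIP cmdlets available on Windows 8 / Server 2012 and later. It assumes the VPN client's adapter name matches the pattern in $VpnAdapterPattern and that the prefixes to restore are listed in $RoutesToRestore; both are placeholders to adjust. The script records the LAN default gateway before the tunnel exists, waits for the VPN adapter to report Up, re-adds the listed routes via that gateway, and finally prints which interface now carries the default route so the result can be audited. Restoring 0.0.0.0/0 re-creates exactly the split tunneling Bill describes, so a tighter policy would restrict the list to the specific prefixes that must stay reachable outside the tunnel.

```powershell
<#
  Added example, not from this thread: re-add routes removed by a VPN client
  once its adapter is up. Needs an elevated session and the NetTCPIP module.
  Assumptions: adapter name pattern 'VPN*'; routes to restore in $RoutesToRestore.
#>
param(
    [string]   $VpnAdapterPattern = 'VPN*',          # assumed adapter name pattern
    [string[]] $RoutesToRestore   = @('0.0.0.0/0'),  # assumed: restore the default route
    [int]      $TimeoutSeconds    = 120
)

# Capture the LAN default gateway BEFORE the tunnel comes up, because the
# client software deletes it once the VPN adapter is installed.
function Get-LanDefaultRoute {
    Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.NextHop -ne '0.0.0.0' } |
        Sort-Object RouteMetric |
        Select-Object -First 1
}

# Poll until an adapter matching the pattern reports Status 'Up', or give up.
function Wait-VpnAdapter {
    param([string]$Pattern, [int]$Timeout)
    $deadline = (Get-Date).AddSeconds($Timeout)
    while ((Get-Date) -lt $deadline) {
        $nic = Get-NetAdapter -Name $Pattern -ErrorAction SilentlyContinue |
               Where-Object Status -eq 'Up' | Select-Object -First 1
        if ($nic) { return $nic }
        Start-Sleep -Seconds 2
    }
    return $null
}

# Re-add each prefix via the LAN gateway. ActiveStore keeps the route
# non-persistent, so a reboot leaves the client's own configuration intact.
function Restore-Routes {
    param($LanRoute, [string[]]$Prefixes)
    foreach ($prefix in $Prefixes) {
        $exists = Get-NetRoute -DestinationPrefix $prefix `
                               -InterfaceIndex $LanRoute.InterfaceIndex `
                               -ErrorAction SilentlyContinue
        if (-not $exists) {
            New-NetRoute -DestinationPrefix $prefix `
                         -InterfaceIndex $LanRoute.InterfaceIndex `
                         -NextHop $LanRoute.NextHop `
                         -RouteMetric 5 -PolicyStore ActiveStore | Out-Null
            Write-Host "Added $prefix via $($LanRoute.NextHop) on interface $($LanRoute.InterfaceIndex)"
        }
    }
}

$lan = Get-LanDefaultRoute
if (-not $lan) {
    Write-Error 'No LAN default route found; start this script before the VPN connects.'
    exit 1
}

$vpn = Wait-VpnAdapter -Pattern $VpnAdapterPattern -Timeout $TimeoutSeconds
if (-not $vpn) {
    Write-Error "No adapter matching '$VpnAdapterPattern' came up within $TimeoutSeconds seconds."
    exit 1
}
Write-Host "VPN adapter '$($vpn.Name)' is up; restoring routes."

Restore-Routes -LanRoute $lan -Prefixes $RoutesToRestore

# Audit: show which interface(s) now carry a default route. Two entries,
# one on the VPN adapter and one on the LAN adapter, means split tunneling.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
    Select-Object InterfaceAlias, NextHop, RouteMetric |
    Format-Table -AutoSize
```

Launched at logon (before the user connects), the script simply blocks until the VPN adapter appears, which gives the "no interaction" behaviour Andrew asks for; the final route listing is the check to keep in a log if the organisation's policy on split tunneling needs to be verified per client.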
Andrew Story 10-26-2005, 08:36 AM
Thanks for the replies guys.
Bill, that is 'exactly' what I meant. Is there any way to have a script like
this run automatically after the VPN tunnel is created?
Ed, I ideally want this to be transparent to the users, e.g. no interaction.
Have you come across this before?
Thanks again, Andrew
Andrew Story 10-26-2005, 01:07 PM
No worries, sorted.
The firewall and VPN software supplier has issued us with a new client
security policy that works a treat for what we want to do.
Thanks for all your help.