
Remote VPN access on Windows 10 domain login including routes to remote sites

I am trying to achieve a roadwarrior VPN Access solution where users on Windows 10 clients can

  1. At the office, log in as usual without any VPN
  2. On the road, via mobile broadband, at windows login perform a windows domain logon via VPN.
  3. When VPN is connected all traffic is going through the tunnel.
  4. UTM should be able to detect Windows domain log on and log off => user-related rules. (STAS is installed on the DC to solve this for domain log on and domain log off)

I have been testing L2TP over IPsec, which solves all requirements except the third one. It seems that not all traffic is going through the tunnel? Looking at the client routing table, I can only see the local UTM network when connected. If the UTM has site-to-site tunnels to other UTMs, the traffic to the remote UTMs is obviously not going via the L2TP VPN tunnel.

Can anyone point me to a solution?
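The symptom described above (only the UTM's local network in the client routing table) is what a Windows built-in VPN connection looks like when split tunneling is enabled, i.e. when "Use default gateway on remote network" is not ticked. The following is an added example, not code from the original post or from Sophos, showing how to inspect and change that on the Windows 10 side with the VpnClient cmdlets, and how to add per-site routes if split tunneling is kept. The connection name "Corp-L2TP" and the prefixes 10.20.0.0/16 and 10.30.0.0/16 (standing in for the networks behind the site-to-site tunnels) are assumptions for illustration.

```powershell
# Added example (not from the original post or from Sophos): check and fix
# split tunneling on a Windows 10 built-in L2TP/IPsec connection.
# Assumptions: the connection is called "Corp-L2TP" and was created as an
# all-user connection (needed for dialling it from the logon screen);
# 10.20.0.0/16 and 10.30.0.0/16 are placeholder networks behind the UTM's
# site-to-site tunnels. Run from an elevated PowerShell session.

$Name = 'Corp-L2TP'

# 1. Show the current setting. SplitTunneling = True means Windows installs
#    only the routes handed out for the VPN network and no default route via
#    the tunnel, which matches "only the local UTM network is visible".
Get-VpnConnection -Name $Name -AllUserConnection |
    Select-Object Name, TunnelType, SplitTunneling, ConnectionStatus

# 2a. Force-tunnel everything (requirement 3 in the post). This is the same
#     as ticking "Use default gateway on remote network" in the adapter's
#     IPv4 properties.
Set-VpnConnection -Name $Name -AllUserConnection -SplitTunneling $false

# 2b. Alternative: keep split tunneling but add explicit routes so traffic
#     to the remote sites also enters the L2TP tunnel. Uncomment to use
#     instead of 2a.
# Set-VpnConnection -Name $Name -AllUserConnection -SplitTunneling $true
# foreach ($Prefix in '10.20.0.0/16', '10.30.0.0/16') {
#     Add-VpnConnectionRoute -ConnectionName $Name -AllUserConnection `
#         -DestinationPrefix $Prefix -PassThru
# }

# 3. Verify while connected: with split tunneling off there should be a
#    0.0.0.0/0 route on the VPN interface whose metric is lower than the
#    physical adapter's default route, so it wins.
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
    Sort-Object RouteMetric, InterfaceMetric |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, InterfaceMetric
```

Two caveats. First, a route on the client only decides which packets enter the tunnel; for traffic to the other sites to actually arrive, the UTM must forward the L2TP address pool into its site-to-site tunnels and the remote UTMs must have that pool in their tunnel definitions as well, otherwise the packets are dropped at the first hop. Second, these cmdlets act on the Windows built-in VPN client (L2TP, IKEv2, SSTP, PPTP); they do not configure the Sophos SSL or IPsec clients, which get their routes from the UTM-side "local networks" setting.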



  • This thread has information about routes for L2TP, which Sophos UTM does not support. So apparently L2TP is not the solution?

    What about the Sophos commercial VPN client? It does not support connecting the VPN at the Windows logon screen (as L2TP over IPsec does). But if I log on locally and then connect the VPN, can I rely on the user-based rules in UTM? And what happens to all the Windows domain stuff which normally happens when the client computer is connected to the DC during domain log on?

    There must be people out there who have done this?

  • Have not used L2TP, and the documentation seems weak. I infer that all traffic is forwarded, and firewall rules can be used to limit things further. SSL VPN seems to provide more configuration flexibility and better authentication options for Windows-integrated authentication. In SSL VPN, you prevent split tunneling by setting the local networks to "Any".

    To force the user to always use VPN, you could try setting the DNS addresses for both wired and wireless to use your internal DNS servers. Unless the remote-site DNS happens to use the same IP as your DNS, the user will not be able to do anything useful until the VPN is enabled.

    I don't think any of the UTM remote access methods can be activated prior to Windows login, so your core objective cannot be achieved. Another post asked about Microsoft DirectAccess, a new add-on feature that was introduced with Server 2016. Based on his post, I looked a little at the product description. It appears to be targeted at your problem. The machine keeps a connection to the home office at all times that a network is available, and enforces corporate policies even when remote. It does not appear to enforce all traffic flowing through the home office. But in some situations, doing so may produce unacceptable latency.

  • DouglasFoster said:
    I infer that all traffic is forwarded, and firewall rules can be used to limit things further.

    My findings say that is not the case. Only the subnets of the UTM are forwarded.

    I downloaded and tested the Sophos commercial IPsec client and it works. However, the user is not registered in the UTM Client Authentication, which disqualifies user-based rules. :(