Having a batch file run after a NIC is installed.


Andrew Story

I appreciate this may be a strange one...

My org is soon to change which site our VPN clients enter the network from,
thus a different firewall and IP. The VPN client configuration file needs
to point towards the new box on all the VPN clients, no problem there.

What is the issue though, is that (after some vendor software updates to the
firewall security) all Internet routes are lost when the VPN NIC is
installed after the remote user logs on. Thus the user now has no internet
access until the routes are added again. A way we can get around this is to
add the routes back via a batch file, but can only do this AFTER the NIC is
installed by the VPN client software. Does anyone know of a way around
this? We can't push this out via AD due to the users logging on locally at
first, then being authenticated by the firewall so no scripts can be run
from inside the network.

Any ideas/suggestions/comments welcome. If you need more info please ask.

Thanks in advance.
 
Copy the batch file to the pc before the switch, execute it after the NIC is
installed.

Ed
 
Andrew said:
My org is soon to change which site our VPN clients enter the network
from, thus a different firewall and IP. The VPN client configuration
file needs to point towards the new box on all the VPN clients, no
problem there.

What is the issue though, is that (after some vendor software updates
to the firewall security) all Internet routes are lost when the VPN
NIC is installed after the remote user logs on. Thus the user now
has no internet access until the routes are added again. A way we
can get around this is to add the routes back via a batch file, but
can only do this AFTER the NIC is installed by the VPN client
software. Does anyone know of a way around this? We can't push this
out via AD due to the users logging on locally at first, then being
authenticated by the firewall so no scripts can be run from inside
the network.

If I understand your question, you're referring to split tunneling or
client-side routing, which is considered to be a security hole by some.
This is because the VPN client has an established VPN tunnel and can
still access other networks through their default route. (I'm assuming
you mean "after a VPN tunnel is established" when you say "a NIC is
installed.")

Some vendors' VPN client software can be configured to support split
tunneling (I've done this with the Cisco client). On the Microsoft side,
you can create a CMAK connectoid on Windows Server 2003 that configures
route table updates.

For the curious, I wrote a program called vpnroute that you can run on
the client side after the VPN tunnel is established. You can download it
here:

http://www.cybermesa.com/~bstewart/misctools.html

It always worked for me when I used it, but some people have told me
that it didn't work for them. I don't think I'll be updating it, though,
since there are other ways to do it.
 
Thanks for the replies guys.

Bill, that is 'exactly' what I meant. Is there any way to have a script like
this run automatically after the VPN tunnel is created?

Ed, I ideally want this to be transparent to the users e.g. no interaction.
Have you come across this before?

Thanks again, Andrew
 
No worries, sorted.

The firewall and vpn software supplier has issued us with a new client
security policy that works a treat for what we want to do.

Thanks for all your help.
 