Redirecting VPN clients so they do not use VPN to access Internet.


Frank Smith

Greetings,

I would like to configure my RRAS server to redirect VPN
clients to use their primary internet connection when
accessing Internet resources. It seems inefficient for
Internet-bound packets to traverse our company Internet
connection twice.

Playing with routing and filters I can block access to the
Internet but what I am looking for is the RRAS server to
send the client an ICMP Network Unreachable which will
hopefully encourage the client to use its primary Internet
connection and not the VPN tunnel.

P.S. I am not interested in any solution that would
require client configuration changes.

Thanx Frank
 
Hi,

If you don't want the extra traffic from the VPN clients going across your
LAN, the best solution is to block them from accessing the Internet when
connected to your VPN. If you allow them to connect to your VPN and still
access the Internet through their regular Internet connection (split
tunnelling), you are exposing your network to a security risk. If someone
gains control of your VPN client across their regular Internet connection
they will have instant access to your LAN.

If you still want to allow the VPN clients to access the Internet while
connected to your VPN, then letting them go out through your LAN is the best
solution provided your LAN is properly secured.

Finally, if you still want to let the clients use their own Internet
connection while connected to your VPN and are willing to risk compromising
your security, you will need to make a client config change. On the VPN
connection of the client simply uncheck the "Use Default Gateway on Remote
Network" checkbox. This will allow them to do "split tunnelling".

--

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.
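
An audit for the client setting named in the reply above, as an added example that is not part of the original thread. It assumes the client keeps the "Use Default Gateway on Remote Network" checkbox as the `IpPrioritizeRemote` key in its RAS phonebook file (rasphone.pbk); the sample phonebook, entry names and host names are constructed.

```python
"""Classify VPN entries in a Windows RAS phonebook by tunnelling mode."""

# Constructed sample phonebook text (not taken from the thread).
SAMPLE_PBK = """\
[Corp VPN]
Encoding=1
IpPrioritizeRemote=1

MEDIA=rastapi
DEVICE=vpn
PhoneNumber=vpn.example.com

[Branch VPN]
Encoding=1
IpPrioritizeRemote=0

MEDIA=rastapi
DEVICE=vpn
PhoneNumber=branch.example.com

[Legacy VPN]
Encoding=1
"""

# Assumption: this key mirrors the "Use Default Gateway on Remote Network" box.
FLAG = "IpPrioritizeRemote"


def parse_phonebook(text):
    """Return {entry name: {key: first value seen}}.

    Keys such as DEVICE= can repeat inside one entry, so a small
    hand-written parser is used instead of configparser.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = entries.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), value.strip())
    return entries


def audit_split_tunnel(text):
    """Map each entry to 'full-tunnel', 'split-tunnel' or 'unknown'."""
    modes = {"1": "full-tunnel", "0": "split-tunnel"}
    return {name: modes.get(keys.get(FLAG), "unknown")
            for name, keys in parse_phonebook(text).items()}


if __name__ == "__main__":
    for name, mode in audit_split_tunnel(SAMPLE_PBK).items():
        print(f"{name}: {mode}")
```

Entries reported as `split-tunnel` or `unknown` are the ones to review against the policy the reply describes.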
 