Terminal Services to VPN and Non-VPN Simultaneously.


louis sorbera

Is it possible to configure a PC to connect to a VPN without losing open
connections?

I'm finding more and more of my clients who are switching to VPN and
whenever I need to connect to them, all my existing connections are dropped.
When I reconnect, I'm assuming the connections are re-established (routed)
through the VPN connection because they slow down to the speed of the
connection on the VPN, which has often been much slower than my connection
was prior. Not to mention the fact I am forcing all my other connections
through their network which is probably not ideal for them.

Is it possible to configure 2 NICs by chance as a resolution? I realize this
will only allow you to connect to one VPN at a time, but this would at least
be better than dropping all your other connections and routing through the
VPN while you need to work with that system.

The only problem with this is that I don't see anywhere in my VPN connection
settings where I can specify which NIC to use.

Unless I'm missing something fundamental, this all is kind of a throw back
to the old days when if you had to connect to a server via dialup RAS, your
web connection became as slow as the speed of the RAS. UGGGH!!

Thank you,
Louis Sorbera
 
Unfortunately, having two connections open at the same
time, one VPN and one non-VPN, will result in the
behavior you are seeing. See, when you establish a VPN,
that VPN sets a default route for all your packets to go
through the VPN. Trying to route packets around the VPN
kind of defeats the purpose of the VPN, and thus is
disallowed.

-M
 
Louis,

This is typically caused by the "use remote gateway" option, which is enabled
by default (for security reasons, which would have to be a first for MS).

Disabling it turns your computer into a bridge between the internet and the
remote network (split tunneling, I believe it is called), opening the network
to anyone with the knowledge to get through it, even more so if you have 2
VPNs open at once: you bridge those together, making it easy to get from one
network to another. Unless you have adequate firewall and antivirus
protection it is very unwise to disable it. So only do it if you have to.

I used to disable the use of the remote gateway until I learnt of
the security issues. But you can block access to the net through the VPN via
rules in RRAS or whatever VPN server you are using (what I did when we had a
3 gig data cap at the office).

Hope that helps a bit.

Tim
 
VPN (Virtual Private Network) is a means of locking down the access between
two points on the internet. Normal connections *can* be intercepted and/or
spoofed. Data sent between the two computers is not secure. VPN basically
creates a tunnel between two points and locks it down so that transmissions
are secure. It usually involves userid and password verification and also
encryption.

Whether you need it or not depends on the situation. At the Hospice I
support, we have several dozen laptops that run a healthcare app we use. It
has a local copy of the database on the laptop. The nurses enter their daily
patient information and assessments during (or shortly after) their visits.
They then have to sync their database with the one at Hospice, uploading
their information and downloading any new patient information. This is
extremely sensitive patient information and regulations (like HIPAA) require
that we send it in a secure manner. VPN provides us that security.
 
Tim Hall said:
This is typically caused by the "use remote gateway" option, which is enabled
by default (for security reasons, which would have to be a first for MS).

Disabling it turns your computer into a bridge between the internet and the
remote network (split tunneling, I believe it is called), opening the network
to anyone with the knowledge to get through it, even more so if you have 2
VPNs open at once: you bridge those together, making it easy to get from one
network to another. Unless you have adequate firewall and antivirus
protection it is very unwise to disable it. So only do it if you have to.

I used to disable the use of the remote gateway until I learnt of
the security issues. But you can block access to the net through the VPN via
rules in RRAS or whatever VPN server you are using (what I did when we had a
3 gig data cap at the office).

Hope that helps a bit.

Tim

It definitely helps, but I find it unbelievable.

If it is true, all it takes is one user to flip this switch (the "use remote
gateway" option) - AT THE CLIENT END, in many/most cases unknowingly, and the
VPN is meaningless.

Anyone who sets up a VPN and thinks it is secure is simply fooling
his/herself, and corporate America (world) has the wool pulled over their
eyes by IT assurances of security. How can this be?

Is there no way to disable this client capability "feature" at the VPN end?
If not, is there no way to monitor and detect that the client has done this,
and ask them to set it back, or disable their logon?

Louis
 
Yeah, it is hard to believe there is no server option for disallowing split
tunneling; there may be on some VPN server systems, but it doesn't appear to be
on RRAS. Surely it wouldn't be too hard for someone who has the skill to
write a VPN server to add that kind of checking.

One option would be, if it's possible to disconnect a VPN user through APIs,
you could have a client app that they have to run which can get the local
routing table and see what path it takes, and then send it to a server
program which will kill the session if it doesn't go through the VPN link, and
if the server program doesn't receive a response within a few min it will
kill the session anyway (to stop them from not running the app). I might
have to have a look around and see if there are any RRAS APIs.

I believe there is an MS utility that creates the VPN settings and possibly
locks them down; the isaserver.org site says it's called Connection Manager
Administration Kit.

Have a look at
http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html
In particular

Smack Down Non-Compliant Users who Disable the Default Gateway Setting

and

Improve VPN Client Security with Off-Subnet Addresses


Tim
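As an added illustration of the client-side routing-table check Tim sketches above, and of the default-route behaviour described in the earlier replies (the "use remote gateway" option installs a default route through the VPN adapter), here is a Python example that is not from the thread and not part of RRAS or CMAK. It parses constructed Windows `route print` rows and reports whether the lowest-metric default route leaves through the VPN adapter; the VPN adapter address (10.8.0.6) and the sample rows are assumptions.

```python
import re
from collections import namedtuple

Route = namedtuple("Route", "dest mask gateway iface metric")

# IPv4 row of 'Active Routes': dest, mask, gateway (IP or 'On-link'), iface, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")


def parse_route_print(text):
    """Keep only lines that look like IPv4 route rows; headers are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            d, n, g, i, met = m.groups()
            routes.append(Route(d, n, g, i, int(met)))
    return routes


def classify(routes, vpn_iface_ip):
    """Return 'no-vpn', 'full-tunnel' or 'split-tunnel'.

    vpn_iface_ip is the address the VPN server assigned to the client
    (assumed known to the checker). Windows uses the default route with
    the lowest metric, so that row says where Internet traffic exits."""
    if not any(r.iface == vpn_iface_ip for r in routes):
        return "no-vpn"
    defaults = [r for r in routes if r.dest == "0.0.0.0" and r.mask == "0.0.0.0"]
    best = min(defaults, key=lambda r: r.metric, default=None)
    if best is not None and best.iface == vpn_iface_ip:
        return "full-tunnel"
    return "split-tunnel"


# Constructed sample: 'Use default gateway on remote network' enabled.
FULL_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20     25
          0.0.0.0          0.0.0.0         On-link        10.8.0.6      1
         10.8.0.0    255.255.255.0         On-link        10.8.0.6    257
      192.168.1.0    255.255.255.0         On-link    192.168.1.20    281
"""
# Constructed sample: option disabled; only a class-based route to the
# remote 10.0.0.0/8 network is added, so Internet traffic stays on the LAN NIC.
SPLIT_TUNNEL = """\
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20     25
         10.0.0.0        255.0.0.0         On-link        10.8.0.6     11
         10.8.0.0    255.255.255.0         On-link        10.8.0.6    257
"""
```

On a real client the text would come from running `route print` (or `route print -4`) and the classification would be what the client app reports to the server-side check.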
 