How can I block internet access unless connecting to secure network via VPN

Pacman73

Distinguished
Mar 6, 2011
I have users who have the ability to connect to the office network via VPN, where we have all the security in place. However, if they connect their laptops to a home or hotel broadband, they're able to surf the web freely. How can I set it up so that each laptop can only connect to the internet once they have connected via VPN?

Thanks
Paul
 

someone19

Distinguished
Jan 16, 2011
It would slow down their internet connection speeds noticeably, but you can set up the laptops to connect via a proxy on the corporate network. That way almost all of the internet traffic gets routed through the VPN.

You can't set up the laptops to only access the internet through the VPN, because then how does the VPN connect...?

The problems you'll face are that not all internet software uses the proxy settings, and a somewhat knowledgeable user can change the proxy settings of different programs. There will also be a considerable slowdown in internet speed on their end, and in internet use on your end.
 
Add L2TP/IPSec VPN. This is also a lock.

Computers set up to use this can only access the internet or network using this system (and must have a certificate installed to use L2TP/IPSec, as must the target machine they connect to).

If they aren't connecting to your designated VPN target, they can't connect at all unless they learn how to hack the registry to remove the "AssumeUDPEncapsulationContextOnSendRule" at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
after the L2TP/IPSec is installed. Don't look for that entry now, it's not there until L2TP/IPSec VPN is installed.

This new registry entry, part of L2TP/IPSec, affects any network adapter connected to the machine now or in the future (a sneaked-in USB dongle connection is still bound by this).

In other words, no VPN connection to your site, then nothing. You can add more certificates for more VPN sites if needed. If your target VPN site has internet, they can surf from there.

I use this myself. I VPN to a location in the USA most of the time (from Venezuela). If I want to do local internet surfing, I must do a specific restore point that has the L2TP/IPSec VPN not present. I have another restore point to put it all back again. This is faster than removing things and putting them back manually. Just don't tell employees about this method.


Just an idea.


Edit:
ClickMe to see how this works.
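One way to get the "no VPN connection, then nothing" behaviour the thread is after, on the client side, is a Windows Firewall policy that only lets the laptop talk to the L2TP/IPsec gateway until the tunnel is up and then allows traffic through the VPN adapter alone. This is an added example, not code from any poster above; the gateway address and the VPN connection name are placeholders, and it uses the built-in firewall cmdlets rather than the proxy or registry approaches the replies describe.

```powershell
# Added example: Windows Firewall "kill switch" for an L2TP/IPsec VPN.
# Run elevated, and push the same rules via Group Policy in production so a
# non-admin user cannot simply delete them (the same bypass risk the thread
# raises for proxy settings). Placeholder values, not real infrastructure:
$VpnServer  = "203.0.113.10"   # gateway IP; a hostname would need DNS, which is blocked before the tunnel exists
$VpnAdapter = "Corp VPN"       # name of the VPN connection, which is also its interface alias once connected

# 1. On untrusted networks (home, hotel) block all outbound traffic by default.
#    The Domain profile is left untouched so the laptop behaves normally in the office.
Set-NetFirewallProfile -Profile Private,Public -DefaultOutboundAction Block

# 2. Allow only what is needed to bring an L2TP/IPsec tunnel up:
#    IKE on UDP 500, NAT-Traversal on UDP 4500, and plain ESP (IP protocol 50).
#    L2TP itself (UDP 1701) rides inside the IPsec tunnel, so no separate rule is needed.
New-NetFirewallRule -DisplayName "VPN gateway IKE and NAT-T" -Direction Outbound -Action Allow `
    -Profile Private,Public -Protocol UDP -RemotePort 500,4500 -RemoteAddress $VpnServer
New-NetFirewallRule -DisplayName "VPN gateway ESP" -Direction Outbound -Action Allow `
    -Profile Private,Public -Protocol 50 -RemoteAddress $VpnServer

# 3. Once the tunnel is up, everything is allowed through the VPN adapter only;
#    traffic on the physical Wi-Fi or Ethernet adapter stays blocked.
New-NetFirewallRule -DisplayName "Internet via VPN adapter only" -Direction Outbound -Action Allow `
    -Profile Private,Public -InterfaceAlias $VpnAdapter

# 4. DHCP so the laptop can still obtain a local address on the hotel or home network.
New-NetFirewallRule -DisplayName "DHCP client" -Direction Outbound -Action Allow `
    -Profile Private,Public -Protocol UDP -LocalPort 68 -RemotePort 67

# Quick check: with the VPN down, Test-NetConnection to any public host on port 443
# should fail; after `rasdial $VpnAdapter` (or the tray client) connects, it should succeed.
```

Hotel captive portals are the main operational snag: they require a browser login before any VPN can connect, so plan for that (for example a time-limited exception an administrator can enable) before rolling this out. Apply the rules to a single test laptop first and confirm the VPN client itself still connects.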