  1. #1
    New Lounger
    Join Date
    Nov 2013
    Posts
    5
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Enable domain users to add static route

    Hi, I want to enable my domain users to add a static route to their computers, but I don't know which GPO can help me with this.
    Can someone help me with this?

  3. #2
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    You can use your Logon scripts.

    If you want specific users to have certain static routes configured, you could call a batch or powershell script from within the logon scripts. However, I think this would need local admin privileges for the user account.

    If you want specific machines to have static routes, you could configure that on the computer account logon rather than the user account. This would use the System account and not require elevated user permissions.

    In general, allowing users to add or modify static routes is a potentially dangerous thing to do for the security and health of your network: if you need static routes, I think it would be preferable to configure it on the computer account rather than for the user.
    In God we trust; all others must bring data.

    - William Edwards Deming. 1900 - 1993
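
The per-computer approach described in the post above, as an added example that is not part of the original thread: a GPO computer startup script, which runs as SYSTEM, adds the route so that user accounts stay unprivileged. The addresses and the log path are placeholders assumed for illustration.

```powershell
# Added example: assign as a computer startup script through Group Policy.
# It runs as SYSTEM, so no user needs local admin rights to get the route.
# All addresses are placeholders (documentation ranges), not values from the thread.
$Destination = '198.51.100.0'
$Mask        = '255.255.255.0'
$Gateway     = '192.0.2.1'
$LogFile     = Join-Path $env:SystemRoot 'Temp\static-route.log'   # hypothetical log path

function Write-Log([string]$Message) {
    # Timestamped line so a route change can be traced to a boot time later
    Add-Content -Path $LogFile -Value ('{0:s} {1}' -f (Get-Date), $Message)
}

function Test-RoutePresent {
    # "route print <destination>" lists matching routes (active and persistent);
    # match the exact destination / mask / gateway triple at the start of a line.
    $pattern = '^\s*{0}\s+{1}\s+{2}\s' -f [regex]::Escape($Destination),
                                           [regex]::Escape($Mask),
                                           [regex]::Escape($Gateway)
    $matching = @(& route.exe print $Destination) -match $pattern
    return ($matching.Count -gt 0)
}

if (Test-RoutePresent) {
    Write-Log "Route $Destination/$Mask via $Gateway already present; nothing to do."
    exit 0
}

# -p makes the route persistent across reboots. The gateway must be reachable
# on a connected interface at this point, otherwise the add is rejected.
& route.exe -p add $Destination mask $Mask $Gateway | Out-Null

# Verify by re-reading the routing table instead of trusting the command output
if (Test-RoutePresent) {
    Write-Log "Added persistent route $Destination/$Mask via $Gateway."
    exit 0
}

Write-Log "Failed to add route $Destination/$Mask via $Gateway."
exit 1
```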

  4. #3
    Platinum Lounger
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    3,543
    Thanks
    7
    Thanked 225 Times in 213 Posts
    Users should never need to add routes, your network router should do all the work for them - then when it goes wrong or the route changes there is only one place to look / change.

    What route do they need to add and why?

    cheers, Paul

  5. #4
    New Lounger
    Join Date
    Nov 2013
    Posts
    5
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Paul T & Tinto Tech: Thanks for the reply.
    Actually, I have a VPN dialler that, as soon as the user logs in to his/her machine, dials a VPN connection for internet access.
    When the VPN connection is established, I want a static route to be added to the user's machine to route all of its internet traffic through this tunnel.
    Everything goes fine except adding this static route, because the user does not have such a permission.
    I don't know which GPO rule suits my need.

  6. #5
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    Quote Originally Posted by mahmood_teh View Post
    Actually, I have a VPN dialler that, as soon as the user logs in to his/her machine, dials a VPN connection for internet access.
    You have a somewhat unusual configuration. No doubt there is a very valid reason for this configuration, but it is difficult in this circumstance to answer without understanding the reasons why you need a VPN for internet access for all users.

    You do not describe the VPN dialler, but often these tools will have settings to route internet traffic automatically.

    Alternatively you could deploy an on-site proxy server which manages all internet traffic: it could even direct this traffic over a VPN if needed. This provides a single point for configuration as Paul T suggested.

    Failing that, setting a per computer static route in the AD Computer logon script should meet the requirement, but that may have unwanted implications for the reasons why you need VPN access for internet traffic.

  8. #6
    Platinum Lounger
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    3,543
    Thanks
    7
    Thanked 225 Times in 213 Posts
    It is also difficult to set routes for internet access because the IP address could be almost anything and you effectively have to set a default route to the internet, with specific routes for local traffic. To get around that problem you set the browser to use a proxy, which should be possible with the VPN software.

    cheers, Paul

  10. #7
    New Lounger
    Join Date
    Nov 2013
    Posts
    5
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Honestly, my customer wants his employees to use only the VPN connection for accessing the internet. My dialler can handle everything, including finding the IP address assigned by the VPN server and adding the static route.
    But my difficulty is in a Windows domain environment. To add a static route on clients, this dialler needs permissions except administrator ones. To track users' internet usage, we need them to log in through the dialler with their domain usernames, and for that their accounts must have the required privileges for adding a static route.

  11. #8
    Platinum Lounger
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    3,543
    Thanks
    7
    Thanked 225 Times in 213 Posts
    The VPN will have an address / route. Try setting the browser proxy to that address.

    cheers, Paul

  12. #9
    New Lounger
    Join Date
    Nov 2013
    Posts
    5
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Well then, how can I track the user? Where does the user enter his username and password?

  13. #10
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    I think there is more to your requirement than in your original request, and it sounds a bit complicated the way you intend to do it. As Paul T suggested, a VPN would not know how to route outgoing connections to hosts over the internet.

    If your customer requires to track, monitor, or control his users' internet access, then a VPN is not the way to do it. A VPN will provide secure point to point communications. This can be made anonymous at the far end and is sometimes used to transit national boundaries where restrictions would otherwise prohibit. But a VPN does not in itself control, log or otherwise monitor traffic. To do that you need a Proxy. In fact, reading between the lines, I think your dialer is in part a Proxy service, but not one that we might describe as normal.

    I recommend that you deploy a full proxy server. Have your users authenticate against that Proxy Server using Active Directory - no additional authentication, just the single sign on in AD. The proxy server can be configured to log, monitor or control users' actions in pretty much any way you wish. It can then also dial out the http requests over a VPN service if you need that secure point to point or anonymous connection.

    The VPN forms part of the network connection operating at Layer 3 while the Proxy implements your control, monitoring and logging at the transport Layer 4.
    Last edited by Tinto Tech; 2013-11-11 at 15:56.

  14. #11
    New Lounger
    Join Date
    Nov 2013
    Posts
    5
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Well, all you say is absolutely right and I agree with that.
    My dialler can handle almost everything and I only have this problem in a Windows domain environment.
    After establishing the VPN connection to the VPN server, this dialler must have enough privileges to add a static route on the client machine.
    This dialler uses the user's Windows credentials as the username and password for establishing the VPN connection.
    Unfortunately I can not change network topology and this decision has been taken based on customer's network data-flow.
    Attached file may be helpful.
    Screenshot from 2013-11-12 11:37:09.png

  15. #12
    Platinum Lounger
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    3,543
    Thanks
    7
    Thanked 225 Times in 213 Posts
    Static routes are not the answer IMHO. You should be using the browser's proxy settings to route internet requests and this setting will be used by all programs requiring internet access.

    cheers, Paul
