Enable domain users to add static route

Topic

New Reply

Hi, I want to enable my domain users to add static route to their computers but I don’t know which GPO can help me on this.
Can some one help me on this?

Reply | Quote

Replies

You can use your Logon scripts.

If you want specific users to have certain static routes configured, you could call a batch or powershell script from within the logon scripts. However, I think this would need local admin privileges for the user account.

If you want specific machines to have static routes, you could configure that on the computer account logon rather than the user account. This would use the System account and not require elevated user permissions.

I general, allowing users to add or modify static routes is a potentially dangerous thing to do for the security and health of your network: if you need static routes, I think it would be preferrable to configure it on the computer account rather than for the user.

Reply | Quote

Users should never need to add routes, your network router should do all the work for them – then when it goes wrong or the route changes there is only one place to look / change.

What route do they need to add and why?

cheers, Paul

Reply | Quote

Paul T & Tinto Tech: Thanks for reply,
Actually I have a VPN dialler that as soon as user log-ins into his/her machine dial a VPN connection for internet access.
I want when VPN connection established, a static route be added to users machine for routing all of it’s internet traffic through this tunnel.
Every this goes find but adding this static route because the user does not have such a permission.
I don’t know which GPO rule can suits my need.

Reply | Quote

Actually I have a VPN dialler that as soon as user log-ins into his/her machine dial a VPN connection for internet access.

You have a somewhat unusual configuration. No doubt there is a very valid reason for this configuration, but it is difficult in this circumstance to answer without understanding the reasons reasons why you need a VPN for internet access for all users.

You do not describe the VPN dialler, but often these tools will have settings to route internet traffic automatically.

Alternatively you could deploy an on-site proxy server which manages all internet traffic: it could even direct this traffic over a VPN if needed. This provides a single point for configuration as Paul T suggested.

Failing that, setting a per computer static route in the AD Computer logon script should meet the requirement, but that may have unwanted implications for the reasons why you need VPN access for internet traffic.

Reply | Quote

It is also difficult to set routes for internet access because the IP address could be almost anything and you effectively have to set a default route to the internet, with specific routes for local traffic. To get around that problem you set the browser to use a proxy, which should be possible with the VPN software.

cheers, Paul

Reply | Quote

Honestly, my customer wants his employees only use VPN connection for accessing to the internet. My dialler can handle everything including finding the assigned IP address by VPN server and adding static route.
But my difficulties is on a windows domain environment. For adding static route to clients, this dailler needs permissions except administrator ones. For tracking user’s internet usage we need them to login by dailer with their domain usernames and for that their account must have required privileges for adding static route.

Reply | Quote

The VPN will have an address / route. Try setting the browser proxy to that address.

cheers, Paul

Reply | Quote

Well then how I can track the user? where does user enter his username and password?

Reply | Quote

I think there is more to your requirement than in your original request and it sounds a bit complicated the way you intend to do it. As Paut T suggested a VPN would not know how to route outgoing connections to hosts over the internet.

If your customer requires to track, monitor, or control his user’s internet access, then a VPN is not the way to do it. A VPN will provide secure point to point communications. This can be made anonymous at the far end and is sometimes used to transit national boundaries where restrictions would otherwise prohibit. But a VPN does not in itself control, log or otherwise monitor traffic. To do that you need a Proxy. In fact, reading between the lines, I think your dialer is in part a Proxy service, but not one that we might describe as normal.

I recommend that you deploy a full proxy server. Have your users authenticate against that Proxy Server using Active Directory – no additional authentication, just the single sign on in AD. The proxy server can be configured to log, monitor or control users actions in pretty much any way you wish. It can then also dial out the http requests over a VPN service if you need that secure point to point or anonymous connection.

The VPN forms part of the network connection operating at Layer 3 while the Proxy implements your control, monitoring and logging at the transport Layer 4.

Reply | Quote

Well, all you say is absolutely right and I agree with that.
My dialler can handle almost every thing and I only have this problem on windows domain environment.
This dialler after establishing VPN connection to the VPN server must have enough privileges to add static route on client machine.
This dialler uses user’s windows credencial as user-name and password for establishing VPN connection.
Unfortunately I can not change network topology and this decision has been taken based on customer’s network data-flow.
Attached file may be helpful.
35449-Screenshot-from-2013-11-12-113709

Reply | Quote

Static routes are not the answer IMHO. You should be using the browser’s proxy settings to route internet requests and this setting will be used by all programs requiring internet access.

cheers, Paul

Reply | Quote