Restricting internet access.

New Contributor

We are going through some heavy security changes here, and one of the requests is to limit internet access when outside the company (not on VPN)

I would like to be able to do this via casper instead of using an application like Mcafee.

Has anyone had any experience of this?

Cheers, Neil



Are you looking to have some kind of reduced access, or no access when off the VPN?

You may be able to use a configuration profile to turn off the Airport, or force it to a specific SSID.

Or maybe something with certificate authentication? (I'd have to think on this one a little more)

New Contributor

Hi Jennifer, thank you for your response.

The scenario we are aiming for is:
User takes machine off site, internet access is blocked for all NICs, until the user connects to VPN and gets an internal IP address.

I guess the closest Application would be a host checker.

This might not be possible, or a very clean way of doing this, but I thought it was worth asking.

Thank you!

Contributor II

@Boughen I would look at a "always on" vpn solution like direct connect. This will cause the machine to automatically connect to vpn when it get a network connection.


@Boughen Actually, I'm looking to do the same thing with a VPN project (though we're still quite far away from that point).

We're planning on using the AnyConnect client from Cisco, as it offers an 'always-on' VPN option.

This is an old review, but it lays out the feature pretty well:

Anyconnect will always send back network traffic to corporate for inspection and control. This helps to protect the endpoint from internet threats. The always-on setting cannot be disabled by normal end users, only ASA administrators. However, the administrator can choose to provide the user with a disconnect button in the client which will drop the session. The ASA administrator determines what happens if Anyconnect fails to re-establish the VPN connection for whatever reason. The two choices are Fail-open and Fail-closed. Fail-open allows the user to use the network while fail-closed disabled all user network access until the VPN session re-establishes. Administrators can enable/disable always-on VPN based on ASA group policies or Dynamic Access Policies (DAP). Anyconnect will detect when users much authenticate through a captive portal, like at Starbucks. The administrator determines how long the user has to authenticate to the portal before network access is restricted.

Contributor III

I didn't realize AnyConnect had an always on option. We are investigating Direct Access for our off site windows clients and I have been mulling about how to replicate for OS X. I have had some discussions with the security team about the VPN (We use AnyConnect) but they never mentioned AnyConnect could be configured with always on functionality from the point of login. I'm going to have to get with them again to investigate if we are licensed for that functionality or if we need to purchase something else, and get a test going.