How to limit Hotspot registration to a VPN embedded Browser
Solution

Background

Some customers allow their users only basic network services (such as DHCP, DNS, and HTTPS to the VPN Gateway only) while the client is disconnected from the VPN Server. When these users want to create a VPN connection via a Hotspot, they must first click the "Register to Hotspot" button.
This action creates an "Allow" rule in the firewall for the preconfigured destination ports (by default 80, 8080, and 443) for a limited period of time. The rule lets the user enter credentials in a "Captive Portal" and connect to the VPN Server. Customers complain that their users exploit this bypass to browse the Internet freely with an external browser.

Solution:

When a VPN connection is created via a Hotspot, the firewall bypasses its policy only for VPN-related processes. As a result, only the VPN embedded browser can display the "Captive Portal"; all other applications are handled according to the general Firewall policy.

Usage instructions:

This feature can be enabled and disabled from the Management UI.

To enable the hotspot limitation feature:
  1. Open the Management UI.
  2. Add the "limithotspot" word to the Firewall policy "Comment" field.
  3. Install policy.
To disable the feature:
  1. Open the Management UI.
  2. Remove the "limithotspot" word from the Firewall policy "Comment" field.
  3. Install policy.
* After this feature is enabled, the VPN processes can send packets to any destination port; the preconfigured destination ports are no longer taken into account.

Note: The best practice is to add "limithotspot" to the connected, disconnected and restricted policies.
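To make the two behaviours concrete, here is an added Python model of the decision logic described above; it is not Check Point code. The VPN process names, the 300-second registration window and the "basic services" rules are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the hotspot bypass described in this article.
HOTSPOT_PORTS = {80, 8080, 443}              # default preconfigured ports
VPN_PROCESSES = {"vpn_client", "vpn_browser"}  # hypothetical VPN-related process names
HOTSPOT_WINDOW = 300.0                        # assumed "limited period", in seconds


@dataclass
class Packet:
    process: str    # originating process on the endpoint
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"


def basic_policy(p: Packet, gateway_ip: str) -> bool:
    """General 'disconnected' policy: DHCP, DNS, and HTTPS to the VPN Gateway only."""
    if p.proto == "udp" and p.dst_port in (67, 68):
        return True                                   # DHCP
    if p.dst_port == 53:
        return True                                   # DNS
    return p.proto == "tcp" and p.dst_port == 443 and p.dst_ip == gateway_ip


def hotspot_allows(p: Packet, now: float, registered_at: Optional[float],
                   limithotspot: bool) -> bool:
    """Temporary 'Allow' rule created by clicking 'Register to Hotspot'."""
    if registered_at is None or now - registered_at > HOTSPOT_WINDOW:
        return False                  # not registered, or the limited period expired
    if limithotspot:
        # Only VPN processes are bypassed, and to any destination port.
        return p.process in VPN_PROCESSES
    # Default behaviour: any process may reach the preconfigured ports,
    # which is the bypass an external browser exploits.
    return p.dst_port in HOTSPOT_PORTS


def decide(p: Packet, gateway_ip: str, now: float,
           registered_at: Optional[float], limithotspot: bool) -> str:
    """Return 'allow' or 'drop' for a packet under the combined policy."""
    if basic_policy(p, gateway_ip) or hotspot_allows(p, now, registered_at, limithotspot):
        return "allow"
    return "drop"


if __name__ == "__main__":
    web = Packet("chrome", "203.0.113.10", 443, "tcp")   # constructed sample
    print(decide(web, "198.51.100.1", 100.0, 90.0, False))  # allow (the complaint)
    print(decide(web, "198.51.100.1", 100.0, 90.0, True))   # drop
```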

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
