Can my boss see this on my VPN/RDP

My Situation: I work from home and use a Cisco IPSec VPN using DHCP from both a Mac and PC to RDP/RDC to my office PC. I want to keep the VPN on the Mac connected all the time because I have to reboot nearly every time I disconnect and want to reconnect - long story.

My Question: Can my employer track activity like email, web surfing, writing the next great American novel, etc. on my home Mac or PC when I am connected to the VPN but not connected to the RDC? I am under the impression that I need to be inside the RDC for them to “see” what I am doing. Conversely, I believe that when I leave the VPN connected, like I want to, they cannot see what I am doing outside of the RDC window.

Not to seem ungrateful that you bothered to even read this thread, but I have found wildly conflicting answers to my Google search on this question. If someone has a pretty firm understanding of my question and a confident answer I’d appreciate it a lot. So if you have an IMHO or “Don’t have any real experience with this situation” or “I’m not sure, but…” answer that is going to hijack this thread into another discussion, please hold off until we find a guru that can help. Just kinda anxious to get an answer.

So just to be clear, you VPN into your company network and then RDP your company desktop.
And you want to know if your company can track what you do if the VPN is active, but not the RDP.
The answer to that would be - it depends. Certainly they could track where you went that wasn’t local to your machine (company network or Internet), whether they do or not is another question.
However, activities that are entirely local to your home machine (writing the great American novel, saving it on your local hard drive) shouldn’t be trackable to them. That said, I wouldn’t do it - the chances of forgetting and going to some site you prefer they didn’t know about your interest in seems too high.

On your Windows machine at the command prompt type " tracert www.yahoo.com ". The results will show you what machines are between you and Yahoo. The first machine will be your local router and the next machine will be your internet service provider IF your traffic is going directly to the Internet. Hopefully your responses will include named addresses rather than just IP addresses. If you can’t distinguish those addresses, post your results.

FWIW, the version of tracert that XP uses defaults to showing hostnames if they are available, so that shouldn’t be a problem. If you don’t seem to get any hostnames (just IP addresses), type tracert /? to see if the version you’re using has a switch you can turn on to show them.

I ran the trace from the Mac - same as the PC version, and got IP #s instead of actual names for the first lines. Is it safe to copy and paste the results here?

OK, cranked up the PC (Windows 7 Pro) and ran the trace in CMD there and found the first line, as stated by erpa, is my local router; the second looks like my ISP - located in Baltimore MD - very close to where I live. The next lines are similar. I am trying to cut and paste from the CMD window. Any ideas on how to get the info from there to here?

Typically, connecting to a VPN results in all network traffic from your machine being redirected through the VPN. Basically, you set up a direct tunnel between your machine and your office, so that your machine *virtually* appears on the private (office) network. So, in that case, all network traffic from your computer goes first through the VPN to the network at your workplace, and then to the Internet via your work’s ISP.

So the short answer is: yes, your boss can see your network traffic if he decides to look. He probably *isn’t* actually looking, though it’s quite possible that all the web sites you visit are being logged somewhere “just in case”.

To C&P from the Windows CMD you can use the menu at the top left corner of the CMD window. Choose Edit-Mark and use the shift-arrow keys to select. You can then choose Edit-Copy or just press enter to copy your selection.

So I’m gonna type what seems pertinent to this issue line by line without the ping speeds or actual IP addresses - aargh. BTW, this trace was performed with my VPN connected, of course.

  1. Wireless_Broadban_Router.home [IP#]
  2. L100.BLTMD-VFTTP-32.verizon-gni.net [IP#]
  3. G0-5-0-2.BLTMD-LCR-22.verizon-gni.net[IP#]
  4. ae1-0.PHIL-BB-RTR1.verizon-gni.net [IP#]
  5. so-8-0-3-0.RES-BB-RTR1.verizon-gni.net
  6. s0-6-0-0-0.ASH-PEER-RTR1-rel.verizon-gni.net [IP#]
  7. IP#
  8. ae-6.pat.dcp.yahoo.com [IP#]
  9. More yahoo.com listings code

Of note: No two IP addresses are the same and I do not see the IP I entered in Network Setup on the Mac or the Cisco VPN software on the PC. So, am I cool to do my own thing outside of my RDC - either turned off or minimized?

Thanks. Here is what I got - full IP addresses deleted due to the same paranoia that started this thread. :rolleyes:

Tracing route to ds-any-fp3-real.wa1.b.yahoo.com [98.139.183.X]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms Wireless_Broadband_Router.home [192.168.X.X]
2 6 ms 9 ms 4 ms L100.BLTMMD-VFTTP-32.verizon-gni.net [96.234.X.X]
3 8 ms 5 ms 9 ms G0-5-0-2.BLTMMD-LCR-22.verizon-gni.net [130.81.X.X]
4 46 ms 19 ms 23 ms ae1-0.PHIL-BB-RTR1.verizon-gni.net [130.81.X.X]
5 28 ms 23 ms 43 ms so-8-0-3-0.RES-BB-RTR1.verizon-gni.net [130.81.X.X]
6 13 ms 34 ms 15 ms so-6-0-0-0.ASH-PEER-RTR1-re1.verizon-gni.net [10.81.X.X]
7 12 ms 12 ms 11 ms 130.81.X.X
8 12 ms 12 ms 12 ms ae-6.pat1.dcp.yahoo.com [216.115.102.174]
9 39 ms 40 ms 34 ms ae-4.pat1.che.yahoo.com [216.115.101.153]
10 40 ms 43 ms 93 ms ae-5.pat2.bfz.yahoo.com [216.115.96.67]
11 110 ms 110 ms 38 ms ae-4.msr2.bf1.yahoo.com [216.115.100.73]
12 90 ms 51 ms 89 ms ae-4.msr1.bf1.yahoo.com [216.115.100.25]
13 40 ms 56 ms 41 ms et-18-25.fab4-1-gdc.bf1.yahoo.com [98.139.128.5]
14 81 ms 54 ms 78 ms po-12.bas2-7-prd.bf1.yahoo.com [98.139.129.195]
15 80 ms 447 ms 440 ms ir2.fp.vip.bf1.yahoo.com [98.139.183.24]

Trace complete.

Despite what was said above, it is quite common for VPN clients to be configured so that only company traffic goes via the VPN, and everything else goes via your local router as usual, a set-up known as split tunnelling. That appears to be the case here.

But that doesn’t necessarily mean that your company’s VPN software isn’t logging activity of various sorts. Some VPN products allow the administrator to enforce things such as anti-virus or anti-malware compliance on client devices, for example. Who knows what such software might report back to base?

It’s possible for the VPN to allow the company to put an activity tracker on your PC or Mac - but the legality of that would be questionable, especially without notification. It’s your computer, you did not agree to have your personal activity tracked, it’s not a common function (I haven’t heard of it being a usual activity to put a bug on someone’s home PC), etc.

However, it might happen that something gets pushed out to your PC by accident, but usually this is a group policy from the domain, and your PC is not in the domain.

As mentioned above - it does not appear that ALL traffic goes through the VPN while you are connected. If it did, they could track your internet action since it would go out their firewall/proxy. But, since your yahoo traffic simply goes out your router to your ISP, you are still private.

As others have said, it depends. If you have split tunnel VPN set up on your network (most likely you do, though it’s not the default on a CISCO ASA or PIX firewalls, IIRC), as ximenean said, then your web traffic will go out your local ISP connection and so your boss wouldn’t be able to see that…it would be exactly the same as if you just used your home connection without establishing the VPN tunnel. If you don’t have split tunneling set up though, then yeah…they would be able to see what your web traffic was, assuming they wanted to and have some capability to do so.

Well, like has been said, the real answer is ‘it depends’, because only your IT guys know how they have it set up. That’s part of why you get conflicting answers on Google (and here too), because there isn’t a definitive answer. The other reason, of course, is that a lot of people think they know how things like VPN work, but actually they don’t. :wink:

I know I don’t. Well not the really technical details. I guess I could ask the IT department about it, but that might raise some suspicions. Unwarranted of course - just in case they CAN see this.

My employer is pretty cool to begin with. In the 21 years I’ve worked there we get a notice about every 9 months saying something like “Look people, we know you like YouTube, but stop downloading entire movies because it’s killing our bandwidth.” Since I am working on my own paid for computers on my own paid for FIOS connection using a lot of my own paid for software in my own private home, I’m gonna take my chances. I always make it a point to do personal stuff on my home PCs and not the one in the office connected through the RDC.

Thanks for all your help. And of course if anyone else has more advice, I’m listening.

You could phrase the question in terms of saying you stream Pandora constantly or stream lots of Netflix in your off hours, and would hate to inadvertently waste the company’s bandwidth, so does non-RDC traffic go through their network or is it private? That wouldn’t guarantee a useful answer to whether it’s possible for them to see it, but I think it would avoid raising suspicions.

It’s a good approach. I thought about it and figure they’d just tell me to get off of the VPN. Then I’d say, “Well I have to reboot the Mac every time I want to log back on, and it’s a real pain.” Then they’d say, “We don’t support Mac so use your PC and get a haircut you hippie.” Well, I added that last part. I do graphic design, so I prefer the Mac for that. Although I also like my PC just as well. Just not so much for artsy-fartsy design stuff.

I’ve no idea about how Cisco VPNs work by default, but if anyone is wondering about Windows, it will route traffic via VPNs by default; you can stop it by going to the VPN IPV4/6 Properties, selecting “Advanced”, and unchecking “Use default gateway on remote network”.

SOLVED: I stopped using the Mac OS X built in VPN and installed Cisco’s VPN for Mac and it seems to be more stable (Not a surprise). I even found a more “Mac-like” icon to use.

IIRC if you have a split tunnel, then you can get to other machines on the home network (including the home router management web page).

In my experience, when the more secure dedicated tunnel VPN is activated, you cannot even access your home network. This is logical security - they don’t want a computer that is talking both on the corporate network and on a network they have no control or security set up for. It’s basically like leaving the side door to their business unlocked.

Isn’t DavidPeab connecting to the VPN through his internet connection with his local ISP? If that’s the case, what’s telling the browser on his home computer to use his work gateway instead of his ISP? His internet browsing would be much slower if it was going through the VPN.

David, for a definitive answer, you need to compare the traceroute when you’re not connected to the VPN, with a traceroute when you ARE connected. If the two are roughly identical, with no stop at your office Gateway, you have nothing to worry about. I hope you post the result, I’m very curious.
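The before/after comparison suggested here can be automated. The following is an added example (not from anyone in this thread): it parses two Windows tracert dumps, checks whether the first hops change once the VPN is up, and flags any RFC 1918 address appearing past the home router, which means the packet is already inside another private network. The sample dumps are constructed to mirror the trace posted above, using documentation address ranges.

```python
import ipaddress
import re

# One Windows tracert hop line: "  2     6 ms     9 ms     4 ms  host.verizon-gni.net [96.234.0.1]";
# a hop may also be a bare address ("130.81.0.7") or "Request timed out." with "*" RTTs.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(?:<?\d+ ms|\*)\s+){3}(.+?)(?:\s+\[([\d.]+)\])?\s*$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_tracert(text):
    """Return [(hop_number, name, ip_or_None)] for each hop line of a Windows tracert dump."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:  # header, blank and "Trace complete." lines do not match
            name, ip = m.group(2), m.group(3)
            if ip is None and re.fullmatch(r"\d+(?:\.\d+){3}", name):
                ip = name  # hop printed as a bare address, no reverse DNS
            hops.append((int(m.group(1)), name, ip))
    return hops

def is_rfc1918(ip):
    return ip is not None and any(ipaddress.ip_address(ip) in net for net in RFC1918)

def tunnel_verdict(trace_without_vpn, trace_with_vpn, compare_hops=3):
    """'split': VPN leaves the first hops unchanged and nothing private shows up past hop 1; else 'full'."""
    base = [h[1] for h in parse_tracert(trace_without_vpn)][:compare_hops]
    vpn = parse_tracert(trace_with_vpn)
    if not base or not vpn:
        raise ValueError("no hop lines found; paste the whole tracert output")
    same_path = base == [h[1] for h in vpn][:compare_hops]
    private_past_router = any(is_rfc1918(h[2]) for h in vpn[1:])
    return "split" if same_path and not private_past_router else "full"

# Constructed sample dumps modelled on the trace posted in this thread; addresses are
# RFC 1918 and TEST-NET documentation ranges, not real hops.
HOME_TRACE = """Tracing route to www.example.com [192.0.2.80]
  1    <1 ms    <1 ms    <1 ms  Wireless_Broadband_Router.home [192.168.1.1]
  2     6 ms     9 ms     4 ms  L100.BLTMD-VFTTP-32.verizon-gni.net [198.51.100.1]
  3     8 ms     5 ms     9 ms  G0-5-0-2.BLTMD-LCR-22.verizon-gni.net [198.51.100.22]
  4    40 ms    43 ms    39 ms  www.example.com [192.0.2.80]
"""
# Same destination with a full-tunnel VPN up: hop 2 is already inside the office network.
FULL_TUNNEL_TRACE = """Tracing route to www.example.com [192.0.2.80]
  1    <1 ms    <1 ms    <1 ms  Wireless_Broadband_Router.home [192.168.1.1]
  2    35 ms    31 ms    33 ms  10.20.0.1
  3     *        *        *     Request timed out.
  4    36 ms    34 ms    35 ms  office-fw.corp.example [203.0.113.5]
  5    70 ms    68 ms    71 ms  www.example.com [192.0.2.80]
"""
```

Run tracert to the same destination with the VPN down and up, paste each dump into the two strings, and call tunnel_verdict on them; a split-tunnel trace with the VPN up looks the same as HOME_TRACE.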