Remote Printing via VPN Challenge

[tlheidemann]

I work from home and use VPN to access the company network on my company laptop. I keep my printer connected to my personal desktop since that is where I do most of my limited printing from. I have the printer shared on my LAN, so that when I am not using VPN I can also print from the laptop. The problem is that the company firewall blocks port 139, so I can't print directly over the intarweb with file / print sharing. So if I want to print something work related I have to open it, shut off VPN, print, and reconnect VPN, all of which is a pain. I would love to be able to set something up to where I can just print directly to my printer while still on VPN.
I use DSL, and I have a DynDNS account setup already, and of course, this must be absolutely free, so no USB switches or VPN enabled print servers. Not because money is an issue (I'm sure I could expense it), just because it's cooler that way.
Also, tunneling into VPN with the desktop so that both computers are on the other side of the firewall is cheating since that is of course against company policy (not that I don't do it, but what fun would this be if we could just ignore all of the rules!).

 

[Yoblad]

Use Netmeeting to take control of your work PC and print from that one.

 

[jpochedl]

What VPN client software?

 

[tlheidemann]

Use Netmeeting to take control of your work PC and print from that one.

Won't work. I would need to be able to print directly from the laptop. For example I use SAP, and would need to print from there, using netmeeting would only allow me to print screen shots. Besides, Netmeeting doesn't work through the firewall either.

 

[tlheidemann]

What VPN client software?

Contivity VPN Client V04_60.51

 

[Yoblad]

Talk to your IT department.

 

[tlheidemann]

Talk to your IT department.

I work for IM, but I have no pull in firewall config. This is a global company with a Billion dollar IT spend. I am but a small cog.

 

[SJConsultant]

There is a reason why the VPN is configured the way it is, to ask us to help you circumvent it is against the rules here on the forum and I am sure would also be against your company's policy.

You only have about three choices:

1. Ask your IT department.
2. Swap the printer cable to the laptop when you need to print while connected via VPN.
3. Use a print sharing box between the laptop and desktop.

Else your SOL and need to deal with the company imposed vpn/firewall policies.

 

[Yoblad]

I did a quick google search on print server software. Looks like you may want to throw a unix box on there as a print server otherwise the is a good windows print server for windows for 80 bucks. It sounds like you just want to do this to stick it to the IT department and claim leet gawd status.

 

[tlheidemann]

There is a reason why the VPN is configured the way it is, to ask us to help you circumvent it is against the rules here on the forum and I am sure would also be against your company's policy.

You only have about three choices:

1. Ask your IT department.
2. Swap the printer cable to the laptop when you need to print while connected via VPN.
3. Use a print sharing box between the laptop and desktop.

Else your SOL and need to deal with the company imposed vpn/firewall policies.

I'm not trying to circumvent anything. Do really think I want to get fired so that I can not have to buy a USB switch? I was hoping for some way to change the port for printer sharing, or maybe an application that allows you to share a printer via HTTP. Something like that.

 

[Yoblad]

You're basically talking about running an IIS server. I highly doubt this company would allow that if they're as big as you say.

 

[tlheidemann]

You're basically talking about running an IIS server. I highly doubt this company would allow that if they're as big as you say.

Hmmm... since I would be running the IIS server on my home PC, off the network, and only accessing it from "work", it shouldn't be a problem. I guess it's time to hit the books if that is my only option.

 

[Darthkim]

The company's split tunneling policies are in place to

a) secure communication between only the company asset and company resources
b) mitigate possible security holes introduced by intentional/unintentional end users installation of unauthorized applications.

I understand that it is a pain to switch between printers, and other inconveniences, but in todays IT world, security is paramount.

In our org, since all laptop users get docking station and the printers get expensed, this is a non issue.

 

[SJConsultant]

I'm not trying to circumvent anything. Do really think I want to get fired so that I can not have to buy a USB switch? I was hoping for some way to change the port for printer sharing, or maybe an application that allows you to share a printer via HTTP. Something like that.

Just to make things a bit easier for you to understand, when you connect to your company's VPN typically that does not restrict your local area network so you *should* be able to use your local network *unless* the company has explicity configured the laptop VPN/Firewall to disallow access to anything but VPN resources.

You need to ask the IT department since they are the ones who *know* what needs to be changed and if company policy will allow it. Anything else will be circumventing the currently implemented policies.

 

[tlheidemann]

Just to make things a bit easier for you to understand, when you connect to your company's VPN typically that does not restrict your local area network so you *should* be able to use your local network *unless* the company has explicity configured the laptop VPN/Firewall to disallow access to anything but VPN resources.

You need to ask the IT department since they are the ones who *know* what needs to be changed and if company policy will allow it. Anything else will be circumventing the currently implemented policies.

I've never seen a VPN client that works any differently that the one that we use. With ours once you tunnel in you cannot see or connect with any resources on the LAN. It is just like plugging into the network in one of the offices. Share drives, exchange servers, etc. are all there, but my home PC, printer, even my router and DSL modem are all inaccessable. I'm sure there probably are VPN clients that allow access to both networks, but I've never used one.

 

[SJConsultant]

I've never seen a VPN client that works any differently that the one that we use. With ours once you tunnel in you cannot see or connect with any resources on the LAN. It is just like plugging into the network in one of the offices. Share drives, exchange servers, etc. are all there, but my home PC, printer, even my router and DSL modem are all inaccessable. I'm sure there probably are VPN clients that allow access to both networks, but I've never used one.

So essentially you are already aware that the VPN client you are using restricts access to local area networks, yet your asking us to assist with finding a way to circumvent that protection?

Please correct me if I am wrong.

 

[tlheidemann]

So essentially you are already aware that the VPN client you are using restricts access to local area networks, yet your asking us to assist with finding a way to circumvent that protection?

Please correct me if I am wrong.

I'm not interested in circumventing anything. I hoping to be able to do something like share my home printer over the internet and be able to print to it from behind a firewall, I know that it is possible, for example using citrix. However citrix isn't exactly cheap. I'm not interested in breaking the firewall, or bridging the two networks, or slipping through VPN, or doing anything else that will get me in trouble with the IT gods. I can already use VNC to remotely control my home PC (above board by the way), which is great when I'm on the road, and I can print to any of the thousands of printers in the US, except for the one on my desk. Surely there is a legit way share a printer on port 80 (as an example).

 

[SJConsultant]

tlheidemann,

There is probably a legit way, but you should be talking to your Company's IT Department about it. They are most familiar with your VPN setup and how it needs to be setup to work the way you want it to.

Why do you resist the idea of contacting them?

 

[tlheidemann]

tlheidemann,

There is probably a legit way, but you should be talking to your Company's IT Department about it. They are most familiar with your VPN setup and how it needs to be setup to work the way you want it to.

Why do you resist the idea of contacting them?

Because I already know that they won't bother. I am a coach for SAP and help users with SAP issues all of the time, and I get to hear all of the horror stories of calls for help to IM. One woman I know couldn't get her calander in Outlook to archive, the helpless desk told her that our IM can't support the calander, only email and contacts. ??? We give people laptops with wireless networking cards in them and tell them to feel free to use them, but do not call for support, we don't support wireless networking. We give people Lexmark printers, and when it has a problem we tell the user that we can only support HP printers, same for PDAs. I can ask around as a personal favor, but to try to get something one off through the channels is a dead end street.

To be honest this really isn't a huge deal, I turn off VPN and print, and turn VPN back on all of the time, except with SAP since as soon as you turn off VPN you lose the SAP connection and get booted, so I can't currently print from SAP. This is just one of those sitting here goofing off on the computer and thought I see if I could make things a bit easier deals.

 

[Darthkim]

Most vpn servers have the choice to enable/disable split tunneling. I know for a fact that the Nortel Contivity supports both... but the setting is controlled on the vpn endpoint, so there wouldn't be any client side setting you could change to circumvent this.

Vpn clients are able to disable split tunneling buy doing 2 things.

a) raises the current default route/s to a metric of +1
b) changes the arp entry for your default route to that of the vpn endpoint.

trying to manually change the routes, will automatically drop the connection. (with good reason)

i do see your point with SAP. You could possibly cache the jobs to your printer and then when you bump off, could print those SAP reports. This has been the complaint of our users, who do the exact thing, but if the solution is a small usb hub, why even bother.

Plus, i'd like to see someone hack through a usb cable

There is 1 other thing i can think off, but this thread closely teeters the line of circumventing networks, especially corporate networks (such as mine) and i wouldn't allow the 1other thing that i am thinking off... on my network.

Buy the usb hub and enjoy the rest of the evening.

 

[Uraki]

If I understand the problem correctly, here's what I have done in a couple of situations like yours:

Turn off NetBios over TCP/IP
Install your VPN client and get it working
Install IPX protocol and enable NetBios over it instead
(this was fairly easy with Win98, I haven't tried it with Win2k or XP)

That way, your LAN will share printers, etc over IPX and when you connect your TCP/IP VPN tunnel, your local network is still visible and your local shares, printers, etc will still work.

VPN clients (the ones I've seen) can't/won't detect the installation of IPX after they are already installed. If you have IPX installed and then install the VPN client, they may cause problems.

I've done this in a home networking environment with a VPN user and also at at business that had network printers on the LAN but everyone had to login to the corporate VPN to do work.

I suspect this is still possible with 2K/XP but I do know the NetBios protocol has to be installed separately on a XP machine, it's not installed by default and is in some directory on the XP CD.