This is specifically about running the SSL VPN on a Vista or Win7 system and the client not being able to modify the routing table without either 1) Being added to the Network Configuration Operators Group and UAC being turned off or 2) Providing Admin credentials to the user in order to start the SSL VPN software using runas. Both of these workarounds do reduce security posture.
There is good news though. I've been in communication with the OpenVPN folks, and here's what they have to say:
Scott,

This is the answer I got from our developers. You will be soon releasing a new client for the access server.

This is addressed by the new Access Server client which utilizes a split-privilege model, so an unprivileged user can connect to an Access Server and receive routes, even though the user wouldn't ordinarily have the privilege to add them to the routing table. The split-privilege model is implemented by having the OpenVPN core run as a privileged service, while the client UI components run as an unprivileged user that communicates with the privileged components via an API.
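
The split-privilege model described in the reply above, as an added sketch that is not part of the original post and is not OpenVPN's code: the privileged side accepts only a small set of requests from the unprivileged UI and takes routes solely from the server. The profile name, operation names, JSON message format and pushed routes are assumptions made for illustration.

```python
import ipaddress
import json

# Hypothetical profile and operation names; not the Access Server client's API.
PROFILES = {"corp-vpn"}
ALLOWED_OPS = {"connect", "disconnect", "status"}


def server_pushed_routes():
    # Constructed sample of the routes a VPN server would push after login.
    return ["10.8.0.0/24", "192.168.50.0/24"]


class PrivilegedCore:
    """Stands in for the service that holds the right to change routes."""

    def __init__(self):
        self.routes = []        # model of the routes this service has added
        self.connected = None

    def handle(self, raw: bytes) -> dict:
        """Handle one request sent by the unprivileged UI process."""
        try:
            req = json.loads(raw)
        except ValueError:
            return {"ok": False, "error": "malformed request"}
        op = req.get("op") if isinstance(req, dict) else None
        if not isinstance(op, str) or op not in ALLOWED_OPS:
            return {"ok": False, "error": "unsupported operation"}
        if set(req) - {"op", "profile"}:
            return {"ok": False, "error": "unexpected field"}
        if op == "connect":
            profile = req.get("profile")
            if not isinstance(profile, str) or profile not in PROFILES:
                return {"ok": False, "error": "unknown profile"}
            self.connected = profile
            # Routes come from the server side of the tunnel, never from the UI.
            pushed = server_pushed_routes()
            self.routes = [str(ipaddress.ip_network(r)) for r in pushed]
        elif op == "disconnect":
            self.connected, self.routes = None, []
        return {"ok": True, "profile": self.connected, "routes": list(self.routes)}
```

The UI can ask for a connection but has no request that names a route, so running it without admin rights does not hand the user control of the routing table.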