> If you're connecting to the internet, route to the internet. If you're connecting to "inside your enterprise network", route through the VPN.

Block-lists, traffic audit/volume, disallowed ports, protocol/packet inspection, mail scanning and archival (aka having a hint of how in-house data leaves your corporation)... enterprise stuff. You can do that on the endpoint, inside your "server farm", or both. Most enterprises distrust endpoints (for good reason) and completely trust the internal infrastructure (for often not so good reasons). I know we are in that HN bubble, but ~97% of enterprises don't work in IT but need lots of it.

> If you're talking about forced https interception,

No I don't, but some companies absolutely want that (sometimes for good reasons). But you can also argue that an endpoint firewall that is only allowed to connect to one external IP (the VPN gateway) is also not a bad thing. If you ever work for something critical (Financial/Defense/Insurance) you see 1000 points for securing/restricting the traffic (especially port 80/443) of endpoints and one for the opposite (that grumpy dev/CEO who wants admin rights on his laptop and wants to use it "privately" too... btw, even worse with smartphones).