Hi William,

It really wasn't meant to be a personal attack and if you took it that way, I'm sorry. What I really wanted to impress on you is that you think about the security implications of this design. It has nothing to do with ISA or the specific technologies being used, but the fact that you will allow a dedicated site-to-site VPN connection from an unmanaged home network to the company's business without really any thought about access controls or the short- and long-term implications of this design. Did you explain to him the ramifications of this design and impress upon him that this site-to-site VPN connection is a recipe for disaster? That's what I was really getting into you for -- and if you did this and he said to you "I know that this is a bad idea and could put my business and my employees' jobs (including yours) at risk, but I want you to do this for me regardless", then you carried out your due diligence and took on your professional duty, and that's that.

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
MVP -- Microsoft Firewalls (ISA)

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of William Holmes
Sent: Sunday, March 16, 2008 9:05 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Endpoint IPSEC with DHCP assigned address.

You know Tom, I am fully apprised of the security implications. I am also aware that the user already has an always-on connection provided by a Red Creek Ravlin device. The fact is that the Ravlin has long since passed its end of life and needs to be replaced. I wanted to do this with a solution that is integrated into ISA rather than some other "black box" solution. That way specific policies and monitoring could be applied to the traffic. I guess I could just tell the Chairman to kiss off but .....

While many people may be unaware of security, I am not one of those. There is nothing "naïve" about the security setup that currently exists, nor would there be in the new configuration. The network on the remote site is completely understood. It's hardwired to the person's home office. If there is a physical break I'll know. I actually was asking a technical question. Other systems out there allow IPSEC tunnels with DHCP endpoints (including the Ravlin); I was asking if ISA could support such a configuration. A detailed technical response would have been nice. A rant about the efficacy of the configuration is, as usual, unwelcome. It's really a shame that with the knowledge that you possess on ISA you had to turn this question into a personal attack.

Bill

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Sunday, March 16, 2008 12:25 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Endpoint IPSEC with DHCP assigned address.

You have to be kidding? Right? Don't you take responsibility for the security of your business? If you can't provide at least 10 valid security reasons for not honoring this request, you might want to consider Wally Thor's truck driving school as an alternate line of business. You put yourself in harm's way with this type of naïve security configuration and if you have any assets, I'm sure an atty would love to take them from you for allowing this type of config. Be responsible and aware.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of William T. Holmes
Sent: Saturday, March 15, 2008 8:24 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Endpoint IPSEC with DHCP assigned address.

The person in question wants an always-on connection from their home.

Bill

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Saturday, March 15, 2008 5:55 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Endpoint IPSEC with DHCP assigned address.

An IPSec tunnel will need to know both ends' IPs in order to set up the tunnel, match rules, and route properly... What's wrong with an old-fashioned VPN from his/her computer? And can the router not act as a VPN client?

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of William T. Holmes
Sent: Saturday, March 15, 2008 2:30 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Endpoint IPSEC with DHCP assigned address.

Hi,

Can anyone give me a pointer on this one?

Thanks
Bill

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of William Holmes
Sent: Friday, March 14, 2008 12:54 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Endpoint IPSEC with DHCP assigned address.

Hi,

I would like to deploy a router in one of our Executives' homes. The router I have can be configured with IPSEC tunneling. I am only interested in having the IPSEC tunnel start up from the endpoint, not from the ISA2004 Server. Is there a document on setting this up? I looked at http://www.isaserver.org/articles/2004isadlink.html but that indicates I need a fixed IP address at each end of the tunnel. Can this same thing be accomplished with a dynamic IP address on the endpoint so long as I don't wish to establish the tunnel from the ISA server's side?

Thanks
Bill