[isalist] Re: Fwd: ISA Server 2006 VPN Question

  • From: "Paul Laudenslager" <paul@xxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 21 Aug 2008 14:21:38 -0400

Hi Jerry,

I have a similar issue, and I don't believe it's a "problem"; it's more a
result of the way VPN works and is configured.

I have users who VPN to our network to access SQL Server and other
resources. When they connect, the IP of the VPN connection is now the
gateway and it seems that all traffic on their machine now gets routed
through the VPN.

In order for VPN clients to surf with a web browser, I had to open up
those ports for VPN users going out of our network.

What does that mean? All traffic from your VPN client machine is now routed
through the VPN. Whether it is destined for your internal network or not,
the VPN is now the gateway and all traffic flows through it. As in your
situation, all traffic would have to go back out through corporate. It seems
like a wasted round trip as well as a drain on bandwidth.

Thor's reply was:

Yes, there is a way, but it involves "routing tricks" which may or may not
be easy for you to configure -- but I would encourage you to first think
about the dangers of allowing your users to do whatever they want on an
alternate pipe while connected up to your SQL server at the same time.  Any
malware, virus, or other nastiness that they may execute would have access
to your SQL data in the context of the logged on user.
It may be far more beneficial for you to control what the user can and can't
do while connected up to your server.   Barring that, you would need to
configure the VPN client not to use the remote gateway, and then ensure that
the SQL host was reachable via a route down the VPN.
Thomas Shinder was kind enough to send me this:

http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html

Good luck, and let us know what you do, as I would prefer NOT to have clients
surfing through our network. I would prefer only the traffic destined for
our network to come through the VPN.

Thanks!

-Paul

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jerry Young
Sent: Thursday, August 21, 2008 1:26 PM
To: isalist@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
Subject: [isalist] Fwd: ISA Server 2006 VPN Question

All,

I'm not sure this got through the first time so I thought I'd send it again
and also submit to isapros.

---------- Forwarded message ----------
From: Jerry Young <jerrygyoungii@xxxxxxxxx>
Date: Aug 20, 2008 9:30 AM
Subject: ISA Server 2006 VPN Question
To: isalist@xxxxxxxxxxxxx

All,

I've set up a virtual environment on a workstation at my client's location
and installed an ISA Server 2006 instance in this virtual environment
(Hyper-V for those who are interested).

The basic topology of the environment looks like the following:

     Corporate Network (treating as ISA external)
                   |
              .---------.
              |   ISA   | --- Perimeter Network (treating as ISA perimeter)
              '---------'
                   |
     Internal Network (treating as ISA internal)

The Corporate Network is the corporate internal network; I'm simply using it
as the "Internet" in this case.
The setup is working fine and I can VPN into the ISA server from the
Corporate Network and access resources on the other two legs.  The "problem"
is that doing so locks me out of the Corporate Network and I can no longer
access those resources (Email, LCS, etc.) while connected.  I was wondering
if there were a way (aside from allowing traffic from VPN clients to pass
through the ISA server to the Corporate Network again) to be able to
maintain access to the Corporate Network resources.  My client uses an SSL
VPN Extender (Cisco) and that seems to work (access to local, home
networking resources remains intact even while connected to the Corporate
SSL VPN).
Thoughts?
-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer 
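Jerry's question and the advice Paul quotes from Thor both come down to one client-side setting: whether the VPN adapter becomes the client's default gateway. With that setting on, everything (mail, LCS, web browsing) is hauled through the tunnel; with it off and a static route added for the corporate prefix, only traffic for that prefix uses the VPN and local resources stay reachable. The PowerShell below is an added example, not code from this thread, from ISA Server or from Microsoft's tutorial; it assumes a Windows client with the VpnClient module (Windows 8 / Server 2012 and later; on the XP/Vista clients of the 2008 thread the same change is the "Use default gateway on remote network" checkbox in the connection's advanced TCP/IP properties plus a `route add`), a phonebook entry named CorpVPN and a corporate prefix of 10.10.20.0/24, all of which are placeholders.

```powershell
# Added example, not code from the thread or from ISA Server.
# Goal: keep the client's own default gateway (so home/corporate-side resources
# stay reachable) and send only the prefixes that live behind the VPN server
# down the tunnel. Requires the VpnClient module (Windows 8 / Server 2012+).

param(
    # Placeholder names; replace with the real phonebook entry and prefixes.
    [string]   $ConnectionName    = 'CorpVPN',
    [string[]] $CorporatePrefixes = @('10.10.20.0/24')
)

# Fail early if the phonebook entry does not exist for this user.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# 1. Equivalent of clearing "Use default gateway on remote network":
#    the VPN adapter no longer becomes 0.0.0.0/0 for the whole machine.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# 2. Add a static route down the tunnel for each corporate prefix only,
#    so the SQL host (and nothing else) is reachable via the VPN.
foreach ($prefix in $CorporatePrefixes) {
    if ($vpn.Routes.DestinationPrefix -notcontains $prefix) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }
}

# 3. Show the resulting connection settings.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, SplitTunneling,
        @{ Name = 'Routes'; Expression = { ($_.Routes.DestinationPrefix) -join ', ' } }

# 4. While connected, confirm that the default route still points at the
#    local NIC, not at the VPN adapter, and that the corporate prefix does.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Select-Object InterfaceAlias, NextHop, RouteMetric
Get-NetRoute -DestinationPrefix $CorporatePrefixes[0] -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, NextHop, RouteMetric
```

The route list is deliberately narrow: the only prefix sent down the tunnel is the one the SQL host lives in. That is the trade-off Thor's reply points at. Once the client has a second pipe, anything running on it shares the tunnel with the user's SQL session, so the fewer corporate prefixes routed over the VPN, and the tighter the ISA access rules for the VPN Clients network, the less a compromised client can reach. Step 4 is the check worth keeping: if `0.0.0.0/0` ever shows the VPN adapter's alias, the client has silently reverted to full tunnelling.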