[isalist] Re: Fwd: ISA Server 2006 VPN Question

  • From: "Jerry Young" <jerrygyoungii@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Thu, 21 Aug 2008 16:18:49 -0400

Paul,

Thanks.  The link from Tom did the trick.

In my case, though, since this is all internal and I am simply using my
corporate internal network to simulate the "Internet" in relation to my
virtual environment, I can get away with removing the "Use default gateway
on remote network" checkbox in the Advanced TCP/IP Settings in the
properties of the VPN connection without any real fear.

In general, though, it is a considerable risk you run if you don't lock down
non-VPN traffic since that VPN client can become a proxy between the
Internet and the Corporate network.  At the end of the day, though, it comes
down to 1) your requirements, 2) acceptability of identified risks, and 3)
any mitigation strategies that you might have in place for the risks that
are accepted.


On 8/21/08, Paul Laudenslager <paul@xxxxxxxxxxxxxxxx> wrote:
>
>  Hi Jerry,
>
> I have a similar issue and I don't believe it's a "problem", it's more of a
> result of the way VPN works/configured.
>
> I have users who VPN to our network to access SQL Server and other
> resources.  When they connect, the IP of the VPN connection is now the
> gateway and it seems that all traffic on their machine now gets routed
> through the VPN.
>
> In order for VPN clients to surf with a web browser, I had to open up
> those ports for VPN users going out of our network.
>
> What does this mean?  All traffic from your VPN client machine is now routed
> through the VPN.  Whether it is destined for your internet network or not,
> the VPN is now the gateway and all traffic flows thru it.  As in your
> situation, all traffic would have to go back out through corporate… seems
> like a wasted round trip as well as a drain on bandwidth.
>
> Thor's reply was…
>
> Yes, there is a way, but it involves "routing tricks" which may or may not
> be easy for you to configure -- but I would encourage you to first think
> about the dangers of allowing your users to do whatever they want on an
> alternate pipe while connected up to your SQL server at the same time.  Any
> malware, virus, or other nastiness that they may execute would have access
> to your SQL data in the context of the logged on user.
>
> It may be far more beneficial for you to control what the user can and
> can't do while connected up to your server.   Barring that, you would need
> to configure the VPN client not to use the remote gateway, and then ensure
> that the SQL host was reachable via a route down the VPN.
>
> Thomas Shinder was kind enough to send me this…
>
> http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html
>
> Good Luck and let us know what you do… as I would prefer NOT to have
> clients surfing through our network.  I would prefer only the traffic
> destined for our network to come through the VPN…
>
> Thanks!
>
> -Paul
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Jerry Young
> *Sent:* Thursday, August 21, 2008 1:26 PM
> *To:* isalist@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
> *Subject:* [isalist] Fwd: ISA Server 2006 VPN Question
>
> All,
>
> I'm not sure this got through the first time so I thought I'd send it again
> and also submit to isapros.
>
> ---------- Forwarded message ----------
> From: *Jerry Young* <jerrygyoungii@xxxxxxxxx>
> Date: Aug 20, 2008 9:30 AM
> Subject: ISA Server 2006 VPN Question
> To: isalist@xxxxxxxxxxxxx
>
> All,
>
> I've set up a virtual environment on a workstation at my client's location
> and installed an ISA Server 2006 instance in this virtual environment
> (Hyper-V for those who are interested).
>
> The basic topology of the environment looks like the following:
>
>      Corporate Network (treating as ISA external)
>                    |
>               .---------.
>               |   ISA   | --- Perimeter Network (treating as ISA perimeter)
>               '---------'
>                    |
>      Internal Network (treating as ISA internal)
>
> The Corporate Network is the corporate internal network; I'm simply using
> it as the "Internet" in this case.
>
> The setup is working fine and I can VPN into the ISA server from the
> Corporate Network and access resources on the other two legs.  The "problem"
> is that doing so locks me out of the Corporate Network and I can no longer
> access those resources (Email, LCS, etc.) while connected.  I was wondering
> if there were a way (aside from allowing traffic from VPN clients to pass
> through the ISA server to the Corporate Network again) to be able to
> maintain access to the Corporate Network resources.  My client uses an SSL
> VPN Extender (Cisco) and that seems to work (access to local, home
> networking resources remains intact even while connected to the Corporate
> SSL VPN).
>
> Thoughts?
> --
> Cordially yours,
> Jerry G. Young II
> Microsoft Certified Systems Engineer
>

-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
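The check a defender wants after the "Use default gateway on remote network" decision discussed above is whether a connected client is full-tunnel (Internet-bound traffic rides the VPN) or split-tunnel (the client reaches the local network and the corporate network at the same time). The example below is added here and is not from the list or from ISA Server; it parses a constructed route table in the column layout of Windows `route print`, and assumes the caller knows the VPN adapter's address.

```python
"""Classify a Windows client's IPv4 tunnel state from its route table.
The sample table is constructed, not captured from a real host; only the
five columns (destination, netmask, gateway, interface, metric) are parsed."""
import ipaddress

FULL, SPLIT, NO_VPN = "full-tunnel", "split-tunnel", "no-vpn-routes"

# Constructed sample: LAN NIC 192.168.1.10 holds the default route while a
# PPP/VPN adapter 10.10.0.5 carries a classful corporate prefix.
SAMPLE_SPLIT = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10      25
        10.10.0.0      255.255.0.0          On-link       10.10.0.5      26
        10.10.0.5  255.255.255.255          On-link       10.10.0.5     281
        127.0.0.0        255.0.0.0          On-link       127.0.0.1     331
      192.168.1.0    255.255.255.0          On-link    192.168.1.10     281
===========================================================================
"""

def parse_routes(table_text):
    """Return [(network, gateway, interface, metric)] for every route row."""
    routes = []
    for line in table_text.splitlines():
        cols = line.split()
        if len(cols) != 5 or not cols[4].isdigit():
            continue  # headers, separators and blank lines have other shapes
        dest, mask, gw, iface, metric = cols
        try:
            net = ipaddress.IPv4Network((dest, mask), strict=False)
        except ValueError:
            continue
        routes.append((net, gw, iface, int(metric)))
    return routes

def classify(table_text, vpn_iface_ip):
    """Return (state, corporate prefixes reachable over the tunnel)."""
    routes = parse_routes(table_text)
    via_vpn = [r for r in routes if r[2] == vpn_iface_ip]
    if not via_vpn:
        return NO_VPN, []
    # The lowest-metric default route decides where Internet traffic goes.
    defaults = sorted((r for r in routes if r[0].prefixlen == 0), key=lambda r: r[3])
    if defaults and defaults[0][2] == vpn_iface_ip:
        return FULL, []
    # Default route stays on the LAN NIC while corporate prefixes ride the
    # tunnel: the client is attached to both networks at once.
    reachable = sorted(str(r[0]) for r in via_vpn if 0 < r[0].prefixlen < 32)
    return SPLIT, reachable
```

Running `classify` against a live `route print` capture with the PPP adapter's address tells you which of the two states the thread describes the client is actually in.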
