Hi Tom,

YaDamnSkippy!

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Friday, October 22, 2004 06:44
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server and secure VPN clients

http://www.ISAserver.org

Hi Jim,

This makes me think I need to include a section in the VPN chapter in the book: "Why the world isn't flat and other Microsoft VPN client/server misconceptions"

Thanks!
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Friday, October 22, 2004 8:20 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server and secure VPN clients

http://www.ISAserver.org

Hi Michael,

Inline...

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

-----Original Message-----
From: Michael Bertelsen [mailto:mbe@xxxxxxxxxxxxx]
Sent: Friday, October 22, 2004 6:50 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA server and secure VPN clients

http://www.ISAserver.org

Hi

Up until the release of ISA Server 2004, the use of Microsoft VPN Clients was thought of as only being semi-secure, since you have no way of blocking the use of split tunneling.

[[Jim]] This is pure, unadulterated BS; take a look at the Connection Mangler components; you can (and should) disable the user's ability to change the "use default gateway..." setting in the connectoid.

From the Client, you were always able to access the local LAN as well as any subnet entered into the routing table, when the VPN tunnel was active.

[[Jim]] I'll stipulate that allowing a connection to any network other than the VPN connection is potentially hazardous to the remote network, but the real danger is in allowing the VPN client to access non-local networks. Even the MS VPN client doesn't allow this by default. Take a read here:
http://www.microsoft.com/windows2000/en/server/help/sag_CMAKtopnode.htm?id=1634
..and here:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_CMAKtopnode.asp
and here:
http://www.microsoft.com/technet/community/columns/cableguy/cg0901.mspx
..and here:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/DNSBG_RAC_OVERVIEW.asp
..aw, hell; just start here:
http://search.microsoft.com/search/results.aspx?st=b&na=88&View=en-us&qu=%22connection+manager%22

With VPN Quarantining for RRAS on Windows Server 2003 you were able to test several things on the client before establishing the tunnel, but as soon as the VPN tunnel was established you could easily change the routing table, and thereby effectively use split tunneling.

[[Jim]] Again, see my response to point #1. Also, using RRAS policies you can severely lock down the VPN tunnel itself.

Does anybody know if this problem has been solved with the release of ISA Server 2004?? I have a hard time seeing how a secure ISA VPN gateway can rectify the insecure VPN client. The only thing I see as a possible solution is if i.e. Windows XP SP2 supports an advanced setup, and you set a Quarantine policy to only allow clients running Windows XP SP2.

[[Jim]] Neither ISA nor RRAS (which actually handles the VPN connections) controls the client configuration, and neither has any way to observe it after the connection is created. See my response to point #1.

I look forward to your thoughts on this!
Mike

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
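As an added example (not part of the thread, and not Microsoft's, ISA Server's or the list's code): a small Python audit that reads a rasphone.pbk-style phonebook and reports VPN connectoids where the "use default gateway on remote network" setting Jim refers to is cleared, i.e. entries that would split-tunnel once the tunnel is up. The key name IpPrioritizeRemote, the Type=2 value for VPN entries and the sample phonebook text are assumptions constructed for this example; check them against a real phonebook before relying on the script.

```python
# Added example, not from the thread. Audits an INI-style RAS phonebook
# (rasphone.pbk format) for VPN entries that would split-tunnel.
# Assumptions: IpPrioritizeRemote=1 is the "Use default gateway on remote
# network" checkbox, and Type=2 marks a VPN connectoid (Type=1 is dial-up).
import configparser
from typing import Dict, List

# Constructed sample phonebook: two VPN entries and one dial-up entry.
SAMPLE_PBK = """\
[CorpVPN]
Type=2
Device=WAN Miniport (PPTP)
IpPrioritizeRemote=1
PhoneNumber=vpn.example.invalid

[HomeVPN]
Type=2
Device=WAN Miniport (L2TP)
IpPrioritizeRemote=0
PhoneNumber=vpn.example.invalid

[DialupISP]
Type=1
Device=Modem
PhoneNumber=5551234
"""

def parse_phonebook(text: str) -> Dict[str, Dict[str, str]]:
    """Parse phonebook text into {entry_name: {key: value}}, keys kept as written."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # do not lower-case keys such as IpPrioritizeRemote
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def split_tunnel_entries(text: str) -> List[str]:
    """Names of VPN entries (Type=2) that will not send all traffic through the tunnel."""
    findings = []
    for name, keys in parse_phonebook(text).items():
        if keys.get("Type") != "2":  # skip non-VPN connectoids
            continue
        # A missing key is treated as cleared, so an unset entry is reported too.
        if keys.get("IpPrioritizeRemote", "0") != "1":
            findings.append(name)
    return findings

if __name__ == "__main__":
    for entry in split_tunnel_entries(SAMPLE_PBK):
        print(f"split tunneling possible: {entry}")
```

On a real machine you would feed the script the contents of the user's and the all-users rasphone.pbk; Jim's point stands that the gateway cannot see this file, so the check has to run on the client side.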