That's also easy-peasey...
Unless your "outbound" rules say "anywhere" in the "to" tab, the internal folks can't get anywhere in the VPN networks without either:
- Rules allowing traffic to them from the VPN entities
- rules allowing them traffic to the VPN entities

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Saturday, February 04, 2006 8:03 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Point-to-point VPN vs. Client VPN

http://www.ISAserver.org

Cool... I'll give it a whirl. The remote side is not so much the issue- that's easy... It's handling the corporate side where I've got other remote VPN users and such... Once I actually get into it I'm sure it will make more sense...

Thx
t

-----
"I'll see your Llama and up you a Badger."
John T

----- Original Message -----
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, February 03, 2006 11:13 PM
Subject: [isalist] RE: Point-to-point VPN vs. Client VPN

> http://www.ISAserver.org
>
> Yes; network objects - not networks.
> You can choose from computers, computer sets, address sets, subnets, etc...
>
> That's kinda the reverse idea of the net-behind-a-net article on
> isaserver.org, except it's the distant side of the VPN tunnel.
>
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Friday, February 03, 2006 9:18 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Point-to-point VPN vs. Client VPN
>
> http://www.ISAserver.org
>
> Ah- I think I see... So, build new network objects or just keep the VPN
> Clients object and base everything off of IP? I can kind of see both ways.
> I guess the main question is how to control assets on the other side of the
> point-to-point that won't show up as "VPN Clients" because they are on the
> internal network- is that where I would want to build separate network
> objects with a NAT relationship? That kind of makes sense to me...
>
> t
>
> -----
> "I'll see your Llama and up you a Badger."
> John T
>
> ----- Original Message -----
> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, February 03, 2006 12:08 PM
> Subject: [isalist] RE: Point-to-point VPN vs. Client VPN
>
> http://www.ISAserver.org
>
> Even "VPN Client" rules can be source-specific.
> Since you know the IP range for each, you can create subnets representing
> each and use them in the rules to separate them from each other.
>
> ..not exactly intuitive from a user standpoint, but it's how ISA 2004 was
> designed and actually works pretty well.
> BTW, I lost the SQL bitch-list you sent me before and the folks in Haifa are
> interested...
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Friday, February 03, 2006 12:01
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Point-to-point VPN vs. Client VPN
>
> http://www.ISAserver.org
>
> Is there any super-secret way to present a point-to-point VPN connection to
> ISA 2004 differently than a regular client VPN connection, or are we forced
> to treat them both as "VPN Clients" and thus have everything on the
> client/end-point side all follow the same "VPN Client" rules?
>
> t
>
> -----
> "I'll see your Llama and up you a Badger."
> John T
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.