Re: RES: Oh no! Not another VPN problem!

  • From: "John G. Lyon" <jlyon@xxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 11 Jul 2003 23:47:07 -0400

Well, Tom beat me to it. Sorry for the duplication!!!

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Friday, July 11, 2003 11:12 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: RES: Oh no! Not another VPN problem!


http://www.ISAserver.org


Hi Ben,
 
Split tunnel is quite dangerous. Definitely not recommended.
 
http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html
 
HTH,
 
Tom
Thomas W Shinder
http://www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 

-----Original Message-----
From: Ben Schorr [mailto:bms@xxxxxxxxxxxxxxxx] 
Sent: Friday, July 11, 2003 7:12 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: RES: Oh no! Not another VPN problem!


I don't think so.  The box he's suggesting they uncheck just tells his machine 
not to try and forward unknown route requests through the default gateway on 
the network on the other side of his VPN.  In other words IE will use his 
RoadRunner connection for websites while his VPN connection remains intact for 
corporate data.

I think all of our VPN clients are set up that way -- so the user can browse 
the web while their VPN is connected.  I don't see that it opens up any 
additional security holes; if anything it might make him slightly more secure 
because requests to unknown hosts will go out on his broadband connection to 
the Internet instead of down his VPN to the corporate network.

Aloha, 

-Ben- 
Ben M. Schorr, MVP-OneNote, CNA, MCPx4 
Director of Information Services 
Damon Key Leong Kupchak Hastert 
http://www.hawaiilawyer.com 
  

> -----Original Message----- 
> From: Chris H [mailto:ntpro@xxxxxxxxxx] 
> Sent: Friday, July 11, 2003 11:14 
> To: [ISAserver.org Discussion List] 
> Subject: [isalist] Re: RES: Oh no! Not another VPN problem! 
> 
> I wouldn't uncheck that box!! As soon as you do, anyone from 
> the Internet on the other side of that broadband connection 
> can tunnel through that PC right on in to your corporate network!! 
> 
> Chris 
> 
> ----- Original Message ----- 
> From: "Tiago de Aviz" <Tiago@xxxxxxxxxxxxxxx> 
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> 
> Sent: Friday, July 11, 2003 11:19 AM 
> Subject: [isalist] RES: Oh no! Not another VPN problem! 
> 
> 
> When you open a VPN thru a Workstation, there's a proxy 
> configuration for each dial-up connection you create. Set the 
> proxy configuration for your ISA Server inside that 
> connection on Explorer's Internet Properties. 
> 
> Workaround: try unchecking the box "default gateway in remote network" 
> on the advanced TCP/IP properties of the VPN connection. This 
> won't mess up all routes on your workstation. 
> 
> And one more thing (like Steve Jobs always says =)): disable 
> the firewall client when you need to access resources on the 
> VPN. When I connect to remote computers I must disable it in 
> order to open the resources on the remote network. 
> 
> Tiago de Aviz 
> SoftSell 
> (41) 340-2363 
> www.softsell.com.br 
> 
> 
> -----Original Message----- 
> From: Rui Silva [mailto:rui.silva@xxxxxxxxxxx] 
> Sent: Friday, July 11, 2003 12:02 
> To: [ISAserver.org Discussion List] 
> Subject: [isalist] Oh no! Not another VPN problem! 
> 
> Yes, it's true (I'm beginning to think that ISA and VPN don't 
> play well...). 
> So, imagine this scenario: 
> ISA SERVER 
> ---------- 
> -SP1 
> -Integrated mode 
> -PPTP through ISA firewall allowed 
> -Site and Content Rule that requires authentication for all destinations 
> -The Web Proxy is not configured to ask for authentication 
> 
> CLIENTS 
> ------- 
> -Simultaneously SecureNAT/Firewall/Web Proxy 
> -IE 6.0 SP1 
> 
> Everything works well when clients are browsing the net, 
> BUT... When a client makes a VPN connection, he (she) is 
> still able to make Terminal Services connections to the 
> outside, do DNS resolutions, etc (the protocol rules are OK, 
> so I think there's nothing wrong with the Firewall Service). 
> The problem is that browsing with IE is no longer allowed. 
> The ISA Server comes up with this message: 
> 
> The page cannot be displayed 
> [...] 
> 403 Forbidden - The ISA Server denies the specified Uniform 
> Resource Locator (URL). (12202) Internet Security and 
> Acceleration Server 
> 
> I already tried to look at the logs and I can't see anything 
> wrong. I even used a network sniffer, but with no results. 
> 
> What is going wrong here? 
> 
> Txs. 
> 
>

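As an added example, not written by any of the posters above: a small audit script that reads a Windows RAS phonebook (rasphone.pbk) and flags connections where "Use default gateway on remote network" is unchecked, the split-tunnel setting this thread argues about. It assumes the phonebook has been copied off the workstation; the IpPrioritizeRemote key is the phonebook field behind that checkbox, and the sample phonebook text is constructed.

```python
"""Audit a Windows RAS phonebook (rasphone.pbk) for split-tunnel VPN entries.

rasphone.pbk is INI-like, one [section] per connection. IpPrioritizeRemote
records the "Use default gateway on remote network" checkbox (1 = checked,
0 = unchecked, i.e. split tunnel). Treating a missing key as 1 (the Windows
default) is an assumption of this script.
"""

# Constructed sample phonebook, not a real export; hostnames are placeholders.
SAMPLE_PBK = """\
[Corp VPN]
Type=2
IpPrioritizeRemote=1
PhoneNumber=vpn.example.test

[Home Lab]
Type=2
IpPrioritizeRemote=0
PhoneNumber=lab.example.test

[Legacy]
Type=2
"""


def parse_pbk(text):
    """Map connection name -> True if all traffic is routed via the tunnel."""
    result, name, keys = {}, None, {}

    def flush():
        if name is not None:
            result[name] = keys.get("IpPrioritizeRemote", "1") != "0"

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):  # new connection
            flush()
            name, keys = line[1:-1], {}
        elif "=" in line and name is not None:
            key, _, value = line.partition("=")
            keys.setdefault(key.strip(), value.strip())  # first occurrence wins
    flush()
    return result


def split_tunnel_entries(text):
    """Names of connections whose non-VPN traffic bypasses the corporate gateway."""
    return sorted(n for n, remote in parse_pbk(text).items() if not remote)
```

Run it over `C:\Documents and Settings\<user>\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk` (path as of Windows 2000/XP) to list the entries that behave the way Ben describes.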