Well, Tom beat me to it. Sorry for the duplication!!!

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Friday, July 11, 2003 11:12 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: RES: Oh no! Not another VPN problem!

http://www.ISAserver.org

Hi Ben,

Split tunnel is quite dangerous. Definitely not recommended.

http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html

HTH,
Tom

Thomas W Shinder
http://www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Ben Schorr [mailto:bms@xxxxxxxxxxxxxxxx]
Sent: Friday, July 11, 2003 7:12 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: RES: Oh no! Not another VPN problem!

I don't think so. The box he's suggesting they uncheck just tells his machine not to try and forward unknown route requests through the default gateway on the network on the other side of his VPN. In other words IE will use his RoadRunner connection for websites while his VPN connection remains intact for corporate data.

I think all of our VPN clients are set up that way -- so the user can browse the web while their VPN is connected. I don't see that it opens up any additional security holes; if anything it might make him slightly more secure because requests to unknown hosts will go out on his broadband connection to the Internet instead of down his VPN to the corporate network.

Aloha,

-Ben-
Ben M. Schorr, MVP-OneNote, CNA, MCPx4
Director of Information Services
Damon Key Leong Kupchak Hastert
http://www.hawaiilawyer.com

> -----Original Message-----
> From: Chris H [mailto:ntpro@xxxxxxxxxx]
> Sent: Friday, July 11, 2003 11:14
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: RES: Oh no! Not another VPN problem!
>
> I wouldn't uncheck that box!!
> As soon as you do, anyone from the internet on the other side of that
> broadband connection can tunnel through that PC right on in to your
> corporate network!!
>
> Chris
>
> ----- Original Message -----
> From: "Tiago de Aviz" <Tiago@xxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, July 11, 2003 11:19 AM
> Subject: [isalist] RES: Oh no! Not another VPN problem!
>
> When you open a VPN thru a Workstation, there's a proxy configuration
> for each dial-up connection you create. Set the proxy configuration for
> your ISA Server inside that connection on Explorer's Internet Properties.
>
> Workaround: try unchecking the box "default gateway in remote network"
> on the advanced TCP/IP properties of the VPN connection. This won't
> mess up all routes on your workstation.
>
> And one more thing (like Steve Jobs always says =)): disable the
> firewall client when you need to access resources on the VPN. When I
> connect to remote computers I must disable it in order to open the
> resources on the remote network.
>
> Tiago de Aviz
> SoftSell
> (41) 340-2363
> www.softsell.com.br
>
> -----Original Message-----
> From: Rui Silva [mailto:rui.silva@xxxxxxxxxxx]
> Sent: Friday, July 11, 2003 12:02
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Oh no! Not another VPN problem!
>
> Yes, it's true (I'm beginning to think that ISA and VPN don't play
> well...).
> So, imagine this scenario:
>
> ISA SERVER
> ----------
> -SP1
> -Integrated mode
> -PPTP through ISA firewall allowed
> -Site and Content Rule that requires authentications for all destinations
> -The Web Proxy is not configured to ask for authentication
>
> CLIENTS
> -------
> -Simultaneously SecureNAT/Firewall/Web Proxy
> -IE 6.0 SP1
>
> Everything works well when clients are browsing the net, BUT...
> When a client makes a VPN connection, he (she) is still able to make
> Terminal Services connections to the outside, do DNS resolutions, etc
> (the protocol rules are OK, so I think there's nothing wrong with the
> Firewall Service).
> The problem is that browsing with IE is no longer allowed.
> The ISA Server comes up with this message:
>
> The page cannot be displayed
> [...]
> 403 Forbidden - The ISA Server denies the specified Uniform Resource
> Locator (URL). (12202) Internet Security and Acceleration Server
>
> I already tried to look at the logs and I can't see anything wrong. I
> even used a network sniffer, but with no results.
>
> What is going wrong here?
>
> Txs.
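
An added example, not part of any message in this thread: a check for what the "default gateway on remote network" checkbox discussed above does to a client's routes, reporting whether Internet-bound traffic leaves through the VPN or the local broadband link. The route rows, addresses and function names are constructed for illustration and follow the column order of Windows `route print`.

```python
import ipaddress

# Constructed sample rows: destination, netmask, gateway, interface, metric.
# All addresses are made up for this example.
LAN_IF, VPN_IF = "192.168.1.50", "10.0.0.77"

BOX_CHECKED = """
0.0.0.0        0.0.0.0          192.168.1.1    192.168.1.50   21
0.0.0.0        0.0.0.0          10.0.0.77      10.0.0.77      1
10.0.0.0       255.0.0.0        10.0.0.77      10.0.0.77      1
192.168.1.0    255.255.255.0    192.168.1.50   192.168.1.50   20
"""

BOX_UNCHECKED = """
0.0.0.0        0.0.0.0          192.168.1.1    192.168.1.50   20
10.0.0.0       255.0.0.0        10.0.0.77      10.0.0.77      1
192.168.1.0    255.255.255.0    192.168.1.50   192.168.1.50   20
"""

def parse_routes(text):
    """Return a list of (network, interface, metric) from route rows."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # blank lines and column headers
        dest, mask, _gateway, iface, metric = fields
        try:
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"), iface, int(metric)))
        except ValueError:
            continue  # not a route row
    return routes

def egress_interface(routes, destination):
    """Pick the route by longest prefix match, ties broken by lowest metric."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def is_split_tunnel(route_text, vpn_interface, internet_probe="203.0.113.10"):
    """True when the VPN is up but Internet-bound traffic bypasses it."""
    routes = parse_routes(route_text)
    vpn_up = any(iface == vpn_interface for _, iface, _ in routes)
    return vpn_up and egress_interface(routes, internet_probe) != vpn_interface
```
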