Hi Carl, VPN purpose is intended for clients outside the Corporate Network and not behind the ISA2000 network. Assuming that the client belongs to the Corporate A's network and then has physically moved outside of the Corp A's network. The client computers that are outside the Corporate Network that have the Firewall Client installed would not have that symptom that you are facing since first the Firewall Client can no longer establish a connection to the ISA2000 server from the outside, the Firewall Client would be disabled automatically. So if they were either at home or in another companies network, you would not have a problem able to access web sites, file shares, or other mail servers on a different network. In your case, it sounds like you are behind another ISA2000 server that your Firewall Client communicates with (let's say Network B), and you are trying to establish a VPN client session into another network. Since you have not left the network, your Firewall Client can still communicate with your ISA2000 and it will not automatically disable itself. Remember when you establish a VPN client connection, your computer is now acting as a multi-home computer and needs ip forwarding to function but having the Firewall Clients enabled, its main function is to establish a continuous TCP session with the ISA2000 to support Winsock applications. My guess is that the Firewall Client when enabled, disables IP Forwarding or forces the computer to only communicate with the ISA2000 server. This looks to me that this is by design, and the Firewall Client was not intended to establish a VPN client session behind the firewall. If you do want to establish a VPN for client session to another site behind the firewall, the best practice would be to have ISA establish the LAN to LAN VPN, to your corporate site to allowing ISA to support the routing request. The work-around, looks like you already found it, by disabling the Firewall Client to establish your vpn session. HTH, Dave -----Original Message----- From: carl [mailto:carl@xxxxxxxxxxx] Sent: Friday, August 24, 2001 4:53 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: What are most people doing? http://www.ISAserver.org The problem that I have with the firewall client is that when I VPN into a corporate site, I cannot access internal web sites, mail servers or file shares at that corporate site unless I disable the firewall after I connect. Anyone have any ideas how to solve this? Carl -----Original Message----- From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Friday, August 24, 2001 3:27 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: What are most people doing? http://www.ISAserver.org Hi Adam, This is a subject near and dear to my heart. :-) All computers that support the Firewall client should have it installed. It will make a lot of things that you want to do easier to do. Although, the exception is published servers, don't install it on the servers you want to publish. The SecureNAT client configuration is really meant for clients that do not support the Firewall client installation, or for published servers. Also, ALL clients should be configured as Web Proxy clients. I don't think there's a browser out in use now that isnt' CERN compliant. IMHO, Tom www.isaserver.org/shinder Thomas W Shinder, M.D., MCSE, MCT -----Original Message----- From: Adam.Staub@xxxxxxxxxxxxx [mailto:Adam.Staub@xxxxxxxxxxxxx] Sent: Friday, August 24, 2001 2:25 PM To: [ISAserver.org Discussion List] Subject: [isalist] What are most people doing? http://www.ISAserver.org What is the consensus? Most of you putting the Firewall clients on your machines? Or are you trying to control everything via the web proxy and Client Address sets? Adam ********************************************************************* Note: This E-mail and any attachments may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of this E-mail and any attachments is strictly prohibited. If you have received this E-mail in error, please notify us immediately by returning it to the sender and deleting it from your computer system. Thank you for your cooperation. ********************************************************************** ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: carl@xxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: david@xxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')