RE: What are most people doing?

  • From: David Dellanno <david@xxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 25 Aug 2001 11:23:54 -0400

Hi Carl,
        VPN purpose is intended for clients outside the Corporate Network
and not behind the ISA2000 network. Assuming that the client belongs to the
Corporate A's network and then has physically moved outside of the Corp A's
network.  The client computers that are outside the Corporate Network that
have the Firewall Client installed would not have that symptom that you are
facing since first the Firewall Client can no longer establish a connection
to the ISA2000 server from the outside, the Firewall Client would be
disabled automatically.  So if they were either at home or in another
company's network, you would not have a problem accessing web sites,
file shares, or other mail servers on a different network.

        In your case, it sounds like you are behind another ISA2000 server
that your Firewall Client communicates with (let's say Network B), and you
are trying to establish a VPN client session into another network.  Since
you have not left the network, your Firewall Client can still communicate
with your ISA2000 and it will not automatically disable itself.  

        Remember when you establish a VPN client connection, your computer
is now acting as a multi-home computer and needs IP forwarding to function
but having the Firewall Clients enabled, its main function is to establish a
continuous TCP session with the ISA2000 to support Winsock applications.  My
guess is that the Firewall Client when enabled, disables IP Forwarding or
forces the computer to only communicate with the ISA2000 server.  This looks
to me that this is by design, and the Firewall Client was not intended to
establish a VPN client session behind the firewall.  If you do want to
establish a VPN client session to another site behind the firewall, the
best practice would be to have ISA establish the LAN to LAN VPN to your
corporate site, allowing ISA to support the routing request.  The
work-around, looks like you already found it, by disabling the Firewall
Client to establish your VPN session.

HTH,
Dave

-----Original Message-----
From: carl [mailto:carl@xxxxxxxxxxx]
Sent: Friday, August 24, 2001 4:53 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: What are most people doing?


http://www.ISAserver.org


The problem that I have with the firewall client is that when I VPN into
a corporate site, I cannot access internal web sites, mail servers or
file shares at that corporate site unless I disable the firewall after I
connect. Anyone have any ideas how to solve this?
Carl

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Friday, August 24, 2001 3:27 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: What are most people doing?



Hi Adam,

This is a subject near and dear to my heart. :-)

All computers that support the Firewall client should have it installed.
It will make a lot of things that you want to do easier to do. Although,
the exception is published servers, don't install it on the servers you
want to publish.

The SecureNAT client configuration is really meant for clients that do
not support the Firewall client installation, or for published servers.

Also, ALL clients should be configured as Web Proxy clients. I don't
think there's a browser out in use now that isn't CERN compliant.

IMHO,

Tom
www.isaserver.org/shinder


Thomas W Shinder, M.D., MCSE, MCT
 


-----Original Message-----
From: Adam.Staub@xxxxxxxxxxxxx [mailto:Adam.Staub@xxxxxxxxxxxxx]
Sent: Friday, August 24, 2001 2:25 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] What are most people doing?



What is the consensus?  Most of you putting the Firewall clients on your
machines?  Or are you trying to control everything via the web proxy and
Client Address sets?

Adam

