[THIN] Re: Help is appreciated....

  • From: "Chad Schneider (IT)" <Chad.M.Schneider@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 29 Apr 2008 16:17:20 -0500

It is allowed, but unfortunately, is going back out the external port (INT0), 
rather than going through the internal, based on the IP Pool IP and default 
gateway.
 
Chad Schneider
Systems Engineer
ThedaCare IT
920-735-7615

>>> On 4/29/2008 at 4:06 PM, <tsguy92@xxxxxxxxx> wrote:
Can your firewall guys confirm if port 80 TCP outbound is allowed from your CAG?
 


 
On Tue, Apr 29, 2008 at 1:54 PM, Chad Schneider (IT) 
<Chad.M.Schneider@xxxxxxxxxxxxx> wrote:


CAG Standard.
 
The odd thing, this DID work, on our old firewall, maybe inadvertently....
 
Seems silly though. I want all network traffic to go through my network.  I 
want those connected to me to be forced to use our internet rules.  Sounds 
like my only option is to turn on split tunneling?  Is that not still 
considered a security concern?
 
Chad Schneider
Systems Engineer
ThedaCare IT
920-735-7615

>>> On 4/29/2008 at 3:39 PM, <tsguy92@xxxxxxxxx> wrote:
Chad, are you using CAG + AAC / Advanced Access Control?
 
if so, this issue is by design. During our setup I actually called CTX support 
on it, and was informed that's the case. 
 
Consider the fact that the CAG by default "denies" any connection which is not 
explicitly defined as allowed. That's the issue you're likely fighting.
 
Port 80 / 443 traffic to *.*.*.* is not defined as allowed for the CAG, 
therefore, it won't pass that traffic on. Sadly, you can't define wildcards 
like this in the CAG / AAC config.
 
Set up an allowed resource for the IP addresses for www.abc.com ( 
http://www.abc.com/ ) or something similar on Port 80 and it will work. 
 
Our workaround for this was the following entries on our AAC server as 
"allowed" resources for our VPN users. 
 
server - 128.0.0.0, subnet - 128.0.0.0, port - 80, 443, protocol - TCP
server - 0.0.0.0, subnet - 128.0.0.0, port - 80, 443, protocol - TCP
 
HTH
 
Lan
 
On 4/29/08, Chad Schneider (IT) <Chad.M.Schneider@xxxxxxxxxxxxx> wrote: 

CAG 4.5.
 
We want to make an SSL VPN connection via the CAG.  We want split tunneling off 
(I feel for obvious reasons), but are now unable to get to external internet 
sites.  Our VPN users get an internal IP address, with an internal Default 
gateway.  We have 3 static routes into our internal network.  All requests to 
the internal network work fine.  No requests to any external site work.  
 
How can I make this work, allowing no split tunneling, but also allowing 
internet traffic to the outside of the network?
 
Chad Schneider
Systems Engineer
ThedaCare IT
920-735-7615



