RE: Help Please!

  • From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 10 Jan 2002 17:51:52 -0600

Hi Stefaan,

BINGO! And this is as it should be.

It would be patently INSANE to allow your VPN clients to blithely route
their viruses and worms and Trojans unchecked from their Internet
connection into the corpnet by not requiring the use of the remote VPN
network as the default gateway. Unless you run the kind of corpnet
where you allow all the users to bring in their own USB modems so they
can dial up their AOL accounts and bypass the ISA Server access controls
:-)

HTH,
Tom
www.isaserver.org/shinder


-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx] 
Sent: Thursday, January 10, 2002 3:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Help Please!

http://www.ISAserver.org


Hi guys,

you certainly need to read Thaddeus Fortenberry's book about W2K virtual
private networking (see my previous mail). Then you will understand how it
works (client-side routing). There's nothing wrong with it, but you have to
take it into account when designing your VPN. I will try to highlight the
important points.

The VPN client gets his/her IP address, DNS and WINS from a static pool or a
DHCP server (internal network). A subnet mask is not given to the client!
Therefore you will see a subnet mask of 255.255.255.255 (host entry) when
doing a route print on the client.

If on the client 'use default gateway on remote network' is checked, the VPN
client will get a new default gateway which points to the tunnel interface.
So, all requests not for the 'local net' (as seen by the client) will be routed
through the tunnel to the VPN server. No split tunneling is possible. In
other words, the VPN client can, when the tunnel is active, no longer
communicate directly with other remote networks (i.e. the Internet). This is
very good from a security point of view.

However, if on the VPN client 'use default gateway on remote network' is NOT
checked, it becomes a little bit tricky. The client gets a route to the
classful network ID from which he got an IP address. An example: the client
gets IP address 10.1.2.3 (out of a pool 10.1.2.0/24) and on the client you
will find a new route to 10.0.0.0/8 which points to the tunnel interface.
Suppose now that the central internal network also has another subnet
128.1.0.0/16. How can we tell the client to route to that subnet through the
tunnel? There is at this moment no easy way to do it.

Conclusion: as long as 'use default gateway on remote network' is checked,
you will have no problems!

Hope this helps a little bit...
Stefaan
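The client-side routing that Stefaan describes can be modelled to see exactly which destinations leave the tunnel under each setting. The following is an added example, not code from the original thread or from Microsoft: it builds the simplified route table the post describes (a /32 host entry, a classful route derived from the assigned address, and a default route that points at the tunnel only when 'use default gateway on remote network' is checked) and performs a longest-prefix lookup. The local LAN 192.168.1.0/24, the sample destinations and the interface labels are constructed assumptions for illustration.

```python
"""Model of the W2K VPN client routing behaviour described in the thread.

Added example (not the thread's or Microsoft's code). The route table is a
deliberate simplification: host entry, classful route, local LAN, default.
"""
import ipaddress

TUNNEL = "tunnel"        # traffic goes through the VPN to the corpnet
LOCAL = "local-lan"      # stays on the client's own LAN
ISP = "isp-default"      # leaves directly via the Internet connection


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """Classful network (A = /8, B = /16, C = /24) the client derives
    from its assigned address, since no subnet mask is handed out."""
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{addr} is not in a classful unicast range")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def build_client_routes(vpn_addr: str, local_lan: str,
                        use_remote_default_gateway: bool):
    """Return (network, interface) pairs as the client would install them."""
    routes = [
        (ipaddress.ip_network(local_lan), LOCAL),
        # the 255.255.255.255 host entry seen in 'route print'
        (ipaddress.ip_network(f"{vpn_addr}/32"), TUNNEL),
        # classful route, e.g. 10.0.0.0/8 for an address out of 10.1.2.0/24
        (classful_network(vpn_addr), TUNNEL),
    ]
    default = TUNNEL if use_remote_default_gateway else ISP
    routes.append((ipaddress.ip_network("0.0.0.0/0"), default))
    return routes


def next_hop(routes, dest: str) -> str:
    """Longest-prefix match: which interface a packet to dest leaves on."""
    d = ipaddress.ip_address(dest)
    best = None
    for net, iface in routes:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def split_tunnel_exposure(routes, destinations):
    """Destinations that bypass the tunnel entirely (the split-tunnel case)."""
    return [d for d in destinations if next_hop(routes, d) == ISP]


if __name__ == "__main__":
    # Constructed sample: corpnet subnets 10.1.2.0/24 and 128.1.0.0/16,
    # client LAN 192.168.1.0/24, one Internet host 1.2.3.4.
    targets = ["10.9.9.9", "128.1.5.9", "192.168.1.20", "1.2.3.4"]
    for checked in (False, True):
        table = build_client_routes("10.1.2.3", "192.168.1.0/24", checked)
        print(f"use default gateway on remote network = {checked}")
        for t in targets:
            print(f"  {t:14} -> {next_hop(table, t)}")
        print("  bypasses tunnel:", split_tunnel_exposure(table, targets))
```

With the box unchecked, 128.1.5.9 (the second corpnet subnet) is routed to the ISP default gateway and never reaches the corpnet, while Internet traffic also flows outside the tunnel; with the box checked, everything except the client's own LAN goes through the tunnel, which is the behaviour the thread recommends.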

-----Original Message-----
From: Stephen Herrera [mailto:sherrera@xxxxxxxxxx]
Sent: donderdag 10 januari 2002 17:17
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Help Please!


http://www.ISAserver.org


I am having the same problem with that automatic subnet mask. So far I
have been unable to change it. Please post if you find something.

steve


-----Original Message-----
From: Quita Harris [mailto:qharris@xxxxxxxx]
Sent: Thursday, January 10, 2002 7:22 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Help Please!


http://www.ISAserver.org


Hi Jason,

Thanks again for ALL your assistance, you got me on the right track. I see
where the invalid subnet mask is coming from: when I enter the block of
static IPs in RRAS (right-click the RRAS server container, select the IP
tab) there is no option to enter a subnet mask, and somehow an automatic
mask is generated. That's what I need to resolve.

Thanks Again

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
sherrera@xxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

