Hi Gary,

(... the same as the previous mail, but with a small correction in wording...) a real-world answer... ;-)

Personally I would never, I repeat NEVER, allow surfing the Internet directly while they are connected to the VPN. This is a security policy issue. There is always the possibility to surf the Internet through the VPN tunnel when connected. Then they are working just like any other internal corporate client and are subject to the corporate security policy. This works for the ISA web proxy services. I've never tested it with the firewall client. Maybe Tom has an answer on that.

If you find that split tunneling should be allowed in the security policy, you can do it at your own risk. But then you have to be very careful with your corporate internal network design. The point is that all corporate servers which must be available to the roadwarriors must belong to the SAME classful network ID (i.e. 10.0.0.0/8), and you have to create an IP pool for the VPN clients which belongs to the SAME classful network ID (i.e. so also 10.0.0.0/8). This should also work without any problem. Other configurations are at the moment not advised because of the client-side routing issue.

Hope this helps,
Stefaan

-----Original Message-----
From: Gary Anderson [mailto:gary.anderson@xxxxxxxxxx]
Sent: Friday 11 January 2002 8:27
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Help Please!

http://www.ISAserver.org

Hi Stefaan & Tom,

Real world situation: Corporate Users with Notebooks.
1) They "need" - use remote default gateway - unchecked for VPN/Surfing.
2) They "need" to use their Corporate Outlook for personal mail.

Point 1 - they want to surf the Internet from home while they are connected to the VPN.
Point 2 - a notebook is like the company car - it is a perk.

In terms of ISA Server, Point 1 is the kiss-of-death because it effectively disables your "protocol rules" and your "site and content rules" for any "roadwarrior". The solution is in Chapter 3 of your book, Tom.
I have yet to see an organization address this problem. Have you?

Gary

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Friday, January 11, 2002 00:52
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Help Please!

Hi Stefaan,

BINGO! And this is as it should be. It would be patently INSANE to allow your VPN clients to blithely route their viruses and worms and Trojans unchecked from their Internet connection into the corpnet by not requiring the use of the remote VPN network as the default gateway. Unless you run the kind of corpnet where you allow all the users to bring in their own USB modems so they can dial up their AOL accounts and bypass the ISA Server access controls :-)

HTH,
Tom
www.isaserver.org/shinder

-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
Sent: Thursday, January 10, 2002 3:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Help Please!

Hi guys,

you certainly need to read Thaddeus Fortenberry's book about W2K virtual private networking (see my previous mail). Then you will understand how it works (client-side routing). There's nothing wrong with it, but you have to take it into account when designing your VPN. I will try to highlight the important points.

The VPN client gets his/her IP address, DNS and WINS from a static pool or a DHCP server (internal network). A subnet mask is not given to the client! Therefore you will see a subnet mask of 255.255.255.255 (host entry) when doing a route print on the client.

If on the client 'use default gateway on remote network' is checked, the VPN client will get a new default gateway which points to the tunnel interface. So, all requests not for the 'local net' (as seen by the client) will be routed through the tunnel to the VPN server. No split tunneling is possible.
In other words, the VPN client can, when the tunnel is active, no longer communicate directly with other remote networks (i.e. the Internet). This is very good from a security point of view.

However, if on the VPN client 'use default gateway on remote network' is NOT checked, it becomes a little bit tricky. The client gets a route to the classful network ID from which he got an IP address. An example: the client gets IP address 10.1.2.3 (out of a pool 10.1.2.0/24) and on the client you will find a new route to 10.0.0.0/8 which points to the tunnel interface. Suppose now that the central internal network also has another subnet 128.1.0.0/16. How can we tell the client to route to that subnet through the tunnel? There is at this moment no easy way to do it.

Conclusion: as long as 'use default gateway on remote network' is checked, you will have no problems!

Hope this helps a little bit...
Stefaan

-----Original Message-----
From: Stephen Herrera [mailto:sherrera@xxxxxxxxxx]
Sent: Thursday 10 January 2002 17:17
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Help Please!

I am having the same problem with that automatic subnet mask. So far I have been unable to change it. Please post if you find something.

Steve

-----Original Message-----
From: Quita Harris [mailto:qharris@xxxxxxxx]
Sent: Thursday, January 10, 2002 7:22 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Help Please!

Hi Jason,

Thanks again for ALL your assistance, you got me on the right track. I see where the invalid subnet mask is coming from: when I enter the block of static IPs in RRAS (right-click the RRAS server container, select the IP tab) there is no option to enter a subnet mask and somehow an automatic mask is generated. That's what I need to resolve.
Thanks Again

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: sherrera@xxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
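As an added illustration of the client-side routing Stefaan describes in this thread (this is constructed example code, not something posted to the list and not Microsoft's code), the Python below models the routing table a Windows 2000 VPN client ends up with: the /32 host entry for the assigned address (no mask is handed out), then either a default route into the tunnel when 'use default gateway on remote network' is checked, or, when it is unchecked, a route to the classful network derived from the assigned address. The client's home LAN (192.168.1.0/24) and the route metrics are assumptions made for the model; the destinations 10.200.0.1, 128.1.0.5 and 198.51.100.7 are constructed sample addresses. It reproduces the 128.1.0.0/16 case Stefaan raises and the same-classful-network design rule from his reply to Gary.

```python
import ipaddress

# Interface labels used in the modelled routing table
TUNNEL = "tunnel"
LAN = "local LAN"
ISP = "ISP default gateway"


def classful_prefix(ip):
    """Prefix length a host infers from an address delivered without a mask:
    Class A -> /8, Class B -> /16, Class C -> /24."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{ip} is not a classful unicast address")


def classful_network(ip):
    """The classful network containing ip, e.g. 10.1.2.3 -> 10.0.0.0/8."""
    return ipaddress.ip_network(f"{ip}/{classful_prefix(ip)}", strict=False)


def client_routes(assigned_ip, local_lan, use_remote_default_gateway):
    """Model of the VPN client's routing table as the thread describes it.

    Each entry is (network, interface, metric). The metrics are an assumption,
    chosen so the tunnel default route wins over the ISP one when both exist."""
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), ISP, 2),
        (ipaddress.ip_network(local_lan), LAN, 1),
        # RRAS hands out no mask, so the assigned address appears as a /32 host entry
        (ipaddress.ip_network(f"{assigned_ip}/32"), TUNNEL, 1),
    ]
    if use_remote_default_gateway:
        # checked: everything that is not on the local net goes into the tunnel
        routes.append((ipaddress.ip_network("0.0.0.0/0"), TUNNEL, 1))
    else:
        # unchecked: only the classful network of the assigned address is routed into the tunnel
        routes.append((classful_network(assigned_ip), TUNNEL, 1))
    return routes


def egress_interface(routes, destination):
    """Longest-prefix match, ties broken by the lowest metric."""
    dest = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dest in r[0]]
    network, interface, metric = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return interface


def reachability(assigned_ip, local_lan, use_remote_default_gateway, destinations):
    """Map each destination to the interface the client would send it out of."""
    routes = client_routes(assigned_ip, local_lan, use_remote_default_gateway)
    return {d: egress_interface(routes, d) for d in destinations}


def split_tunnel_reaches(assigned_ip, server_ip):
    """Stefaan's design rule: with split tunneling, a corporate server is reachable
    only if it sits in the same classful network as the client's pool address."""
    return ipaddress.IPv4Address(server_ip) in classful_network(assigned_ip)


if __name__ == "__main__":
    # Constructed sample: pool 10.1.2.0/24, a second corporate subnet 128.1.0.0/16,
    # the client's home LAN (assumed 192.168.1.0/24) and an Internet host.
    targets = ["10.200.0.1", "128.1.0.5", "192.168.1.10", "198.51.100.7"]
    for checked in (True, False):
        print(f"use default gateway on remote network = {checked}")
        for dest, via in reachability("10.1.2.3", "192.168.1.0/24", checked, targets).items():
            print(f"  {dest:>14} -> {via}")
```

With the box checked, both corporate subnets and the Internet host leave via the tunnel, so ISA Server sees all of the client's traffic; with it unchecked, 10.200.0.1 still goes into the tunnel but 128.1.0.5 falls through to the ISP default route, which is exactly the unreachable second subnet in Stefaan's example. `split_tunnel_reaches` is the check to run against a pool address and each server address before deciding that a split-tunnel layout is workable.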