ISA server and secure VPN clients

  • From: "Michael Bertelsen" <mbe@xxxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Fri, 22 Oct 2004 07:49:39 -0600


Up until the release of ISA Server 2004, the use of Microsoft VPN clients
was thought of as only being semi-secure, since you have no way of
blocking the use of split tunneling.
From the Client, you were always able to access the local LAN as well as
any subnet entered into the routing table, when the VPN tunnel was active.

With VPN Quarantining for RRAS on Windows Server 2003 you were able to
test for several things on the client before establishing the tunnel, but
as soon as the VPN tunnel was established you could easily change the
routing table, and thereby effectively use split tunneling.

Also, using RRAS policies you can severely lock down the VPN tunnel it

Does anybody know if this problem has been solved with the release of ISA
Server 2004?
I have a hard time seeing how a secure ISA VPN gateway can rectify the
insecure VPN client.
The only thing I see as a possible solution is if i.e. Windows XP SP2
supports an advanced setup, and you set a Quarantine policy to only allow
clients running Windows XP SP2.

I look forward to your thoughts on this!

