Hi Michael,

But if you properly configure Access Policy, what is the issue? Since users access only the content they require, and the ISA firewall performs stateful application layer inspection on the connections, then what's the difference between a VPN connection and any other remote access connection through publishing? You're not giving them full access to everything? That's not what the ISA firewall is all about. It's about access control.

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Michael Bertelsen [mailto:mbe@xxxxxxxxxxxxx]
Sent: Sunday, October 24, 2004 5:50 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server and secure VPN clients

How nice of you guys to respond so quickly. I am just sorry that you did not take the time to think on what I wrote instead of simply mistaking me for a rookie. I do realize that many people have a "Microsoft cannot be secure" attitude, but this was in no way what I was getting at. I am a MS Certified consultant, and I have been working with MS products as a professional for over six years....

The point of my previous post was to investigate whether others had thought of and maybe solved (what I find to be) the problem with MS VPN. I have been searching for a solution for controlling VPN clients after the tunnel has been built. I have spent several hours today digging into CMAK, RRAS policies and ISA firewall rules and add-ins, but have not found a way to make sure that a user does not manually change the routing information on the computer.

Think of this situation: A user downloads and installs a fun little app, and with it a trojan. Later the user opens a MS VPN connection. During the establishing of the locked down (CMAK) VPN connection the Quarantine scripts will check the routing table, the antivirus, the firewall etc., but the trojan will not be detected. The VPN connection is established successfully. Now at this point what is to stop the trojan process from adding or changing a route entry and thereby effectively sending traffic around the VPN tunnel? (Other than making sure the user is not local admin :-)) This situation will actually enable a hacker to control the client computer and launch an attack through the VPN tunnel.

If you actually do have a way to prevent this scenario, I would very much like to hear it, as I am encountering an increasing number of requests for MS-like VPN functionality that third party vendors have a hard time offering. A Nortel VPN implementation solves this by continuously monitoring the routing table and closing the VPN tunnel in case of a change in the routing table. I was hoping for a somewhat similar MS solution.

I look forward to a hopefully somewhat more useful answer from you.

Regards,
Michael
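Michael describes the control he wants (the Nortel behaviour: snapshot the routing table when the tunnel comes up, poll it, and tear the tunnel down if it changes) and Tom's reply does not supply one for the MS stack. The script below, added here as an illustration and not code from either poster or from ISA Server, shows the detection half of such a client-side watchdog: it parses the IPv4 "Active Routes" table as printed by Windows `route print`, diffs a later snapshot against the baseline taken at tunnel establishment, and separately flags any new route that would carry traffic for the corporate network off the tunnel interface. The two snapshots, the corporate prefix 10.0.0.0/8, the tunnel interface address 10.8.0.6 and the VPN server 203.0.113.10 are constructed sample values; on a real client the text would come from running `route print` on a timer, and the "close the tunnel" action would be whatever the connection manager offers (for a RAS/CMAK entry, `rasdial <entry> /DISCONNECT`), which is left as a comment.

```python
"""Routing-table watchdog for a VPN client (illustrative example).

Added example, not code from the thread, from CMAK or from ISA Server.
Snapshots below are constructed `route print` excerpts; the corporate
prefix, tunnel address and VPN server address are made-up sample values.
"""
import ipaddress
import re
from dataclasses import dataclass

# One row of the IPv4 "Active Routes" table from Windows `route print`:
# destination, netmask, gateway (dotted quad or "On-link"), interface, metric.
_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

# Constructed baseline: taken right after the CMAK tunnel came up.
# 10.8.0.6 is the tunnel interface, 10.0.0.0/8 is the corporate network
# reached through it, 203.0.113.10 is the VPN server reached via the LAN.
BASELINE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
         10.0.0.0        255.0.0.0          On-link        10.8.0.6      1
         10.8.0.6  255.255.255.255          On-link        10.8.0.6    256
      192.168.1.0    255.255.255.0          On-link    192.168.1.50    281
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.50     26
===========================================================================
"""

# Constructed later snapshot: one extra, more specific route steers part of
# the corporate range out of the physical NIC instead of the tunnel.
TAMPERED = BASELINE.replace(
    "===========================================================================\n",
    "===========================================================================\n"
    "        10.10.0.0      255.255.0.0      192.168.1.1    192.168.1.50      1\n",
    1,
)


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def parse_route_print(text):
    """Return the set of IPv4 routes found in `route print` output."""
    routes = set()
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.add(Route(net, gw, iface, int(metric)))
    return frozenset(routes)


def bypass_routes(routes, protected, tunnel_iface):
    """Routes that overlap the protected network but leave via a non-tunnel
    interface. The default route is ignored: in a split-tunnel setup it is
    legitimately on the physical NIC, and the tunnel route is more specific."""
    net = ipaddress.IPv4Network(protected)
    return sorted(
        (r for r in routes
         if r.destination.prefixlen > 0
         and r.destination.overlaps(net)
         and r.interface != tunnel_iface),
        key=lambda r: str(r.destination),
    )


def check_snapshot(baseline, current, protected, tunnel_iface):
    """Watchdog decision. Like the Nortel behaviour in the thread, ANY change
    to the table is grounds for closing the tunnel; bypass routes are listed
    separately so the event log can say why."""
    added = current - baseline
    removed = baseline - current
    return {
        "close_tunnel": bool(added or removed),
        "added": added,
        "removed": removed,
        "bypass": bypass_routes(added, protected, tunnel_iface),
    }


if __name__ == "__main__":
    base = parse_route_print(BASELINE)
    now = parse_route_print(TAMPERED)
    verdict = check_snapshot(base, now, "10.0.0.0/8", "10.8.0.6")
    for r in verdict["bypass"]:
        print(f"route {r.destination} via {r.interface} bypasses the tunnel")
    if verdict["close_tunnel"]:
        # On a real client this is where the tunnel would be dropped, e.g.
        # subprocess.run(["rasdial", "<CMAK entry name>", "/DISCONNECT"]).
        print("routing table changed since tunnel establishment: closing tunnel")
```

Polling `route print` every few seconds is coarse; a process running as the user with local admin rights can still race the check, which is the point Michael makes about admin rights. The watchdog narrows the window and leaves a log entry, it does not replace keeping the user out of the Administrators group.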