Thanks a million for the info.

_____

From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Friday, August 24, 2007 3:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Microsoft Security Bulletin MS07-049 - Important: Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986)

No, not *only* two options... there are always other things one could do... Publishing would not necessarily expose servers to the Internet; rules could limit access to the source network on the other end.

What we really need is a better idea of what services you need from the ISA protected network. Is the goal to get "full internal access" to the ISA protected network? You said that you attempted to change the network relationship to ROUTE from NAT; is that to say that the internal IP range is a reachable, routable network?

And why tunnel to the Fortigate box when you have ISA? Why not just VPN into ISA as others have said? Using VPN network rules would be far more secure than an IPSec tunnel where a full stack would be available between the two networks. But if you like the added security of an IPSec tunnel between the branches, then yes, you could simply VPN inside the IPSec tunnel to ISA and not worry about publishing scenarios (as it relates to the branch office).

It all depends on what your topology is like: is the ISA box reachable on the network, or is it "private" behind the Fortigate box? If private, you could indeed use a ROUTE relationship and access rules to accomplish what you want.

Need more infoz ;)

t

_____

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jagathese Gnana
Sent: Friday, August 24, 2007 12:28 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Microsoft Security Bulletin MS07-049 - Important: Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986)

Hi,

Thanks for your reply first of all. Basically, does it mean that I have only 2 options?

1) Publishing the servers.
2) VPN into the ISA box through the IPSEC tunnel.

In the first option the internal file servers would be public, which I would prefer if nothing else works out. Secondly, from your mail below, are you saying to tunnel into the ISA box through the hardware firewall? If so, do I have to create a tunnel between the ISA server and the firewall at my office, or do I have to configure the remote (branch) router to terminate at the ISA box after passing through the hardware firewall? Could you please elaborate this for me.

Eagerly waiting for response.

_____

From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Thursday, August 23, 2007 9:36 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Microsoft Security Bulletin MS07-049 - Important: Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986)

If the IPSec tunnel terminates in front of ISA, then the traffic hitting the external interface of ISA from the remote location is "external" traffic to ISA. You'll have to create publishing rules to allow that traffic into the internal network, unless you VPN into the ISA box through the IPSec tunnel.

t

_____

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Aman Bedi
Sent: Thursday, August 23, 2007 12:15 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Microsoft Security Bulletin MS07-049 - Important: Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986)

Why not have VPN with ISA instead of the router?

_____

From: Jagathese Gnana [mailto:Jagathese@xxxxxxxxxxxxxxxxxxx]
Sent: Thursday, August 23, 2007 2:21 PM
To: tshinder@xxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Microsoft Security Bulletin MS07-049 - Important: Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986)

Dear Thomas,

My name is Jags. I would like to have your expert advice and guidance to overcome the problem I am facing.

Scenario:

1) I am trying to set up ISA Server 2004 with a hardware firewall (Fortigate). The hardware firewall is connected to the Internet; the internal interface of the hardware firewall and the external interface of the ISA server are on the same network.
2) We have a branch office connected to us using IPSEC tunneling to get connected to the internal network. The tunnel is between the branch office router and our office router.
3) With the introduction of ISA Server at our end (head office) between the hardware firewall and the internal network, we have a situation wherein the IPSEC tunnel from the branch terminates in front of the ISA server, which obviously means the branch office cannot communicate with the internal network unless something is worked out.
4) I have tried changing the network relationship between the internal and external interfaces of the ISA server from NAT to route to achieve some results, as a result of which the internal web proxy clients of the ISA server cannot connect to the Internet.
5) I have gone through your notes having 3 chapters at ISASERVER.ORG, which provide a solution wherein I can create a new network between the perimeter network and the internal and keep a route relationship, but it really doesn't work.

I would like to have your suggestion if there is a way of getting the packets from the IPSEC tunnel clients to the internal network of the ISA server, or is publishing the assets of the firm the only option.

Eagerly waiting for your response.

_____

From: Thomas W Shinder [mailto:]
Sent: Tuesday, August 14, 2007 8:04 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Microsoft Security Bulletin MS07-049 - Important: Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986)

This is why we don't put firewalls in VMs:

Microsoft Security Bulletin MS07-049 - Important: Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986):
http://www.microsoft.com/technet/security/Bulletin/ms07-049.mspx