Re: RES: Oh no! Not another VPN problem!

  • From: Ben Schorr <bms@xxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 11 Jul 2003 14:11:34 -1000

I don't think so.  The box he's suggesting they uncheck just tells his
machine not to try and forward unknown route requests through the default
gateway on the network on the other side of his VPN.  In other words IE will
use his RoadRunner connection for websites while his VPN connection remains
intact for corporate data.

I think all of our VPN clients are set up that way -- so the user can browse
the web while their VPN is connected.  I don't see that it opens up any
additional security holes; if anything it might make him slightly more
secure because requests to unknown hosts will go out on his broadband
connection to the Internet instead of down his VPN to the corporate network.

Aloha,

-Ben-
Ben M. Schorr, MVP-OneNote, CNA, MCPx4
Director of Information Services
Damon Key Leong Kupchak Hastert
http://www.hawaiilawyer.com
 

> -----Original Message-----
> From: Chris H [mailto:ntpro@xxxxxxxxxx] 
> Sent: Friday, July 11, 2003 11:14
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: RES: Oh no! Not another VPN problem!
> 
> http://www.ISAserver.org
> 
> 
> I wouldn't uncheck that box!! As soon as you do anyone from 
> the internet on the other side of that broadband connection 
> can tunnel through that PC right on in to your corporate network!!
> 
> Chris
> 
> ----- Original Message -----
> From: "Tiago de Aviz" <Tiago@xxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, July 11, 2003 11:19 AM
> Subject: [isalist] RES: Oh no! Not another VPN problem!
> 
> When you open a VPN thru a Workstation, there's a proxy 
> configuration for each dial-up connection you create. Set the 
> proxy configuration for your ISA Server inside that 
> connection on Explorer's Internet Properties.
> 
> Workaround: try unchecking the box "default gateway in remote network"
> on the advanced TCP/IP properties of the VPN connection. This 
> won't mess up all routes on your workstation.
> 
> And one more thing (like Steve Jobs always says =)): disable 
> the firewall client when you need to access resources on the 
> VPN. When I connect to remote computers I must disable it in 
> order to open the resources on the remote network.
> 
> Tiago de Aviz
> SoftSell
> (41) 340-2363
> www.softsell.com.br
> 
> 
> -----Original Message-----
> From: Rui Silva [mailto:rui.silva@xxxxxxxxxxx]
> Sent: Friday, July 11, 2003 12:02
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Oh no! Not another VPN problem!
> 
> Yes, it's true (I'm beginning to think that ISA and VPN don't 
> play well...).
> So, imagine this scenario:
> ISA SERVER
> ----------
> -SP1
> -Integrated mode
> -PPTP through ISA firewall allowed
> -Site and Content Rule that requires authentication for all
>  destinations
> -The Web Proxy is not configured to ask for authentication
> 
> CLIENTS
> -------
> -Simultaneously SecureNAT/Firewall/Web Proxy
> -IE 6.0 SP1
> 
> Everything works well when clients are browsing the net, 
> BUT... When a client makes a VPN connection, he (she) is 
> still able to make Terminal Services connections to the 
> outside, do DNS resolutions, etc (the protocol rules are OK, 
> so I think there's nothing wrong with the Firewall Service). 
> The problem is that browsing with IE is no longer allowed. 
> The ISA Server comes up with this message:
> 
> The page cannot be displayed
> [...]
> 403 Forbidden - The ISA Server denies the specified Uniform 
> Resource Locator (URL). (12202) Internet Security and 
> Acceleration Server
> 
> I already tried to look at the logs and I can't see anything 
> wrong. I even used a network sniffer, but with no results.
> 
> What is going wrong here?
> 
> Txs.
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org 
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tiago@xxxxxxxxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
> 
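
The routing effect of the "default gateway on remote network" box discussed in this thread, modelled as an added example that is not part of any poster's message. The route tables, interface names and addresses are constructed and simplified; route selection is longest matching prefix, then lowest metric.

```python
import ipaddress

# Constructed route tables for a VPN client: (destination prefix, interface, metric).
# Box checked: the tunnel receives the preferred default route.
BOX_CHECKED = [
    ("0.0.0.0/0", "vpn", 1),
    ("0.0.0.0/0", "broadband", 2),
    ("192.168.1.0/24", "broadband", 1),   # home LAN (made-up range)
    ("10.0.0.0/8", "vpn", 1),             # corporate network (made-up range)
]
# Box unchecked: only the corporate prefix is routed into the tunnel.
BOX_UNCHECKED = [
    ("0.0.0.0/0", "broadband", 1),
    ("192.168.1.0/24", "broadband", 1),
    ("10.0.0.0/8", "vpn", 1),
]

def egress(table, dst):
    """Return the interface a packet to dst leaves on, or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    matches = []
    for prefix, iface, metric in table:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            # Sort key: longer prefix first (negated length), then lower metric.
            matches.append((-net.prefixlen, metric, iface))
    return min(matches)[2] if matches else None

def is_split_tunnel(table, vpn_iface="vpn"):
    """True when the tunnel carries routes but does not hold the preferred default route."""
    defaults = [(metric, iface) for prefix, iface, metric in table if prefix == "0.0.0.0/0"]
    uses_vpn = any(iface == vpn_iface for _, iface, _ in table)
    return uses_vpn and bool(defaults) and min(defaults)[1] != vpn_iface

if __name__ == "__main__":
    for name, table in (("checked", BOX_CHECKED), ("unchecked", BOX_UNCHECKED)):
        print(name,
              "web ->", egress(table, "203.0.113.10"),
              "| corporate ->", egress(table, "10.1.2.3"),
              "| split tunnel:", is_split_tunnel(table))
```

An auditor can feed the same functions with routes parsed from a client's real routing table to confirm which mode a connected VPN client is actually in.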
