Re: RES: Oh no! Not another VPN problem!

  • From: "John G. Lyon" <jlyon@xxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 11 Jul 2003 23:44:28 -0400

I will disagree, Ben. On ISAserver.org you'll find
http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html
 
Here is a snippet of the document. I personally would NOT AGREE with your 
opinion on it. Sorry.
VPN Client Default Route

By default, the Use default gateway on the remote network option is enabled. 
When the VPN client establishes a link with the VPN server, a new default route 
is created on the VPN client and appears in the VPN client's routing table. You 
can view the new route by opening a command prompt and typing the route print 
command. This new default route replaces the old default gateway that may have 
been set on the VPN client when the dial-up connection was established. If a 
dial-up connection is used, the default gateway is typically the ISP's router. 
This allows the dial-up clients to access the Internet.

However, when the new default route is added, the VPN clients that have the Use 
default gateway on remote network cannot access the Internet, because the 
clients now use the VPN interface to route packets to remote (non-local) 
networks. As a VPN administrator, this is exactly what you want. You do not 
want VPN clients to be able to access your private network and the Internet at 
the same time. Doing so creates a significant security risk since the VPN 
client can become a gateway between the Internet and the private network.
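The tutorial tells you to look at `route print` to see which default route the client ends up with. As an added illustration (not from the quoted article or from any poster), here is a small Python check that parses a `route print` IPv4 table and reports whether the VPN interface owns the best default route ("Use default gateway on remote network" checked) or only carries specific routes (the box unchecked, i.e. split tunnelling). The two tables and the interface address 10.10.20.5 are constructed sample data.

```python
import re

# Constructed `route print` IPv4 tables, not taken from the original thread.
# Box checked: the PPTP interface 10.10.20.5 gets a 0.0.0.0 route with
# metric 1 that beats the ISP default, so all non-local traffic uses the VPN.
FULL_TUNNEL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     35
          0.0.0.0          0.0.0.0         On-link      10.10.20.5      1
===========================================================================
"""

# Box unchecked (split tunnel): the ISP gateway keeps the only default route
# and just the remote 10.0.0.0/8 network is routed down the VPN.
SPLIT_TUNNEL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     35
         10.0.0.0        255.0.0.0         On-link      10.10.20.5     26
===========================================================================
"""

ROUTE_RE = re.compile(r"^\s*(\d\S*)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return (dest, mask, gateway, iface, metric) tuples from Active Routes."""
    routes, active = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes"):
            active = True
        elif active and line.startswith("="):
            break  # end of the active-route table
        elif active:
            m = ROUTE_RE.match(line)
            if m:
                d, mask, gw, iface, metric = m.groups()
                routes.append((d, mask, gw, iface, int(metric)))
    return routes

def tunnel_mode(text, vpn_iface):
    """'full' = best default route via vpn_iface; 'split' = only specific routes; else 'none'."""
    routes = parse_routes(text)
    defaults = sorted((r for r in routes if r[0] == r[1] == "0.0.0.0"),
                      key=lambda r: r[4])
    if defaults and defaults[0][3] == vpn_iface:
        return "full"
    if any(r[3] == vpn_iface for r in routes):
        return "split"
    return "none"
```

On a real client, feed it the output of `route print` together with the address assigned to the RAS/VPN adapter; a "split" result is what both sides of this thread are arguing about.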

-----Original Message-----
From: Ben Schorr [mailto:bms@xxxxxxxxxxxxxxxx]
Sent: Friday, July 11, 2003 8:12 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: RES: Oh no! Not another VPN problem!


http://www.ISAserver.org



I don't think so.  The box he's suggesting they uncheck just tells his machine 
not to try and forward unknown route requests through the default gateway on 
the network on the other side of his VPN.  In other words IE will use his 
RoadRunner connection for websites while his VPN connection remains intact for 
corporate data.

I think all of our VPN clients are set up that way -- so the user can browse 
the web while their VPN is connected.  I don't see that it opens up any 
additional security holes; if anything it might make him slightly more secure 
because requests to unknown hosts will go out on his broadband connection to 
the Internet instead of down his VPN to the corporate network.

Aloha, 

-Ben- 
Ben M. Schorr, MVP-OneNote, CNA, MCPx4 
Director of Information Services 
Damon Key Leong Kupchak Hastert 
http://www.hawaiilawyer.com 
  

> -----Original Message----- 
> From: Chris H [ mailto:ntpro@xxxxxxxxxx] 
> Sent: Friday, July 11, 2003 11:14 
> To: [ISAserver.org Discussion List] 
> Subject: [isalist] Re: RES: Oh no! Not another VPN problem! 
> 
> http://www.ISAserver.org 
> 
> 
> I wouldn't uncheck that box!! As soon as you do anyone from 
> the internet on the other side of that broadband connection 
> can tunnel through that PC right on in to your corporate network!! 
> 
> Chris 
> 
> ----- Original Message ----- 
> From: "Tiago de Aviz" <Tiago@xxxxxxxxxxxxxxx> 
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> 
> Sent: Friday, July 11, 2003 11:19 AM 
> Subject: [isalist] RES: Oh no! Not another VPN problem! 
> 
> 
> http://www.ISAserver.org 
> 
> 
> 
> When you open a VPN thru a Workstation, there's a proxy 
> configuration for each dial-up connection you create. Set the 
> proxy configuration for your ISA Server inside that 
> connection on Explorer's Internet Properties. 
> 
> Workaround: try unchecking the box "default gateway in remote network" 
> on the advanced TCP/IP properties of the VPN connection. This 
> won't mess up all routes on your workstation. 
> 
> And one more thing (like Steve Jobs always says =)): disable 
> the firewall client when you need to access resources on the 
> VPN. When I connect to remote computers I must disable it in 
> order to open the resources on the remote network. 
> 
> Tiago de Aviz 
> SoftSell 
> (41) 340-2363 
> www.softsell.com.br 
> 
> 
> -----Original Message----- 
> From: Rui Silva [ mailto:rui.silva@xxxxxxxxxxx] Sent: 
> Friday, 11 July 2003 12:02 
> To: [ISAserver.org Discussion List] 
> Subject: [isalist] Oh no! Not another VPN problem! 
> 
> http://www.ISAserver.org 
> 
> 
> Yes, it's true (I'm beginning to think that ISA and VPN don't 
> play well...). 
> So, imagine this scenario: 
> ISA SERVER 
> ---------- 
> -SP1 
> -Integrated mode 
> -PPTP through ISA firewall allowed 
> -Site and Content Rule that requires authentications for all 
> destinations -The Web Proxy is not configured to ask for 
> authentication 
> 
> CLIENTS 
> ------- 
> -Simultaneously SecureNAT/Firewall/Web Proxy -IE 6.0 SP1 
> 
> Everything works well when clients are browsing the net, 
> BUT... When a client makes a VPN connection, he (she) is 
> still able to make Terminal Services connections to the 
> outside, do DNS resolutions, etc (the protocol rules are OK, 
> so I think there's nothing wrong with the Firewall Service). 
> The problem is that browsing with IE is no longer allowed. 
> The ISA Server comes up with this message: 
> 
> The page cannot be displayed 
> [...] 
> 403 Forbidden - The ISA Server denies the specified Uniform 
> Resource Locator (URL). (12202) Internet Security and 
> Acceleration Server 
> 
> I already tried to look at the logs and I can't see anything 
> wrong. I even used a network sniffer, but with no results. 
> 
> What is going wrong here? 
> 
> Txs. 
> 
> ------------------------------------------------------ 
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist 
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ 
> ------------------------------------------------------ 
> Other Internet Software Marketing Sites: 
> Leading Network Software Directory: http://www.serverfiles.com 
> No.1 Exchange Server Resource Site: http://www.msexchange.org 
> Windows Security Resource Site: 
> http://www.windowsecurity.com/ Network Security Library: 
> http://www.secinf.net/ Windows 2000/NT Fax Solutions: 
> http://www.ntfaxfaq.com 
> ------------------------------------------------------ 
> You are currently subscribed to this ISAserver.org Discussion List as: 
> tiago@xxxxxxxxxxxxxxx 
> To unsubscribe send a blank email to 
> $subst('Email.Unsub') 
> 
