Internal hospital VPN clients want to connect to UCSF internal network and maintain their internet connection. They are behind our firewall, but we don't have direct administrative control. I guess I was concerned about the ability for someone on the UC network to use the IP we connect to as a default gateway and come back over the line. The UC network seems to be a breeding ground for viruses, Trojans, and worms.

_______________________________________________
Eric Poole
IS Security Analyst
Community Medical Centers
1140 "T" Street, Fresno, California 93721
559-459-6784 (phone)
559-459-2045 (fax)

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Sunday, December 07, 2003 4:29 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Split Tunneling

Hi Eric,

Those doctors certainly can be a pain ;-)

I'm not clear why split tunnel would be a problem in this situation. Who are the VPN clients and where are they located? Are they located behind a firewall under your administrator control?

Thanks!
Tom

-----Original Message-----
From: Eric Poole [mailto:EPoole@xxxxxxxxxxxxxxxxxxxx]
Sent: Thursday, December 04, 2003 12:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Split Tunneling

Ok, I've been researching this quite a bit, but am having trouble convincing my superiors that this is a bad idea. We have a university that wants to have an always-on VPN tunnel (access to their inside and to the internet at the same time) from us to them to allow doctors to access their internal web library. I've already set up ISA to talk to their squid to allow authentication requests to pass, so I don't see the need and think it would be a huge hindrance to our corporation to allow this tunnel to exist. I've run out of ammo and would appreciate anyone's thoughts and suggestions. (final note, they want this to occur via Cisco VPN concentrators on both ends. So instead of a single workstation being able to connect, all 3000 PCs would have the ability)