Doesn't sound insulting at all, but Microsoft VPN client provides secure password based on NTLM...then the password would be encrypted when the VPN establishes network connectivity. If you do have a mixed network environment the best practice would recommend to authenticate using basic clear text authentication, then I agree your password would be hanging out like a sore thumb and obtainable.

-----Original Message-----
From: Shayne Lebrun [mailto:slebrun@xxxxxxxxxxx]
Sent: Tuesday, July 31, 2001 2:52 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Teminal in through ISA - Security

http://www.ISAserver.org

See, that sounds a bit funny, when you think about it. This is going to sound insulting, perhaps, but it isn't intended to be.

It's a risk to have port 3389 open, password protected, and spawning a 128 bit encrypted datastream.

But it's OK to have port 2323 (or whatever port Windows' integral VPN server listens to) open, password protected, and spawning a 128 bit encrypted datastream.

This does make a few assumptions, such as you're not using certificates on your VPN client side, but does hold true, to some extent.

Now, that having been said, for completeness' sake, VPN is a good extra layer. But if your password is 'password' I can get into your VPN server easily enough. :-)

-----Original Message-----
From: David V. Dellanno [mailto:david@xxxxxxxxxxxxxxx]
Sent: Tuesday, July 31, 2001 2:39 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Teminal in through ISA - Security

JMO......I would find it a risk to have an open door to your firewall, meaning having port 3389 open at your firewall. What I would feel much more comfortable with would be VPN first then allow you to use TS on the internal side.

Again, JMO

Dave

-----Original Message-----
From: Andrews, Bryan (COX-Atlanta) [mailto:Bryan.Andrews@xxxxxxx]
Sent: Tuesday, July 31, 2001 12:27 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Teminal in through ISA - Security

Changed the subject... Anyone have any thoughts on terminal sessions coming in through ISA? And associated risks?

Thanks.

-----Original Message-----
From: Bryan Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx]
Sent: Sunday, July 29, 2001 5:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN from behind another firewall...?

Well to get around this problem, I published a workstation terminal to the internet. Works great from behind the other firewall... now how much of a security risk might this be? Are the user/pass encrypted when logging in?

-----Original Message-----
From: Nóri [mailto:nori@xxxxxxx]
Sent: Saturday, July 28, 2001 9:02 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN from behind another firewall...?

I've had this happen when GRE is not allowed back to the client. Users are behind a Netopia router that supports basic packet filtering and it doesn't allow GRE back to the client.

Regards,
Arnor

-----Original Message-----
From: Bryan Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx]
Sent: 27. júlí 2001 22:05
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN from behind another firewall...?

No takers on this? :|

-----Original Message-----
From: Andrews, Bryan (COX-Atlanta) [mailto:Bryan.Andrews@xxxxxxx]
Sent: Friday, July 27, 2001 8:15 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN from behind another firewall...?

BTW it seems to connect then does verifying user and password then craps out with a 721 error (something about ppp not supported).
It is a default client setup except I have the 'include domain' checked so I can input my domain name and I unchecked require encryption just in case.

Thanks.

-----Original Message-----
From: Bryan Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx]
Sent: Friday, July 27, 2001 7:34 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN from behind another firewall...?

I am trying to create a vpn connection to my isa network from a client inside another network (behind a pix firewall). The isa server seems to allow a vpn to standard internet clients... Any thoughts on this?

Thanks...

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: bryan.andrews@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')