Hi Tom,

as usual a very nice article. I'd like to comment on two points: Browser Settings and Improve VPN Client Security.

1) Browser Settings:
--------------------

My way of configuring a standard outbound access control for the Web Proxy Service is to define 'All external destinations' instead of 'All destinations'. Now, when you configure the proxy settings for the VPN connection, I found that you have to include your 'central' local domain in the proxy exception list of your local browser (advanced settings). Otherwise you don't have access, because the above setting prevents you from 'looping' through the proxy service. So, the flag 'Bypass proxy server for local addresses' seems not to work. BTW, what's the meaning of 'local addresses' within the browser for a VPN environment?

2) Improve VPN Client Security:
-------------------------------

In order to be able to use DHCP for VPN client address assignment and have the same security effect as using off-subnet addresses, I assign an 'off-subnet' address range to the ISA internal interface itself (for example: ISA internal interface is 172.16.0.0/16 and the internal LAN is 10.0.0.0/8). Of course this implies that you have a routed internal network, that you activate the DHCP relay service on ISA, and that you don't place any other device on this subnet. But it works very well.

Regards,
Stefaan

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Sunday, 10 March 2002 0:04
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN Client Security Issues

http://www.ISAserver.org

In my never-ending quest to avoid having a life, I present to all our ISAserver.org members a draft of my "VPN client security" article :-)

http://www.tacteam.net/isaserverorg/vpnclientsec.htm

Comments, questions, etc. are welcome. We'll try to get this up on the ISAServer.org site next week (with enhancements and fixes).

HTH,
Tom
www.isaserver.org/shinder