RE: VPN Client Security Issues

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 10 Mar 2002 01:02:59 +0100

Hi Tom,

as usual a very nice article.

I'd like to comment on two points: Browser Settings and Improve VPN Client
Security.

1) Browser Settings:
--------------------

My way of configuring a standard outbound access control for the Web Proxy
Service is to define 'All external destinations' instead of the 'All
destinations'. Now, when you configure the proxy settings for the VPN
connection, I found that you have to include your 'central' local domain in
the proxy exception list of your local browser (advanced settings).
Otherwise you don't have access because the above setting prevents you from
'looping' through the proxy service. So, the flag 'Bypass proxy server for
local addresses' seems not to work. BTW, what's the meaning of 'local
addresses' within the browser for a VPN environment?

2) Improve VPN Client Security:
-------------------------------

In order to be able to use DHCP for VPN client address assignment and have
the same security effect as using off-subnet addresses, I assign an
'off-subnet' address range to the ISA internal interface itself (for example:
ISA internal interface is 172.16.0.0/16 and the internal LAN is 10.0.0.0/8).
Of course this implies that you have a routed internal network, you activate
the DHCP relay service on ISA and don't place any other device on this
subnet. But, it works very well.

Regards,
Stefaan

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Sunday 10 March 2002 0:04
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN Client Security Issues


http://www.ISAserver.org


In my never ending quest to avoid having a life, I present to all our
ISAserver.org members a draft of my "VPN client security" article :-)

http://www.tacteam.net/isaserverorg/vpnclientsec.htm

Comments, questions, etc. are welcome. We'll try to get this up on the
ISAServer.org site next week (with enhancements and fixes).

HTH,
Tom
www.isaserver.org/shinder
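
On point 1 of the reply above (browser settings), the following added example, which is not part of either message, models how a browser decides between going direct and using the proxy. It assumes that "Bypass proxy server for local addresses" matches only host names without a dot and that exception entries are ';'-separated wildcards; `corp.example` and the host names are constructed, and 10.0.0.0/8 is the internal LAN from the reply.

```javascript
// Added example: simplified model of the browser's "direct or proxy" decision.
// Assumptions: "local addresses" = host names with no dot; exception entries
// are ';'-separated and may use '*' wildcards. corp.example is constructed.

function entryToRegExp(entry) {
  // Escape regex metacharacters except '*', then turn '*' into '.*'.
  const escaped = entry.trim().replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$", "i");
}

function proxyDecision(host, settings) {
  // The flag only helps for single-label names such as "intranet".
  if (settings.bypassLocal && !host.includes(".")) {
    return { direct: true, reason: "bypass-local flag (single-label name)" };
  }
  const entries = (settings.exceptions || "")
    .split(";")
    .filter((e) => e.trim() !== "");
  for (const entry of entries) {
    if (entryToRegExp(entry).test(host)) {
      return { direct: true, reason: "exception entry " + entry.trim() };
    }
  }
  return { direct: false, reason: "no match, request goes to the Web Proxy" };
}

// Flag alone versus flag plus the 'central' local domain and the internal LAN.
const flagOnly = { bypassLocal: true, exceptions: "" };
const withDomain = { bypassLocal: true, exceptions: "*.corp.example; 10.*" };

function report() {
  const hosts = ["intranet", "intranet.corp.example", "10.0.0.25", "www.isaserver.org"];
  return hosts.map((h) => ({
    host: h,
    flagOnly: proxyDecision(h, flagOnly).direct,
    withDomain: proxyDecision(h, withDomain).direct,
  }));
}

console.table(report());
```

Under these assumptions a fully qualified internal name or an internal IP address is sent to the proxy unless it is listed in the exception list, which is where an 'All external destinations' rule then refuses it.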

