RE: VPN Client cannot access the Internet?

  • From: "David Haam" <DavidH@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 23 Apr 2002 10:57:18 -0700

Brian,
 
You're looking at the default configuration of the client to "Use default 
gateway on remote network"
 
If you open your client connectoid, and go to the properties of TCP/IP, and 
then hit the Advanced button, you'll see this checkbox setting.
 
With that said, there is now the philosophical discussion of "split-tunnelling" 
where you're potentially opening up your network to the internet via this VPN 
connected client that is also connected to the internet.
 
Security best-practices say that the default setting is the preferred one since 
it mitigates the risk of adding another entry point from the internet while 
that client is connected (never mind that if the client was already breached, 
it's a new entry point .. different security discussion).
 
 
 
 

        -----Original Message----- 
        From: Brian Hoover [mailto:brianh@xxxxxxxxx] 
        Sent: Tue 4/23/2002 10:47 AM 
        To: [ISAserver.org Discussion List] 
        Cc: 
        Subject: [isalist] VPN Client cannot access the Internet?
        
        
        
        

        Many thanks to the contributors to this list and to ISAServer.org. 

        I have set up a lab to simulate an enterprise network with back to back 
ISA servers.  After establishing a VPN tunnel into the network the client can 
no longer access the Internet.  When I do trace route to any site the 
asterisks come back on the first hop.  If I disconnect the VPN connections all 
is well again.  I am using PPTP as I have not set up CertSrv yet.

        Can anyone explain this behavior?  Does the IP stack lock down to point 
only to the ISA server to protect from the client being hacked and an intruder 
gaining an authenticated path to the LAN?

        Thanks, 

        Brian Hoover 
        I.T. Manager 
        Vidar Systems Corporation 
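
An added example, not part of the original thread: a Python check that reads the IPv4 table from a Windows `route print` and reports whether the preferred default route belongs to the VPN interface, which is what the "Use default gateway on remote network" checkbox discussed above controls. The sample tables and every address in them are constructed, and the code assumes the classic column layout in which the Interface column holds the adapter's IP address.

```python
import re

# Constructed sample: `route print` IPv4 section on a client with a PPTP tunnel
# up and "Use default gateway on remote network" checked. Addresses are made up.
FULL_TUNNEL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100       2
          0.0.0.0          0.0.0.0       10.10.0.50      10.10.0.50       1
        10.10.0.0      255.255.0.0       10.10.0.50      10.10.0.50       1
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100       1
"""

# Constructed sample: same client with the checkbox cleared (split tunnelling).
SPLIT_TUNNEL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100       1
        10.10.0.0      255.255.0.0       10.10.0.50      10.10.0.50       1
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100       1
"""

IP = r"\d+(?:\.\d+){3}"
ROUTE = re.compile(rf"^\s*({IP})\s+({IP})\s+(\S+)\s+({IP})\s+(\d+)\s*$")

def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE.match(line)  # header and banner lines simply do not match
        if m:
            routes.append((m[1], m[2], m[3], m[4], int(m[5])))
    return routes

def classify(text, vpn_ip):
    """Classify the client by which interface owns the preferred default route."""
    routes = parse_routes(text)
    if not any(r[3] == vpn_ip for r in routes):
        return "no-vpn"  # no route is bound to the tunnel address
    defaults = [r for r in routes if r[0] == "0.0.0.0" and r[1] == "0.0.0.0"]
    if not defaults:
        return "no-default-route"
    best = min(defaults, key=lambda r: r[4])  # lowest metric is preferred
    return "full-tunnel" if best[3] == vpn_ip else "split-tunnel"

if __name__ == "__main__":
    for name, sample in (("checked", FULL_TUNNEL), ("cleared", SPLIT_TUNNEL)):
        print(name, "->", classify(sample, "10.10.0.50"))
```

A "full-tunnel" result matches the symptom in the question: Internet-bound traffic is sent into the tunnel, so it only gets out if the VPN server is set up to forward it.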
