[isalist] Re: vpn scenario question...

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 8 May 2008 19:28:47 -0500

http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html

:)

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Thursday, May 08, 2008 5:50 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: vpn scenario question...

Yes, there is a way, but it involves "routing tricks" which may or may
not be easy for you to configure -- but I would encourage you to first
think about the dangers of allowing your users to do whatever they want
on an alternate pipe while connected up to your SQL server at the same
time.  Any malware, virus, or other nastiness that they may execute
would have access to your SQL data in the context of the logged on user.

It may be far more beneficial for you to control what the user can and
can't do while connected up to your server.   Barring that, you would
need to configure the VPN client not to use the remote gateway, and then
ensure that the SQL host was reachable via a route down the VPN.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Paul Laudenslager
Sent: Thursday, May 08, 2008 3:41 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] vpn scenario question...

I've set up the first VPN access to our network.  This was easier than I
expected and was required for SQL Server access only.  I used to use the
client's IP address (on the ISA 2k6) to limit access to SQL but that got
to be a pain in the...  as users' IP addresses tend to change and quite a
few needed access from several locations.  Therefore, I decided to go
the VPN route.

When I test from an external XP client, it connects and I'm able to use
Enterprise Manager/Management Studio just fine.

However, when I connect to the VPN (with my external XP client), I lose
the ability to surf, check mail, etc.  It seems that all outgoing
traffic is routed through the VPN.  I've had to open up web, mail, and
many other ports for a VPN client to access everything while a VPN
connection is established.  Once a client disconnects, they are able to
surf and check mail like they normally would.

I don't like the idea of remote clients surfing while connected to our
VPN as traffic has to come down through our firewall and then back out
to the client reducing bandwidth as well as other security issues.

Is there a way a remote client can connect to our SQL Server through a
VPN but still surf (and other things) without going through us?

Any suggestions/comments (good or bad) would be greatly appreciated.  Am
I going about this the wrong way?

PS.  This is for remote clients (with Internet access already) to
access/manage their SQL databases hosted with us that are located behind
our ISA2k6 firewall.  This is not for remote clients needing Internet
access through our network.

Thanks again and have a wonderful day!

-Paul L.
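
The routing change discussed in this thread (VPN client not using the remote gateway, plus a route to the SQL host down the VPN) can be checked against a client's route table. The following is an added example, not part of the original posts; the route tables, interface names and addresses (10.10.0.5 for the SQL host, 198.51.100.10 for an Internet host) are constructed assumptions.

```python
import ipaddress

# Constructed route tables: (destination prefix, interface, metric).
# All addresses and interface names are hypothetical, not taken from the thread.
FULL_TUNNEL = [
    ("0.0.0.0/0", "vpn", 1),        # client uses the default gateway on the remote network
    ("0.0.0.0/0", "lan", 20),
    ("192.168.1.0/24", "lan", 20),
]
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "lan", 20),       # remote gateway option disabled on the VPN client
    ("192.168.1.0/24", "lan", 20),
    ("10.10.0.5/32", "vpn", 1),     # host route to the SQL server down the VPN
]


def pick_interface(routes, dest):
    """Return the interface chosen by longest-prefix match (lowest metric breaks ties)."""
    addr = ipaddress.ip_address(dest)
    matches = []
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append((net.prefixlen, -metric, iface))
    if not matches:
        return None  # no route: the destination is unreachable from this client
    return max(matches)[2]


def audit(routes, sql_host, internet_host="198.51.100.10"):
    """Report which path SQL and general Internet traffic take on this client."""
    sql_if = pick_interface(routes, sql_host)
    web_if = pick_interface(routes, internet_host)
    return {
        "sql_via_vpn": sql_if == "vpn",
        "internet_via_vpn": web_if == "vpn",
        # Split tunnel: the client has a VPN path to SQL and a direct Internet
        # path at the same time, the exposure described in the reply above.
        "split_tunnel": sql_if == "vpn" and web_if not in (None, "vpn"),
    }


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name, audit(table, "10.10.0.5"))
```
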