http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html

:)

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Thursday, May 08, 2008 5:50 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: vpn scenario question...

Yes, there is a way, but it involves "routing tricks" which may or may not be easy for you to configure -- but I would encourage you to first think about the dangers of allowing your users to do whatever they want on an alternate pipe while connected up to your SQL server at the same time. Any malware, virus, or other nastiness that they may execute would have access to your SQL data in the context of the logged-on user. It may be far more beneficial for you to control what the user can and can't do while connected up to your server.

Barring that, you would need to configure the VPN client not to use the remote gateway, and then ensure that the SQL host was reachable via a route down the VPN.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Paul Laudenslager
Sent: Thursday, May 08, 2008 3:41 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] vpn scenario question...

I've set up the first VPN access to our network. This was easier than I expected and was required for SQL Server access only. I used to use the client's IP address (on the ISA 2k6) to limit access to SQL but that got to be a pain in the... as users' IP addresses tend to change and quite a few needed access from several locations. Therefore, I decided to go the VPN route.

When I test from an external XP client, it connects and I'm able to use Enterprise Manager/Management Studio just fine. However, when I connect to the VPN (with my external XP client), I lose the ability to surf, check mail, etc. It seems that all outgoing traffic is routed through the VPN. I've had to open up web, mail, and many other ports for a VPN client to access everything while a VPN connection is established. Once a client disconnects, they are able to surf and check mail like they normally would.

I don't like the idea of remote clients surfing while connected to our VPN, as traffic has to come down through our firewall and then back out to the client, reducing bandwidth as well as other security issues.

Is there a way a remote client can connect to our SQL Server through a VPN but still surf (and other things) without going through us?

Any suggestions/comments (good or bad) would be greatly appreciated. Am I going about this the wrong way?

PS. This is for remote clients (with Internet access already) to access/manage their SQL databases hosted with us that are located behind our ISA2k6 firewall. This is not for remote clients needing Internet access through our network.

Thanks again and have a wonderful day!

-Paul L.
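
The two client configurations discussed in this thread (remote gateway in use versus a single route to the SQL host down the VPN), modelled as an added example that is not part of the original messages. It only simulates route selection; all addresses, interface names and metrics are constructed assumptions.

```python
import ipaddress

# Constructed addressing and names (assumptions, not from the thread).
SQL_HOST = "10.20.0.15"           # hosted SQL Server behind the firewall
OTHER_INTERNAL = "10.20.0.99"     # another host on the same internal network
INTERNET_HOST = "203.0.113.80"    # any public web or mail server
LOCAL_GW, VPN_IF = "local-gateway", "vpn-tunnel"
BASE = [("0.0.0.0/0", LOCAL_GW, 20), ("192.168.1.0/24", LOCAL_GW, 10)]

def full_tunnel():
    """Client uses the remote gateway: a lower-metric default route via the VPN."""
    return BASE + [("0.0.0.0/0", VPN_IF, 1)]

def split_tunnel(vpn_hosts):
    """Remote gateway not used: only explicit host routes go down the VPN."""
    return BASE + [(f"{h}/32", VPN_IF, 1) for h in vpn_hosts]

def next_hop(routes, dest):
    """Longest-prefix match; the lowest metric breaks ties."""
    ip = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(net), via, metric)
               for net, via, metric in routes if ip in ipaddress.ip_network(net)]
    _, via, _ = max(matches, key=lambda m: (m[0].prefixlen, -m[2]))
    return via

def audit(routes):
    """Summarise where traffic goes while the VPN is connected."""
    sql = next_hop(routes, SQL_HOST) == VPN_IF
    net = next_hop(routes, INTERNET_HOST) == VPN_IF
    return {
        "sql_via_vpn": sql,
        "internet_via_vpn": net,
        "other_internal_via_vpn": next_hop(routes, OTHER_INTERNAL) == VPN_IF,
        # The condition the reply warns about: an uncontrolled Internet path
        # on the same machine that holds a session to the SQL server.
        "direct_internet_while_connected": sql and not net,
    }

if __name__ == "__main__":
    for name, routes in (("full tunnel", full_tunnel()),
                         ("split tunnel", split_tunnel([SQL_HOST]))):
        print(name, audit(routes))
```

With the host route, only the SQL server is reachable through the tunnel, and `direct_internet_while_connected` flags the dual-path exposure that the firewall can no longer control.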