By default MS PPTP connections have a box checked for "use default gateway on remote network" under TCP/IP properties/advanced, which forces ALL TCP/IP traffic to go through the VPN once you establish the connection. Unchecking it obviously only passes TCP/IP traffic bound for equipment on the other side of the VPN through the VPN.

-----Original Message-----
From: Roger Riggins [mailto:Roger@xxxxxxxxxxxx]
Sent: Wednesday, October 09, 2002 5:45 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: A question from my security guys about exposure

Some VPN clients disallow internet activity outside of the VPN once established. I think even MS PPTP does that.

It'll be tough to prevent the scenario you describe unless you protect every single device that will be used to access your network. Even then, it's all a 'best effort' attempt.

Roger Riggins, A+ MCSE CCNA CCA ACES
Systems Engineer * 319-352-1234 * roger@xxxxxxxxxxxx

-----Original Message-----
From: Rowlandson, John [mailto:John.Rowlandson@xxxxxxxxxxxxx]
Sent: Wednesday, October 09, 2002 8:17 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: A question from my security guys about exposure

I use CSG 1.1 in a DMZ with STA etc. etc. We are in the process of a company-wide ethical (sp) attack. I'm waiting to see what they come up with, as I have left a hole for them to find. If they don't find my deliberate hole (1494/tcp NAT'd to a box) then I'll rethink the "attack", but it should show the strength of CSG 1.1.

Roly

-----Original Message-----
From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx]
Sent: Wednesday, 9 October 2002 10:34 PM
To: 'citrixse@xxxxxxxxxxxxxxx'; 'thin@xxxxxxxxxxxxx'
Subject: [THIN] A question from my security guys about exposure

Setup: MF XPe, NFuse 1.7 with CSG, no SSL relay configured. Most users only have access to published apps, though some have desktops. We are using a mix of ICA web clients and full PN clients, though will be moving to 99% web clients.

Scenario: We have an at-home worker who has a PC that is directly connected to the Internet through a cable modem or DSL (take your pick). The worker has a VPN connection to our network. Their PC at home has been back-doored. Now when the worker connects through the VPN, they are opening a connection to our network for whoever back-doored them.

Now change the scenario, such that instead of a VPN connection, the worker is connecting to us via a Citrix connection over the web. Their PC still has the back-door on it. What is the equivalent exposure under this scenario? Can the person that controls the back-door hijack the Citrix session somehow or gain access to the resources on the network while the connection is active? I am guessing the exposure is not as great since that workstation isn't truly a node on the network as it would be under a VPN solution, but I am curious as to what other risks may exist and how we can safeguard against them if they exist.

Thanks,
Paul

**********************************************
This week's sponsor 99Point9.com
99Point9 helps solve your unresolved technical server-based questions, issues and incidents.
http://www.99point9.com
***********************************************
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link.
http://thethin.net/citrixlist.cfm
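As an added example (not part of the thread above), a PowerShell audit of the setting the top reply describes: on current Windows the "use default gateway on remote network" checkbox is exposed as the SplitTunneling property of Get-VpnConnection ($true means the box is unchecked), and older RAS clients store the same flag in rasphone.pbk as IpPrioritizeRemote (1 = checked). It assumes the VpnClient module is available; the phonebook fragment is constructed sample data.

```powershell
# Added example: report which Windows VPN profiles allow split tunnelling,
# i.e. have "use default gateway on remote network" unchecked, so that a
# compromised home PC keeps its direct Internet path while on the VPN.
# Assumption: the VpnClient module (Get-VpnConnection) is present.

function Get-SplitTunnelReport {
    # Per-user profiles plus machine-wide ones (-AllUserConnection).
    $profiles = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
                @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    foreach ($p in $profiles) {
        [pscustomobject]@{
            Name        = $p.Name
            Server      = $p.ServerAddress
            Tunnel      = $p.TunnelType
            SplitTunnel = $p.SplitTunneling          # $true = box unchecked
            Finding     = if ($p.SplitTunneling) {
                              'split tunnel: direct Internet path kept while connected'
                          } else { 'full tunnel: all traffic forced through VPN' }
        }
    }
}

# Legacy check: parse rasphone.pbk lines. IpPrioritizeRemote=1 means the
# "use default gateway on remote network" box is checked (full tunnel).
function Get-PbkSplitTunnelReport {
    param([string[]]$PbkLines)
    $entry = $null
    foreach ($line in $PbkLines) {
        if ($line -match '^\[(.+)\]$') { $entry = $Matches[1]; continue }
        if ($line -match '^IpPrioritizeRemote=(\d)$') {
            [pscustomobject]@{ Name = $entry; SplitTunnel = ($Matches[1] -eq '0') }
        }
    }
}

# Constructed sample phonebook fragment (not taken from a real system).
$samplePbk = @(
    '[Corp VPN]', 'IpPrioritizeRemote=1',
    '[Home Lab]', 'IpPrioritizeRemote=0'
)
Get-PbkSplitTunnelReport -PbkLines $samplePbk | Format-Table -AutoSize
Get-SplitTunnelReport | Format-Table -AutoSize

# Remediation for a profile that must force all traffic through the VPN
# (profile name is a placeholder):
# Set-VpnConnection -Name 'Corp VPN' -SplitTunneling $false
```

Run it on the client itself; the phonebook parser can also be pointed at an exported rasphone.pbk with Get-Content.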