[THIN] Re: Help is appreciated....

  • From: "TSguy92 Lan" <tsguy92@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Tue, 29 Apr 2008 14:06:34 -0700

Can your firewall guys confirm if port 80 TCP outbound is allowed from your
CAG?
On Tue, Apr 29, 2008 at 1:54 PM, Chad Schneider (IT) <Chad.M.Schneider@xxxxxxxxxxxxx> wrote:

>  CAG Standard.
>
> The odd thing is, this DID work on our old firewall, maybe inadvertently....
>
> Seems silly though. I want all network traffic to go through my network.
> I want those connected to me to be forced to use our internet rules.
> Sounds like my only option is to turn on split tunneling?  Is that not still
> considered a security concern?
>
>  Chad Schneider
> Systems Engineer
> ThedaCare IT
> 920-735-7615
>
>  >>> On 4/29/2008 at 3:39 PM, <tsguy92@xxxxxxxxx> wrote:
> Chad, are you using CAG + AAC / Advanced Access Control?
>
> If so, this issue is by design. During our setup I actually called CTX
> support on it, and was informed that's the case.
>
> Consider the fact that the CAG by default "denies" any connection which is
> not explicitly defined as allowed. That's the issue you're likely fighting.
>
> Port 80 / 443 traffic to *.*.*.* is not defined as allowed for the CAG,
> therefore, it won't pass that traffic on. Sadly, you can't define wildcards
> like this in the CAG / AAC config.
>
> Set up an allowed resource for the IP addresses for www.abc.com or
> something similar on Port 80 and it will work.
>
> Our workaround for this was the following entries on our AAC server as
> "allowed" resources for our VPN users.
>
> server - 128.0.0.0, subnet - 128.0.0.0, port - 80, 443, protocol - TCP
> server - 0.0.0.0, subnet - 128.0.0.0, port - 80, 443, protocol - TCP
>
> HTH
>
> Lan
>
> On 4/29/08, Chad Schneider (IT) <Chad.M.Schneider@xxxxxxxxxxxxx> wrote:
> >
> >  CAG 4.5.
> >
> > We want to make an SSL VPN connection via the CAG.  We want split
> > tunneling off (I feel for obvious reasons), but are now unable to get to
> > external internet sites.  Our VPN users get an internal IP address, with an
> > internal default gateway.  We have 3 static routes into our internal
> > network.  All requests to the internal network work fine.  No requests to
> > any external site work.
> >
> > How can I make this work, allowing no split tunneling, but also allowing
> > internet traffic to the outside of the network?
> >
> > Chad Schneider
> > Systems Engineer
> > ThedaCare IT
> > 920-735-7615
> >
>
>

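The two "allowed resource" entries in Lan's workaround (server 128.0.0.0 and 0.0.0.0, both with subnet mask 128.0.0.0) are each half of the IPv4 space, so together they are the wildcard the CAG/AAC config will not accept directly. The model below is an added example, not code from the thread or from Citrix; it assumes the AAC evaluates an entry the way a normal subnet mask works (address AND mask equals server AND mask, port and protocol matched exactly) and that anything with no matching entry is denied, as Lan describes. It lets an admin check exactly what the two entries open up (all of IPv4 on TCP 80/443) and confirm that everything else stays default-deny.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AllowedResource:
    """One CAG/AAC 'allowed resource' entry (server, subnet mask, ports, protocol)."""
    server: str
    subnet: str            # dotted subnet mask, e.g. 128.0.0.0 (a /1)
    ports: frozenset
    protocol: str

    def network(self):
        # Assumption: the entry matches any address inside server/subnet.
        return ipaddress.IPv4Network((self.server, self.subnet), strict=False)

    def matches(self, ip, port, protocol):
        return (ipaddress.IPv4Address(ip) in self.network()
                and port in self.ports
                and protocol.upper() == self.protocol.upper())

# The two entries from the thread, as constructed test data.
WORKAROUND = [
    AllowedResource("128.0.0.0", "128.0.0.0", frozenset({80, 443}), "TCP"),
    AllowedResource("0.0.0.0", "128.0.0.0", frozenset({80, 443}), "TCP"),
]

def is_allowed(ip, port, protocol, resources=WORKAROUND):
    """Default-deny: a connection passes only if some entry matches it."""
    return any(r.matches(ip, port, protocol) for r in resources)

def covered_fraction(resources):
    """Fraction of IPv4 reachable through the union of the entries' subnets."""
    nets = ipaddress.collapse_addresses(r.network() for r in resources)
    return sum(n.num_addresses for n in nets) / 2**32

if __name__ == "__main__":
    # constructed sample destinations: one in each /1 half, plus a non-web port
    for ip, port, proto in [("93.184.216.34", 80, "tcp"), ("203.0.113.9", 443, "tcp"),
                            ("93.184.216.34", 25, "tcp"), ("93.184.216.34", 443, "udp")]:
        print(f"{ip}:{port}/{proto} -> {'allow' if is_allowed(ip, port, proto) else 'deny'}")
    print(f"address space covered: {covered_fraction(WORKAROUND):.0%}")
```

With only one of the two entries present, `covered_fraction` reports 50%, which is the quick way to spot a half-applied workaround.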