Good call Rick (as always) - be sure that DNS is pointing to the inside authority!

Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd D8453
Scottsdale, AZ 85266
(602) 432-8649
www.thinclient.net
steveg@xxxxxxxxxxxxxx

_____

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Rick Mack
Sent: Monday, May 12, 2008 3:09 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: I will ask again...

Hi Chad,

Let's accept that's what happens for the moment. But it's worth noting that split tunnelling happens at the client end, NOT the SSL appliance end.

So how do we stop it?

The CAG has no need to know about the rest of the world. It needs to know the internal DNS to resolve internal host names, e.g. to your Citrix servers etc., but it doesn't need to be able to resolve external host names.

So let's talk about internal DNS configurations. The only, and I repeat ONLY, systems on your internal network that should be able to do an external DNS lookup are your web proxy/IIS servers and your mail servers and associated support functionality (spam filters, mail virus checker, SMTP gateway). Doing this will break stuff, but it's about time you upgraded your ISA server anyway ;-). Everything else has no requirement to talk directly to the internet and shouldn't even know where to look.

Now let's be properly paranoid and make sure that the ONLY outbound connections allowed through the internal and external firewall are from our web proxy and mail servers (include mail gateway, spam filters etc.).

In that scenario, if I point the CAG at an internal DNS server which doesn't resolve external DNS addresses, it won't be able to resolve external DNS addresses, and even if it could, it would be blocked at your firewall.

Having fixed your DNS, I'm also pretty sure you can tighten down on the web resources available on the CAG to fix this problem. It's a lot smarter than just a SecureGateway replacement. But secure your internal DNS and firewall first.

regards,

Rick

--
Ulrich Mack
Quest Software
Provision Networks Division

On 5/13/08, Chad Schneider (IT) <Chad.M.Schneider@xxxxxxxxxxxxx> wrote:

Public interface is Eth0. As far as we can tell, gateway is configured properly. We are able to watch the external port 80 traffic go right back out the eth0 on the CAG, rather than route through the internal network.

Chad Schneider
Systems Engineer
ThedaCare IT
920-735-7615
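Rick's policy above boils down to a checkable property: the internal DNS server the CAG points at must answer internal host names and must not resolve external ones. The script below is an added example, not part of this thread or any Citrix or Quest tool. It builds raw DNS A queries, classifies the replies (resolved, NXDOMAIN, REFUSED, SERVFAIL, timeout) and reports any external name the internal resolver was willing to answer. The host names, the resolver address and the constructed replies used in the offline demo are assumptions made up for the example.

```python
"""Audit an internal DNS server: internal names should resolve, external ones should not."""
import socket
import struct

QUERY_ID = 0x1234  # fixed transaction id so replies can be matched to our query
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid=QUERY_ID):
    """Build a minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data):
    """Pull the header fields the audit needs out of a raw DNS reply."""
    if len(data) < 12:
        raise ValueError("truncated DNS response")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": qid,
        "rcode": flags & 0x000F,
        "recursion_available": bool(flags & 0x0080),  # RA bit
        "answers": an,
    }


def classify(fields):
    """Map a parsed reply to a verdict string."""
    rcode = fields["rcode"]
    if rcode == 0:
        return "resolved" if fields["answers"] > 0 else "nodata"
    return RCODE_NAMES.get(rcode, "rcode%d" % rcode).lower()


def audit(results, external_names):
    """Return the external names the resolver answered; under Rick's policy this must be empty."""
    return sorted(n for n, verdict in results.items()
                  if n in external_names and verdict == "resolved")


def query_server(server, name, timeout=2.0):
    """Send one query over UDP/53 to `server` and classify the reply (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout"  # a resolver with no forwarders often just drops the query
    fields = parse_response(data)
    if fields["id"] != QUERY_ID:
        return "mismatched-id"
    return classify(fields)


def check_resolver(server, internal_names, external_names):
    """Query every name and return (per-name verdicts, policy violations)."""
    results = {n: query_server(server, n) for n in list(internal_names) + list(external_names)}
    return results, audit(results, set(external_names))


def build_response(query, rcode, answer_ip=None):
    """Constructed reply to `query`, used only so the example can run offline."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1 plus the requested rcode
    answers = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, answers, 0, 0)
    rr = b""
    if answer_ip:
        # name pointer to offset 12 (the question), TYPE A, CLASS IN, TTL 300, RDLENGTH 4
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    return header + question + rr


if __name__ == "__main__":
    # Offline demo with constructed replies: internal name answered, external name refused.
    internal = "ctx01.corp.example"       # assumed internal Citrix server name
    external = "www.example.com"          # assumed external name
    verdicts = {
        internal: classify(parse_response(build_response(build_query(internal), 0, "10.0.0.5"))),
        external: classify(parse_response(build_response(build_query(external), 5))),
    }
    print(verdicts, "violations:", audit(verdicts, {external}))
    # Against a live resolver (assumed address): check_resolver("10.0.0.2", [internal], [external])
```

Run it against the DNS server configured on the CAG rather than from a workstation: a workstation's resolver may forward externally while the CAG's does not, and it is the CAG's view that matters. A "timeout" or "refused" verdict for every external name, with "resolved" for the internal ones, is the state Rick describes; any name in the violations list is a resolver that still reaches the outside.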