[windows2000] Re: VPN, Routing and internet access problem

  • From: "Sullivan, Glenn" <GSullivan@xxxxxxxxxxxxxx>
  • To: "'windows2000@xxxxxxxxxxxxx'" <windows2000@xxxxxxxxxxxxx>
  • Date: Wed, 30 Apr 2003 07:17:50 -0400

Frankly, Carson, what you are proposing is called split tunneling, and it can be
a scary situation.

Let me give you an example:

*Assume things are configured as you say
*Also assume that you have a user that creates a VPN connectoid, and chooses
to save the password
*That user's machine is compromised remotely
*The hacker in control of that machine initiates a VPN connection, which
automatically logs into the corporate network
*The original internet connection (that the attacker came in on) is still
active, which allows him to use the remote machine as a "gateway" to your
corporate network.

These risks can be mitigated by securing the VPN client, but often securing it
properly requires more than a user is usually willing to submit to. And relying
on them to secure it is laughable.

That aside, have you tried using the loopback address (127.0.0.1) as the
gateway in your route add statement? If that works (which I haven't tried,
but it would take 30 seconds to test), then your job is easy: add a 033
option to your DHCP scope, and your VPN clients will get the route.

Otherwise, I believe that you can get IP information and add routes with
VBS.

But I recommend finding another way around your problem... Why do the VPN
users need to access the internet directly, instead of through the corporate
network, when attached to the VPN?

Glenn Sullivan, MCSE+I  MCDBA
David Clark Company Inc.


-----Original Message-----
From: Carson Tu [mailto:ctu@xxxxxxxxxxxx]
Sent: Tuesday, April 29, 2003 3:08 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] VPN, Routing and internet access problem



Hi, All:

I have a VPN problem which I believe worthy to discuss here.

My company is currently running on a 192.168.2.0 class C network; all
servers are Windows 2000, clients are Win2k/XP. I am using Win2k/ISA
Server (Server1) as the VPN server. Server1 is also the default
gateway of all of the internal hosts, which takes advantage of NAT. Since
the company is still not that big, I just let VPN users pick up an IP
address from the DHCP server. Now the company is growing, and I plan to put VPN
users on a different subnet, say 192.168.7.0. I have configured a static
IP pool for VPN clients, say 192.168.7.1 to 192.168.7.100.

Now, the VPN client doesn't have a problem accessing our internal resources
if the client chooses to "use default gateway on remote network". But in
that case, the VPN user cannot browse the internet directly by the path through
their ISP. If the VPN client (which gets a 192.168.7.x IP) does not "use default
gateway on remote network", they CAN browse the internet directly via their ISP,
but they cannot access our company's internal network (which is the
192.168.2.x subnet).

Then, if I let the VPN client not "use default gateway on remote network",
but manually add a route on the VPN client side as:
(Assuming this client gets the first available IP from the VPN IP pool,
192.168.7.2)

C:\>route add 192.168.2.0 mask 255.255.255.0 192.168.7.2

In this way, the VPN doesn't have a problem with either accessing the company
internal network or direct internet via the ISP. This seems to be a
solution. But the problem is:
1. How can I specify a VPN logon script and force it to run when the
VPN client connects?
2. Since each client needs to specify its PPP adapter IP as the gateway
to the 192.168.2.0 network, how can I write the script to pick up its PPP
adapter's IP?

Overall, I believe there should be a common solution for intermediate or
big companies. How do the bigger companies take care of this issue? Is it
because they choose some 3rd-party VPN package, which gives them more
options to control?

Thanks a lot.

Carson Tu

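A script of the kind Carson asks for in his questions 1 and 2, added here as an example that is not part of the original thread: it parses the client's `ipconfig` output, finds the PPP adapter, builds the same `route add` command Carson typed by hand with that adapter's own address as the gateway, and flags the split-tunnel state Glenn warns about (a LAN adapter still holding the default gateway while the PPP link has none). The adapter names, addresses, corporate network list and the `--live`/`--apply` switches are assumptions; the embedded `ipconfig` text is constructed so the script runs offline by default.

```python
"""Derive the split-tunnel route for a Windows PPP (VPN) adapter.

Added example; not from the mailing-list thread. Run with no arguments for a
dry run over the constructed sample below, `--live` to parse the real
`ipconfig` output on a Windows box, and `--live --apply` to actually execute
the generated `route add` commands (needs administrative rights).
"""
import re
import subprocess
import sys
from typing import Dict, List

# Constructed sample of Windows 2000/XP `ipconfig` output with a VPN up and
# "Use default gateway on remote network" turned off. Names and addresses
# are assumptions for the example.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : isp.example
        IP Address. . . . . . . . . . . . : 10.0.0.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.0.1

PPP adapter Corporate VPN:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.7.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
"""

# Corporate networks reachable only through the tunnel (assumed; Carson's case).
CORP_NETWORKS = [("192.168.2.0", "255.255.255.0")]

ADAPTER_RE = re.compile(r"^(\S.*?) adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*: ?(.*)$")


def parse_ipconfig(text: str) -> List[Dict[str, str]]:
    """Split `ipconfig` output into one dict per adapter ("type", "name",
    then each dotted field such as "IP Address" and "Default Gateway")."""
    adapters: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = {"type": m.group(1), "name": m.group(2)}
            adapters.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return adapters


def ppp_adapters(adapters: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """PPP adapters that currently hold an address, i.e. connected tunnels."""
    return [a for a in adapters if a["type"].upper() == "PPP" and a.get("IP Address")]


def route_commands(adapters: List[Dict[str, str]], networks=CORP_NETWORKS) -> List[str]:
    """One `route add` per corporate network per tunnel. On a point-to-point
    link Windows accepts the PPP adapter's own address as the gateway, which
    is exactly what Carson typed by hand."""
    return [
        f"route add {net} mask {mask} {ppp['IP Address']}"
        for ppp in ppp_adapters(adapters)
        for net, mask in networks
    ]


def is_split_tunnel(adapters: List[Dict[str, str]]) -> bool:
    """True when a tunnel is up but the default gateway still sits on a
    non-PPP adapter: internet traffic bypasses the corporate network while
    the corporate network is reachable, the exposure Glenn describes."""
    ppp = ppp_adapters(adapters)
    ppp_default = any(a.get("Default Gateway") for a in ppp)
    lan_default = any(a.get("Default Gateway") for a in adapters if a["type"].upper() != "PPP")
    return bool(ppp) and lan_default and not ppp_default


def main(argv: List[str]) -> int:
    if "--live" in argv:
        text = subprocess.run(["ipconfig"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_IPCONFIG
    adapters = parse_ipconfig(text)
    cmds = route_commands(adapters)
    if not cmds:
        print("no connected PPP adapter found; is the VPN up?")
        return 1
    if is_split_tunnel(adapters):
        print("warning: split tunnel active (default route stays on the ISP link)")
    for cmd in cmds:
        print(cmd)
        if "--apply" in argv:
            subprocess.run(cmd.split(), check=True)  # requires admin rights
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Whether the route survives a reconnect depends on how the script is launched; the thread does not settle that, and the example leaves the hook (a post-connect action or an equivalent trigger) to the administrator. Note that the script only detects the split tunnel Glenn warns about; it does not remove the exposure, which comes from the client keeping a live ISP default route while the tunnel is up.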
==================================
To Unsubscribe, set digest or vacation
mode or view archives use the below link.

http://thethin.net/win2000list.cfm