Welcome to ISAserver.org


Prevent split tunnel?

Prevent split tunnel? - 9.Jun.2008 8:42:17 AM   
pread

 

Posts: 3
Joined: 9.Jun.2008
Status: offline
Hi there,

Is there any way to prevent users using split-tunnel VPN via configuration on the ISA 2006 itself?  I've had a google and read the ISA 2006 migration guide book but am still none the wiser....  Presume not possible actually, but thought I'd get confirmation if that is the case :)

Cheers,
Peter
Post #: 1
RE: Prevent split tunnel? - 9.Jun.2008 9:27:28 AM   
paulo.oliveira

 

Posts: 826
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hello,

what do you mean by "split-tunnel"? Prevent users from making their computers a bridge between the Internet and the internal network when connected to the VPN?

Regards,
Paulo Oliveira.

(in reply to pread)
Post #: 2
RE: Prevent split tunnel? - 9.Jun.2008 9:30:32 AM   
pread

 

Posts: 3
Joined: 9.Jun.2008
Status: offline
Basically I want to force users to use the remote ISA server as their default gateway when they connect with the VPN client.  Regardless of the 'use remote gateway' setting in the client itself.

(or I could probably live with it refusing connection if that checkbox is cleared.  Or open to other suggestions :) )

(in reply to paulo.oliveira)
Post #: 3
RE: Prevent split tunnel? - 9.Jun.2008 9:44:44 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi,
Yes, with ISA addons:
http://www.winfrasoft.com/vpnq.htm
Not sure about this:
http://fesnouf.online.fr/qss-whatisVPN-q.htm
Or if you are a script master, you can mess with Microsoft's VPN-Q crap.
Regards!

(in reply to pread)
Post #: 4
RE: Prevent split tunnel? - 9.Jun.2008 10:01:38 AM   
paulo.oliveira

 

Posts: 826
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi Peter,

this is not an ISA configuration, this is a client configuration. So, what you can do is set a policy to prohibit the users from modifying the connection properties.

Regards,
Paulo Oliveira.

(in reply to pread)
Post #: 5
RE: Prevent split tunnel? - 9.Jun.2008 10:23:39 AM   
pread

 

Posts: 3
Joined: 9.Jun.2008
Status: offline
Absolutely Paulo :)  I guess I need to look at NAP / quarantine / something....

(basically I'm concerned about non-managed clients, and thought there might be a "drop connection if it wants to use a different gateway" config option server side)

(in reply to paulo.oliveira)
Post #: 6
RE: Prevent split tunnel? - 9.Jun.2008 10:46:57 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
quote:

this is not an ISA configuration, this is a client configuration.

Hmmm, maybe ...
But how does ISA know if the client is not cheating ?
NAP is not working with ISA.

(in reply to pread)
Post #: 7
RE: Prevent split tunnel? - 9.Jun.2008 11:55:20 AM   
Jason Jones

 

Posts: 2154
Joined: 30.Jul.2002
From: United Kingdom
Status: online
If you define the VPN connection profile using CMAK, you have options to force the default gateway to send traffic via the VPN only.

I think the option is called "make this connection the client default gateway" and is the equivalent of "use default gateway on remote network" available in manually created VPN connection entries.

With CMAK, the users cannot easily disable this option.

This may help?

Cheers

JJ

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to justmee)
Post #: 8
RE: Prevent split tunnel? - 9.Jun.2008 5:05:11 PM   
elmajdal

 

Posts: 5074
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Yep, CMAK is the answer, check this article: http://www.isaserver.org/img/upl/vpnkitbeta2/cmak.htm

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to pread)
Post #: 9
RE: Prevent split tunnel? - 9.Jun.2008 7:44:58 PM   
Jason Jones

 

Posts: 2154
Joined: 30.Jul.2002
From: United Kingdom
Status: online
Thanks Tarek

Text from the above link:

A critical setting is the Make this connection the client's default gateway. This option forces the VPN client to use the VPN link to connect to all non-local networks (all networks that the VPN client is not directly connected to). This prevents a VPN client that has not been configured as a Web Proxy and/or Firewall client from connecting to the Internet. Requiring the VPN clients to use the VPN interface as their default gateway prevents VPN clients from circumventing firewall policy when connected to the network. If you disabled the Make this connection the client's default gateway, it would have the same effect as allowing users to connect modems to their desktops to get around your firewall policy. Please refer to the ISA Server 2000 VPN Deployment Kit document Forcing Firewall Policy on VPN Clients.



(in reply to elmajdal)
Post #: 10
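The CMAK option Jason describes (post #8) and the deployment-kit text quoted above both come down to one per-connection setting on the client. An administrator who distributes profiles to managed machines can audit the resulting phonebook files for entries that leave that setting cleared. The script below is an added example written for this thread; it is not code from the thread, from CMAK or from Microsoft. It assumes the phonebook stores the "Use default gateway on remote network" checkbox as the IpPrioritizeRemote key (1 = all traffic via the VPN, 0 = split tunnel) and marks VPN entries with Type=2; the phonebook text it parses is constructed for the example. As justmee notes, this only tells you what a client's profile says, it does not let ISA verify the client.

```python
"""Audit a RAS phonebook (rasphone.pbk-style text) for VPN entries that
allow split tunnelling, i.e. entries where "Use default gateway on
remote network" is cleared.

Editor's example for the thread above, not code from the thread or from
Microsoft. Assumptions: the checkbox is stored as IpPrioritizeRemote
(1 = route everything through the VPN, 0 = split tunnel) and VPN entries
carry Type=2.
"""

import re
from typing import Dict, List

# Constructed sample phonebook text (not a real file): one compliant entry,
# one split-tunnel entry, and one that omits the key entirely.
SAMPLE_PBK = """\
[Corp VPN (forced gateway)]
Type=2
Encoding=1
IpPrioritizeRemote=1
VpnStrategy=2

[Corp VPN (split tunnel)]
Type=2
IpPrioritizeRemote=0

[Legacy dial-up]
Type=1
"""

SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")
KEY_RE = re.compile(r"^([^=\s]+)=(.*)$")


def parse_phonebook(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style phonebook text into {entry_name: {key: value}}.
    Later duplicate keys overwrite earlier ones; comment lines start with ';'."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip()
    return entries


def split_tunnel_entries(entries: Dict[str, Dict[str, str]]) -> List[str]:
    """Return names of VPN entries (Type=2) that do not force the remote
    default gateway. A missing IpPrioritizeRemote key is reported as a
    finding too, because on an unmanaged client the default cannot be
    relied upon."""
    findings = []
    for name, keys in entries.items():
        if keys.get("Type") != "2":
            continue  # dial-up or other non-VPN entry, out of scope
        if keys.get("IpPrioritizeRemote") != "1":
            findings.append(name)
    return findings


def audit_phonebook_text(text: str) -> List[str]:
    """Convenience wrapper: parse and audit in one call."""
    return split_tunnel_entries(parse_phonebook(text))


if __name__ == "__main__":
    for name in audit_phonebook_text(SAMPLE_PBK):
        print(f"split tunnel allowed: {name}")
```

Pointed at a real phonebook, read the file with the encoding the Windows version in use writes (newer releases write UTF-16) before passing the text to audit_phonebook_text; the parser itself only needs the decoded text.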
RE: Prevent split tunnel? - 10.Jun.2008 9:52:17 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
It boils down to one man's definition of defining "to prevent".
Maybe this "is zee answer" ?

(in reply to Jason Jones)
Post #: 11
RE: Prevent split tunnel? - 10.Jun.2008 5:15:00 PM   
Jason Jones

 

Posts: 2154
Joined: 30.Jul.2002
From: United Kingdom
Status: online
Cryptic as ever J...

How about you define a "traditional DMZ"


(in reply to justmee)
Post #: 12
RE: Prevent split tunnel? - 11.Jun.2008 7:54:26 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Why am I cryptic Jason ?
Isn't this ("to prevent") in the game we play ?
Isn't this ("definition") moving through time as challenges and attacks change as this time goes by ?
Isn't this ("of defining") a way to understand, say a threat from the point/position we're standing ?
Isn't this point of observation relative, a bi-directional relativity, the point to the object we observe and the object to the point of observation  ?
Don't we bring in the end all the pieces together and complete the puzzle ?
So what's cryptic with the "definition of defining" ?
Maybe it is just my unfortunate way of speaking English, as I'm not a native English speaker.
I should have a few words with my English teacher ...
Damn, I don't think I can really do that, he was I ...

What about you Jason, can't we consider the association of "traditional" with "DMZ" a cryptic result ?
Is it a well understood/defined/implemented concept ?
Or does it have to deal with the "definition of defining" of someone ?

On a sunny summer day watching the crystal blue sky, I might bite the "traditional DMZ" bait....

< Message edited by justmee -- 13.Jun.2008 2:26:44 PM >

(in reply to Jason Jones)
Post #: 13
