Welcome to ISAserver.org


Transferring routes to client

Transferring routes to client - 10.Nov.2007 5:25:03 PM
tiwas

 

Posts: 8
Joined: 10.Nov.2007
Status: offline
Hi all,

My network has two segments; one local and one remote through a vpn set up by our access provider. The default gw is different than the ISA.

Is it possible for me to, somehow, tell the client that the default gateway to the remote segment is through the VPN, or must I script it? I use the RAS client from Windows, and I've set the client not to default to the default gw on the remote network.

Cheers!
Post #: 1
RE: Transferring routes to client - 9.Dec.2007 3:07:24 AM
Jason Jones

 

Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
You can dynamically add routes to the VPN client if you create the connection using CMAK.

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to tiwas)
Post #: 2
RE: Transferring routes to client - 9.Dec.2007 4:27:22 AM
tiwas

 

Posts: 8
Joined: 10.Nov.2007
Status: offline
Cool! Can you point me in the direction of some info? I'm already using CMAK, but I haven't found the info you mention...

(in reply to tiwas)
Post #: 3
RE: Transferring routes to client - 9.Dec.2007 9:57:23 AM
Jason Jones

 

Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
It's one of the options as you go through the wizard.


(in reply to tiwas)
Post #: 4
RE: Transferring routes to client - 11.Dec.2007 4:00:49 PM
pwindell

 

Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
My LAN has 3 segments.
ISA is not the DFG
ISA is the VPN Server
VPN Clients work fine "out of the box" without doing anything.

The "use gateway on remote network" *must* be enabled,... that is what it is for.


_____________________________

Phillip Windell
www.wandtv.com

(in reply to tiwas)
Post #: 5
RE: Transferring routes to client - 26.Dec.2007 4:20:45 PM
tiwas

 

Posts: 8
Joined: 10.Nov.2007
Status: offline
Yes, I'm aware of the use gateway on remote network, but I believe that is an insecure solution. I don't want my users' infected home computers closer to my network than they need to be ;)

Guess I'll have to do it programmatically...

(in reply to pwindell)
Post #: 6
RE: Transferring routes to client - 28.Dec.2007 9:31:15 AM
pwindell

 

Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
That is the completely wrong view of it and short-sighted.

Enabling the "gateway on remote network" *is* the secure way.

Disabling the "gateway on remote network" is the *insecure* way.  It's called Split Tunneling,...it is considered "bad" for security.

The intention of it being Enabled is that it isolates the user's machine from other networks they are connected to (like the internet) during the period they are connected to your system.

Disabling it allows the users to be connected to anything else they want (like the Internet) while they are also connected to your LAN.

If you want to isolate the users to a particular segment of your LAN or to only certain "target" machines, then do it with the ISA Access Rules,...that is what they are for.

Rule Name: VPN Users Limits
From: VPN Clients
To: (Subnet Object or Computer Set)
Protocol:  (choose desired protocols, [outbound])
Users: (choose specific User Sets or use All Users for anonymous)



(in reply to tiwas)
Post #: 7
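The routing difference debated in the posts above, as an added example (not code from any poster). The route tables, interface names and addresses are constructed; the sketch resolves a destination by longest prefix and then lowest metric, and flags a client whose Internet-bound traffic bypasses the VPN interface.

```python
import ipaddress

# Constructed sample routing tables for a VPN client (assumed values, not from the thread).
# Each route is (destination prefix, outgoing interface, metric).
FULL_TUNNEL = [
    ("0.0.0.0/0", "lan", 20),       # original default route via the home router
    ("0.0.0.0/0", "vpn", 1),        # added when "use default gateway on remote network" is on
    ("192.168.1.0/24", "lan", 20),  # home LAN, on-link
]
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "lan", 20),       # default route stays on the home router
    ("192.168.1.0/24", "lan", 20),
    ("10.0.0.0/8", "vpn", 1),       # class-based route for the VPN-assigned address
    ("172.16.5.0/24", "vpn", 1),    # extra route pushed to the client, e.g. by a CMAK profile
]


def egress_interface(routes, destination):
    """Select a route the way the IP stack does: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    candidates = []
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            # Negative prefix length so that min() prefers the most specific route.
            candidates.append((-net.prefixlen, metric, iface))
    return min(candidates)[2] if candidates else None


def is_split_tunnel(routes, internet_probe="203.0.113.10", vpn_iface="vpn"):
    """True when VPN routes exist but Internet-bound traffic leaves another interface."""
    has_vpn_route = any(iface == vpn_iface for _, iface, _ in routes)
    return has_vpn_route and egress_interface(routes, internet_probe) != vpn_iface


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name)
        for dst in ("203.0.113.10", "172.16.5.20", "192.168.1.5"):
            print(f"  {dst:>14} -> {egress_interface(table, dst)}")
        print(f"  split tunnel detected: {is_split_tunnel(table)}")
```

In the full-tunnel table the home LAN prefix still wins over the VPN default route for local addresses, so the isolation applies to routed traffic such as the Internet, not to the on-link subnet.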
RE: Transferring routes to client - 28.Dec.2007 12:58:46 PM
tiwas

 

Posts: 8
Joined: 10.Nov.2007
Status: offline
Sure, I can see there are applications if you want to isolate the users from the internet. However, try doing that in Norway *lol* I'm not kidding when I say that the users would demand two computers, one for surfing privately in their work time and one for accessing work related stuff.

So, with my kind of users, this is the absolutely most secure way without employees actually quitting their jobs ;)

P.S. I actually had the director of finances, or whatever his position would be called in English, threatening to quit his job because I demanded he use a more secure password today. We had to agree on him not having any kind of remote access except webmail and that he kept his 6 letter "come-find-me-in-a-dictionary" password...

(in reply to pwindell)
Post #: 8
RE: Transferring routes to client - 28.Dec.2007 2:41:12 PM
justmee

 

Posts: 505
Joined: 14.May.2007
Status: offline
Hi,
Yay!
I would like to throw my two cents in here if I'm allowed.
It does not matter what "your people" demand (private surf at work, and I suppose they are paid for that) if they are not capable of understanding basic stuff.
Phillip has shown you the simple and secure way of doing it.
"Your people" say: if it's simple let's complicate it.
You do not isolate them from anything. They can continue accessing the Internet through ISA. Looks to me they will not notice anything if you do not tell them....
And here is one for your director:
"If we conceive a being whose faculties are so sharpened that he can follow every molecule in its course, such a being, whose attributes are still essentially finite as our own, would be able to do what is at present impossible for us" (James Maxwell).
(Kindly) Meaning: is just a temporary state of human incompetence (a monument of incompetence and ignorance in his case).
Regards!

< Message edited by justmee -- 28.Dec.2007 3:02:19 PM >

(in reply to tiwas)
Post #: 9
