From: Milwaukee, WI
Could you explain more as to why you would not want to allow outbound SSL? Is that only in this particular case of SecureNAT VPN Clients going out to the internet?
I currently have my ISA2K4 box setup with VPN access. I dont not have mine setup per your article though. My clients use FWC and Web proxy for internet access. Is that any more secure as far as outbound SSL goes? My clients are allowed to SSL to any site.
A site to site VPN could be thought of as a split tunnel, if the client is configured as a Web proxy and/or Firewall client to its local ISA firewall.
So, the user could access the Internet (and potentially, vice versa) and the remote "internal" network at the same time.
However, since the ISA firewall is both an SPI and statefuil application layer firewall, addiing an addition "hardware" firewall provide no benefits (except to the saleman and vendor selling the "hardware" firewall).
BIG difference. You NEVER want to allow split tunneling. Its like allowing users to bring modems or WAPs into the corpnet, both of which enable the client connected to the corporate network to *subvert* network usage policy. Why would you allow remote access clients to subvert network use policy when you work so hard to prevent this for localling conneted hosts?
i am having ISA 2000 ..my clients are not able to surf the internet when they are connected to my server from vpn ..also not able to check the mails...i have read the article about the isa 20004 but please please can anyone guide me how to configure it in the isa 2000 ..please i am lot of trouble as my VP is travelling out side frequently ....please Mr. T Shinder ...help me ...
i want to use the local internet service provider for the VPN clients to use internet. i don't want that my VPN users fulfill their internet request from destination VPN/ISA Server
BUT i am facing one problem. VPN clients are using the internet from the destination ISA/VPN server as per your recommanded article but some times what happen that my internet browsing get stopped but other application works perfectly like GTALK (google talk messenger) ....even when my internet browsing is stopped at that time i can successfully ping the yahoo.com.
thanks in advance Zahid Haseeb
< Message edited by z_haseeb -- 4.Jun.2009 1:56:41 AM >
Thanks Zahid Haseeb
MCP, Veritas Netbackup6.5 certified Interest ISA Server2004/2006, SHFA, VVR