• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Discussion on Internet Access for VPN clients

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> VPN >> Discussion on Internet Access for VPN clients Page: [1]
Login
Message << Older Topic   Newer Topic >>
Discussion on Internet Access for VPN clients - 3.May2005 4:41:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on Internet access for VPN clients at http://isaserver.org/tutorials/2004vpnclientnetaccess.html

Thanks!
Tom

[ May 03, 2005, 04:45 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion on Internet Access for VPN clients - 4.May2005 10:49:00 PM   
erickufrin

 

Posts: 58
Joined: 15.Apr.2003
From: Milwaukee, WI
Status: offline
Hey Tom,

Could you explain more as to why you would not want to allow outbound SSL? Is that only in this particular case of SecureNAT VPN Clients going out to the internet?

I currently have my ISA2K4 box setup with VPN access. I dont not have mine setup per your article though. My clients use FWC and Web proxy for internet access. Is that any more secure as far as outbound SSL goes? My clients are allowed to SSL to any site.

Thanks

Eric Kufrin

(in reply to tshinder)
Post #: 2
RE: Discussion on Internet Access for VPN clients - 5.May2005 11:48:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Eric,

VPN clients using the Web proxy and Firewall client configuration are more secure and more flexible than the VPN SecureNAT client, so you have a great configuration right now.

Outbound SSL tunneling is a risk for all clients. Check out my article on the evils of SSL tunneling at http://msmvps.com/shinder/articles/12268.aspx

HTH,
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion on Internet Access for VPN clients - 13.May2005 6:09:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ian,

A site to site VPN could be thought of as a split tunnel, if the client is configured as a Web proxy and/or Firewall client to its local ISA firewall.

So, the user could access the Internet (and potentially, vice versa) and the remote "internal" network at the same time.

However, since the ISA firewall is both an SPI and statefuil application layer firewall, addiing an addition "hardware" firewall provide no benefits (except to the saleman and vendor selling the "hardware" firewall).

HTH,
Tom

(in reply to tshinder)
Post #: 4
RE: Discussion on Internet Access for VPN clients - 22.May2005 2:16:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ian,

BIG difference. You NEVER want to allow split tunneling. Its like allowing users to bring modems or WAPs into the corpnet, both of which enable the client connected to the corporate network to *subvert* network usage policy. Why would you allow remote access clients to subvert network use policy when you work so hard to prevent this for localling conneted hosts?

HTH,
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion on Internet Access for VPN clients - 5.Oct.2005 8:14:00 AM   
schristopher

 

Posts: 6
Joined: 19.Sep.2003
From: usa
Status: offline
What would be the difference in the configuration if your clients had public addresses? Our corporate office makes us use public addresses. [Confused]

(in reply to tshinder)
Post #: 6
RE: Discussion on Internet Access for VPN clients - 25.Jan.2007 1:25:10 AM   
jhn_daz

 

Posts: 16
Joined: 18.Jan.2007
Status: offline
Hi All ,

i am having ISA 2000 ..my clients are not able to surf the internet when they are connected to my server from vpn ..also not able to check the mails...i have read the article about the isa 20004 but please please can anyone guide me how to configure it in the isa 2000 ..please i am lot of trouble as my VP is travelling out side frequently ....please Mr. T Shinder ...help me ...

John

(in reply to schristopher)
Post #: 7
RE: Discussion on Internet Access for VPN clients - 4.Jun.2009 1:16:01 AM   
z_haseeb

 

Posts: 209
Joined: 15.Jun.2005
From: Karachi,Pakistan
Status: offline
i want to use the local internet service provider for the VPN clients to use internet. i don't want that my VPN users fulfill their internet request from destination VPN/ISA Server

BUT i am facing one problem. VPN clients are using the internet from the destination ISA/VPN server as per your recommanded article but some times what happen that my internet browsing get stopped but other application works perfectly like GTALK (google talk messenger) ....even when my internet browsing is stopped at that time i can successfully ping the yahoo.com.

thanks in advance
Zahid Haseeb

< Message edited by z_haseeb -- 4.Jun.2009 1:56:41 AM >


_____________________________

Thanks
Zahid Haseeb

MCP, Veritas Netbackup6.5 certified
Interest ISA Server2004/2006, SHFA, VVR

(in reply to jhn_daz)
Post #: 8

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> VPN >> Discussion on Internet Access for VPN clients Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts