Jeffrey
Mon Jul 21 15:23:25 CDT 2003
Chad, thank you very much. Your instructions have been very informative and
have provided me with what I needed to know.
Sincerely,
Jeffrey Reed
"Chad A Gross" <chad.gross@laytonflower.nospam.com> wrote in message
news:OMYXoQ8TDHA.2088@TK2MSFTNGP10.phx.gbl...
> Hi Jeffrey -
>
> The source of your problem is that once the VPN is connected, the remote PC
> routes all traffic (whether for the SBS LAN or internet) to your SBS. The
> easiest (albeit less secure) solution is to configure your VPN connectoid to
> not use the default gateway on the remote network. What this does is create
> a split-tunneling scenario where LAN traffic is routed over the VPN
> connection and internet traffic uses the local internet connection (cable in
> your case). The potential security issue is that if an internet-based
> attack successfully gained access to the remote client (or it became
> infected with a virus), the attacker and/or virus would have direct access
> to your SBS LAN with all of the privileges of the remotely connected user.
> Yuck. For more info, check out Tom Shinder's article on split tunnelling
> over at isaserver.org:
>
> http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html
>
> Now if we want to treat this remote client as a LAN client and have all
> traffic routed through SBS (ISA), we need to do some configuration changes
> on the remote client. Regular web access is easy - just open up IE, go to
> Tools | Internet Options | Connections. Select your VPN connection from the
> list and click Settings. Check to Use Proxy Server and enter the internal
> IP of your SBS and port 8080. If you need full internet access besides just
> web browsing (pop3, nntp, instant messaging, etc.) then you'll have to
> install the firewall client on the remote client. Unfortunately, VPN
> clients cannot be configured as SecureNAT clients in ISA - so our only other
> option is to configure them as firewall clients. Ok, so we can install the
> firewall client on the remote PC - but if we leave the firewall client
> enabled after the VPN is disconnected, the user won't have internet access.
> Likewise, the same will be true if we don't enable the firewall client after
> connecting via VPN. Luckily, we don't have to rely on the user to remember
> to enable / disable the firewall client. By using the Connection Manager
> Administration Kit, we can create a custom VPN connectoid and use two simple
> scripts to automate the process. Thus the VPN connectoid automatically
> enables the firewall client when the VPN is created and disables the
> firewall client when the VPN is disconnected with the entire process being
> transparent to the user.
>
> Of course, the other item that needs to be taken into consideration is
> bandwidth. By routing all internet traffic through the VPN connection, your
> internet connection on your SBS is actually doing double-duty by downloading
> internet content then sending back out on the same interface to the remote
> VPN client. If you're just talking about a few users with typical internet
> use (i.e. web browsing, newsgroups, basic pop mail (barring a significant
> number of large attachments)) this shouldn't be a problem. If you have a
> large number of remote users and/or high traffic demands with those remote
> clients, it may be beneficial to have a split-tunnelling scenario. However,
> I would strongly suggest that you make sure any remote clients are
> thoroughly protected by both a firewall and up-to-date anti-virus before
> implementing a split-tunnelling scenario.
>
> Just my $0.02 :^)
>
> --
>
> Chad A. Gross
>
> Lerman's Law of Technology: Any technical problem can be overcome
> given enough time and money. Corollary: You are never given enough
> time or money.
>
>
> In news:uB3SJE8TDHA.2148@TK2MSFTNGP11.phx.gbl,
> Jeffrey Reed <jeff@ashlandhome.net> posted:
> > Thanks for the feedback. I set up the VPN and it connects without
> > problem, though once connected the client can no longer access the
> > internet. I'm probably missing something very basic here, but not
> > sure what.
> >
> > The server is connected via fiber and the client is connected via
> > cable modem. Can you explain or direct me to a good source outlining
> > how to access resources on the server and the internet from the
> > client simultaneously?
> >
> >
> > Thanks,
> >
> >
> > "Chad A Gross" <chad.gross@laytonflower.nospam.com> wrote in message
> > news:uRhzhQ7TDHA.3700@tk2msftngp13.phx.gbl...
> >> Hi Jeffrey -
> >>
> >> The most secure method is to have users VPN into your server, then
> >> run OWA / Outlook over the VPN tunnel. However, if this isn't a
> >> viable option then I'd suggest setting up OWA to use SSL.
> >>
> >>
> >> http://www.smallbizserver.net/sbs2000/How_do_I_configure_OWA_with_SSL.aspx
> >>
> >> --
> >> Chad A Gross
> >>
> >> Lerman's Law of Technology: Any technical problem can be overcome
> >> given enough time and money. Corollary: You are never given enough
> >> time or money.
> >>
> >>
> >>
> >> Jeffrey Reed wrote:
> >>> I have setup SBS 2000 with Exchange and ISA Server. I have two
> >>> NIC's, one with a public IP and the other with a private IP.
> >>> Everything
> >>> seems to be functioning as it should. Everything works and we can
> >>> access OWA from our network.
> >>>
> >>> My question is what would be the best way to configure the system to
> >>> allow OWA from the internet?
> >>>
> >>> The default configuration by the wizard in ISS for the Default Web
> >>> Site is using the private IP, so that I understand why we can't
> >>> access from the internet. I have already tried changing the IP
> >>> setting in IIS for the Default Web to All Unassigned (just for
> >>> testing), but the system didn't like that.
> >>>
> >>> Any help would be appreciated,
> >>>
> >>> Jeffrey Reed
>
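
Added example, not part of the original thread: the difference Chad describes between routing everything through the VPN and split tunnelling is visible in the client's routing table, and this sketch classifies a `route print`-style IPv4 table accordingly. The addresses (192.168.16.0/24 for the SBS LAN, 192.168.1.0/24 for the home network, 203.0.113.10 as an internet host) and the metrics are constructed sample values, not taken from the posts.

```python
import ipaddress

# Constructed sample rows: destination, netmask, gateway, interface, metric.
# 192.168.16.50 is the assumed VPN-assigned address, 192.168.1.100 the cable NIC.
FORCED = """\
0.0.0.0       0.0.0.0        192.168.1.1    192.168.1.100  21
0.0.0.0       0.0.0.0        192.168.16.50  192.168.16.50  1
192.168.1.0   255.255.255.0  192.168.1.100  192.168.1.100  20
192.168.16.0  255.255.255.0  192.168.16.50  192.168.16.50  1
"""
SPLIT = """\
0.0.0.0       0.0.0.0        192.168.1.1    192.168.1.100  20
192.168.1.0   255.255.255.0  192.168.1.100  192.168.1.100  20
192.168.16.0  255.255.255.0  192.168.16.50  192.168.16.50  1
"""

def parse_routes(text):
    """Return (network, interface, metric) tuples; skip headers and junk."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, _gateway, iface, metric = parts
        try:
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"),
                           ipaddress.ip_address(iface), int(metric)))
        except ValueError:
            continue
    return routes

def egress_interface(routes, dest):
    """Pick the route as the IP stack does: longest prefix, then lowest metric."""
    dest = ipaddress.ip_address(dest)
    matches = [r for r in routes if dest in r[0]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[2]))[1]

def classify(routes, vpn_iface, lan_host, internet_host):
    """Report whether internet-bound traffic shares the tunnel with LAN traffic."""
    vpn = ipaddress.ip_address(vpn_iface)
    if egress_interface(routes, lan_host) != vpn:
        return "vpn-down"
    if egress_interface(routes, internet_host) == vpn:
        return "forced-tunnel"
    return "split-tunnel"

if __name__ == "__main__":
    for name, table in (("FORCED", FORCED), ("SPLIT", SPLIT)):
        print(name, classify(parse_routes(table), "192.168.16.50",
                             "192.168.16.2", "203.0.113.10"))
```

A "split-tunnel" result on a connected client is the case where the local firewall and anti-virus on that PC are the only thing between the internet and the SBS LAN.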