Re: router vpn and isa in concert by Gizmo
Gizmo
Fri Sep 12 15:38:08 CDT 2003
Hi Charles,
Yes, 2k and XP are usually easier, XP more so than 2000 in my preference,
but also when talking to users over the phone diagnosing/troubleshooting.
Anything earlier than 2000 from the user's point of view can be more confusing,
but also security-wise... ME (yuk) and 98 are very lax on security compared to 2k
and XP. Also, support is being withdrawn for these by Microsoft.
Yes, you can do just HW routers for the two connections, BUT never to your
LAN NIC; it would still go to the internet NIC. But configurations are going
to be complex unless you do it at all sites (so you can remember the configurations),
or if it is just one site, make sure it is documented. If something doesn't work... just
look at how many items/configurations you have to check. Every site/scenario
is different and what suits one might not suit another.
ISA is VERY SECURE... patch it, make sure it is updated per Microsoft security alerts,
and it shouldn't be a problem (except those users... :-))
These are only personal/generic views as each site is different. The wants
and configuration of your site could mean a different approach. JUST DO NOT
ATTACH ANY EXTERNAL CONNECTIONS TO YOUR INTERNAL LAN NIC..... sorry to shout.
Just briefly, we could look at a DMZ, another ISA server with routers attached
to this.... how far do you want to go?
"Charles Dickerson" <charles at baypc dot com dot au> wrote in message
news:eRv4IqDeDHA.2320@TK2MSFTNGP12.phx.gbl...
> Why only 2k and XP, because you can get a better PPTP VPN client??
>
> I have set up VPN routers plugged directly into the hub on a LAN and I have
> also set them up on the second NIC on an SBS server and that works well too.
>
> I am thinking, is there a more secure way? A lot of routers have VPN endpoint
> termination built in, yet we usually set them up as pass-through and
> get SBS to do the VPN endpoint.
>
> Could you allow the HW router to do the VPN endpoint termination (not the
> SBS server) and then have the router forward the traffic to the WAN NIC on
> the SBS server? You would then set up ISA Server to only allow the traffic
> you want, in my case just Term Serv traffic.
>
> "gizmo :-)" <dontwant@anymorespam.com> wrote in message
> news:uQP#0PDeDHA.3228@tk2msftngp13.phx.gbl...
> > Hi Charles,
> >
> > Any client VPN is a back door to your server. If that PC has a virus/
> > trojan then yes, it will get in.
> >
> > Users need to be educated about virus updates/security updates. I only
> > allow 2000 and XP clients to VPN.
> >
> > They also get regular reminders to update antivirus and apply security patches. Spot
> > checks are done and NO second chance: if anything is out of date, no VPN.
> >
> > Now your comment... Router on LAN directly... why, and don't do it? Can you
> > please elaborate? The router should be on your internet NIC, assuming it does
> > support VPN pass-through.
> >
> >
> > "Charles Dickerson" <charles at baypc dot com dot au> wrote in message
> > news:%23DdwjsCeDHA.2140@TK2MSFTNGP10.phx.gbl...
> > > LAN ------- two-NIC SBS server ------- VPN router -------- ADSL modem
> > >
> > > Has anyone set up a two-NIC SBS2k server with a hardware router doing VPN
> > > termination and all traffic on the VPN link forwarded to the WAN NIC on
> > > the SBS server? ISA Server would then filter traffic more, allowing only TS
> > > traffic through.
> > >
> > > I figure if I placed the router on the LAN directly and established a VPN
> > > connection from a remote client, if the remote client didn't have its AV
> > > up to date the VPN connection would be a nice pipe for the virus to travel
> > > down and have fun on the LAN.
> > >
> > > Comments please
> > >
> > > Charles
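The point the thread keeps circling back to (terminate the VPN on the router, hand the decrypted traffic to the SBS WAN NIC, let the filter on that NIC admit only Terminal Services, and never cable the router into the LAN hub) is easier to reason about with a small model. The Python below is an added example written for this page, not code from the thread, from ISA Server or from SBS. It uses its own ordered first-match rule list rather than ISA's actual rule engine, and every address in it (the VPN client pool, the LAN, the terminal server) is an assumption chosen for the illustration. It shows which of a VPN client's packets reach a LAN host in the two placements Charles describes, and includes a small audit of rule-set mistakes that would widen what the VPN can reach.

```python
"""Constructed model of the topology discussed in the thread (not ISA Server code).

    LAN ---- [SBS: LAN NIC | WAN NIC] ---- VPN router ---- ADSL modem

The router terminates the VPN and forwards decrypted client traffic to the
SBS WAN NIC, where an ordered rule list (first match wins; the example's own
filter, not ISA's rule engine) admits only Terminal Services (TCP 3389) to the
terminal server.  Cabling the router straight into the LAN hub instead delivers
the same traffic to every LAN host without passing any rule.
All addresses below are assumptions chosen for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumed addressing for the example.
VPN_POOL = "192.168.200.0/24"   # addresses the router hands to VPN clients
LAN = "192.168.1.0/24"
TS_SERVER = "192.168.1.10/32"   # the terminal server on the LAN
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR
    dst: str                     # CIDR
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Rule set applied to traffic entering the SBS WAN NIC from the router.
WAN_NIC_RULES: List[Rule] = [
    Rule("allow", VPN_POOL, TS_SERVER, "tcp", 3389),  # Terminal Services only
    Rule("deny", ANY, ANY),                            # explicit default deny
]


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; no match means deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def deliver(ingress: str, p: Packet) -> str:
    """Fate of a VPN client's packet given which side of the SBS it enters on."""
    if ingress == "wan":
        return filter_packet(WAN_NIC_RULES, p)
    if ingress == "lan":
        # Router on the LAN hub: the client is already on the LAN segment,
        # so the rules on the SBS never see the packet.
        return "allow"
    raise ValueError(f"unknown ingress {ingress!r}")


def exposed_services(ingress: str, client: str, host: str, ports: List[int]) -> List[int]:
    """TCP ports on `host` that `client` can reach through the given ingress."""
    return [port for port in ports
            if deliver(ingress, Packet(client, host, "tcp", port)) == "allow"]


def audit_rules(rules: List[Rule]) -> List[str]:
    """Flag rule-set mistakes that would widen what the VPN can reach."""
    findings = []
    if not rules or rules[-1] != Rule("deny", ANY, ANY):
        findings.append("rule list does not end with an explicit deny-all")
    for i, r in enumerate(rules):
        if r.action == "allow" and r.dst == ANY:
            findings.append(f"rule {i} allows traffic to any destination")
        if r.action == "allow" and r.proto is None:
            findings.append(f"rule {i} allows any protocol")
        if r.action == "deny" and r.src == ANY and r.dst == ANY and i != len(rules) - 1:
            findings.append(f"rule {i} is a deny-all that shadows the rules after it")
    return findings


if __name__ == "__main__":
    client = "192.168.200.5"
    probes = [3389, 445, 139, 135]   # RDP, then SMB (445/139) and RPC (135)
    print("via WAN NIC:", exposed_services("wan", client, "192.168.1.10", probes))
    print("via LAN hub:", exposed_services("lan", client, "192.168.1.10", probes))
    print("audit:", audit_rules(WAN_NIC_RULES))
```

Run as is, it reports that through the WAN NIC the client reaches only 3389 on the terminal server, while through the LAN hub every probed port is reachable, which is exactly the "nice pipe for the virus" Charles worried about. The audit function exists because the filtered design only holds while the rule list stays tight: one "allow to any destination" rule, or a missing final deny, quietly turns the WAN-NIC placement into the LAN-hub placement.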