Hi, I have remote users (Windows 2K/XP) that connect to ISA/Win2K3
Server using Windows Client VPN. How can I allow them access to
Email/Internet while connected to teh VPN?
Is there some setting in the VPN Client or there Router to allow this ?

All the VPN I have seen have this same problem and I have been told its
a security risk to allow Internet/Email while a VPNis up, is this true
?

Thanks.

[ Post a follow-up to this message ]

hals left wrote:
> Hi, I have remote users (Windows 2K/XP) that connect to ISA/Win2K3
> Server using Windows Client VPN. How can I allow them access to
> Email/Internet while connected to teh VPN?
> Is there some setting in the VPN Client or there Router to allow this ?
>
> All the VPN I have seen have this same problem and I have been told its
> a security risk to allow Internet/Email while a VPNis up, is this true
> ?
>
> Thanks.
>
Hi,
Yes it's a security risk if the remote computer becomes compromised, as
the internet connection going out locally could allow a back door into
your network when the client vpn is connected. However with the ms
client you can open up split routing to do what you need, in the tcpip
properties of the remote PCs connection to you under advanced untick the
'use default gateway on remote network' then only traffic destined for
the subnet that the client vpn address gets goes down the tunnel, all
else goes out locally. If there is more than one subnet at your location
the remote clients would need to use the route add command to add the
additional routes needed.
simon

[ Post a follow-up to this message ]

Thanks Simon, that looks straighforward to set up. I just want to let
LAN users access the internet / Email as well as keep a connection to a
remote hosted Intranet.

Any tips to do the split tunnel safely in this scanario ?
Both LAN and Hosted Intranet do have maintained firewalls.

Thanks

[ Post a follow-up to this message ]

I have this same issue. My cleint connects to a corporate vpn through
one of their clients. They use cisco vpn client. when they connect the
vpn their LAN goes offline. When I try to add the route I using the
local ip the subnet mask and the address of the default gateway given
by the vpn it generates an error. when i use the default gateway of the
LAN it generates and error. Please help
thanks

[ Post a follow-up to this message ]

Hi This split tunnel method diddnt work after all.

When I uncheck the box I cannot access the Intranet, but can access the
Internet.

The Intranet is hosted remotely and each network that VPNs in has a
different IP Address range. I was advised to set itt up like this so
that there wasnt a conflict.

Intranet - 192.168.22.XXX
Site 1  - 192.168.0.XXX
Site 2 - 192.168.57.XXX
Site 3 - 192.168.26.XXX
Site 4 - 200.134.6.XXX

I noticed each client machines  2nd Gateway when the VPN is up is a 169
IP Address - one site I was at today , the users machine was
169.254.152.209 when the VPN  was established. Is this because my
Intranet server doesnt run DHCP? Do I need to turn on DHCP and allow
DHCP through the firewalls ? Is there a way to hardcode some setting on
the VPN Client and Server instead of allowing DHCP

I then tried to add aroute manually to my Intranet from the PC using
the info in this article:
https://www.microsoft.com/technet/c...guy/cg1003.mspx

I typed route add 192.168.22.XXX 255.255.255.0 169.254.152.209
(XXX = the actual local address of the Intranet)

But got a "bad argument error"  for the last parameter.

Thanks for any help on this.

[ Post a follow-up to this message ]

hals left wrote:
> Hi This split tunnel method diddnt work after all.
>
> When I uncheck the box I cannot access the Intranet, but can access the
> Internet.
>
> The Intranet is hosted remotely and each network that VPNs in has a
> different IP Address range. I was advised to set itt up like this so
> that there wasnt a conflict.
>
> Intranet - 192.168.22.XXX
> Site 1  - 192.168.0.XXX
> Site 2 - 192.168.57.XXX
> Site 3 - 192.168.26.XXX
> Site 4 - 200.134.6.XXX
>
> I noticed each client machines  2nd Gateway when the VPN is up is a 169
> IP Address - one site I was at today , the users machine was
> 169.254.152.209 when the VPN  was established. Is this because my
> Intranet server doesnt run DHCP? Do I need to turn on DHCP and allow
> DHCP through the firewalls ? Is there a way to hardcode some setting on
> the VPN Client and Server instead of allowing DHCP
>
> I then tried to add aroute manually to my Intranet from the PC using
> the info in this article:
> https://www.microsoft.com/technet/c...guy/cg1003.mspx
>
> I typed route add 192.168.22.XXX 255.255.255.0 169.254.152.209
> (XXX = the actual local address of the Intranet)
>
> But got a "bad argument error"  for the last parameter.
>
> Thanks for any help on this.
>
Hi,
the 169 address is a windows generated one when it can't get an address
allocated. Have you setup up a range of lan addresses on the server for
the remote clients to use ?
If there is only a single subnet at the remote site and the client is
given an address from this when they connect then there's no need to use
the route add command.
The syntax for the command is route add 192.168.22.xx netmask
255.255.255.0 y.y.y.y metric 1 where y.y.y.y is the remotely learned
address.
simon

[ Post a follow-up to this message ]

Thanks for the info. I am going to pass this problem over to a
networking/vpn consultant, rather than risk breaking something that
works!, but at least now I understand it all a bit more.

[ Post a follow-up to this message ]