Access Internet/Email while using VPN

Hi, I have remote users (Windows 2K/XP) that connect to an ISA/Win2K3 Server using the Windows Client VPN. How can I allow them access to Email/Internet while connected to the VPN? Is there some setting in the VPN Client or their router to allow this?

All the VPNs I have seen have this same problem, and I have been told it's a security risk to allow Internet/Email while a VPN is up. Is this true?

Thanks.

hals left

Hi, yes it's a security risk if the remote computer becomes compromised, as the internet connection going out locally could allow a back door into your network when the client VPN is connected. However, with the MS client you can open up split routing to do what you need: in the TCP/IP properties of the remote PC's connection to you, under Advanced, untick 'Use default gateway on remote network'. Then only traffic destined for the subnet that the client VPN address gets goes down the tunnel; all else goes out locally. If there is more than one subnet at your location, the remote clients would need to use the route add command to add the additional routes needed. simon

Simon

Thanks Simon, that looks straightforward to set up. I just want to let LAN users access the internet / Email as well as keep a connection to a remotely hosted Intranet.

Any tips to do the split tunnel safely in this scenario? Both the LAN and the hosted Intranet do have maintained firewalls.

Thanks

hals left

I have this same issue. My client connects to a corporate VPN through one of their clients. They use the Cisco VPN client. When they connect the VPN, their LAN goes offline. When I try to add the route using the local IP, the subnet mask and the address of the default gateway given by the VPN, it generates an error. When I use the default gateway of the LAN it generates an error. Please help, thanks.

glopin

Hi, this split tunnel method didn't work after all.

When I uncheck the box I cannot access the Intranet, but can access the Internet.

The Intranet is hosted remotely and each network that VPNs in has a different IP address range. I was advised to set it up like this so that there wasn't a conflict.

Intranet - 192.168.22.XXX
Site 1 - 192.168.0.XXX
Site 2 - 192.168.57.XXX
Site 3 - 192.168.26.XXX
Site 4 - 200.134.6.XXX

I noticed each client machine's 2nd gateway when the VPN is up is a 169 IP address. At one site I was at today, the user's machine was 169.254.152.209 when the VPN was established. Is this because my Intranet server doesn't run DHCP? Do I need to turn on DHCP and allow DHCP through the firewalls? Is there a way to hardcode some setting on the VPN Client and Server instead of allowing DHCP?

I then tried to add a route manually to my Intranet from the PC using the info in this article:

I typed route add 192.168.22.XXX 255.255.255.0 169.254.152.209 (XXX = the actual local address of the Intranet)

But got a "bad argument error" for the last parameter.

Thanks for any help on this.

hals left

Hi, the 169 address is a Windows-generated one, used when it can't get an address allocated. Have you set up a range of LAN addresses on the server for the remote clients to use? If there is only a single subnet at the remote site and the client is given an address from this when they connect, then there's no need to use the route add command. The syntax for the command is route add 192.168.22.xx netmask 255.255.255.0 y.y.y.y metric 1, where y.y.y.y is the remotely learned address. simon
Simon
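An added example (my own, not from anyone in this thread) that models the client-side routing Simon describes in both of his replies: the route table a remote PC ends up with when 'Use default gateway on remote network' is ticked versus unticked plus a manual route, the longest-prefix decision that sends Intranet traffic down the tunnel and everything else out locally, and a check of the arguments hals left passed to route add. The Intranet subnet and the 169.254 address are the thread's own; the LAN router and the client's VPN address are constructed.

```python
import ipaddress

LAN_GW = "192.168.0.1"        # constructed: Site 1 router
VPN_ADDR = "192.168.22.200"   # constructed: address the VPN server gives the client (Simon's y.y.y.y)
INTRANET = "192.168.22.0/24"  # from the thread
APIPA = ipaddress.ip_network("169.254.0.0/16")  # Windows self-assigned range

def route_table(split_tunnel, extra_subnets=()):
    """Return [(network, gateway, metric)] as the remote PC would see it."""
    table = [(ipaddress.ip_network("192.168.0.0/24"), "on-link", 10),  # local LAN
             (ipaddress.ip_network("0.0.0.0/0"), LAN_GW, 10),          # local default route
             (ipaddress.ip_network(INTRANET), VPN_ADDR, 1)]            # subnet of the VPN address
    if split_tunnel:
        # 'Use default gateway on remote network' unticked: only the VPN subnet
        # and whatever 'route add' contributes go down the tunnel.
        for net in extra_subnets:
            table.append((ipaddress.ip_network(net), VPN_ADDR, 1))
    else:
        # Ticked: Windows adds a second default route with a better metric via the tunnel,
        # so internet and email traffic is pulled through the VPN as well.
        table.append((ipaddress.ip_network("0.0.0.0/0"), VPN_ADDR, 1))
    return table

def next_hop(table, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in table if dst in r[0]), key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]

def check_route_add(dest, mask, gateway):
    """Validate 'route add <dest> mask <mask> <gateway>' before typing it.

    Windows requires the 'mask' keyword and a destination that is the
    network address, not a host inside it; a 169.254 gateway means the
    client never received a real VPN address, so nothing is reachable via it.
    """
    net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    if ipaddress.ip_address(dest) != net.network_address:
        return f"destination must be the network address {net.network_address}, not a host"
    if ipaddress.ip_address(gateway) in APIPA:
        return "gateway is an APIPA (169.254.x.x) address: the VPN server assigned no real address"
    return f"route add {net.network_address} mask {net.netmask} {gateway} metric 1"
```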

Thanks for the info. I am going to pass this problem over to a networking/VPN consultant rather than risk breaking something that works! But at least now I understand it all a bit more.

hals left
