VPN Users not being protected

Asked By Rob
21-Jan-10 10:13 AM
Hello All,

I have ISA 2004 and allow off-site users access via VPN.  Their connection to
the server works great.  However, I have noticed that they are not being
protected when they access the internet after logging in.  They each have the
proper proxy setting set up in IE7 and I can see them come in as a Web Proxy
Client as well as a VPN Client and Firewall Client.  But, they are not
getting the same protection as our internal users.  We use an ISA add-in called
WebMarshal and their login names do not show up in the monitoring for this
program.  Is there some type of rule that I have to set to make sure that
their information is being passed properly to the add-in program?  Or, do I
need to modify one of the network settings to make sure that they are
protected?

Any suggestions would be greatly appreciated.

Regards,

Rob

Phillip Windell replied to Rob
21-Jan-10 01:11 PM
They have the same protection.

You will not see their names because they are not logged into the Domain.
Giving credentials to establish the VPN connection does not authenticate
them into the Domain at the same time,...all that is doing is establishing
the VPN Connection at Layer3.

To have them be actually logged into the Domain at the same time requires
that the machines they are sitting at be members of your Domain and they
must enable the Checkbox at the "Ctrl-Alt-Del" prompt that says "Log on using
dialup connection".

They will also create a security risk to the LAN if they disable the
Checkbox for "Use gateway on remote network" in the dialup settings on the
machine they are sitting at.

So,...for them to behave as close as possible to being normal users/machines
on the LAN requires that both checkboxes be enabled:

1.  Machines must be domain members
2.  Enable "Log on using dialup connection"
3.  Enable "Use gateway on remote network"


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

Rob replied to Phillip Windell
21-Jan-10 04:31 PM
Hello Phillip,

Thank you for the information.  These machines are all part of the domain.
I set them up first in the office and then send them on their way.  The other
two items I am having a hard time finding.  My users are accessing the
network using the wizard in the network connections area of XP and connecting
via the VPN option.  I have looked through all of the options in the
connection and cannot find the Use gateway on remote network or the Log on
using dialup connection check boxes.  Where are they found?

Rob

Phillip Windell replied to Rob
22-Jan-10 11:02 AM
That gateway one is:

Internet Protocol (TCP/IP) ---> Properties ---> Advanced ---> General Tab

The "log on using.." is,...at the Ctrl-Alt-Del prompt.

I am not going to claim that Web Marshal will be happy with anything.  I
do not use it, am not familiar with it, and cannot provide support for it.
Not all these kinds of products are as well developed as all the "marketing"
says they are.  Some of these types of products are not capable of dealing
with user authentication properly unless authentication is forced *globally*
at the ISA, which eliminates the possibility of having SecureNAT
Clients,...which is just not do-able in the real world.

Rob replied to Phillip Windell
22-Jan-10 04:23 PM
The Gateway check box is already checked.  Our users that are off-site
usually log into their computers (domain is already there since the machine
was set up in the office) and then they open the VPN connection and connect.
Are you saying that they should not use the VPN to connect but instead
connect concurrently with logging into their computer?

Rob
Phillip Windell replied to Rob
22-Jan-10 05:13 PM
Since they are already Domain Member machines and they are already logging
in with a "cached" Domain Account,...it should work either way,...but it
will not hurt if you have them try it with the checkbox.

The workstation always has to be a Domain Member first,... no way around
that,...but if the user is remote and has never logged into that particular
machine before,...using that "checkbox" is the only way they can get on the
machine the first time and have their profile created.  You simply "dodged"
that issue by having them log in at the main facility first before taking
the machine out.


--
Phillip Windell

Technet Library
ISA2004
http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx