Corporate VPN Access Policy
Date: 02/07/05
(IT Professionals) Keywords: microsoft
Hi, new to this forum, I hope some people here can help me, or provide some ideas.
I was just wondering how other companies deal with remote/traveling users' VPN access back into their company?
We have established a Cisco router with L2TP support (with mainly MS WinXP clients). This works fine for the most part, but it seems users are having trouble getting connected when they travel.
The reasons we have trouble, if you care:
The main problem(s) seem to be that:
a) The ISP (usually a hotel or airport, cafe, etc) is blocking VPN traffic for L2TP tunnels.
b) The ISP (or whatever) has incorrectly configured DNS servers which respond authoritatively for domains that don't exist on the internet (for example, returning 10.11.12.13 for ANY DNS lookup that doesn't exist on the 'real' internet, like DomainControler1.inside.mycompany.com). Thereby, the ISP's DNS server responds as if it 'knows' ALL of our company's internal addresses, but simply returns a bogus address. The clients then never fall back to using the internal DNS servers, and thus fail to ever connect to anything internally.
To solve a), we plan on adding back into our strategy a fall-back to PPTP-style VPNs. This isn't preferred because they're less secure, and rely only on username/password for connection (and our users have HORRIBLE passwords); the L2TP one uses both certificates AND user/pass, making it much more secure--not to mention it's using 3DES/SHA1, rather than Microsoft's proprietary encryption scheme (which I'm sure is not that good!). However, since it seems SO MANY hotels, cafes, airports, and other access points block all traffic except http/https/PPTP/FTP, we're pretty much stuck using the old crap.
To bypass problem b) above, I understand that the only good workarounds to this problem are to:
1) Change the 'binding order' of the VPN connection and the NIC--except that a known, and never resolved, bug in ALL versions of Windows (2K SP0 right through XP SP2) prevents changes to the binding order of VPN connections from EVER actually taking effect, making this 'fix' completely useless.
2) Turn off split-tunneling on the clients. We didn't want to go this route because it would mean forwarding all internet traffic through our already busy T1 internet connections (twice), plus the added encryption/decryption load! Also hindering this option is that I frankly don't know yet how to set this up on a Cisco router--and I've had people on Cisco's forums tell me it can't be done, although I've read elsewhere it can.
THE REAL QUESTION if you're too busy to read the background info:
What do other companies do here? Do we just tell the users (the managers, salesmen, etc.) that they "can't use it where it doesn't work"? Management and the users HATE this option, and in my opinion as an IT professional it's a cheap way out. What else can we do? We obviously can't 'fix' all the crappy ISPs' broken DNS servers, or force cafes and the like to learn about new-style VPNs and open their firewalls. What are we to do? What kind of things can I tell management? Are there other options I'm unaware of?
I'd appreciate any and all comments, discussions, and opinions!
Source: http://www.livejournal.com/community/itprofessionals/4762.html
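Problem b) in the post above is NXDOMAIN wildcarding: the hotel resolver answers every nonexistent name with an A record, so the client never sees the lookup failure that would make it try the VPN-side DNS. A quick way to prove this (and to check a hotel network before blaming the VPN) is to ask the local resolver for a random label under a zone that cannot exist publicly and see whether it returns NXDOMAIN or a fabricated address. The script below is an added example written for this page, not code from the original post; it assumes the resolver address is given on the command line, uses the post's example zone inside.mycompany.com as the probe zone (any zone you control works), and the build_response helper only constructs sample replies so the classifier can be exercised offline.

```python
"""Probe a DNS resolver for NXDOMAIN wildcarding (hijacked nonexistent names)."""
import secrets
import socket
import struct
import sys

# Assumption: the post's example internal zone. No public resolver can legitimately
# answer for a random label here, so anything other than NXDOMAIN is synthesised.
PROBE_ZONE = "inside.mycompany.com"


def build_query(name: str, qid: int) -> bytes:
    """Build a minimal DNS query: header with RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def classify_response(msg: bytes, expected_id: int):
    """Classify a raw DNS reply as ('nxdomain'|'wildcard'|'nodata'|'bad', [A records])."""
    try:
        qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        if qid != expected_id or not flags & 0x8000:  # wrong ID or not a response
            return "bad", []
        rcode = flags & 0x000F
        if rcode == 3:
            return "nxdomain", []
        if rcode != 0:  # SERVFAIL, REFUSED, ...
            return "bad", []
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
        addrs = []
        for _ in range(an):
            off = _skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rclass == 1 and rdlen == 4:
                addrs.append(socket.inet_ntoa(msg[off:off + 4]))
            off += rdlen
    except (struct.error, IndexError):
        return "bad", []
    return ("wildcard", addrs) if addrs else ("nodata", [])


def build_response(query: bytes, rcode: int, addrs: list) -> bytes:
    """Constructed helper (offline testing only): answer `query` with `rcode` and A records."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", qid, 0x8180 | (rcode & 0xF), 1, len(addrs), 0, 0)
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(a) for a in addrs
    )
    return header + question + answers


def probe_resolver(server: str, zone: str = PROBE_ZONE, timeout: float = 3.0):
    """Ask `server` for a random name under `zone`; return (name, (verdict, addrs))."""
    qid = secrets.randbelow(0x10000)
    name = f"{secrets.token_hex(6)}.{zone}"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(512)
    return name, classify_response(data, qid)


if __name__ == "__main__":
    # Assumption: resolver address on the command line (the DHCP-assigned one on the hotel LAN).
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    name, (verdict, addrs) = probe_resolver(resolver)
    print(f"{resolver}: {name} -> {verdict} {' '.join(addrs)}".rstrip())
    if verdict == "wildcard":
        print("resolver fabricates answers for nonexistent names; "
              "internal lookups will never fall through to the VPN's DNS")
```

Run it as `python3 dnsprobe.py <resolver-ip>` from the hotel network. A 'wildcard' verdict that returns the same address on every run (the 10.11.12.13 of the post) is the broken-resolver case, and it is worth capturing that output when explaining to management why the VPN "doesn't work here"; 'nxdomain' means the resolver is honest and the fault lies elsewhere. The probe uses a fresh random label and query ID each time so a cached earlier answer cannot mask the behaviour.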