I have a two-part question. 1. When a user connects to the PIX using the VPN client, what is the best way to allow internet access? I am not really familiar with setting up a split tunnel. Does the end user go through the VPN, and then out the internet connection they are VPNing into? Can they go out through the local VPN firewall at all when it is up? How would you configure their email, like a POP3 account, to work both with the VPN client on and off?
2. I have been unable to get into the PDM using a Win2003 server lately. This just started happening in the past few weeks; some sort of Java problem??
Split tunnel will enable users to connect to your corporate site over VPN and at the same time access the Internet directly from their computers. That is, the traffic to the corporate site will be encrypted by the VPN tunnel and all other traffic (Internet) will go directly to the user's service provider network. Configuring split-tunnel is easy.
Another way to allow Internet access to the VPN users is to have them come to the corporate site and then go out to the Internet. This is not an efficient way, as all the traffic will have to go over the VPN connection. Also note that the PIX cannot do the "hair-pinning" of the traffic by itself. You will need an additional device (concentrator) to send the Internet traffic back outside the firewall.
1. really depends on the security policy. another factor is the head office device, and whether it is capable of re-routing the internet traffic. with pix v6.x, this operation is not feasible, thus the only option is to configure split tunneling. with split tunneling, the remote host will only send traffic via the vpn if the destination is the head office, and all other traffic, such as internet browsing, will go out directly.
it's complicated to configure outlook to work with both vpn on and off. the reason being that the email server ip address will be public when the vpn is off; whereas the ip address will be private when the vpn is on. i suggest you configure secure owa for users who have no vpn, and use outlook only with vpn.
2. from what we did in the lab, java 2 runtime environment se v1.4.2 and later may not work with some pdm versions. i suggest you upgrade to the latest pdm.
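Both replies above say split tunneling is the way to go on PIX 6.x but neither shows the configuration. The following is an added example, not configuration posted by either responder: a PIX 6.x split-tunnel setup for the Cisco VPN Client. The group name, pool, and addresses are constructed placeholders (inside LAN 192.168.1.0/24, client pool 192.168.100.0/24, DNS server 192.168.1.10), and it assumes the usual isakmp/crypto map/sysopt connection permit-ipsec statements for the client group are already in place.

```cisco
! Added example (not from this thread): PIX 6.x split tunnel for the Cisco VPN Client
! All names and addresses below are constructed placeholders.
! Inside LAN: 192.168.1.0/24   VPN client pool: 192.168.100.0/24

! Addresses handed out to connecting VPN clients
ip local pool vpnpool 192.168.100.1-192.168.100.254

! Traffic between the inside LAN and the client pool: one ACL does double duty.
! 1) NAT exemption, so inside hosts reach clients by their pool address
! 2) Split-tunnel list: ONLY these destinations go through the tunnel;
!    everything else (Internet browsing, public POP3, etc.) leaves the client directly
access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list split_tunnel

! VPN group the client profile references (group password is a placeholder)
vpngroup remote_users address-pool vpnpool
vpngroup remote_users dns-server 192.168.1.10
vpngroup remote_users default-domain example.local
vpngroup remote_users split-tunnel split_tunnel
vpngroup remote_users idle-time 1800
vpngroup remote_users password ********
```

With the split-tunnel list applied, the client sends only 192.168.1.0/24 through the tunnel and uses its local gateway for everything else, which is what makes a POP3 or OWA server reachable by its public name whether the tunnel is up or not. Without a `split-tunnel` line on the group, the client tunnels all traffic and, as noted above, a 6.x PIX cannot send that Internet traffic back out its outside interface. The trade-off to keep in mind is that a split-tunneled host is on the Internet and the corporate LAN at the same time, so the host's own firewall and patch level become part of the corporate perimeter.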
Perhaps this is crazy, but would it be possible to eliminate the "hair pinning" (love that term) by using a second virtual interface for the VPN connections and the primary internet interface as the egress point for the outbound traffic? So a PPTP VPN connection could be tunneled to the VPN interface IP address and the www traffic that came over the tunnel would be routed out the primary internet interface?
Of course you need 2 internet connections, or at least 2 internet IP addresses for this, but is it even feasible?