Re: ISA 2006 configuration question - multiple VLANs and domains
- From: j_crum@xxxxxxxxxxx
- Date: 12 Jan 2007 13:10:28 -0800
Er, yes there is.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00801f1c82.html
http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/5000sw/conc52x/50028con/vpngrp.htm
I think you've been misunderstanding me, probably my fault. Thanks for
the reply.
Jennifer_C
Phillip Windell wrote:
> <j_crum@xxxxxxxxxxx> wrote in message
> news:1168617358.230800.59170@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > The IP addresses in this case are of paramount importance due to legal
> > regulations. When I mentioned DHCP, I wasn't referring to running DHCP
> > on the ISA server. Perhaps it's best expressed like this: can a
> > multihomed ISA 2006 server forward a DHCP request to the proper VLAN
> > based on the user's authentication credentials?
>
> No it cannot,...and there is *not* going to be any other product that can
> either. Networking technology just does not work like that. I think you
> misunderstand what you need to meet the legal requirement.
>
> It is not possible to get a particular IP# based on a user account,..period.
>
> We are an NBC Affiliate TV Station that is regulated by the FCC and is
> overseen by the Sarbanes-Oxley Act (my spelling is questionable). I have
> legal issues that are probably up to my ears. What the laws state is that
> users are not supposed to have access to company information that falls
> outside the jurisdiction of their jobs. The laws do not dictate that a user
> has to have a certain IP#, be in a certain segment, be in a certain VLAN, or
> even use DHCP to begin with. It does not dictate that you have to even have
> a Windows Domain or multiple network segments at all. You could run a
> single segment with a workgroup of Linux machines and comply with the law as
> long as the user only had access to what they are supposed to access.
>
> It is not possible for a VPN user to get an IP from a Segment (VLANs are
> just logical network segments) that is not from the Segment they are
> connected into when establishing the VPN connection in the first place,...it
> just can't happen,...and even if it did happen it would simply render the
> user's machine useless because it could not communicate with anything
> anywhere after that.
>
> Besides all that, you are never supposed to use IP#s as a means to identify
> users to begin with,...that is a security flaw in and of itself.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> The views expressed are my own (as annoying as they are), and not those of
> my employer or anyone else associated with me.
> -----------------------------------------------------