Hi Carl,

You can control outbound access if you're using a proxy-based or
integrated stateful packet inspection and proxy-based firewall. That's a
nice thing about the ISA Firewall. The CONNECT request sent by the SSTP
client has a special HTTP header called SSTPVERSION. The value for this
header is 1.0. You can use your Web proxy configuration (like an ISA
Firewall's HTTP Security Filter) to block it. In contrast, if you're not
using a Web proxy-enabled firewall, then you're right -- everyone can
bypass your security controls on the SSTP VPN outbound.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
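
The header check described in the message above, as an added Python example; it is not part of the original e-mail and is not ISA Firewall configuration. The function names, the fail-closed handling of malformed requests and the sample requests (with their example.test hostnames) are assumptions made for illustration.

```python
# Added example: the decision a Web proxy filter makes when it sees a
# CONNECT request, keyed on the SSTPVERSION header named in the message.

BLOCKED_HEADER = "sstpversion"  # HTTP header names are case-insensitive


def parse_request_head(raw: bytes):
    """Split a raw HTTP request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    lines = head.decode("latin-1").replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Reject folded lines and whitespace around the header name so a
        # disguised header cannot slip past the name comparison.
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line")
        headers.setdefault(name.lower(), []).append(value.strip())
    return method, target, headers


def decide(raw: bytes) -> str:
    """Return the proxy's verdict for one request head."""
    try:
        method, target, headers = parse_request_head(raw)
    except ValueError:
        return "deny: malformed request"  # assumption: fail closed
    if method == "CONNECT" and BLOCKED_HEADER in headers:
        version = headers[BLOCKED_HEADER][0]
        return f"deny: SSTP tunnel to {target} (SSTPVERSION={version})"
    return "allow"


# Constructed sample requests (not captured traffic).
SSTP_CONNECT = (b"CONNECT vpn.example.test:443 HTTP/1.1\r\n"
                b"Host: vpn.example.test:443\r\nSSTPVERSION: 1.0\r\n\r\n")
MIXED_CASE = b"CONNECT vpn.example.test:443 HTTP/1.1\r\nsstpVersion:1.0\r\n\r\n"
PLAIN_CONNECT = (b"CONNECT www.example.test:443 HTTP/1.1\r\n"
                 b"Host: www.example.test:443\r\n\r\n")
TRUNCATED = b"CONNECT vpn.example.test:443\r\n\r\n"

if __name__ == "__main__":
    for sample in (SSTP_CONNECT, MIXED_CASE, PLAIN_CONNECT, TRUNCATED):
        print(decide(sample))
```

The check matches on the header name rather than on the value 1.0, so the verdict does not depend on how the client spells or spaces the header.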

 

> -----Original Message-----
> From: Carl Houseman [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 30, 2008 7:30 PM
> To: NT System Admin Issues
> Subject: RE: L2TP vs. SSTP
> 
> One starts to wonder, what's the point of outbound firewall security if
> everybody is bypassing it on port 80 or 443 to do whatever they want?
> 
> Carl
> 
> -----Original Message-----
> From: Ken Schaefer [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 30, 2008 8:26 PM
> To: NT System Admin Issues
> Subject: RE: L2TP vs. SSTP
> 
> One operates at the IP layer
> One operates at the TCP layer
> 
> Both use certificates for authentication and encryption.
> 
> But I suppose that SSL VPN products are popular now because port 443 is seen
> as the "universal firewall bypass" port, and so setting up SSTP (or similar
> SSL VPN product) and having roaming clients be able to access your server
> may be the easiest to do.
> 
> Cheers
> Ken
> 
> -----Original Message-----
> From: Jim Dandy [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 31 January 2008 12:22 PM
> To: NT System Admin Issues
> Subject: L2TP vs. SSTP
> 
> Windows Server 2008 is supposed to come out with Secure Socket Tunneling
> Protocol (SSTP).  Does anyone know the advantages/disadvantages of using
> this versus L2TP?  Thanks for your help.
> 
> Curt
> 
> ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!    ~
> ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~
> 
