Hello MZ, I think SSL VPNs are a pretty lame idea in the first place, but for the specific problem you bring up, would the following design work around this?
Set up a wildcard record, *.webvpn.example.org, pointing to the device. The device then maps all internal domain names or IP addresses to a unique hostname, such as: internalhost.webvpn.example.org, or 192-168-0-1.webvpn.example.org, etc. Wouldn't this properly segment different internal sites, such that an XSS in one wouldn't impact the other? If so, pay attention all SSL VPN vendors: it is your free idea for the week. tim _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/