I have the following network layout, and I would like to set up a VPN to the internal protected LAN.
The SBS 2003 Premium box is running all services: Exchange, SQL, ISA 2004. The setup has worked well for me, and appears to be as secure as it possibly can be considering it is SBS, and that I also run RWW on it. To mitigate the risks, I do run daily vulnerability scanning, and view my security logs. However, I think it may be time to ratchet this up a notch and disable RWW and set up a VPN to the LAN. This appears to be the way to go, even more important now that there are a host of mobile devices that can utilize VPNs.
My question is, which would be the most secure way of achieving this? Should I set up the VPN on the Cisco ASA 5505 and open the necessary ports on the ISA server, or should I open the necessary ports on the ASA, and set up the VPN on the ISA server? Or is there something I am missing, and it should be a combination of the two using a RADIUS implementation, if that is even possible between the two?
Any opinions or links to articles on the subject would be appreciated.