mikey250
asked on
vpn allow & control access remote access policy
hi I am currently running a win 2003 domain/gpo server, isa 2006 firewall, xp desktop and win7 laptop and eventually will be upgrading to win 2008.
I can logon via a vpn on my win 7 laptop successfully & access files and save back to my fileserver.
question 1.
when I open up 'aduc' for the specific vpn user: peterp & select the 'dial-up' tab, I can select either of the below and still access my files, is this ok or should I disable one of them ?
- allow
or
- control access through remote access policy
question 2. also if I access the aduc and double click my win7 laptop and select 'dial-up' and select either it does not do anything, so I am thinking how do I ensure that the same win7 laptop is the only one used to allow access via the vpn to my fileserver ?
- allow
or
- control access through remote access policy
note: If I access the gpo 'computer config' I am not sure where to ensure the win7 laptop is the only machine allowed.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
ASKER
hi,
ok so my win 2003 set as: 'control access through remote access policy' - is actually 'nps' - ok so I will leave as is then.
pptp - can be used from any public computer - ok but where does the vpn server locate the 'password' from or do you mean a random password that I decide to create on my win7 laptop ?
l2tp - I assume because I have a vpn user logging on via my vpn on win7 laptop and the fact that it is a 'domain' is secure enough ?
l2tp - I assume if my network was not part of a domain, then I would need to purchase 3rd party l2tp certificates ?
SOLUTION
ASKER
morning Mahesh,
I wish to know one more thing and I will then close & allocate points.
I understand your explanation about: pptp & l2tp
but my last question is, that you stated pptp - could be used for: public pc if allowed to be used via a vpn, since l2tp is recommended as you explain, otherwise why don't Microsoft completely delete pptp ?
ASKER
hi Mahesh, thanks for that advice I will allocate points now and close thread. much appreciated.
SOLUTION
ASKER
hi Mahesh, so when a configuration requires 'ppp' then pptp can be used. I think that is used with a circuit-switched line, i.e. isdn.
thanks for that I will have to check my books as that is where I have seen the configuration used of ppp.
ASKER
sound advice. much appreciated.
ASKER
I am currently using: 'control access through remote access policy' as you also advised.
note: nps is not a feature that I am aware of on windows 2003 but it is on win 2008 - I believe. (I will eventually be upgrading to win 2008.)
your comment:
"also when you use windows based vpn on win7 computers to connect to corporate network, you have to have install computer certificate on vpn server and client computer as well. otherwise computer can't connect to vpn server"
- yes i can as below logon via my vpn domain member server - described below
note: I can currently logon with either:
- pptp - successfully - popular to use apparently
or
- L2tp - successfully - more secure than pptp due to layer 2 authentication on apparently - hence I use L2tp.