Solved

vpn allow & control access remote access policy

Posted on 2014-02-07
Last Modified: 2014-03-02
Hi, I am currently running a Win 2003 domain/GPO server, ISA 2006 firewall, XP desktop and Win7 laptop, and eventually will be upgrading to Win 2008.

I can logon via a vpn on my win 7 laptop successfully & access files and save back to my fileserver.

Question 1.

When I open up ADUC for the specific VPN user peterp and select the 'dial-up' tab, I can select either of the below and still access my files. Is this OK, or should I disable one of them?

- allow
or
- control access through remote access policy

Question 2. Also, if I access ADUC, double-click my Win7 laptop, select 'dial-up' and select either option, it does not do anything, so I am thinking: how do I ensure that the same Win7 laptop is the only one allowed access via the VPN to my fileserver?

- allow
or
- control access through remote access policy

Note: If I access the GPO 'Computer Config', I am not sure where to ensure the Win7 laptop is the only machine allowed.
Question by:mikey250
10 Comments
 

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39843946
The user account setting for Remote Access Permission, which is configured on the dial-in properties of the user account, overrides the network policy access permission setting.
If it's set to allow, it will override deny settings in the remote access policy on the VPN server.
If it's set to deny, it will override allow settings in the remote access policy on the VPN server.

When the network access permission on a user account is set to the Control access through remote access policy option, the network policy access permission setting on the VPN server determines whether the user is granted or denied access.

However,
You can configure NPS network policy to ignore the dial-in properties of user accounts by selecting or clearing the Ignore user account dial-in properties check box on the Overview tab of remote access policy. Normally when VPN server performs authorization of a connection request, it checks the dial-in properties of the user account, where the network access permission setting value can affect whether the user is authorized to connect to the network. When you configure NPS to ignore the dial-in properties of user accounts during authorization, network policy settings determine whether the user is granted access to the network.
The only disadvantage of this configuration is that you cannot use the additional user account dial-in properties of caller-ID, callback, static IP address, and static routes.

http://technet.microsoft.com/en-us/library/cc772123(v=ws.10).aspx

Better to keep this setting as "Control access through remote access policy".

Also, when you use Windows-based VPN on Win7 computers to connect to the corporate network, you have to have a computer certificate installed on the VPN server and the client computer as well. Otherwise the computer can't connect to the VPN server.
In fact, the computer identity is verified by the VPN server, and you get assurance that the computers are indeed who they say they are (Win7 in your case).

Mahesh
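The precedence described above (an explicit Allow or Deny on the account beats the policy, unless the policy is set to ignore dial-in properties) is easy to audit before you rely on the policy to deny everyone else. The script below is an added example, not code from this thread or from Microsoft. It uses ADSI so it runs from a domain-joined Win7 machine with PowerShell 2.0 against a Windows 2003 domain, with no ActiveDirectory module. It reads the msNPAllowDialin attribute that the ADUC dial-in tab sets ($true = Allow, $false = Deny, absent = Control access through remote access policy) for both user and computer accounts. $PolicyPermission and $IgnoreUserDialIn are hypothetical parameters that stand in for the policy's own access permission and its "Ignore user account dial-in properties" check box; the Get-EffectiveAccess function applies the override rules from the answer above to each account.

```powershell
# Added example (not from this thread or Microsoft): list AD accounts whose dial-in setting
# is an explicit Allow or Deny, since those override the remote access policy, and show the
# effective result under a given policy. Uses ADSI so it works against a 2003 domain from a
# domain-joined Win7 box (PowerShell 2.0); no ActiveDirectory module required.
# $PolicyPermission and $IgnoreUserDialIn are hypothetical inputs mirroring the policy settings.
param(
    [ValidateSet('Allow', 'Deny')] [string] $PolicyPermission = 'Deny',
    [bool] $IgnoreUserDialIn = $false
)

function Get-DialInSetting {
    # msNPAllowDialin: $true = Allow, $false = Deny, absent = Control access through remote access policy
    param([System.DirectoryServices.SearchResult] $Result)
    $values = $Result.Properties['msnpallowdialin']
    if ($values -eq $null -or $values.Count -eq 0) { return 'ControlViaPolicy' }
    if ($values[0]) { return 'Allow' } else { return 'Deny' }
}

function Get-EffectiveAccess {
    # The explicit account setting wins unless the policy ignores dial-in properties
    param([string] $DialIn, [string] $Policy, [bool] $Ignore)
    if (-not $Ignore -and $DialIn -ne 'ControlViaPolicy') { return $DialIn }
    return $Policy
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = '(|(objectCategory=person)(objectCategory=computer))'
$searcher.PageSize = 1000
foreach ($attr in 'samaccountname', 'objectcategory', 'msnpallowdialin') {
    [void] $searcher.PropertiesToLoad.Add($attr)
}

$report = foreach ($result in $searcher.FindAll()) {
    $dialIn   = Get-DialInSetting $result
    $category = [string] $result.Properties['objectcategory'][0]
    $type = 'User'
    if ($category -like 'CN=Computer,*') { $type = 'Computer' }
    New-Object PSObject -Property @{
        Account   = [string] $result.Properties['samaccountname'][0]
        Type      = $type
        DialIn    = $dialIn
        Effective = Get-EffectiveAccess $dialIn $PolicyPermission $IgnoreUserDialIn
    }
}

# Accounts left on "Control access through remote access policy" follow the policy and are
# not listed; only the explicit overrides are shown, as those are what need reviewing.
$report | Where-Object { $_.DialIn -ne 'ControlViaPolicy' } |
    Sort-Object Type, Account |
    Select-Object Account, Type, DialIn, Effective
```

Save it as, for example, Audit-DialIn.ps1 and run `.\Audit-DialIn.ps1 -PolicyPermission Deny` to see which accounts would still get in under a deny policy; add `-IgnoreUserDialIn $true` to see the same accounts evaluated as they would be once the policy ignores dial-in properties (every row then shows the policy result). Computer accounts appear in the output because the dial-in tab exists on them too, which is why selecting Allow on the laptop object alone changes nothing for a PPTP user logon.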
 

Author Comment

by:mikey250
ID: 39843951
morning Mahesh,

I am currently using: 'control access through remote access policy' as you also advised.

Note: NPS is not a feature that I am aware of on Windows 2003, but it is on Win 2008, I believe. (I will eventually be upgrading to Win 2008.)

your comment:

"Also, when you use Windows-based VPN on Win7 computers to connect to the corporate network, you have to have a computer certificate installed on the VPN server and the client computer as well. Otherwise the computer can't connect to the VPN server."

- Yes, I can log on via my VPN domain member server, as described below.

note: I can currently logon with either:

- PPTP - successfully - popular to use, apparently
or
- L2TP - successfully - more secure than PPTP due to layer 2 authentication, apparently - hence I use L2TP.
 

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39843953
Yes, NPS is the 2008 version, but the article applies to Windows 2003 as well; MS has changed the name from Remote Access to NPS, but the base functionality remains the same.

PPTP does not require a computer certificate; it works only on the user password, in which case users can log on to the VPN network from any public computer.

But if you use L2TP VPN, it is more secure compared to PPTP, as it requires a computer certificate on both the server and the client computer.
So the computer authenticates first and then the user authenticates with a password.
So this is two-factor authentication.

Mahesh

 

Author Comment

by:mikey250
ID: 39844015
hi,

OK, so my Win 2003 set as 'control access through remote access policy' is actually 'NPS'. OK, so I will leave it as is then.

PPTP - can be used from any public computer - OK, but where does the VPN server locate the 'password' from, or do you mean a random password that I decide to create on my Win7 laptop?

L2TP - I assume because I have a VPN user logging on via my VPN on a Win7 laptop, and the fact that it is a 'domain', is secure enough?

L2TP - I assume if my network was not part of a domain, then I would need to purchase 3rd party L2TP certificates?
 

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39844474
In the case of PPTP, if the VPN server is part of the domain, you can choose domain users \ specific users and then enter the domain username and password to connect to the VPN server.
The VPN server will authorize it through Active Directory.
http://support.microsoft.com/kb/314076

L2TP is secure because it requires certificate authentication (i.e. you have to have a computer certificate installed on the client computers and the VPN server as well) and you are also using username and password for users, so obviously it is the more secure and recommended way compared to PPTP.

On the last question, frankly speaking, I am neither comfortable with nor have worked with a workgroup L2TP VPN server.
To my knowledge, a domain-based L2TP VPN server works well.
An internal CA server can be used to distribute client certs to clients, and the CA server root cert needs to be installed on all client computers so that they can trust the internal CA server.
You may use 3rd party certificates, but it is expensive and not required, since an internal CA can satisfy your requirements.

Lastly, the best option I can see is to use Secure Socket Tunnelling Protocol (SSTP) VPN.
It works well on the TCP 443 SSL port, is the most secure and affordable option, and does not require client computer certificates.
The only thing is, it requires a 2008 \ 2008 R2 domain-based VPN server, and clients must have Vista and above.
I think you have all Win7 laptops that require VPN, and if you could afford a 2008 Standard edition member server, then SSTP can be the best option.
It requires only a single SSL certificate, and you can use a public FQDN and public SSL cert so that clients can trust it automatically.
Check the links below for step by step and more information:
http://technet.microsoft.com/en-us/library/cc731352(v=ws.10).aspx - SSTP step by step guide
https://barbatunnel.codeplex.com/wikipage?title=How%20to%20setup%20and%20configure%20SSTP%20VPN%20tunnel%20on%20Windows%20Server%202008%20to%20share%20internet%20traffic%3F  - SSTP Web Listener
http://4sysops.com/archives/how-to-setup-an-sstp-vpn-server-with-windows-server/ - SSTP client configuration.

Mahesh
 

Author Comment

by:mikey250
ID: 39861043
morning Mahesh,

I wish to know one more thing and I will then close & allocate points.

I understand your explanation about PPTP and L2TP.

But my last question is: you stated PPTP could be used from a public PC if allowed via a VPN. Since L2TP is recommended, as you explain, why don't Microsoft completely delete PPTP?
 

Author Comment

by:mikey250
ID: 39897155
Hi Mahesh, thanks for that advice. I will allocate points now and close the thread. Much appreciated.
 

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39897763
Sorry, I forgot to answer your last question.

PPTP, or the Point to Point Tunnelling Protocol, is based on PPP and was introduced to the market through Microsoft. It is available as an inbuilt capability in all Windows versions and hence is a popular protocol all over the world. However, to implement security, encryption and authentication, it relies on the Point-to-Point Protocol (PPP). Irrespective of its loyalty to Windows, PPTP is perfectly compatible with all the other known operating systems as well, such as Mac, Linux, Android and more.

See the excellent article below:
http://www.vpntunnel.co/comparison-between-pptp-and-l2tp-vpn

Mahesh
 

Author Comment

by:mikey250
ID: 39898266
Hi Mahesh, so when a configuration requires 'PPP', then PPTP can be used. I think that is used with a circuit-switched line, i.e. ISDN.

Thanks for that. I will have to check my books, as that is where I have seen the configuration of PPP used.
 

Author Closing Comment

by:mikey250
ID: 39898267
Sound advice. Much appreciated.