Solved

vpn allow & control access remote access policy

Posted on 2014-02-07
Last Modified: 2014-03-02
Hi, I am currently running a Win 2003 domain/GPO server, ISA 2006 firewall, XP desktop and Win7 laptop, and eventually will be upgrading to Win 2008.

I can log on via a VPN on my Win7 laptop successfully and access files and save back to my file server.

Question 1.

When I open up ADUC for the specific VPN user (peterp) and select the 'dial-up' tab, I can select either of the below and still access my files. Is this OK, or should I disable one of them?

- allow
or
- control access through remote access policy

Question 2. Also, if I access ADUC and double-click my Win7 laptop and select 'dial-up' and select either, it does not do anything, so I am thinking: how do I ensure that the same Win7 laptop is the only one used to allow access via the VPN to my file server?

- allow
or
- control access through remote access policy

Note: if I access the GPO 'Computer Config', I am not sure where to ensure the Win7 laptop is the only machine allowed.
Question by:mikey250
Accepted Solution
by: Mahesh
The user account setting for Remote Access Permission, which is configured on the Dial-in properties of user accounts, overrides the network policy access permission setting.
If it is set to Allow, then it will override Deny settings in the remote access policy on the VPN server.
If it is set to Deny, it will override Allow settings in the remote access policy on the VPN server.

When the network access permission on a user account is set to the "Control access through remote access policy" option, the network policy access permission setting on the VPN server determines whether the user is granted or denied access.

However,
you can configure the NPS network policy to ignore the dial-in properties of user accounts by selecting or clearing the "Ignore user account dial-in properties" check box on the Overview tab of the remote access policy. Normally, when the VPN server performs authorization of a connection request, it checks the dial-in properties of the user account, where the network access permission setting value can affect whether the user is authorized to connect to the network. When you configure NPS to ignore the dial-in properties of user accounts during authorization, the network policy settings determine whether the user is granted access to the network.
The only disadvantage of this configuration is that you cannot use the additional user account dial-in properties of caller ID, callback, static IP address, and static routes.

http://technet.microsoft.com/en-us/library/cc772123(v=ws.10).aspx

Better you keep this setting as "Control access through remote access policy".

Also, when you use a Windows-based VPN on Win7 computers to connect to the corporate network, you have to install a computer certificate on the VPN server and on the client computer as well. Otherwise the computer can't connect to the VPN server.
In fact, the computer identity is verified by the VPN server, and you get assurance that it is indeed the computer it says it is (Win7 in your case).

Mahesh
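
An added example (this is not code from the thread, from Mahesh or from Microsoft): a PowerShell script that audits which user accounts have an explicit Allow or Deny on the Dial-in tab, resets a chosen account back to policy control, and models the precedence rule the answer describes. ADUC stores the Dial-in choice in the msNPAllowDialin attribute: TRUE is Allow, FALSE is Deny, and "Control access through remote access policy" leaves the attribute absent, so an audit is a simple LDAP filter. It assumes a domain-joined machine with rights to read (and, for the reset, write) that attribute, and uses ADSI rather than the ActiveDirectory module so it works against a Windows 2003 domain. The function names and the sample distinguished name are this example's own.

```powershell
# Added example, not from the original thread. Audits the Dial-in tab setting
# (msNPAllowDialin) that overrides the remote access / NPS network policy, and
# models the precedence described in the accepted answer.
# Assumes: domain-joined host, credentials allowed to read (and, for the reset,
# write) msNPAllowDialin. Uses ADSI, so no ActiveDirectory module is required.

function Get-ExplicitDialinUsers {
    # Only accounts with the attribute set are returned; an account where it is
    # absent is in "Control access through remote access policy" mode.
    $filter = '(&(objectCategory=person)(objectClass=user)(|(msNPAllowDialin=TRUE)(msNPAllowDialin=FALSE)))'
    $searcher = [ADSISearcher]$filter
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'msNPAllowDialin', 'distinguishedName'))
    foreach ($result in $searcher.FindAll()) {
        $allow = [bool]$result.Properties['msnpallowdialin'][0]
        New-Object PSObject -Property @{
            SamAccountName    = [string]$result.Properties['samaccountname'][0]
            DialinPermission  = if ($allow) { 'Allow (wins over a policy Deny)' } else { 'Deny (wins over a policy Grant)' }
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

function Reset-DialinToPolicyControl {
    # Clears msNPAllowDialin, which is exactly what choosing
    # "Control access through remote access policy" in ADUC does.
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $entry.PutEx(1, 'msNPAllowDialin', $null)   # 1 = ADS_PROPERTY_CLEAR
    $entry.SetInfo()
}

function Resolve-VpnAuthorization {
    # Models the rule from the answer: the account's Dial-in permission wins
    # unless it is "Control access through remote access policy" or the policy
    # has "Ignore user account dial-in properties" ticked. The policy's other
    # conditions (group, time of day, tunnel type) are assumed to have matched.
    param(
        [Parameter(Mandatory = $true)][ValidateSet('Allow', 'Deny', 'ControlViaPolicy')][string]$AccountDialin,
        [Parameter(Mandatory = $true)][ValidateSet('Grant', 'Deny')][string]$PolicyPermission,
        [switch]$IgnoreUserDialinProperties
    )
    if ($IgnoreUserDialinProperties -or $AccountDialin -eq 'ControlViaPolicy') {
        return ($PolicyPermission -eq 'Grant')
    }
    return ($AccountDialin -eq 'Allow')
}

# Usage: list every account whose Dial-in tab overrides the policy, then reset a
# specific one. The distinguished name is a hypothetical sample; adjust to your domain.
Get-ExplicitDialinUsers | Format-Table SamAccountName, DialinPermission -AutoSize
# Reset-DialinToPolicyControl -DistinguishedName 'CN=peterp,CN=Users,DC=example,DC=local'
```

Tracing Resolve-VpnAuthorization shows the point of the answer: with -AccountDialin Allow and -PolicyPermission Deny the call returns True, because the account setting is consulted first and wins; add -IgnoreUserDialinProperties and the same inputs return False, because only the policy is consulted. Accounts listed by Get-ExplicitDialinUsers are the ones whose access you cannot change from the policy alone, which is why leaving every account on "Control access through remote access policy" keeps the decision in one place.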
Author Comment
by: mikey250
Morning Mahesh,

I am currently using 'Control access through remote access policy', as you also advised.

Note: NPS is not a feature that I am aware of on Windows 2003, but it is on Win 2008, I believe. (I will eventually be upgrading to Win 2008.)

Your comment:

"also when you use windows based vpn on win7 computers to connect to corporate network, you have to have install computer certificate on vpn server and client computer as well.  otherwise computer can't connect to vpn server"

- Yes, I can, as below: log on via my VPN domain member server, described below.

Note: I can currently log on with either:

- PPTP - successfully - popular to use, apparently
or
- L2TP - successfully - more secure than PPTP due to layer 2 authentication, apparently - hence I use L2TP.
Assisted Solution
by: Mahesh
Yes, NPS is the 2008 version, but the article applies to Windows 2003 as well. MS has changed the name from Remote Access to NPS, but the base functionality remains the same.

PPTP does not require a computer certificate; it works only on the user password, in which case users can log on to the VPN network from any public computer.

But if you use L2TP VPN, it is more secure compared to PPTP, as it requires a computer certificate on both the server and the client computer.
So the computer authenticates first and then the user authenticates with a password.
So this is two-factor authentication.

Mahesh
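
An added example, not from the thread: a PowerShell check for the L2TP/IPsec computer-certificate requirement described in this answer and again in the later answer on internal CA certificates. Run on the Win7 laptop (or, with -RequiredEku set to the Server Authentication OID, on the VPN server), it lists the certificates in the Local Computer Personal store and reports for each whether it has a private key, is within its validity period, chains to a root trusted on that machine (your internal CA's root must be in Trusted Root Certification Authorities for this to pass) and carries an EKU that IKE will accept. It assumes an elevated prompt; the OIDs are the standard ones and the function names are this example's own.

```powershell
# Added example, not from the original thread. Checks whether this machine holds a
# certificate usable for L2TP/IPsec computer authentication. Assumes an elevated
# PowerShell prompt; written to run on PowerShell 2.0 (Windows 7) and later.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication (use on the VPN server)
$IpsecIkeOid   = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate

function Get-CertEkuOids {
    # Returns the OIDs in the certificate's Enhanced Key Usage extension,
    # or nothing when the extension is absent (such a cert is valid for any purpose).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    if (-not $ext) { return }
    foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
}

function Test-IpsecMachineCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$RequiredEku = @($ClientAuthOid)
    )
    $ekus = @(Get-CertEkuOids -Cert $Cert)
    $accepted = @($ekus | Where-Object { ($RequiredEku -contains $_) -or ($_ -eq $IpsecIkeOid) })
    $now = Get-Date
    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        InValidity    = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)
        ChainTrusted  = $Cert.Verify()   # builds and validates the chain (incl. revocation) against this machine's stores
        EkuAccepted   = ($ekus.Count -eq 0) -or ($accepted.Count -gt 0)
    }
}

# The Local Computer Personal store is where a computer certificate must live for IKE to find it.
$storePath = 'Cert:\LocalMachine\My'
$report = @(Get-ChildItem $storePath | ForEach-Object { Test-IpsecMachineCert -Cert $_ })
$report | Format-Table Subject, Issuer, HasPrivateKey, InValidity, ChainTrusted, EkuAccepted -AutoSize

$usable = @($report | Where-Object { $_.HasPrivateKey -and $_.InValidity -and $_.ChainTrusted -and $_.EkuAccepted })
if ($usable.Count -eq 0) {
    Write-Warning "No usable computer certificate in $storePath; L2TP/IPsec certificate authentication will fail from this host."
} else {
    "Usable computer certificate(s): " + (($usable | ForEach-Object { $_.Subject }) -join '; ')
}
```

A certificate that fails only ChainTrusted is the common case when an internal CA is used: the laptop has its own certificate but the CA's root is missing from the Local Computer's Trusted Root store, so the laptop cannot validate the VPN server's certificate either. A certificate that fails only HasPrivateKey was usually imported from a .cer rather than a .pfx, or was enrolled under the user rather than the computer, and IKE cannot use it.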
Author Comment
by: mikey250
Hi,

OK, so my Win 2003 set as 'Control access through remote access policy' is actually 'NPS'. OK, so I will leave it as is then.

PPTP - can be used from any public computer - OK, but where does the VPN server locate the 'password' from, or do you mean a random password that I decide to create on my Win7 laptop?

L2TP - I assume because I have a VPN user logging on via my VPN on the Win7 laptop, and the fact that it is a 'domain', is secure enough?

L2TP - I assume if my network was not part of a domain, then I would need to purchase 3rd-party L2TP certificates?
Assisted Solution
by: Mahesh
In the case of PPTP, if the VPN server is part of a domain, you can choose domain users / specific users, and then you can enter a domain username and password to connect to the VPN server.
The VPN server will authorize it through Active Directory.
http://support.microsoft.com/kb/314076

L2TP is secure because it requires certificate authentication (i.e. you have to have a computer certificate installed on the client computers and on the VPN server as well) and also you are using a username and password for users, so obviously it is the more secure and recommended way compared with PPTP.

On the last question, frankly speaking, I am neither comfortable with nor have I worked with a workgroup L2TP VPN server.
To my knowledge, a domain-based L2TP VPN server works well.
An internal CA server can be used to distribute client certs to clients, and the CA server's root cert needs to be installed on all client computers so that they can trust the internal CA server.
You may use 3rd-party certificates, but that is expensive and not required, since an internal CA can suffice for your requirements.

Lastly, the best option I can see is to use a Secure Socket Tunneling Protocol (SSTP) VPN.
It works on the TCP 443 SSL port, is the most secure and affordable option, and does not require client computer certificates.
The only thing is, it requires a 2008 / 2008 R2 domain-based VPN server, and clients must have Vista and above.
I think you have all Win7 laptops that require VPN, and if you could afford a 2008 Standard edition member server, then SSTP can be the best option.
It requires only a single SSL certificate, and you can use a public FQDN and public SSL cert so that clients can trust it automatically.
Check the links below for step-by-step and more information:
http://technet.microsoft.com/en-us/library/cc731352(v=ws.10).aspx - SSTP step-by-step guide
https://barbatunnel.codeplex.com/wikipage?title=How%20to%20setup%20and%20configure%20SSTP%20VPN%20tunnel%20on%20Windows%20Server%202008%20to%20share%20internet%20traffic%3F - SSTP Web Listener
http://4sysops.com/archives/how-to-setup-an-sstp-vpn-server-with-windows-server/ - SSTP client configuration.

Mahesh
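
An added example, not from the thread: a PowerShell probe for the SSTP prerequisites this answer lists (TCP 443 reachable, and a server certificate whose name and chain the client accepts with no extra configuration, which is why it suggests a public FQDN and a public CA certificate). It opens a TLS session to the server the way the SSTP client does and reports what it found. The server name vpn.example.com is a placeholder and the function name is this example's own.

```powershell
# Added example, not from the original thread. Checks the two things an SSTP
# client needs before it can even start authenticating: TCP 443 open, and a server
# certificate whose name matches and whose chain this client already trusts.
# The server name used at the bottom is a placeholder; substitute your VPN server's public FQDN.

function Test-SstpServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$ServerName,
        [int]$Port = 443
    )
    $tcp = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
    } catch {
        # Port closed, firewall (e.g. ISA publishing rule missing), or DNS failure.
        return New-Object PSObject -Property @{ Server = "${ServerName}:$Port"; Reachable = $false; TlsAccepted = $false; Detail = $_.Exception.Message }
    }
    try {
        # Default validation: the chain must build to a root trusted on this machine
        # and the certificate must match $ServerName, otherwise AuthenticateAsClient throws.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($ServerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Server      = "${ServerName}:$Port"
            Reachable   = $true
            TlsAccepted = $true
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            Thumbprint  = $cert.Thumbprint
            Detail      = "Protocol $($ssl.SslProtocol), cipher $($ssl.CipherAlgorithm)"
        }
    } catch [System.Security.Authentication.AuthenticationException] {
        # Typical causes: a self-signed or internal-CA certificate this client does not trust,
        # or a certificate issued to a different name than the one clients dial.
        New-Object PSObject -Property @{ Server = "${ServerName}:$Port"; Reachable = $true; TlsAccepted = $false; Detail = $_.Exception.Message }
    } finally {
        $tcp.Close()
    }
}

Test-SstpServerCertificate -ServerName 'vpn.example.com' | Format-List
```

Run it from the laptop on the network it will actually connect from. Reachable false points at the firewall or publishing rule; TlsAccepted false with Reachable true means the certificate, not the tunnel, is the problem, and the Detail text says whether it is the name or the chain. The SSTP client applies the same validation, so a result that passes here removes the certificate from the list of suspects when the VPN connection still fails.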
Author Comment
by: mikey250
Morning Mahesh,

I wish to know one more thing and I will then close and allocate points.

I understand your explanation about PPTP and L2TP.

But my last question is: you stated PPTP could be used for a public PC if allowed to be used via a VPN; since L2TP is recommended, as you explain, otherwise why doesn't Microsoft completely delete PPTP?
Author Comment
by: mikey250
Hi Mahesh, thanks for that advice. I will allocate points now and close the thread. Much appreciated.
Assisted Solution
by: Mahesh
Sorry, I forgot to answer your last question.

PPTP, or the Point-to-Point Tunnelling Protocol, is based on PPP and was introduced to the market by Microsoft. It is available as an inbuilt capability in all Windows versions and hence is a popular protocol all over the world. However, to implement security, encryption and authentication, it relies on the Point-to-Point Protocol (PPP). Irrespective of its loyalty to Windows, PPTP is perfectly compatible with all the other known operating systems as well, such as Mac, Linux, Android and more.

See the excellent article below:
http://www.vpntunnel.co/comparison-between-pptp-and-l2tp-vpn

Mahesh
Author Comment
by: mikey250
Hi Mahesh, so when a configuration requires PPP, then PPTP can be used. I think that is used with a circuit-switched line, i.e. ISDN.

Thanks for that. I will have to check my books, as that is where I have seen the configuration of PPP used.
Author Closing Comment
by: mikey250
Sound advice. Much appreciated.