Thank you for your input. I hear you about SBS, but for small
businesses it is really a great deal. We are a managed solution provider and
most of our clients are in the SBS range of 5-50 users, for which SBS cannot be
beat. I love the RWW and try to use it as much as possible on SBS networks.
However, there are still some laptops that require offline data access and
intermittent connectivity to the network to update offline files, OST files,
etc., for which the RWW alone is not enough. Also, I should have mentioned that
the network of which I am speaking belongs to our largest client, who does not
use SBS. The reason I mentioned SBS is that I would like to leverage whatever
solution comes out of this for our SBS clients.

We also have a policy that machines from which users connect must have the
latest AV and AS software, but users are normally admins on these machines
(usually personal PCs/laptops). So, no matter what you do to the PC to make it
secure, ultimately the user has control over it and its security is always in
question. Ideally, I would like any user that requires VPN access to the network
to be using a corporate asset, such as a laptop, to which we are the only people
with admin privileges. However, management requires certain users that are not
issued company notebooks to have VPN access. I am just trying to balance
requirements from management with proper security.

Dan DeStefano

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]

(Say SBS and it's like waving a red flag in front of me)

Call-Station-Identifier is a much more stable and
reliable filter - it is the Client's MAC address. "Client Friendly
Name" is optional and may not be sent in many VPN negotiations. The
identifier will very likely be sent (I don't want to say ALWAYS since I don't
have any relevant doc that says that, but I have yet to see a negotiation that
does not include the identifier). Unfortunately, in order to use the identifier
as a filter, you will have to create a policy for each device. I don't see how
you can wildcard it. So, depending on how many clients you are talking here,
well....

Yes, if I were you, I'd bring in RADIUS. Better, I'd bring in something like
ISA 2006. With ISA, you should be able to create a Computer Set that includes
the names or IPs of the Clients in question, and you can use that to filter
your inbound VPN connection requests. I don't have such a configuration, but it
makes sense in my head.

Also, if you haven't started messing with that 2K3 quarantine thingamabob yet,
thank your stars. You don't want to. Not now that NAP in Longhorn is so close at
hand. I'd recommend that you encourage your techs to concentrate on learning NAP
instead. I just took a quick look around in NAP, and I can see where what you
are trying to do here can be easily accomplished. Hope I haven't thoroughly
confused you yet.
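The per-device identifier filter this reply describes (one remote access policy per approved device, first matching policy decides, no wildcard), modelled as an added Python simulation of IAS-style policy evaluation; this is not code from the thread or from IAS itself. It assumes, as the reply states, that Calling-Station-Id carries the client's MAC address; the policy list, attribute names and sample requests are constructed for the example.

```python
import re

# Hypothetical remote access policies, modelled on how IAS processes them:
# evaluated top to bottom, the first policy whose conditions all match
# decides. One policy per approved device, as the reply says, since the
# Calling-Station-Id condition cannot be wildcarded. (Constructed data.)
POLICIES = [
    {"name": "corp-laptop-01", "conditions": {"Calling-Station-Id": "00-11-22-33-44-55"}, "grant": True},
    {"name": "corp-laptop-02", "conditions": {"Calling-Station-Id": "00-11-22-33-44-66"}, "grant": True},
    {"name": "deny-all-other-devices", "conditions": {}, "grant": False},
]

_MAC_RE = re.compile(r"^[0-9A-F]{2}(?:[-:]?[0-9A-F]{2}){5}$")

def normalize_mac(raw):
    """Canonicalise a MAC address to XX-XX-XX-XX-XX-XX; None if absent/malformed."""
    if raw is None:
        return None
    cleaned = raw.strip().upper()
    if not _MAC_RE.match(cleaned):
        return None
    digits = re.sub(r"[-:]", "", cleaned)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def condition_matches(attr, expected, request):
    """Compare one policy condition against the Access-Request attributes."""
    value = request.get(attr)
    if attr == "Calling-Station-Id":
        # Both sides are normalised so separator/case differences don't cause
        # a spurious reject; a missing or malformed identifier never matches.
        got = normalize_mac(value)
        return got is not None and got == normalize_mac(expected)
    return value is not None and value == expected

def evaluate_request(request, policies=POLICIES):
    """Return (decision, policy_name). No matching policy means Access-Reject,
    which is the IAS default and keeps the behaviour fail-closed."""
    for policy in policies:
        if all(condition_matches(a, v, request) for a, v in policy["conditions"].items()):
            return ("Access-Accept" if policy["grant"] else "Access-Reject", policy["name"])
    return ("Access-Reject", None)

# Constructed sample Access-Requests as attribute dicts.
SAMPLE_REQUESTS = [
    {"User-Name": "dan", "Calling-Station-Id": "00:11:22:33:44:55"},  # approved, different separator
    {"User-Name": "dan", "Calling-Station-Id": "00-11-22-33-44-66",
     "Client-Friendly-Name": "corp-laptop-02"},                       # friendly name present but not relied on
    {"User-Name": "bob", "Calling-Station-Id": "AA-BB-CC-DD-EE-FF"},  # unknown device
    {"User-Name": "eve"},                                             # identifier not sent at all
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["User-Name"], *evaluate_request(req))
```

The optional Client-Friendly-Name is deliberately not a condition, since the reply notes it is often absent; only the identifier drives the decision, and its absence falls through to the deny policy.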
From: Dan DeStefano

I was wondering if there is a way to restrict client VPN connections via
computer name. The reason for this is that we only want clients connecting from
approved devices for which they do not have administrative privileges. In other
words, we do not want people VPNing into our network from their possibly
virus- and spyware-infested home PCs. I know that a clever user could rename
his/her home PC, but this is probably not too likely, and that type of user is
probably likely to be conscious of updated antivirus/spyware software.

I saw a setting in Remote Access Policies called Client Friendly Name (IAS). Is
this the setting I am looking for? If so, do I have to set up an IAS server? If
not, is there another way I can accomplish my goal? I know that WS2k3 R2 has a
quarantine feature, but I am not familiar with it, though it looks like a bit
of a PITA to set up and I am looking for a quick way to fix this problem. We
will probably eventually use the new quarantine feature after our techs have
had a chance to learn and test it a bit. I think another problem with this
feature is for small business networks that have just a single SBS server.

Any help would be greatly appreciated.

Thanks,
Dan DeStefano

If you have received this message in error
please notify the sender, disregard any content and remove it from your
possession.