I want to add two-factor security to some of my published servers, say Citrix Secure Gateway and Lotus Domino webmail. I have looked at some of the solutions out there, but they are rather expensive. So I thought, why not build our own?
What I want to do is restrict access to the published servers through a combination of Windows 2000 domain/username and a one-time password. This one-time password will be generated at the server and sent to the user's mobile phone on request. The mobile phone numbers will be stored in the user profiles. I have the means to generate and send the passwords, but how do I block or open a session against a published server on the ISA server? I could of course block all access to the published server by default, and open the published server for access by the IP address of the user. But this is not an optimal solution, as it would also open the published server to any user behind a NAT network using the same official IP address.
I hope this was not too confusing, and would really appreciate all help.
I get your point, but I'm not sure that it is true in this case. A cheap token like SafeWord for Citrix will set me back $99 per user; even with discounts this would be costly with 500 users. Also, depending on the programming features of ISA server, I don't think that this task is that hard to do. All you need to do is figure out a way to disconnect or allow an incoming session against one of the published servers programmatically. The rest is no problem.
I have decided to go with the SafeWord solution. I have not the time to investigate this further, although I think my idea of using random passtokens sent to the user's mobile phone can be done securely. I think maybe the way to go would be to integrate the Citrix Web Interface/Secure Gateway against a RADIUS server that reads the randomly generated passwords from a database.
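As an added example, not code from this thread or from any of the products named in it: a minimal server-side store for SMS one-time passwords of the kind a RADIUS backend could query. It is an assumed, hypothetical integration point; the SMS sending and the RADIUS plumbing are left out, and the code lifetime and guess limit are constructed values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: in-memory issuance/verification of SMS one-time passwords.
# A RADIUS backend (hypothetical integration) would call verify() with the domain
# username and the code the user typed. Codes are random, expire, are single-use,
# and are discarded after a few wrong guesses, since a 6-digit code is otherwise
# cheap to brute-force.
CODE_LEN = 6
TTL_SECONDS = 120      # constructed: code lifetime after issue
MAX_ATTEMPTS = 3       # constructed: wrong guesses before the code is discarded


class OtpStore:
    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, useful for testing
        self._pending = {}              # username -> (digest, expires_at, attempts)

    def issue(self, username):
        """Generate a fresh code for username, replacing any pending one.

        Returns the code so the caller can send it by SMS; only a SHA-256
        digest is kept, so a read of the store does not expose live codes."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LEN))
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[username] = (digest, self._now() + TTL_SECONDS, 0)
        return code

    def verify(self, username, code):
        """Return True exactly once for a correct, unexpired code; else False."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._now() > expires_at:
            del self._pending[username]         # expired: discard
            return False
        candidate = hashlib.sha256(code.encode()).hexdigest()
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            del self._pending[username]         # single use
            return True
        attempts += 1
        if attempts >= MAX_ATTEMPTS:
            del self._pending[username]         # too many guesses: discard
        else:
            self._pending[username] = (digest, expires_at, attempts)
        return False
```

The RADIUS side would map Access-Request username/password onto verify() and return Access-Accept only when it is True, so the domain password check and the one-time code stay separate factors.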