VPN Best practices
VPN Best practices - 25.Jul.2008 2:54:17 AM
jmcfadyen
Posts: 8
Joined: 21.Mar.2005
From: Sydney
Status: offline
Hi all, I am currently using an ISA 2006 with VPN clients connecting in PPTP mode. My question is in relation to security: reading many of the guides, they seem to suggest a multitude of different practices. For example, some guides suggest using on-subnet addressing, some suggest off-subnet addressing. From one article I read that by using off-subnet addressing you can enforce the requirement for "Use Default Gateway on remote network". From what I understand this option is best to be selected; I also believe (correct me if I am wrong) that using on-subnet addressing allows this option to be deselected, while using off-subnet addresses enforces the requirement for this to be on. As such it would appear to me off-subnet is the way to go.

The next item I want to look at is IPsec on the site-to-site VPNs. Is it best to use Windows IPsec between the two VPN endpoints, or try to create an L2TP/IPsec connection using ISA firewalls? (I have had some issues with this due to the necessity to use routers which implement IPsec passthrough.) Can anyone suggest what kind of routers would be suited to L2TP connections via a standard ADSL connection?
RE: VPN Best practices - 25.Jul.2008 10:17:15 AM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi, if we are talking about ISA 2004/2006, there aren't any issues with off-subnet or on-subnet IP assignment and the "Use Default Gateway on remote network" option. This should stay checked, as a security best practice. You'll do just fine with on-subnet IP addresses; even the same-subnet problem is not a problem anymore (nor did the off-subnet ones fix anything), see: http://blogs.technet.com/yuridiogenes/archive/2008/03/28/routing-issues-accessing-internal-resources-through-vpn.aspx

The recommended way, as per Microsoft docs, is to use L2TP/IPsec for VPN site-to-site connections between two ISAs. Regarding those "routers" (I suppose you refer to some cheap NAT devices), hard to say; you might try some that can be put into bridge mode, so ISA will receive the public IP address on its external interface, thus no NAT device to break NAT-T. Regarding security issues, I would try to get rid of PPTP. Regards, J
< Message edited by justmee -- 25.Jul.2008 10:19:12 AM >
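As an added example (not from either poster), a small audit script that checks a Windows RAS phonebook for the two client-side settings discussed above: whether "Use default gateway on remote network" is on and whether the entry still prefers PPTP. It assumes the rasphone.pbk INI layout where `IpPrioritizeRemote=1` corresponds to that checkbox and `VpnStrategy` values 1/2 prefer PPTP while 3/4 prefer L2TP; the phonebook contents are constructed inline.

```python
"""Audit a Windows RAS phonebook (rasphone.pbk) for split tunnelling and PPTP.

Assumptions about the phonebook format (not taken from the thread):
  IpPrioritizeRemote=1  -> "Use default gateway on remote network" is checked
  VpnStrategy 1 or 2    -> PPTP only / PPTP first
  VpnStrategy 3 or 4    -> L2TP only / L2TP first
"""
import configparser

# Constructed sample phonebook: one compliant entry, one weak entry.
SAMPLE_PBK = """\
[Corp-L2TP]
Type=2
VpnStrategy=3
IpPrioritizeRemote=1

[Corp-PPTP-SplitTunnel]
Type=2
VpnStrategy=1
IpPrioritizeRemote=0
"""

PPTP_STRATEGIES = {1, 2}  # assumed: 1 = PPTP only, 2 = PPTP first


def audit_phonebook(text):
    """Return {entry_name: [finding, ...]} for entries that violate either rule."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str  # keep key names case-sensitive, as in the file
    cp.read_string(text)
    findings = {}
    for name in cp.sections():
        sec = cp[name]
        issues = []
        if sec.get("IpPrioritizeRemote", "0") != "1":
            issues.append("split tunnel: 'Use default gateway on remote network' is off")
        if int(sec.get("VpnStrategy", "0")) in PPTP_STRATEGIES:
            issues.append("tunnel type prefers PPTP; move to L2TP/IPsec")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for entry, issues in audit_phonebook(SAMPLE_PBK).items():
        print(entry)
        for issue in issues:
            print("  -", issue)
```

On a real client, point `audit_phonebook` at the contents of the user's or system `rasphone.pbk` instead of the constructed sample.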