This is a two-part question. We have ISA Server 2006. Our topology is very simple: Internet .. Hardware Firewall .. DMZ .. ISA Server .. Internal Domain / Network
We're running Windows Server 2003 R2 for our Domain Controller. In Active Directory we have a Security Group called "Remote Users" - the purpose of this group was to allow members to both be allowed to VPN, and Remote Desktop to workstations (if they have remote control enabled). We are not using RAS that is built into Windows Server 03.
So in order for me to give someone VPN access, I am supposed to add them to this security group, and in Active Directory, right click their name -> Properties -> Dial In, Allow Remote access (instead of using the RAS policy).
In ISA, under the console, ISAServer -> Virtual Private Networks.. I can click Enable VPN Client Access, this is where I see that Remote Users windows group has been added to the VPN Clients object. There is also a Firewall rule that allows VPN clients to get to the internal network.
Question 1: The above all works fine. Today, I realized I have a VPN user whose Active Directory properties are set to Allow, but he is NOT a part of the Remote Users security group... How is this possible? Is ISA really controlling who is allowed to VPN in at all? This user VPNs in just fine.
Question 2: Is there any way to track which server share files a VPN user is accessing? I can see which websites they go through when querying the logs.. but is there any way to see which files are accessed?
I may have just answered question 1, there are 20 rules above the VPN rule in ISA, one of these rules must be letting that user VPN in even though he is not part of the Remote Users security group. I need to clean my rules up anyways.
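
An audit for the mismatch described in Question 1, as an added example that is not part of the original post: it lists accounts whose Dial-in tab is set to Allow but that are not members of the VPN group. The group DN is a placeholder and the domain is assumed to be the one the workstation is joined to.

```powershell
# Added example. Placeholder DN: replace with the real DN of the "Remote Users" group.
# If the DN contains ( ) * or \ it must be escaped per LDAP filter rules.
$groupDn = 'CN=Remote Users,OU=<your OU>,DC=example,DC=local'

# msNPAllowDialin=TRUE is the attribute written by Dial-in -> "Allow access".
# 1.2.840.113556.1.4.1941 is the matching rule that also follows nested groups.
# If the domain controller rejects it, use (!(memberOf=$groupDn)) instead,
# which checks direct membership only.
$filter = "(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE)" +
          "(!(memberOf:1.2.840.113556.1.4.1941:=$groupDn)))"

$searcher = [adsisearcher]$filter
$searcher.PageSize = 500   # page results so large domains are not truncated
$searcher.PropertiesToLoad.AddRange(
    [string[]]('sAMAccountName', 'distinguishedName', 'userAccountControl'))

$results = $searcher.FindAll()
$report = foreach ($r in $results) {
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    New-Object PSObject -Property @{
        Account  = [string]$r.Properties['samaccountname'][0]
        DN       = [string]$r.Properties['distinguishedname'][0]
        Disabled = [bool]($uac -band 0x2)   # ACCOUNTDISABLE flag
    }
}
$results.Dispose()

# Every row is an account that has dial-in permission without group membership.
# memberOf does not reflect a user's primary group, so an account whose primary
# group is the VPN group would still be listed here.
$report | Sort-Object Account | Format-Table Account, Disabled, DN -AutoSize
```

Each account listed is one to compare against the user sets on the ISA VPN Clients object and on the firewall rules above the VPN rule.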