VPN client authorization

naj -> Vpn client authorization (1.Jul.2008 12:42:11 PM)

Hi,
I have my VPN clients connecting through my ISA server. I am using AD and allowing users through the AD Users and Computers dial-in tab, and I would like to just allow users through my VPN groups in ISA Server. How can I make use of a remote access policy or any other means?
Thank you





elmajdal -> RE: Vpn client authorization (1.Jul.2008 3:23:35 PM)

Hi Naj,

In AD, under the Dial-in tab, don't enable the option Allow access under Remote Access Permission (Dial-in or VPN).

Then in ISA Server, create a group and add this group to your VPN users.

Read this article: http://www.isaserver.org/articles/2004vpnserver.html




naj -> RE: Vpn client authorization (2.Jul.2008 1:53:16 AM)

Hi Tareq,
Sorry, maybe I was not clear, but what I wanted to say is:
how can I make use of a remote access policy on my ISA to override the setting in the AD dial-in tab, hence allow only the selected users in the remote access policy (even if the other users have the dial-in tab enabled, they should not be able to access the VPN)?
As of now, all my users who have the dial-in tab enabled can access my VPN. How can I prevent them?
Thanks




justmee -> RE: Vpn client authorization (2.Jul.2008 4:32:59 AM)

Hi Naj,
On ISA, in the Configure VPN Client Access/Groups tab, you can add a domain global group which is permitted to dial in (doing so, you modify ISA's default remote access policy on RAS).
However, you need your users to have their dial-in permission set to Control access through Remote Access Policy. So you can use group-based allowed access for dial-in.
The setting per user account overrides the permissions set on the remote access policy. If individual access permissions are specified in the user's profile (such as allow or deny), they will "nullify" the remote access policy.
Regards,
J




naj -> RE: Vpn client authorization (3.Jul.2008 5:11:43 AM)

Hi J,
If I have users dialing in using modems to the RAS (not VPN) and have VPN users:
I set my modem dial-in users in AD (dial-in tab) to allow dial-in, and VPN users through the remote access policy. I found out that my dial-in users can also access my VPN. Is there any way out of this, please?

Thanks




justmee -> RE: Vpn client authorization (3.Jul.2008 10:10:32 AM)

Hi Naj,
Why don't you set your users' Dial-in permissions to Control access through Remote Access Policy?
Configure a remote access policy for your dial-up users. On ISA you will have one for your VPN users.
As far as I know, if your users' permissions are set to Allow, there is nothing you can do with the remote access policy to block them.
This script may help you find out what users still have the permissions set to Allow:
Hey, Scripting Guy! How Can I Find All the Users with Remote Access Permissions?
http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug05/hey0825.mspx
Regards,
J
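
An added example, not part of any post in this thread and not the script linked above: an audit of the per-account dial-in setting discussed here, using the ActiveDirectory PowerShell module. It lists accounts whose explicit Allow or Deny takes precedence over the group-based remote access policy. The group name 'VPN Users' is a hypothetical placeholder for the group added in ISA's Configure VPN Client Access/Groups tab.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to AD.
Import-Module ActiveDirectory

# Assumption: placeholder name; replace with the group configured on ISA.
$vpnGroup = 'VPN Users'

# Collect the DNs of all user members of the VPN group, including nested groups.
$vpnMembers = @{}
Get-ADGroupMember -Identity $vpnGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $vpnMembers[$_.distinguishedName] = $true }

# msNPAllowDialin stores the Dial-in tab choice:
#   TRUE    = Allow access
#   FALSE   = Deny access
#   not set = Control access through Remote Access Policy
# The filter returns only accounts with an explicit Allow or Deny.
$report = Get-ADUser -LDAPFilter '(msNPAllowDialin=*)' -Properties msNPAllowDialin |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            DialIn         = if ($_.msNPAllowDialin) { 'Allow' } else { 'Deny' }
            InVpnGroup     = $vpnMembers.ContainsKey($_.DistinguishedName)
        }
    }

# Explicit Allow outside the VPN group: the account setting, not the
# group-based policy, is what grants these users access.
'Explicit Allow, not in VPN group:'
$report | Where-Object { $_.DialIn -eq 'Allow' -and -not $_.InVpnGroup } |
    Sort-Object SamAccountName | Format-Table -AutoSize

# Explicit Deny inside the VPN group: group membership will not let these in.
'Explicit Deny, in VPN group:'
$report | Where-Object { $_.DialIn -eq 'Deny' -and $_.InVpnGroup } |
    Sort-Object SamAccountName | Format-Table -AutoSize

# Explicit Allow inside the group: still worth resetting so that removing the
# user from the group later actually revokes access.
'Explicit Allow, in VPN group:'
$report | Where-Object { $_.DialIn -eq 'Allow' -and $_.InVpnGroup } |
    Sort-Object SamAccountName | Format-Table -AutoSize
```

Accounts that appear in none of the three lists have no explicit setting and are governed by the remote access policy alone.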




elmajdal -> RE: Vpn client authorization (3.Jul.2008 10:19:09 AM)

And even if your users dial in to ISA Server, they will need to have rules configured on ISA Server in order to be able to communicate with any resource on your network.




justmee -> RE: Vpn client authorization (3.Jul.2008 11:52:17 AM)

Hi Tarek,
Yep, ISA is not the "ordinary" VPN server.
And if only L2TP/IPsec is used as the VPN protocol, with certificates for IKE authentication, only machines that have installed a certificate that can be used for IKE authentication will be able to successfully complete IKE negotiations and reach the PPP authentication phase.
Regards,
J



