I am in the process of configuring an ISA 2006 L2TP/IPSec VPN to allow remote access for approximately 60 laptops.
What is an effective way to manage the 60 machine certificates using a W2K3 STD CA? When I request and install a certificate for a laptop I am logged in as an Administrator and the resulting certificate is called "Administrator". In the 'CA MMC Issued Certificates' there is no easy way to distinguish which certificate belongs to which laptop. I would like to be able to easily revoke a certificate in the event that a laptop is stolen.
I currently plan on using MSCHAPV2 for authentication but am also considering EAP-TLS, but that requires managing another 60 certificates. Would both scenarios be considered 2 Factor Authentication?
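As an added example (not part of the question or any answer here), the usual cause of the "Administrator" certificate is that the request was made for the logged-on user rather than for the computer. The script below requests the certificate into the machine store with `MachineKeySet=TRUE`, so the issued certificate's subject is the laptop's own FQDN and the CA's Issued Certificates view can be searched by `CommonName`; it then shows the `certutil` steps to find and revoke a stolen laptop's certificate by serial number and publish a new CRL. The CA config string `CA01.example.com\Example Issuing CA`, the hostname `laptop17.example.com` and the use of the stock Computer template (internal name `Machine`) are assumptions for illustration.

```powershell
# Added example, not from the original thread. Run sections 1-2 on the laptop
# from an elevated prompt; sections 3-4 run on the CA (or any box that can
# reach it with -config). Values below are hypothetical placeholders.
$CaConfig = "CA01.example.com\Example Issuing CA"   # assumed CA config string
$Template = "Machine"                                 # internal name of the "Computer" template
$Fqdn     = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName.ToLower()
$WorkDir  = Join-Path $env:TEMP "machinecert"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# --- 1. certreq .inf: MachineKeySet=TRUE puts the key pair in the computer
#        store, so the Subject is the laptop name regardless of who is logged on.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
MachineKeySet = TRUE
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@
$infPath = Join-Path $WorkDir "$Fqdn.inf"
$reqPath = Join-Path $WorkDir "$Fqdn.req"
$cerPath = Join-Path $WorkDir "$Fqdn.cer"
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# --- 2. Generate the key and CSR, submit to the CA, install the issued
#        certificate into LocalMachine\My where L2TP/IPsec looks for it.
certreq -new $infPath $reqPath
certreq -submit -config $CaConfig $reqPath $cerPath
certreq -accept $cerPath

# --- 3. On the CA: list issued certificates (Disposition 20) showing the
#        subject CommonName next to the requester, so each row maps to a laptop.
certutil -config $CaConfig -view -restrict "Disposition=20" `
    -out "RequestID,CommonName,RequesterName,SerialNumber,NotAfter"

# --- 4. Stolen laptop: find its serial by CommonName, revoke it with reason
#        code 1 (KeyCompromise) and publish a fresh CRL so the VPN gateway
#        stops accepting it. Uncomment the last two lines with the real serial.
$stolen = "laptop17.example.com"                      # assumed hostname
certutil -config $CaConfig -view -restrict "CommonName=$stolen" `
    -out "RequestID,SerialNumber,NotAfter,Disposition"
# certutil -config $CaConfig -revoke <SerialNumberFromAbove> 1
# certutil -config $CaConfig -crl
```

The gateway only honours the revocation once it fetches the new CRL, so check the CRL publication interval and the CDP URL reachable from the ISA server when you plan how fast a stolen laptop needs to be cut off.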
VPN on ISA is very poor. IPSec is obsolete if you ask me, in most cases. Have a look at Microsoft IAG/UAG Server.
Interesting, Microsoft's latest remote access technology DirectAccess is primarily based on IPsec as it forms part of the IPv6 framework. It includes a fallback to SSL, yes, but this is secondary.
Looking at UAG (or even TMG with SSTP) is a good suggestion, but I'm not sure IPsec is obsolete just yet.
It is in the sense that most of the time employees should not need remote access to files. This is just a security concept, where people should be able to do most of their daily tasks using web-based applications, with no need to carry files over on laptops, etc.
That's why IAG is so right and IPSEC is not enabled by default. Everybody should have one.
As an admin, I find SSTP to be a perfect solution.
But for users, traditional VPN solutions aren't that good -- yes, we can create rules that limit VPN users to what they need, but that does get complicated, and for much of the content, we don't have very good application-layer inspection with ISA/TMG.
However, with IAG/UAG, we can promote least privilege and have two-factor authentication *and* DirectAccess. Now you might say -- DA isn't a least-privilege solution, and that's true. But then, with traditional VPNs we wanted to deliver a beat-down with least privilege because the hosts were typically unmanaged and untrusted, even if we tried to use something like VPN quarantine.
With DA, the hosts are completely managed hosts, just like those on the corpnet. So, it's like extending the corpnet to the Internet. I used to think the threat profile of an external user was greater, even if well managed, because that host has left the private network -- but the fact is that almost everyone is using laptops that they use at work and at home and on the road -- so that old division in threat profiles doesn't seem to be valid anymore.