Force 128-bit MPPE Encryption?

Force 128-bit MPPE Encryption? - 15.Dec.2004 5:03:00 AM   
Jack in the Box

 

Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline
This question came up on another forum and it piqued my interest.

The default remote access policy created by ISA for incoming VPN connections in RRAS creates a profile that has 40-bit, 56-bit and 128-bit encryption enabled. Is there any way to force ISA's policy (which doesn't appear to be modifiable within RRAS without the changes being reverted back to the default by ISA) to only accept 128-bit MPPE encryption for PPTP connections?
Post #: 1
RE: Force 128-bit MPPE Encryption? - 15.Dec.2004 2:45:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jack,

The ISA firewall's default policy will always revert, but you can change the order of policy evaluation and have your own custom RRAS policy evaluated before the ISA policy.

HTH,
Tom

(in reply to Jack in the Box)
Post #: 2
RE: Force 128-bit MPPE Encryption? - 15.Dec.2004 3:45:00 PM   
Jack in the Box

 

Hi Tom,

I tried exactly that, creating my own policy with the settings I wanted, and moving it above the default ISA policy that was created so it is first, and it does work. But as soon as the server is restarted, or the services are restarted, or a change to the VPN settings via ISA Management is made and applied, it always moves the default ISA policy back to #1, above any custom-made policy, allowing 40-bit and 56-bit PPTP connections again.

[ December 15, 2004, 03:46 PM: Message edited by: Jack in the Box ]

(in reply to Jack in the Box)
Post #: 3
RE: Force 128-bit MPPE Encryption? - 15.Dec.2004 8:05:00 PM   
tshinder

 

Hi Jack,

I'll check it out on another box, but when I restarted the RRAS service within the ISA firewall console, the order of the Remote Access Policies didn't change.

HTH,
Tom

(in reply to Jack in the Box)
Post #: 4
RE: Force 128-bit MPPE Encryption? - 16.Dec.2004 5:04:00 AM   
Jack in the Box

 

Hi Tom.

You're right, restarting the remote access service has no effect on the policy order. But if you restart the firewall service, or modify your VPN properties within ISA Management and apply them, or reboot the server, it resets the policy order and places the ISA Default first and along with it re-enables 40-bit and 56-bit VPN support.

Chris

(in reply to Jack in the Box)
Post #: 5
RE: Force 128-bit MPPE Encryption? - 17.Dec.2004 1:38:00 PM   
tshinder

 

Hi Jack,

How about using RADIUS policy instead? That won't change the order, or even include an ISA management remote access policy.

HTH,
Tom

(in reply to Jack in the Box)
Post #: 6
RE: Force 128-bit MPPE Encryption? - 19.Dec.2004 8:16:00 PM   
Jack in the Box

 

Thanks Tom.

Using RADIUS authentication worked and allowed for a policy to be created that only supports 128-bit encryption.

It's a shame ISA doesn't let you modify the RRAS policy to make these types of changes though.

(in reply to Jack in the Box)
Post #: 7
RE: Force 128-bit MPPE Encryption? - 20.Dec.2004 12:50:00 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
I'm asking around to see if there is some way to work with this behavior.

(in reply to Jack in the Box)
Post #: 8
