Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline
This question came up on another forum and it piqued my interest.
The default remote access policy created by ISA for incoming VPN connections in RRAS creates a profile that has 40-bit, 56-bit and 128-bit encryption enabled. Is there any way to force ISA's policy (which doesn't appear to be modifiable within RRAS without the changes being reverted back to the default by ISA) to only accept 128-bit MPPE encryption for PPTP connections?
The ISA firewall's default policy will always revert, but you can change the order of policy evaluation and have your own custom RRAS policy evaluated before the ISA policy.
Hi Tom,
I tried exactly that, creating my own policy with the settings I wanted and moving it above the default ISA policy that was created so it is first, and it does work. But as soon as the server is restarted, or the services are restarted, or a change to the VPN settings via ISA Management is done and applied, it always moves the default ISA policy back to #1, above any custom-made policy, allowing 40-bit and 56-bit PPTP connections again.
[ December 15, 2004, 03:46 PM: Message edited by: Jack in the Box ]
I'll check it out on another box, but when I restarted the RRAS service within the ISA firewall console, the order of the Remote Access Policies didn't change.
Hi Tom.
You're right, restarting the remote access service has no effect on the policy order. But if you restart the firewall service, or modify your VPN properties within ISA Management and apply them, or reboot the server, it resets the policy order and places the ISA Default first, and along with it re-enables 40-bit and 56-bit VPN support.