Travis,

Currently, the only solution that is available from Microsoft is a nascent and very hard to implement technology that is focused on Remote Access and VPN for your users and clients from home and in the field. ISA Server 2004 bolsters that further, but is still not the complete package that we're looking for. But, make no mistake - there are solutions available for Remote Access today - but not as complete as what you want.
To get to where we really want to be will/is requiring a heavy dose of re-write in specific functionality of key infrastructure pieces - namely, IAS (RADIUS) and DHCP. These pieces were deemed too critical to do a rewrite in the timeframe that might have made them available in the Windows Server 2003 Refresh build - commonly referred to as 'R2'.

The Network Access Protection (NAP) technology was pushed back to the Longhorn release and will be available then. However, the upside to this (and IMHO, the real reason that it was pushed back) is the joining of forces with Cisco to provide an even higher level of functionality IF one has Longhorn/Windows Server 2007 (or whatever the bloody hell it will be called) and Cisco NAC.

What you will get (at least as it is commonly and publicly available now) is the ability to toss new connections into a 'quarantined' area, check them against a known set of requirements (think policies) for up-to-dateness on patches, virus scanning, what have you, and then allow them to connect to the internal network. This would happen each time this system would leave your 'trusted' network and come back to attach to that trusted network again.

-rtk

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, December 24, 2004 9:39 AM
To: [email protected]
Subject: RE: [ActiveDir] OT Network Quarentine Products

I have looked at 2003 but at this point the product seems to be focused on remote access. I would need a RRAS server, etc. I could do that and it may be the easiest solution but I am looking. If I am missing something let me know. I agree we will probably want to do more checks once we have the basic check in place.

Thanks!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, December 23, 2004 8:59 AM
To: [email protected]
Subject: RE: [ActiveDir] OT Network Quarentine Products

Have you looked at what Windows 2003 Server can offer in this scenario? I mean, since you're already Active Directory and all. I think you'll likely want to take a look at checking for the updated pieces as well, but only after you've implemented. Don't discount that portion when looking as it's a natural follow-on later IMHO.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 22, 2004 10:32 PM
To: [email protected]
Subject: [ActiveDir] OT Network Quarentine Products

We are looking at network quarantine products and I was wondering what others are doing. We can't do Cisco's NAC since all our switches are not Cisco. We are looking at a product from StillSecure called Safe Access. Has anyone else looked at this product? Can anyone recommend a particular product? Some of our requirements are as follows:

* The focus is on internal machines, not remote access. People coming into conference rooms, people bringing in personal machines, etc.
* I am not as focused on if someone doesn't have the latest patch or AV definition as much as I want to keep machines that aren't part of our domain in an Internet-only VLAN. These machines could come online anywhere so I can't just separate the conference rooms.
* We need a way to allow a person access to the LAN if they need it but not initially.

I have thought about IPSEC authentication on the servers but that could be messy to implement. I am also looking into 802.1x machine authentication via Active Directory but I am not sure how easy it would be to grant visitors access when they need it. Ideas?

Thanks and Happy Holidays!

Travis Abrams
Systems Engineer
Holland & Knight LLP

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
