Thank you for your response.

I thought the Calling-Station-Id was used for phone numbers (that is what the description says anyway). But you are saying that MAC addresses can be used here as well?

 

Other than the above, what would the advantages of deploying IAS be? This is a small network with 100 or so users and only a handful of them have VPN access (right now being controlled in the user account properties). For this reason I am not sure I can also justify the costs of implementing ISA especially with a current firewall solution in place. Plus, we have no ISA experts in our organization or anyone who has even administered ISA before. Maybe this will change with the new ISA 2006, but most ISA solutions right now are enterprise-class and on the expensive side (for most small businesses). I heard that ISA 2006 is supposed to have a “light” version of some sort, but that being said, I am not sure if it would be as fully-featured and support what you are suggesting (though I know little of it other than the fact that it exists).

 

Thanks for the advice about ws2k3 quarantine, I guess we won’t waste our time with it. I have read about Longhorn NAP and it looks great. But it also looks a bit complex, requiring a bit more infrastructure than most small businesses need or can afford.

 

Have you ever tried restricting VPN access by MAC address?

 

 

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, November 14, 2006 1:45 AM
To: [email protected]
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name

 

Call-Station-Identifier is a much more stable and reliable filter - it is the Client's MAC address. "Client Friendly Name" is optional and may not be sent in many VPN negotiations. The identifier will very likely be sent (I don't want to say ALWAYS since I don't have any relevant doc that says that, but I am yet to see a negotiation that does not include the identifier). Unfortunately, in order to use the identifier as a filter, you will have to create a policy for each device. I don't see how you can wildcard it. So, depending on how many clients you are talking here, well....

 

Yes, if I were you, I'd bring in RADIUS. Better, I'd bring in something like ISA 2006. With ISA, you should be able to create a Computer Set that includes the names or IPs of the Clients in question, and you can use that to filter your inbound VPN connection requests. I don't have such a configuration, but it makes sense in my head.

 

Also, if you haven't started messing with that 2K3 quarantine thingamabob yet, thank your stars. You don't want to. Not now the NAP in Longhorn is so close at hand. I'd recommend that you encourage your techs to concentrate on learning NAP instead. I just took a quick look around in NAP, and I can see where what you are trying to do here can be easily accomplished.

 

Hope I haven't thoroughly confused you yet.

 


Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
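As an added example (not from the thread), a Python sketch of the exact-match check an IAS remote access policy condition on Calling-Station-Id performs: it pulls RADIUS attribute 31 out of an Access-Request and compares it against a per-device allowlist. The packet and the allowlist are constructed here; note that what the attribute carries depends on the access server (for RRAS VPN clients it is usually the caller's IP address rather than a MAC), but the string comparison is the same either way.

```python
# Added example: per-device Calling-Station-Id match on a RADIUS Access-Request.
# Packet layout per RFC 2865; the sample packet and allowlist are constructed.
import struct
from typing import Iterable, List, Tuple

ACCESS_REQUEST = 1
USER_NAME = 1                # RADIUS attribute 1
CALLING_STATION_ID = 31      # RADIUS attribute 31
HEADER_LEN = 20              # code, id, length, 16-byte authenticator

def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the type/length/value attribute list that follows the 20-byte header."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def normalize_station_id(value: str) -> str:
    """IAS compares the attribute as a string, so strip separators and case
    before comparing (00-11-22-AA-BB-CC and 00:11:22:aa:bb:cc should match)."""
    return value.upper().replace("-", "").replace(":", "")

def calling_station_allowed(packet: bytes, allowlist: Iterable[str]) -> bool:
    """True only if the request carries a Calling-Station-Id exactly matching one
    allowlist entry; a request without the attribute is rejected, not passed."""
    allowed = {normalize_station_id(a) for a in allowlist}
    ids = [v.decode("ascii", "replace") for t, v in parse_attributes(packet)
           if t == CALLING_STATION_ID]
    return any(normalize_station_id(i) in allowed for i in ids)

def build_access_request(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Constructed sample packet; the 16-byte Request Authenticator is zeroed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, 7, HEADER_LEN + len(body))
    return header + bytes(16) + body

# Constructed allowlist: one entry per approved device, as one policy per device.
APPROVED_DEVICES = ["00-11-22-AA-BB-CC"]
```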

 


From: Dan DeStefano
Sent: Mon 11/13/2006 9:54 PM
To: [email protected]
Subject: [ActiveDir] Restrict VPN Access By Computer Name

I was wondering if there is a way to restrict client VPN connections via computer name. The reason for this is that we only want clients connecting from approved devices for which they do not have administrative privileges. In other words, we do not want people VPNing into our network from their possibly virus and spyware-infested home PCs. I know that a clever user could rename his/her home PC, but this is probably not too likely and that type of user is probably likely to be conscious of updated antivirus/spyware software.

 

I saw a setting in Remote Access Policies called Client Friendly Name (IAS). Is this the setting I am looking for? If so, do I have to set up an IAS server? If not, is there another way I can accomplish my goal? I know that WS2k3 R2 has a quarantine feature, but I am not familiar with it, though it looks like a bit of a PITA to set up and I am looking for a quick way to fix this problem. We will probably eventually use the new quarantine feature after our techs have had a chance to learn and test it a bit. I think another problem with this feature is for small business networks that have just a single SBS server.

 

Any help would be greatly appreciated.

 

 

Thanks,

 

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
