All "appliances" are expensive, IMO. Not just the monetary part, but also their up-keep. I resell a product that gets grossly marked up in appliance form, and is not as regularly updated as the non-applianced version. But people are willing to pay the additional (unnecessary) cost, just because it is applianced, and they don't like "software solutions". Go figure.
Sincerely,
_____
(, / | /) /) /)
/---| (/_ ______ ___// _ // _
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wed 11/15/2006 8:43 AM
To: [email protected]
Subject: Re: [ActiveDir] Restrict VPN Access By Computer Name
"Expensive" ISA appliances... let's qualify that....

Akomolafe, Deji wrote:
> Yes, you will need a CA for EAP. Ideally, you'd do a machine cert,
> because machines are what you want to filter.
> Are you providing hosted services to your clients, or what?
> Yes, there are ISA appliances. There have been since 2004.
>
> Sincerely,
> Microsoft MVP - Directory Services
> www.akomolafe.com - we know IT
>
> ------------------------------------------------------------------------
> *From:* Dan DeStefano
> *Sent:* Wed 11/15/2006 5:09 AM
> *To:* [email protected]
> *Subject:* RE: [ActiveDir] Restrict VPN Access By Computer Name
>
> Cool, I will test that out, thanks.
>
> I am not too familiar with using or configuring EAP – would this
> solution require installing a CA on the network? Furthermore, would
> these certificates be assigned to the machine, not the user?
>
> No, I understand the difference between IAS and ISA. I just mentioned
> ISA because you said that it might be a good idea to use it. For most
> of our clients, a $1500 firewall solution is overkill. We are pretty
> much standardized on the Netgear FVL328, which costs under $300,
> provides 100 VPN tunnels for branch offices and is compact enough to
> fit in most of our clients’ wiring closets (the term “closet” being
> the operative word as most of our clients do not have or need a server
> room). I would prefer a firewall appliance to one installed on a
> server and most ISA appliances are on the expensive side and are
> designed for rack-mounting.
>
> I can’t remember where, but I vaguely remember reading that Microsoft
> would be offering a light version of ISA2006 that can be used as an
> embedded solution for small business networks such as those that I
> manage. It will compete with Netgear, Linksys, Firebox, etc. Maybe I
> am mistaken, but I will try to find out.
>
> I will take your advice and wait for LH server instead of messing with
> WS2k3 quarantine. I appreciate the recommendation.
>
> Dan DeStefano
> Info-lution Corporation
> [EMAIL PROTECTED]
> http://www.info-lution.com
> Office: 727 546-9143
> FAX: 727 541-5888
>
> ------------------------------------------------------------------------
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Akomolafe, Deji
> *Sent:* Tuesday, November 14, 2006 12:32 PM
> *To:* [email protected]
> *Subject:* RE: [ActiveDir] Restrict VPN Access By Computer Name
>
> You are right, Calling-Station-Identifier (in some cases) maps to the
> telephone number. In 802.1x scenario, though, it's usually the MAC,
> but I have also seen it map to the client's IP address. I attribute
> this to some vendors not reading the RFC or just opting to do it their
> way. In our situation, MS maps it to MAC.
>
> I re-read your original message and I have another thought. Since
> these are computers under your control, why not issue them
> certificates and use EAP as your authentication filter?
>
> Hope we are not mixing acronyms here, re: IAS vs. ISA.
>
> IAS is the RADIUS server. Free with the OS.
>
> ISA is the proxy/caching/firewall solution. $1,500.00 for Standard
> edition, comes in a black box version, too. For what it does, ISA is
> one of the cheapest solutions of its type in the market. I am not aware
> of the "light" version you mentioned.
>
> If you think NAP is complex, try your hands on 2K3 qtine. Also, you
> can combine all the NAP roles on one server, you do not have to
> separate them.
> The only strict requirement is that it be installed on
> a LH server.
>
>
> Sincerely,
> Microsoft MVP - Directory Services
> www.akomolafe.com - we know IT
>
> ------------------------------------------------------------------------
>
> *From:* Dan DeStefano
> *Sent:* Tue 11/14/2006 5:28 AM
> *To:* [email protected]
> *Subject:* RE: [ActiveDir] Restrict VPN Access By Computer Name
>
> Thank you for your response.
>
> I thought the Calling-Station-Id was used for phone numbers (that is
> what the description says anyway). But you are saying that MAC
> addresses can be used here as well?
>
> Other than the above, what would the advantages of deploying IAS be?
> This is a small network with 100 or so users and only a handful of
> them have VPN access (right now being controlled in the user account
> properties). For this reason I am not sure I can also justify the
> costs of implementing ISA especially with a current firewall solution
> in place. Plus, we have no ISA experts in our organization or anyone
> who has even administered ISA before. Maybe this will change with the
> new ISA 2006, but most ISA solutions right now are enterprise-class
> and on the expensive side (for most small businesses). I heard that
> ISA 2006 is supposed to have a “light” version of some sort, but that
> being said, I am not sure if it would be as fully-featured and support
> what you are suggesting (though I know little of it other than the
> fact that it exists).
>
> Thanks for the advice about ws2k3 quarantine, I guess we won’t waste
> our time with it. I have read about Longhorn NAP and it looks great.
> But it also looks a bit complex, requiring a bit more infrastructure
> than most small businesses need or can afford.
>
> Have you ever tried restricting VPN access by MAC address?
>
> Dan DeStefano
> Info-lution Corporation
> [EMAIL PROTECTED]
> http://www.info-lution.com
> Office: 727 546-9143
> FAX: 727 541-5888
>
> ------------------------------------------------------------------------
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Akomolafe, Deji
> *Sent:* Tuesday, November 14, 2006 1:45 AM
> *To:* [email protected]
> *Subject:* RE: [ActiveDir] Restrict VPN Access By Computer Name
>
> Calling-Station-Identifier is a much more stable and reliable filter - it
> is the Client's MAC address. "Client Friendly Name" is optional and
> may not be sent in many VPN negotiations. The identifier will very
> likely be sent (I don't want to say ALWAYS since I don't have any
> relevant doc that says that, but I am yet to see a negotiation that
> does not include the identifier). Unfortunately, in order to use the
> identifier as a filter, you will have to create a policy for each
> device. I don't see how you can wildcard it. So, depending on how many
> clients you are talking here, well....
>
> Yes, if I were you, I'd bring in RADIUS. Better, I'd bring in
> something like ISA 2006. With ISA, you should be able to create a
> Computer Set that includes the names or IPs of the Clients in
> question, and you can use that to filter your inbound VPN connection
> requests. I don't have such a configuration, but it makes sense in my head.
>
> Also, if you haven't started messing with that 2K3 quarantine
> thingamabob yet, thank your stars. You don't want to. Not now the NAP
> in Longhorn is so close at hand. I'd recommend that you encourage your
> techs to concentrate on learning NAP instead.
> I just took a quick look
> around in NAP, and I can see where what you are trying to do here can
> be easily accomplished.
>
> Hope I haven't thoroughly confused you yet.
>
>
> Sincerely,
> Microsoft MVP - Directory Services
> www.akomolafe.com - we know IT
>
> ------------------------------------------------------------------------
>
> *From:* Dan DeStefano
> *Sent:* Mon 11/13/2006 9:54 PM
> *To:* [email protected]
> *Subject:* [ActiveDir] Restrict VPN Access By Computer Name
>
> I was wondering if there is a way to restrict client VPN connections
> via computer name. The reason for this is that we only want clients
> connecting from approved devices for which they do not have
> administrative privileges. In other words, we do not want people
> VPNing into our network from their possibly virus and spyware-infested
> home PCs. I know that a clever user could rename his/her home PC, but
> this is probably not too likely and that type of user is probably
> likely to be conscious of updated antivirus/spyware software.
>
> I saw a setting in Remote Access Policies called Client Friendly Name
> (IAS). Is this the setting I am looking for? If so, do I have to set
> up an IAS server? If not, is there another way I can accomplish my
> goal? I know that WS2k3 R2 has a quarantine feature, but I am not
> familiar with it, though it looks like a bit of a PITA to set up and I
> am looking for a quick way to fix this problem. We will probably
> eventually use the new quarantine feature after our techs have had a
> chance to learn and test it a bit. I think another problem with this
> feature is for small business networks that have just a single SBS server.
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Dan DeStefano
> **Info-lution Corporation**
> [EMAIL PROTECTED]
> http://www.info-lution.com
> Office: 727 546-9143
> FAX: 727 541-5888
>
> If you have received this message in error please notify the sender,
> disregard any content and remove it from your possession.

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/[email protected]/
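The thread notes that Calling-Station-Id may carry a MAC, a phone number or an IP address depending on the vendor, may be missing entirely, and cannot be wildcarded, so an IAS-style filter needs one entry per device. As an added example (not code from anyone on the thread), this Python evaluator shows what such a per-device allow-list check has to cope with: it classifies the value, normalizes the common MAC notations, rejects absent or non-MAC values, and matches against a constructed allow-list; the attribute dict and the approved MACs are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed allow-list of approved devices, keyed by normalized MAC
# (lowercase, separators removed). Each entry stands in for one per-device
# IAS remote access policy: there is no wildcard, every device is listed.
APPROVED_MACS = {"001122334455", "aabbccddeeff"}

_MAC_FORMS = re.compile(
    r"^(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}$"   # 00-11-22-33-44-55 / 00:11:22:33:44:55
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"    # 0011.2233.4455 (Cisco notation)
    r"|^[0-9a-f]{12}$"                       # 001122334455
)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_PHONE = re.compile(r"^\+?[0-9 ()-]{6,}$")


def classify_calling_station_id(value: str) -> str:
    """Guess what a vendor put in Calling-Station-Id: 'mac', 'ip', 'phone' or 'unknown'.
    A 12-digit all-numeric phone number cannot be told apart from a bare MAC here."""
    v = value.strip().lower()
    if _MAC_FORMS.match(v):
        return "mac"
    if _IPV4.match(v):
        return "ip"
    if _PHONE.match(v):
        return "phone"
    return "unknown"


def normalize_mac(value: str) -> Optional[str]:
    """Collapse the MAC notations above to 12 lowercase hex digits; None if not a MAC."""
    if classify_calling_station_id(value) != "mac":
        return None
    return re.sub(r"[-:.]", "", value.strip().lower())


def evaluate_access_request(attrs: dict, approved: set = APPROVED_MACS) -> Tuple[str, str]:
    """Accept or reject a RADIUS Access-Request on Calling-Station-Id alone.
    `attrs` is a constructed attribute-name -> value dict (a real packet would be
    decoded first). The MAC is asserted by the client, so this only identifies
    devices that report it honestly; an EAP machine certificate, as recommended
    in the thread, binds device identity cryptographically and is the stronger control."""
    csid = attrs.get("Calling-Station-Id")
    if csid is None:
        return ("Reject", "Calling-Station-Id absent from request")
    kind = classify_calling_station_id(csid)
    if kind != "mac":
        return ("Reject", f"Calling-Station-Id is {kind}, not a MAC")
    mac = normalize_mac(csid)
    if mac in approved:
        return ("Accept", f"device {mac} is on the approved list")
    return ("Reject", f"device {mac} is not on the approved list")
```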
