>>In a win2k world I assume that client hardening means patched to the eyeballs, NTFS + securewksta GPO template, no unnecessary users and no services listening on non-VPN interfaces...?

Exactly, plus the threat of beheading or similar excuse for not keeping it that way.

>>I'm new to this VPN lark.. what's EAP/LEAP?

LEAP is the on-air rekeying and authentication protocol that Cisco is currently hyping. Uses a RADIUS server, I believe, to token-authenticate the session. In that way each wireless NIC gets its own on-air WEP key essentially, and the access point (AP) knows how to understand each one. They don't have any stats yet on how many stations per AP are possible, but it's a step in the right direction, though I wouldn't rely on it entirely and would still use a VPN for encryption. It also ties you to their infrastructure (i.e. only their cards and APs support it). But they do claim to deliver QoS over that hardware as well.

>>I am thinking of going down this route. Anyone tried running 100 w2kpro workstations through a (hardened) w2k server using VPN? I was hoping to be able to use the VPN server to also allow internet-based clients (i.e. people accessing from home via their local ISP). Would this be a bad idea?

All depends on the VPN server technology you are using. MS PPTP dies at about 30 stations performance-wise. Checkpoint SecureClient does quite a bit better. Ours goes to about 75 stations before either our ISP link or the server slows things down. Hardware VPNs are a bit better and usually result in fewer issues, but you are usually more limited in terms of client support. Just make sure the VPN box is behind the firewall regardless of what you do.

Cheers
Michel
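Added example, not from Michel's post or anyone else in the thread: a small check for the "no services listening on non-VPN interfaces" point in the hardening list above. It parses Windows-style `netstat -an` output and flags every listening socket that is bound to the wildcard address or to an interface other than the VPN one. The netstat text, the VPN address 10.8.0.5 and the LAN address 192.168.1.20 are all constructed for the demo and are assumptions, not data from the thread.

```python
"""Flag listening sockets reachable on non-VPN interfaces.

Added example (not from the original post). Assumes the Windows
`netstat -an` column layout: Proto, Local Address, Foreign Address,
and a State column that only TCP rows carry.
"""
from dataclasses import dataclass

# Constructed sample of `netstat -an` output from a hardened client.
# 10.8.0.5 is the (assumed) VPN tunnel address, 192.168.1.20 the LAN NIC.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.8.0.5:3389          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1044      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:161            *:*
  UDP    10.8.0.5:500           *:*
"""

WILDCARD = "0.0.0.0"
LOOPBACK = "127.0.0.1"


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


def parse_listeners(netstat_text):
    """Return every bound socket: TCP rows in LISTENING state, all UDP rows."""
    listeners = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something we do not parse
        proto, local = parts[0], parts[1]
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue  # established/closing TCP sockets are not listeners
        addr, _, port = local.rpartition(":")
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def exposed_listeners(listeners, vpn_addrs):
    """Return (listener, reason) for sockets reachable off the VPN.

    A socket is fine if it is bound to a VPN address or to loopback.
    Binding to 0.0.0.0 answers on every interface, including the LAN or
    wireless NIC, so it is flagged even if the VPN is one of them.
    """
    findings = []
    for l in listeners:
        if l.addr == WILDCARD:
            findings.append((l, "bound to all interfaces"))
        elif l.addr in vpn_addrs or l.addr == LOOPBACK:
            continue
        else:
            findings.append((l, "bound to non-VPN interface %s" % l.addr))
    return findings


def report(netstat_text, vpn_addrs):
    """Convenience wrapper: one human-readable line per finding."""
    found = exposed_listeners(parse_listeners(netstat_text), vpn_addrs)
    return ["%s %s:%d  %s" % (l.proto, l.addr, l.port, why) for l, why in found]


if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT, {"10.8.0.5"}):
        print(line)
```

On the constructed sample this flags the RPC endpoint mapper (135), SMB (445 and 139) and SNMP (161), while RDP (3389) and IKE (500) pass because they are bound only to the tunnel address. Run it against real `netstat -an` output and the set of addresses your VPN client actually assigns; anything it prints is a service the rest of the network can reach without going through the VPN.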