We currently use an old Cisco VPN device for our remote users and are now looking into a new VPN solution to support two-factor authentication for compliance. Since we're a complete Microsoft shop we decided to test RRAS with L2TP and leverage our existing Cert infrastructure. The certificate issued to the remote machine will be what they have and the domain credentials will be what they know.
So far our initial testing has proved very positive, but now we're looking at a few unknowns that I am hoping someone can shed some light on.
Here are some of the issues:
- One of our requirements is split tunnelling must be disabled. While we were able to force the use of the remote gateway by creating the VPN connection using the CMAK tool, we're concerned someone could figure out the connection properties and simply set up their own and leave the remote gateway box unchecked. Is there a way to force RRAS or NPS to only accept connections from our CMAK-created connection?
- In our testing of revoking client certificates, we're not seeing the RRAS server go out and check the OCSP (using Wireshark). So far, we've only been able to get the RRAS server to reject if we manually import the Delta. Is there a known issue with RRAS and OCSP?
Thank you in advance for any suggestions,
Denny
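The two checks a practitioner would want to run before concluding anything about either point above, as an added PowerShell example that is not part of Denny's post: first, reproduce the revocation check the RRAS server's CryptoAPI chain engine performs for a client certificate (with the URL cache cleared so a stale cached CRL cannot mask a missing OCSP query), and second, audit the split-tunnelling state of the VPN connections defined on a client. The certificate path and connection name are assumptions for illustration; `certutil` and the `VpnClient` cmdlets (`Get-VpnConnection`, Windows 8 / Server 2012 and later) are standard Windows tools.

```powershell
# Added example, not from the original post. Assumed inputs:
#   - the client cert (public part) exported to C:\temp\client.cer
#   - a CMAK-deployed connection named "Corp VPN" on the test client

function Test-ClientCertRevocation {
    param([string]$CertPath = 'C:\temp\client.cer')

    # Drop cached CRL/OCSP responses so the chain build must go to the network.
    # Note: the cache is per security context. RRAS runs as LocalSystem, so to
    # clear the cache the service actually uses, run this under SYSTEM
    # (e.g. from a SYSTEM shell), not just an elevated admin prompt.
    certutil -urlcache * delete | Out-Null

    # -urlfetch forces AIA/CDP/OCSP retrieval and prints every URL attempted
    # plus the per-certificate revocation verdict.
    $out = certutil -verify -urlfetch $CertPath

    [pscustomobject]@{
        OcspUrlsConsulted = @($out | Select-String -Pattern 'ocsp' -CaseSensitive:$false | ForEach-Object { $_.Line.Trim() })
        RevokedReported   = [bool]($out -match 'revoked')
        RawOutput         = $out
    }
}

function Get-VpnSplitTunnelState {
    # Lists every VPN connection (per-user and all-user phone books) with its
    # SplitTunneling flag; $true means "Use default gateway on remote network"
    # is unchecked and traffic to non-corporate destinations bypasses the VPN.
    $conns = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
             @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    $conns | Select-Object Name, ServerAddress, TunnelType, SplitTunneling
}

# Usage:
$rev = Test-ClientCertRevocation
if ($rev.OcspUrlsConsulted.Count -eq 0) {
    'No OCSP URL was contacted; revocation status came from a CRL or was not checked.'
} else {
    "OCSP URLs consulted:`n" + ($rev.OcspUrlsConsulted -join "`n")
}
"Revocation reported for leaf or issuer: $($rev.RevokedReported)"

Get-VpnSplitTunnelState | Format-Table -AutoSize
```

If `Test-ClientCertRevocation` shows OCSP URLs being fetched from an admin session but Wireshark on the RRAS server still shows no OCSP traffic during a connection attempt, the difference is almost always the service's own (LocalSystem) cache or a CRL that is still within its validity period, which is why the manual delta import is what made the rejection appear. The split-tunnel audit is a client-side detection aid only: it tells you which defined connections are non-compliant, but it does not by itself stop a user from creating an additional connection.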