Do I need to set up a CA for NPS/VPN?

Home Forums Security General Security Do I need to set up a CA for NPS/VPN?

Viewing 1 post (of 1 total)
  • Author
  • Avatar


    I have recently setup NPAS on a Win 2008 server to replace RADIUS/IAS on a W2k3 server in our domain.

    Our domain is a .local, single-site, two DC’s, one storage server and 37 clients. Users Dial-in properties in ADUC are explicitly defined – either allow or deny. ‘Control access through NPS network policy’ is not used.

    Remote access is VPN for 11 staff (so far).

    NPAS connection control policies are the default polices as set up during installation. One network policy is configured that checks that the user account dialing in is a member of a security group before allowing access. Health policies and NAP have not been defined.

    This is working fine so far.

    I have been reading about NAP and the use of PEAP et al. as I am thinking about setting up rules that deny access to a VPN client if it is not up to date or does not have security software installed.

    This led me onto certificates which is something that we have never used. Do you think I should setup a CA and distribute certificates to the server and clients? I would presumably also have to configure a backup server for this in case the W2k8 DC went down.

    I have read a little about this on Microsoft’s site and can follow the instructions fine, but what I don’t understand is the implications for the clients on the network. If there is a problem with the CA (which there may be when I first set it up due to misconfiguration or something else), will the clients be denied access to the storage server or do the CA certificates only authenticate access via the VPN? The instructions on the Microsoft website include using group policy to install certificates on the clients on the network. These clients will never use a VPN to connect as they are all local.

    I wonder if it is worth doing this. I would like to do it but wonder if it is overkill for our needs?

    Any thoughts or opinions gratefully received!


Viewing 1 post (of 1 total)

You must be logged in to reply to this topic.