Re: Securing VPN connections with token's
- From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 26 Jan 2006 15:19:07 -0500
I'm running it on a member server. But I'm 99% sure they told me they'll
support it on a DC if you don't use the LDAP integration (AD). That means
setting up the users manually, which I did anyway - with 15 remote users, it
only takes a couple of minutes to set up each one. It's basically just name
and username, then you assign a token (which you'd have to do anyway with
LDAP).
"Dave Taylor" <noemail@xxxxxxxxx> wrote in message
news:u4V1Z5qIGHA.524@xxxxxxxxxxxxxxxxxxxxxxx
> Dave,
>
> Thanks for your detailed info. I have contacted Cryptocard and asked some
> questions with regards to our setup of providing support to our customers.
> One of their engineers has replied to that question but said that the
> server software should not be installed on a domain controller. Are you
> running it on a member server or the SBS server?
>
> Thanks
> Dave
>
> "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
> message news:uvcIbTpIGHA.984@xxxxxxxxxxxxxxxxxxxxxxx
>> I'll try to answer some of this for you.
>>
>> We use the USB tokens. I also have a keychain token for myself. Both
>> work great. We want to limit the computers people log in from. The USB
>> tokens require a little client-side app to do the authentication, which
>> prevents users from logging in from airport kiosks or libraries. I use
>> the keychain token when traveling, so that if I have to log in from a
>> computer without the client software for troubleshooting purposes, I'm
>> not prevented from doing so. With that token, all I need is access to be
>> able to create a VPN connection from XP. (There would be nothing to
>> prevent a user from installing the auth software him/herself, but we
>> trust them not to do that).
>>
>> I have not yet set Cryptocard up for OWA or RWW. I'm preparing for a
>> swing migration to new hardware. The old box is running ISA 2000, which
>> will definitely not work this way. I'm thinking that once I get to ISA
>> 2004, I'll be able to use Cryptocard to authenticate OWA and RWW as well
>> as VPN. I'm not 100% sure of that, but I'm pretty confident that
>> Cryptocard support will work with me to figure it out. If we can get
>> this working, it'll be the first 2-factor auth solution for RWW, which I
>> would think would be a good selling feature for them.
>>
>> I looked at other companies. RSA is very small-business unfriendly - too
>> costly, has a 25-license minimum, the tokens expire and need to be
>> replaced, and it requires dedicated server hardware to run on. The cost
>> of the server and OS alone would easily exceed what I paid for 15
>> Cryptocard licenses, without even starting to pay for RSA. Not to quote
>> anyone's prices, but last I knew the RSA appliance that's offered as an
>> alternative to a standalone server was $4500. Cryptocard's web site
>> charges $500 for 5 users, and your reseller may even discount from that.
>>
>> I looked at Aladdin smartcard tokens using Certificate Services and IAS.
>> This has the advantage of being all Windows, configured the way you want
>> it. Aladdin makes generic smartcard tokens, so there would be no 3rd
>> party proprietary software or hardware involved in this solution. I
>> wanted to do this for that reason, but time pressures intervened -
>> there's a learning curve for setup, and I already had a trial of
>> Cryptocard installed and working. FWIW, the smartcard tokens alone are
>> not much less expensive than the Cryptocard tokens, software, and
>> licenses.
>>
>> Another one I would have looked at is Safeword, made by Secure Computing.
>> I would have given this a better look if it had come to my attention
>> sooner, but by the time it came up I was 99% of the way there with
>> Cryptocard.
>>
>> I used Authenex for a couple of years. They're great people but I had
>> some reliability issues with them. E-mail me directly if you're
>> considering Authenex and I'll give you the details.
>>
>> What made me choose Cryptocard? SBS MVP Susan Bradley referred me to
>> Dana Epp's blog. Although I've never met Dana, he has great credibility
>> with me because of Susan, so his recommendation in the blog carried a lot
>> of weight. His situation is very similar to mine, and he was using
>> Cryptocard successfully in his production environment. When I started
>> investigating Cryptocard, I found them to be very responsive to my
>> inquiries. When I got serious about it, they put me in touch with a
>> support engineer who spent a significant amount of time getting me up to
>> speed. They did all of this knowing that I could easily have chosen a
>> different solution, but by the time I was ready to make a decision, there
>> were just no negatives to be found.
>>
>> Cryptocard will give you a full trial version that you can install to try
>> it for yourself. You'll get a software token (maybe more than one) that
>> you can use to log in remotely just as you would in production - it just
>> installs on the actual client PC rather than on the USB token or
>> whatever. If you decide to buy it, you just go through a little procedure
>> to convert the trial license to full, and you're in business. Especially
>> if OWA and RWW integration is important to you, that would be worth doing
>> to see how easy or hard that all is to configure. And when you find out,
>> let me know.
>>
>>
>>
>>
>> "Dave Taylor" <noemail@xxxxxxxxx> wrote in message
>> news:uBS8vomIGHA.1876@xxxxxxxxxxxxxxxxxxxxxxx
>>> Dave,
>>>
>>> Thanks for the post, this looks very interesting. I've just a few
>>> questions that I hope you don't mind answering for me:
>>>
>>> What devices are you using?
>>> Have you been able to use the pin request on the Remote Web Workspace as
>>> well as the OWA page?
>>> Did you look at other companies (i.e. RSA Security devices)?
>>> What made you decide to use the Cryptocard?
>>>
>>> Thanks
>>> Dave
>>>
>>> "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
>>> message news:%23lvTcldIGHA.1132@xxxxxxxxxxxxxxxxxxxxxxx
>>>>I use Cryptocard for this. They offer different types of tokens
>>>>depending on what you're looking for. I've only been running it for a
>>>>few weeks, but so far I've found it very reliable, simple, and
>>>>trouble-free. I had a great experience with their support department in
>>>>assisting with the initial installation and configuration questions,
>>>>which leads me to suspect that if I ever have a problem, I'll be very
>>>>satisfied. You can get any quantity of tokens/licenses in groups of 5,
>>>>which IMO makes the pricing small business friendly.
>>>>
>>>> Cryptocard: http://www.cryptocard.com/
>>>>
>>>> How I found it: http://silverstr.ufies.org/blog/archives/000833.html
>>>>
>>>>
>>>>
>>>>
>>>> "Dave Taylor" <noemail@xxxxxxxxx> wrote in message
>>>> news:us8fGYZIGHA.964@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> All,
>>>>>
>>>>> Does anyone use a 3rd party token to help secure VPN connections into
>>>>> SBS Prem with ISA? We are looking at securing a network with this
>>>>> type of device and just wondered if anyone has done this with SBS and
>>>>> got any pointers.
>>>>>
>>>>> Thanks
>>>>> Dave
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>