NPS external authentication

  • Question

  • When setting up an NPS server for external authentication (e.g. phone e-mail access / WiFi access), what is the best practice concerning all security issues? We need to deploy externally reachable servers in a DMZ.

    When installing an NPS server, is it possible (and desirable) to install it on a stand-alone (non-domain-member) Windows 2008 R2 server and forward authentication requests to the AD that's on the LAN? Or does the NPS server need to be at least a domain member when authentication to the domain is needed? And what about using a RADIUS proxy on the DMZ server and forwarding requests to an internal NPS server?

    What is the best method? Or is there a better solution? We want to give authenticated access to network resources, and want to minimize the number of firewall ports we open.

    Thanks in advance,

    Roland

    Wednesday, July 6, 2011 8:21 AM

Answers

  • Hi,

    Thanks for the post.

    In my opinion, you could configure a RADIUS proxy server on a stand-alone machine with Windows Server 2008 R2. When you use NPS as a RADIUS proxy, NPS forwards connection requests to an NPS server or other RADIUS servers for processing. Because of this, the domain membership of the NPS proxy is irrelevant. The proxy does not need to be registered in Active Directory Domain Services (AD DS) because it does not need access to the dial-in properties of user accounts. In addition, you do not need to configure network policies on an NPS proxy because the proxy does not perform authorization for connection requests.

    You can find more at http://technet.microsoft.com/es-es/library/dd197525(v=ws.10).aspx

    Hope this helps.

    Miles


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Miles Zhang Friday, July 15, 2011 1:55 AM
    Thursday, July 7, 2011 7:04 AM

All replies

  • Hello Miles,

    Thank you for the reply.

    So in this case the best option is to use the RADIUS proxy? The only problem when using a RADIUS proxy is that a secondary server is needed for the RADIUS server. But if this is the best option from a security point of view, then we need to try it this way.

    The other option, in my opinion, is to configure a RADIUS server in the DMZ only, but then the server needs to be an AD member, and more firewall ports are needed for the AD member server.

    Please correct me if I'm wrong.

    Thanks again,
    Roland

    Friday, July 8, 2011 6:25 AM
  • Hi Roland,

    Thanks for the reply.

    I think the RADIUS proxy server is the best option in this scenario. From a security perspective, I don't think it's a good idea to put a domain member server in the DMZ.

    Thanks,

    Miles


    Friday, July 15, 2011 1:55 AM
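Added example, not part of the thread and not a script from Miles, Roland or Microsoft: what the setup Miles recommends (a stand-alone NPS box in the DMZ acting only as a RADIUS proxy for an internal NPS server) looks like when typed in on that box, together with the host firewall rules that illustrate the port-count argument Roland and Miles exchange in the later replies. It runs in an elevated PowerShell on a workgroup Windows Server 2008 R2 server with the Network Policy and Access Services role installed. Every name, IP address and shared secret below is an assumption chosen for illustration; the connection request policy step is left to the NPS console because `netsh nps add crp` expects raw attribute IDs.

```powershell
# Added example (not the thread's own content): DMZ NPS box as a RADIUS proxy
# forwarding to an internal, domain-joined NPS server, plus host firewall rules.
# All names, addresses and secrets are assumptions; replace them with your own.
# Secrets are passed on the netsh command line here, so keep them free of spaces.

$WifiController = '203.0.113.10'   # assumed NAS 1: wireless controller (RADIUS client)
$MailGateway    = '203.0.113.11'   # assumed NAS 2: mail / ActiveSync front end (RADIUS client)
$InternalNps    = '10.0.0.20'      # assumed internal NPS server on the LAN (domain member)
$ClientSecret   = 'replace-with-long-random-secret-1'   # NAS <-> proxy shared secret
$ForwardSecret  = 'replace-with-long-random-secret-2'   # proxy <-> internal NPS secret (keep it different)

# 1. RADIUS clients: only these two NAS devices may talk to the proxy at all.
#    requireauthattrib=yes makes the proxy insist on the Message-Authenticator
#    attribute, which defeats spoofed Access-Requests from a forged source IP.
netsh nps add client name="WiFi-Controller" address="$WifiController" state="enable" sharedsecret="$ClientSecret" requireauthattrib="yes"
netsh nps add client name="Mail-Gateway"    address="$MailGateway"    state="enable" sharedsecret="$ClientSecret" requireauthattrib="yes"

# 2. Remote RADIUS server group whose only member is the internal NPS server.
#    The proxy authenticates and authorizes nothing itself, which is why it
#    needs neither AD membership nor network policies: it relays to this group.
netsh nps add remoteservergroup name="Internal-NPS"
netsh nps add remoteserver remoteservergroup="Internal-NPS" address="$InternalNps" authport="1812" acctport="1813" authsharedsecret="$ForwardSecret" acctsharedsecret="$ForwardSecret" priority="1" weight="50" timeout="5" maxdropped="5" blackout="30"

# 3. Connection request policy (done in the NPS console, Policies > Connection
#    Request Policies): create one policy that matches all requests and, under
#    Settings > Authentication, forward them to the "Internal-NPS" group.

# 4. Host firewall. Inbound: drop everything by default, then allow RADIUS only
#    from the two NAS addresses. Outbound: the single DMZ-to-LAN flow the proxy
#    needs is UDP 1812/1813 to the internal NPS; with the default outbound
#    policy left at "allow" the rule below is a no-op on the host itself, but it
#    documents the one rule the perimeter firewall has to carry. A domain-joined
#    NPS in the DMZ would instead need DNS (53), Kerberos (88), LDAP (389/636),
#    SMB (445) and RPC (135 plus the dynamic range) opened from DMZ into LAN.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="RADIUS in from NAS" dir=in action=allow protocol=UDP localport=1812,1813 remoteip="$WifiController,$MailGateway"
netsh advfirewall firewall add rule name="RADIUS out to internal NPS" dir=out action=allow protocol=UDP remoteport=1812,1813 remoteip="$InternalNps"

# 5. Review the resulting configuration: two RADIUS clients, one remote server
#    group with one member, and no network policies beyond the defaults.
netsh nps show config
```

The two shared secrets are deliberately different: the NAS secret only has to protect the hop into the DMZ, while the forwarding secret protects the hop across the DMZ-to-LAN firewall, so compromising one NAS does not hand an attacker the credentials for the internal RADIUS server. On the internal NPS, register the proxy's address as a RADIUS client with the forwarding secret and keep the network policies (the actual AD-backed authorization) there.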