Hi,
I am seeking ways to enhance the overall security of our SSL VPN by limiting access to only corporate laptops. We have Sophos UTM9 Firewall.
I am considering the option of utilizing SSL VPN with a Certificate. However, I am uncertain about how to configure it. Currently, we have RADIUS authentication with AD and Duo 2FA.
Moreover, I am concerned about the possibility of the certificate being exported by end-users, which would enable them to import it into other devices and undermine our efforts to limit access to corporate laptops.
Would it be necessary to implement NPS to achieve this? If yes, how can I configure it?
I am open to considering other quick solutions.
Any help or insights on how to accomplish this would be greatly appreciated.
If you are already using AD, then why not just set up the computer profiles to auto-import the cert? Users can’t export it without admin anyway.
Moreover, I am concerned about the possibility of the certificate being exported by end-users, which would enable them to import it into other devices and undermine our efforts to limit access to corporate laptops
Typically you issue different certs to each device. They can be issued in a way that the private key isn’t exportable. And if users don’t have local admin they can’t export the private key anyway.
Would it be necessary to implement NPS to achieve this? If yes, how can I configure it?
Any RADIUS server should work, but NPS is fairly easy and included in the cost of Windows Server. There are tons of configuration guides available on the internet. You will need a certificate authority as well, also free with Windows, but it can be a lot of work to set up.
I am not sure how the Sophos UTM firewall works, but I know that Palo Alto and Fortinet firewalls have a feature that checks the host trying to connect via SSL VPN for certain parameters, like being part of a certain AD group or having a specific registry key. That could be a way to restrict connections to your SSL VPN to corporate PCs only.
If your corporate systems are joined to a domain (Windows AD), then you can restrict SSL to those machines and exclude other non-corporate systems.
If you are in a Linux environment, then you can use Ansible or other network management software to achieve this. Also LDAP might work, though I’m not sure.
Duo also has an app option to look for applications/device posture that may be worth looking into if you don’t want to deal with certs and would rather check the health/status of the machine.
Also, look up SCEP if you want an easy way to provision user certs (and mark them as non-exportable).
Please, for the love of god, do more than a string-like match on the CA name… I found out a previous company did that and was dumbfounded at how simple of a bypass it would have been.
Why not completely switch to Azure AD with MS MFA using their access controls that will limit access to those on the domain, etc, etc, etc?
If the VPN client supports posture checking, you can usually also layer up other checks to verify the machine.
E.g. it needs to have the cert to connect, and it also needs to have certain other characteristics: the hostname needs to match the SN of the cert, and you can pre-load your machines with other files and settings values that are checked before access is granted. You can make sure it’s running your corporate antivirus, for example.
This is what we do. We authenticate both the laptop and the user for our SSL VPN.
TBH that should already be in place, but if not, it should be now.
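To make concrete both the "string match on the CA name" warning and the "hostname must match the cert" check from the replies above, here is an added example (not code from the thread or from Sophos) using Go's standard x509 package. It builds constructed test certificates: a corporate CA, a look-alike CA that copies only the CA's name, and a device cert with CN = hostname; the CA name "Corp VPN CA" and hostname "LAPTOP-0042" are made-up values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds a constructed test cert: a self-signed CA if parent is nil, else a client-auth leaf (CN = hostname).
func mkCert(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// weakCheck is the anti-pattern from the thread: a string match on the issuer name, which any CA copying the name satisfies.
func weakCheck(cert *x509.Certificate, caName string) bool {
	return cert.Issuer.CommonName == caName
}

// strongCheck verifies the signature chain against the pinned corporate root and requires CN == the connecting device's hostname.
func strongCheck(cert, root *x509.Certificate, hostname string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil && cert.Subject.CommonName == hostname
}

func main() {
	corp, _ := mkCert("Corp VPN CA", nil, nil)
	fake, fakeKey := mkCert("Corp VPN CA", nil, nil) // same name, unrelated key
	leaf, _ := mkCert("LAPTOP-0042", fake, fakeKey)  // issued by the look-alike CA
	fmt.Println(weakCheck(leaf, "Corp VPN CA"), strongCheck(leaf, corp, "LAPTOP-0042")) // true false
}
```

The name match passes for the look-alike issuer while the chain verification against the pinned root rejects it; a genuine device cert passes the strong check only when the presented hostname equals its CN.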