Best way to allow contractors to VPN in?

cscbrannent
Level 1

The goal: Allow contractors VPN access to our company network utilizing VPN while minimizing risk and maximizing ease and convenience.

Question: We are using Cisco ASA 5540's with SSL VPN clients for employees and contractors. We check to see if the machine is an asset and then allow it to connect to the VPN after the user is authenticated. If they're a contractor, we're imposing an Access Control List (ACL) on them and enabling split tunneling.

We'd like to limit this even further, since right now we have to support our VPN client on THEIR computer, which is a bit sticky, and also we don't trust their computer - with antivirus etc.

What we're thinking about is to allow them to WEBVPN, which is basically an encrypted reverse proxy, and then allow them to remote control a "pc farm" in a DMZ running on VMware or Windows Terminal Server. Then, they'd be using one of OUR assets - for which we can maintain appropriate patches, antivirus, etc. Then, we can build firewall rules allowing their RDP session in through the firewall.

Is this how you do it? Or would do it? Or do you have a better idea?

1 Reply

JORGE RODRIGUEZ
Level 10

What we're thinking about is to allow them to WEBVPN, which is basically an encrypted reverse proxy, and then allow them to remote control a "pc farm" in a DMZ running on VMware or Windows Terminal Server....

Brannen,

This is an excellent solution for your concerns, at least for me. You have pretty much laid down a very good RA access control for contractor users; you could also throw in per-user VPN filters and have a single SSL tunnel for contractors to even segregate your contractors per username if they happen to be in different companies.

Remote access VPN filters

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Also there are other solutions for your main concern you previously posted like for example

RA users' personal systems and viruses on non-company machines. I will post the link just for reference in future etc.

Network Admission Control framework, but that requires other platforms and architecture.

http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html

Jorge Rodriguez
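A configuration sketch of the design in the question together with the per-user VPN filter Jorge suggests, added here as an example (it is not either poster's configuration nor a Cisco document). It assumes ASA 8.2-era syntax, a contractor address pool of 192.168.250.0/24 and a DMZ jump-host farm at 10.10.20.0/24 (constructed addresses); the ACL, policy and user names are placeholders.

```cisco
! --- Before (weak): contractors share the employee policy, nothing filters the tunnel ---
! group-policy CONTRACTORS attributes
!  vpn-filter none
!  split-tunnel-policy tunnelall

! --- After (hardened): contractors may only reach the DMZ jump farm over RDP ---
! Address pool handed to contractor SSL VPN sessions (constructed range)
ip local pool CONTRACTOR_POOL 192.168.250.1-192.168.250.50 mask 255.255.255.0

! vpn-filter ACLs are written with the VPN client address as the source and the
! protected resource as the destination. Only TCP/3389 to the jump farm is allowed;
! anything else the contractor sends into the tunnel is dropped and logged.
access-list CONTRACTOR_VPN_FILTER extended permit tcp 192.168.250.0 255.255.255.0 10.10.20.0 255.255.255.0 eq 3389
access-list CONTRACTOR_VPN_FILTER extended deny ip any any log

! Tighter per-company filter: one contractor company gets exactly one jump host
access-list ACME_VPN_FILTER extended permit tcp 192.168.250.0 255.255.255.0 host 10.10.20.11 eq 3389
access-list ACME_VPN_FILTER extended deny ip any any log

! Split tunnelling stays on, but only the DMZ farm is routed into the tunnel
access-list CONTRACTOR_SPLIT standard permit 10.10.20.0 255.255.255.0

group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-tunnel-protocol svc webvpn
 vpn-filter value CONTRACTOR_VPN_FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CONTRACTOR_SPLIT
 vpn-idle-timeout 30
 vpn-simultaneous-logins 1

tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS general-attributes
 address-pool CONTRACTOR_POOL
 default-group-policy CONTRACTORS
tunnel-group CONTRACTORS webvpn-attributes
 group-alias contractors enable

! Per-user override: a vpn-filter set on the username wins over the group-policy filter,
! so contractors from different companies can be segregated on a single SSL tunnel group
username acme-contractor attributes
 vpn-group-policy CONTRACTORS
 vpn-filter value ACME_VPN_FILTER
```

The jump hosts themselves still need an inside-bound rule on the DMZ interface for whatever the RDP session is allowed to reach; the vpn-filter only bounds what the contractor can send through the tunnel.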