Hi, I am currently trying to set up a VPN solution for approximately 500 users.
The current setup I believe is insecure, as all users have access to everything in the network.
The customer's main router is in my office and every branch office router connects to the main router over IPsec tunnels. The users currently VPN into a server in my office, which puts them on the internal subnet that has access to all store subnets. I currently assign static IPs to each VPN user so that I can track who is doing what.
I would like to have a VPN server in a DMZ on a different subnet and be able to control who has access to what, whether it be devices on the internal subnet or devices within their store subnet.
I need all users to have remote default gateway enabled on their computers as I want them to use the filtered internet access when connected via VPN.
During some testing I was able to use NAP to restrict user access to specific IP addresses, but users were unable to get internet access (clients still on the internal subnet).
We would like to implement system health checks before allowing them access to the network.
I don't know if using RADIUS is of any benefit here, as we are only using the one VPN server.
I just want a solution that will be easy to manage, possibly by AD, and that does not require configuring firewall policies on the router for every individual user.
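The following is an added example, not code from the post or from any product it mentions, illustrating the pattern the question is reaching for: put each AD group on its own VPN address pool, have the RADIUS reply carry the pool address (Framed-IP-Address) and group name (Filter-Id), and write firewall rules per pool rather than per user. The group names, pools, subnets and the USER_GROUPS lookup are all constructed stand-ins for a real AD query; the rule set keeps internet reachable through the remote default gateway while denying every internal subnet the group was not granted, including other VPN clients.

```python
import ipaddress
from collections import namedtuple

# Constructed sample policy (hypothetical group and subnet names, not from the post):
# each AD group owns one VPN address pool and a list of subnets it may reach.
GROUP_POLICY = {
    "VPN-Admins":  {"pool": "10.200.0.0/24", "allowed": ["10.0.0.0/16", "10.10.0.0/16"]},
    "VPN-Store-A": {"pool": "10.200.1.0/24", "allowed": ["10.10.1.0/24"]},
    "VPN-Store-B": {"pool": "10.200.2.0/24", "allowed": ["10.10.2.0/24"]},
}
# Constructed directory lookup standing in for an AD group-membership query.
USER_GROUPS = {"alice": ["VPN-Admins"], "bob": ["VPN-Store-A"], "carol": ["VPN-Store-B"]}

# Everything private is "internal"; anything else is the internet, which reaches the
# client via the remote default gateway and the office's filtered breakout.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Rule = namedtuple("Rule", "action src dst comment")


def vpn_group(user):
    """Return the single VPN group a user belongs to, or None if not authorised."""
    groups = [g for g in USER_GROUPS.get(user, []) if g in GROUP_POLICY]
    if len(groups) != 1:
        return None  # no VPN group, or ambiguous membership: refuse rather than guess
    return groups[0]


def assign_address(user, leases):
    """Hand out the next free host address from the user's group pool.
    leases maps already-assigned address -> user and is updated in place, so the
    address still identifies the user in logs, as static assignment did."""
    group = vpn_group(user)
    if group is None:
        return None
    for host in ipaddress.ip_network(GROUP_POLICY[group]["pool"]).hosts():
        if str(host) not in leases:
            leases[str(host)] = user
            return str(host)
    return None  # pool exhausted


def radius_reply(user, leases):
    """Attributes a RADIUS server would return to the VPN server for this user."""
    group = vpn_group(user)
    if group is None:
        return {"Access": "Reject"}
    return {"Access": "Accept",
            "Framed-IP-Address": assign_address(user, leases),
            "Filter-Id": group}


def build_rules():
    """Compile the group policy into an ordered, first-match rule list.
    Rules are keyed on the pool, so adding a user never adds a rule."""
    rules = []
    for group, pol in GROUP_POLICY.items():
        pool = ipaddress.ip_network(pol["pool"])
        for dst in pol["allowed"]:
            rules.append(Rule("accept", pool, ipaddress.ip_network(dst), f"{group}: permitted subnet"))
        for dst in INTERNAL:  # covers the other VPN pools too, so clients cannot reach each other
            rules.append(Rule("drop", pool, dst, f"{group}: other internal address space"))
        rules.append(Rule("accept", pool, ipaddress.ip_network("0.0.0.0/0"),
                          f"{group}: internet via filtered default gateway"))
    rules.append(Rule("drop", ipaddress.ip_network("0.0.0.0/0"),
                      ipaddress.ip_network("0.0.0.0/0"), "default deny"))
    return rules


def is_allowed(src, dst, rules=None):
    """First-match evaluation of a src -> dst flow against the compiled rules."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules or build_rules():
        if src in r.src and dst in r.dst:
            return r.action == "accept"
    return False


if __name__ == "__main__":
    leases = {}
    for user in ("alice", "bob", "mallory"):
        print(user, radius_reply(user, leases))
    for r in build_rules():
        print(f"{r.action:6} {str(r.src):16} -> {str(r.dst):16} # {r.comment}")
```

The rule list is what you would load onto the DMZ firewall or the VPN server's own filter; with 500 users it stays at a handful of lines per group, and the only per-user state is the lease table, which the RADIUS accounting log already records.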