I was playing yesterday with the RAS administration DLL and ISA Server 2006 SP1(domain member, Windows 2003 DCs, no RADIUS server for users authentication) and created as described here a DLL to limit one connection to the RRAS VPN server per user(the VPN functionality in ISA is provided by the RRAS):
Now, it seems to run quite nice, tested it with MS-CHAPv2 and EAP-TLS user authentication(I’ve enabled User Mapping too in order to be able to create access rules based on groups for EAP-TLS).
Not sure how it does under heavy loads(many users) though.
You can find here the DLL(actually there you can find the result of the entire debug folder after building the solution, as per the reference articles, it’s a debug version of the DLL), use them at your own risk.
I’ve created a folder named RASDLL under ISA’s installation folder, and copied there the DLL along with other files, otherwise I would get SideBySide assembly errors on ISA(probably the easiest and fastest way of testing the DLL on another machine than the one used to build the solution and “get rid” of the CRT errors). The “dependency” files can be found here(external link, and probably other places on the web too).
Then, as described here I’ve put this DLL under the DLLPath registry entry, there already a DLL was present, the ISA’s vpnplgin.dll, note that the DLLs are separated by a semi-colon and also I’ve added a DisplayName registry entry:
Restart the RRAS service or reboot the ISA machine(more “brutal”). If all is fine the RRAS service should be successfully started. If not, as described in the VPN QA you may need some extra files under the RASDLL folder, either from the debug folder or some “dependencies” DLLs.
To test it, ISA Server 2006 SE(domain member, Windows 2003 DCs, no RADIUS server for authentication), I connect with user adrian from a VPN client.
Next I attempt to connect witch the same user from another VPN client, and the connection gets rejected:
Now, I’ve played a little bit with ISA Server 2006 EE and NLB. I’ve put the RAS administration DLL on each array member.
While it works with ISA Server 2006 EE and NLB, there is a gotcha, an expected one I would say.
For example if there are two ISA Server 2006 EE(NLB enabled) in an array, actually two VPN clients can use the same user to successfully connect if the first connects to one ISA and the second to the other ISA, the connected user information(SID) is not shared between the array members. We created just a per server limitation.
If we expand this, say we have 6 ISA Server 2006 EE(NLB enabled) on an array, 6 VPN clients can use the same user to connect if their connections are distributed among the ISAs.