Hi Mark, If the machine is a member of the domain, the user can log on with local or domain credentials. I'm betting that you are logging in with an admin account. Just make sure your VPN user passwords meet complexity requirements and you'll be in good shape. Of course, you can implement L2TP/IPSec and use user certificate authentication :-) HTH, Tom Thomas W Shinder www.isaserver.org/shinder <http://www.isaserver.org/shinder> ISA Server and Beyond: http://tinyurl.com/1jq1 <http://tinyurl.com/1jq1> Configuring ISA Server: http://tinyurl.com/1llp <http://tinyurl.com/1llp> -----Original Message----- From: Mark Hopkins [mailto:mark@xxxxxxxxxxxxx] Sent: Wednesday, January 29, 2003 12:40 PM To: [ISAserver.org Discussion List] Subject: [isalist] ISA VPN Security http://www.ISAserver.org Hello, I just set up my ISA Server for inbound VPN calls, as per http://www.isaserver.org/tutorials/Configuring_ISA_Server_For_Inbound_VP N_Calls.html. Everything works but my concern is security. All anyone need do is guess an authentic domain username/password and they are "in". Not even the domain name is necessary. Is there a way to secure this authentication? Thanks. Mark ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')