I still rock an old-ass RRAS VPN on a 2003 VM; obviously it has got to go. With that, I have a few choices: I can pay more for the already expensive Barracuda firewalls to (I believe) give me a decent VPN client + single sign-on. I'm not sure how I would do 2FA with that, but I assume it can, as it has enough bells & whistles to confuse me anytime I look at it. I also don't look forward to deploying the client to my users; I love the built-in Windows VPN and it has always treated me well.
OR
Just a new 2019 VM with VPN and somehow enable 2FA on that.
OR
The VM + I wouldn't mind paying for Duo or something similar either, just not sure how that works, to be honest, with a Windows VPN server? Can it?
I use my firewall for this.
Palo Alto firewall with SSO and security group syncing to our AAD. MFA is provided by 365 and is required any time someone connects externally using GlobalProtect (PAN VPN client).
All vendors are required to use the same method with MFA configured after logging a ticket to enable their accounts.
I run a standalone OpenVPN server in a VM. Used to run it on the pfSense firewall, but separation of concerns, etc. Point-to-point for our main location and two "satellites"; individual users connect with the OpenVPN client. Not a solution for users who aren't somewhat tech-savvy.
I deploy FortiGates and configure SSO integration with Azure AD. The support staff invite people as guests to Azure AD, have them download FortiClient, and they put vpn.whatever.com in the address bar, press SSO login, and it works.
The SMB space is a bad place to get stuck with solutions only one person understands.
If you want an easy-to-manage and hardened VPN solution, look into pfSense or OPNsense VMs and configure two OpenVPN instances: the primary on UDP 1194 and your fallback on TCP 443.
There is good documentation for both systems and ways to enable 2FA.
If you are already paying for O365 Business Premium (or otherwise have an Azure AD Plan 1 license for said users) you could leverage an NPS server using the Azure NPS Extension to proxy MFA requests to Azure and use the existing MFA methods configured for each user.
Biggest caveat: in order to have the "Code from App" / "SMS Code" options, you HAVE to use unencrypted/weak (IIRC PAP) protocols for authentication requests between your VPN device (FortiGate / Barracuda / whatever) and your NPS server.
Usually we tell users you HAVE to use either the MS Authenticator with push notifications OR the phone-call approve option as your default for this to work.
You can then use MSCHAPv2 for the encryption.
The other biggest catch is you CAN'T do password resets during this authentication process.
You COULD alternatively use Self-Service Password Reset (also included in Azure AD Plan 1) with password writeback to the on-prem DC via Azure AD Connect (this is what we do for remote password changes for clients using this method).