Geekzone: technology news, blogs, forums


Paul1977

5039 posts

Uber Geek


#289009 6-Aug-2021 12:34

Configuring a new network with 3 servers. DC, file/print server (plus some management functions), RDS.

 

Needing Network Policy Server with RADIUS for VPN access etc, but not sure if I should put it on DC or the file server?

 

I'm trying to keep the DC and RDS as clean as possible, the idea being to throw everything else on the file server, but not sure of the security implications of having RADIUS on the file server instead of the DC?





mentalinc
3225 posts

Uber Geek

Trusted

  #2756131 6-Aug-2021 13:09

What happens if each gets compromised?

 

What does Microsoft recommend?

 

Sounds like you need to do some threat modelling (hint: MITRE ATT&CK may help).









Paul1977

5039 posts

Uber Geek


  #2756147 6-Aug-2021 13:23

mentalinc:

 

What does Microsoft recommend?

 

 

As with everything, Microsoft says put it on its own server. The constraint is that those 3 servers are it, so it's impossible to follow by-the-book best practice; it's a question of best practice within those constraints.


Varkk
643 posts

Ultimate Geek


  #2756210 6-Aug-2021 15:27

What is the licensing model you are using? Are these physical servers or virtual?

 

If using Server Standard licenses you are allowed up to 2 guest servers for each licensed host. In theory you can't really just have 3 servers; you should have 4.

 

If you have 3 physical hosts each with Standard licenses you should be able to use Hyper-V to have up to 6 virtual servers.




chevrolux
4962 posts

Uber Geek
Inactive user


  #2756211 6-Aug-2021 15:28

My thought for RADIUS is that it's more at home on the DC, as that's the thing doing all the other auth anyway.

 

Security-wise, my thoughts are just the same as for exposing any other service: just have it available only to the things that need it. So for us that's only the router and wireless controller, so I just have appropriate firewall rules in place for the RADIUS ports.

 

Edit: Depending on load, having RADIUS on its own server seems rather wasteful.


Lias
5589 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2756411 7-Aug-2021 10:00

+1 for what Microsoft said, every role should be a separate VM.

 

If you can't follow that, my logic goes:

 

1. Anything but the DC. The DC is the keys to the kingdom and should have the lowest attack surface possible.

 

2. That leaves RDS and File/Print/Management. RDS box is a bigger risk if it's taking inbound RDP from the internet, so that leaves File/Print/Management.







Paul1977

5039 posts

Uber Geek


  #2756996 9-Aug-2021 09:41

Cheers guys.

 

It's IaaS with site-to-site link back to office where workstations/thin clients are, so when I refer to "servers" I'm talking about VMs. IaaS is great for disaster recovery, but the downside is that every VM/vCPU/GB is an additional monthly cost. They wanted to do it with only 2 servers and make the DC the file/print/mgmt server as well, but I managed to get them to increase the budget in order to avoid this.

 

My initial thought was what @Lias suggested - keep everything except AD off the DC. I'm treating the RDS very much like a workstation (since that's essentially what it is), so I guess I'll put NPS/RADIUS on the file/print/management server.

 

There's a legacy database app that needs the RDS that will hopefully no longer be required in 12-18 months, which gives us time to replace thin clients with workstations and laptops. At that point we may be able to get rid of the DC and the IaaS requirement entirely.


Paul1977

5039 posts

Uber Geek


  #2756997 9-Aug-2021 09:45

chevrolux: Depending on load, having RADIUS on its own server seems rather wasteful.

 

 

The load would be extremely low; it's only for VPN authentication for a handful of users.


jhsol
102 posts

Master Geek


  #2758199 10-Aug-2021 20:41

3 Server Design

 

Are you exposing the RDS environment to the internet? If not, then the following design would work (however, feel free to put the NPS on either the File Server or the DC). I personally would put it on the DC over the file server as NPS = Authentication (as Chev says). That way an outage (i.e. maintenance) on the DC is only ever affecting itself (whether it's NPS or DC).

 

[DomainController/NPS]    [FileServer]      [RDS/SH/GW/CB]

 

A lot of environments do combine the NPS and DC roles, especially in small environments where the number of VMs is limited. The risk increase from having the NPS role on the DC is minimal and is usually accepted if they can't stomach the extra $$$ to pay for an additional license.

 

Public Facing RDS

 

If you need to expose the RDS environment to the public internet, then use a 4 server design where the Gateway/RDWeb role is split out from the connection broker/session hosts. Expose this server to the internet on port 443, and DMZ it off as best as possible. 

 

[PublicIP:443] -> [FW] -> [RDWeb/GW] -> [FW] -> [LAN] =  [DomainController/NPS]    [FileServer]      [RDS/SH/GW/CB]

 

(hope this all makes sense hahaha)

 

Best Design

 

If security is paramount and you are looking for the optimal design then, as this thread is highlighting, you will need to separate out the roles as much as possible. This would have you looking at a 6-server design.

 

[DC] [FileServer] [NPS] [RDGW/RDWeb] [RDCB/RDLic] [RDSH]

 

Although, once again, the NPS role is overkill on its own server, and I would still combine it with the DC in this scenario. If anything I'd go for this design:

 

[DC1/NPS1] [DC2/NPS2] [FileServer] [RDGW/RDWeb] [RDCB/RDLic] [RDSH]

 

Redundant and highly available DC and NPS roles, as well as giving you the flexibility to add more RDSH boxes if you need to scale at speed. It also allows you to upgrade each role independently of other servers and without too much downtime (using in-place migrations rather than in-place upgrades).

 

 

 

Jas

 

 


Paul1977

5039 posts

Uber Geek


  #2759498 13-Aug-2021 09:20

jhsol:

 

3 Server Design

 

Are you exposing the RDS environment to the internet? If not, then the following design would work (however, feel free to put the NPS on either the File Server or the DC). I personally would put it on the DC over the file server as NPS = Authentication (as Chev says). That way an outage (i.e. maintenance) on the DC is only ever affecting itself (whether it's NPS or DC).

 

[DomainController/NPS]    [FileServer]      [RDS/SH/GW/CB]

 

A lot of environments do combine the NPS and DC roles, especially in small environments where the number of VMs is limited. The risk increase from having the NPS role on the DC is minimal and is usually accepted if they can't stomach the extra $$$ to pay for an additional license.

 

Public Facing RDS

 

If you need to expose the RDS environment to the public internet, then use a 4 server design where the Gateway/RDWeb role is split out from the connection broker/session hosts. Expose this server to the internet on port 443, and DMZ it off as best as possible. 

 

[PublicIP:443] -> [FW] -> [RDWeb/GW] -> [FW] -> [LAN] =  [DomainController/NPS]    [FileServer]      [RDS/SH/GW/CB]

 

(hope this all makes sense hahaha)

 

Best Design

 

If security is paramount and you are looking for the optimal design then, as this thread is highlighting, you will need to separate out the roles as much as possible. This would have you looking at a 6-server design.

 

[DC] [FileServer] [NPS] [RDGW/RDWeb] [RDCB/RDLic] [RDSH]

 

Although, once again, the NPS role is overkill on its own server, and I would still combine it with the DC in this scenario. If anything I'd go for this design:

 

[DC1/NPS1] [DC2/NPS2] [FileServer] [RDGW/RDWeb] [RDCB/RDLic] [RDSH]

 

Redundant and highly available DC and NPS roles, as well as giving you the flexibility to add more RDSH boxes if you need to scale at speed. It also allows you to upgrade each role independently of other servers and without too much downtime (using in-place migrations rather than in-place upgrades).

 

Jas

 

 

Thanks @jhsol. That all makes sense.

 

Ended up putting it on the file server based on the rationale offered by @Lias. I can see merit in either approach to be honest, but had already installed the role by the time I read your reply.

 

None of the servers will be directly exposed to the internet (not even the RDS). All remote access is via VPN established with the perimeter firewall, which I've configured as a RADIUS client and have installed the extension to enable Azure MFA when establishing the VPN connection (MFA will be enforced for all users).
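Both chevrolux's point about only letting the devices that need RADIUS reach it, and the final setup here where the perimeter firewall is the sole RADIUS client, come down to the same two steps on the NPS host: register the client, then scope the inbound RADIUS rules to that client's address. The following PowerShell is an added example, not code from any poster in this thread; the client name `Perimeter-FW`, its address `10.0.0.1`, the Domain firewall profile, and the assumption that the role's built-in inbound rules are named `Network Policy Server*` are all placeholders to check against your own build.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell
# session on the Windows Server host that holds the NPS role.
# Assumptions (placeholders): the perimeter firewall at 10.0.0.1 is the only
# RADIUS client, and the NPS host sits on the Domain firewall profile.
Import-Module NPS                      # installed with the Network Policy Server role

$ClientName = 'Perimeter-FW'           # assumed friendly name for the RADIUS client
$ClientAddr = '10.0.0.1'               # assumed inside address of the VPN/perimeter firewall

# Generate a long random shared secret once. It is shown at the end so it can be
# entered on the firewall side, then removed from this session.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$SharedSecret = [Convert]::ToBase64String($bytes)

# Register the firewall as a RADIUS client, skipping if the name already exists.
if (-not (Get-NpsRadiusClient | Where-Object Name -eq $ClientName)) {
    New-NpsRadiusClient -Name $ClientName -Address $ClientAddr -SharedSecret $SharedSecret | Out-Null
}

# Installing the NPS role adds inbound RADIUS rules that allow any source.
# Disable them so only the explicit, address-scoped rules below apply.
# (Rule names assumed to start with 'Network Policy Server'; confirm with
# Get-NetFirewallRule on your build before relying on this.)
Get-NetFirewallRule -Direction Inbound |
    Where-Object DisplayName -like 'Network Policy Server*' |
    Disable-NetFirewallRule

# Allow RADIUS authentication (UDP 1812) and accounting (UDP 1813) only from the
# registered client. NPS also listens on the legacy ports 1645/1646; giving them
# no allow rule leaves them blocked by the default inbound policy.
$ruleParams = @{
    Direction     = 'Inbound'
    Protocol      = 'UDP'
    RemoteAddress = $ClientAddr
    Action        = 'Allow'
    Profile       = 'Domain'
}
New-NetFirewallRule -DisplayName 'RADIUS auth from perimeter FW'       -LocalPort 1812 @ruleParams | Out-Null
New-NetFirewallRule -DisplayName 'RADIUS accounting from perimeter FW' -LocalPort 1813 @ruleParams | Out-Null

# Verify: exactly the clients you expect, and allow rules scoped to their address.
Get-NpsRadiusClient | Select-Object Name, Address
Get-NetFirewallRule -DisplayName 'RADIUS * from perimeter FW' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress

"Shared secret for the firewall side (store it in the password vault): $SharedSecret"
Remove-Variable SharedSecret
```

If more RADIUS clients are added later (a wireless controller, a second firewall), add them with `New-NpsRadiusClient` and widen `RemoteAddress` on the two rules to the list of their addresses rather than re-enabling the any-source rules; the NPS client list and the firewall scope should always name the same set of hosts.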

