Hello,
I'm planning to let my ASA5510 do only the network security (DMZ, Internet, LAN), and to go to RRAS and an NPS proxy for VPN (I really want to try SSTP and IKEv2) on two 2012 R2 servers, for redundancy.
The two servers will be in the DMZ and configured as stand-alone. At this point there is nothing about the AD accounts stored on those servers.... nice!
But what if someone uses a zero-day exploit to take control of one of the two servers? On the RRAS server, he just needs to set a secondary IP that is configured for the VPN and he will get past the DMZ.
And as an example, go to an RDSH server (with the same exploit), and then jump to a DC.
Am I correct? Is there any best practice about this? Or maybe this is the best way to secure the servers and I really don't need to care?
Thx,
Ludovic
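The pivot described in the post relies on the ASA's DMZ policy treating anything sourced from the VPN client pool as trusted. Below is an added example (not from the original post or from the poster's network) of an inbound ACL on the ASA's DMZ interface that scopes what the RRAS/NPS-proxy host and the VPN pool may reach. Every address, object name, the interface name "dmz" and the choice of an internal NPS server and a file server as the only permitted destinations are assumptions made for illustration; the RADIUS ports are the standard 1812/1813.

```cisco
! Added example, not part of the original post. Addresses, object names and the
! interface name "dmz" are assumptions.
object network RRAS_DMZ
 host 192.0.2.10
object network NPS_INTERNAL
 host 10.10.0.5
object network LAN_FILE_SRV
 host 10.10.0.20
object network VPN_POOL
 subnet 10.99.0.0 255.255.255.0
!
! Return traffic for the VPN pool must be routed back to the RRAS server.
route dmz 10.99.0.0 255.255.255.0 192.0.2.10 1
!
! Weak setting (left commented): the whole pool, and anything on the RRAS box
! that sources a pool address, can reach the entire LAN.
!   access-list DMZ_IN extended permit ip object VPN_POOL any
!
! Scoped setting: the DMZ RRAS/NPS-proxy host may only talk RADIUS to the
! internal NPS, and the VPN pool may only reach the services VPN users need.
access-list DMZ_IN extended permit udp object RRAS_DMZ object NPS_INTERNAL eq 1812
access-list DMZ_IN extended permit udp object RRAS_DMZ object NPS_INTERNAL eq 1813
access-list DMZ_IN extended permit tcp object VPN_POOL object LAN_FILE_SRV eq 445
! Everything else from the DMZ toward the inside is dropped and logged, so a
! compromised RRAS host probing RDP (3389) or a DC shows up in the ASA syslog.
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Drop packets whose source address does not belong on the DMZ interface.
ip verify reverse-path interface dmz
```

Two caveats on this configuration. First, `ip verify reverse-path` does not help against the scenario in the post: a pool address sourced from the RRAS server is exactly where the ASA's route for the pool points, so it passes the check; what limits the damage is the narrow permit list and the logged deny. Second, the ACL cannot tell a legitimate VPN client apart from a compromised RRAS server using a pool address, so the pool should only ever be permitted to the handful of services VPN users actually need, never to RDSH or domain controllers directly.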