Use a very strong RADIUS shared secret key comprising a random set of alpha, numeric, and symbols. The key length should be between 22 and 128 characters and it should be changed periodically.
When configuring the ISA VPN server, be sure to check for alerts both in the ISA Management console and in the server's event log. The RRAS service often logs descriptive messages.
Use the IPSec pre-shared key to verify VPN communication during troubleshooting; this will help identify a problem with network or certificates. Refrain from using the pre-shared key in production environments to minimize security risks.
Deploy two-factor authentication methods such as SecurID or smart cards using EAP authentication whenever possible. This provides for secured L2TP/IPSec VPN encryption.
Simplify a PKI Certificate deployment through the AD autoenrollment when possible.
Use the Connection Management Administration Kit (CMAK) to simplify client VPN rollout.
Use Layer 2 Tunneling Protocol (L2TP) with IP Security (IPSec), instead of the Point-to-Point Tunneling Protocol (PPTP) to secure VPN connections whenever possible.