SOP – Secure VPN with MFA Configuration

SOP – Secure VPN with MFA Configuration for L3 Support Engineers

---

1. Objective

Define a standardized, secure, and auditable procedure for configuring and validating VPN access protected by Multi-Factor Authentication (MFA) for L3 support engineers.

---

2. Scope

This SOP applies to:

• L3 support engineers requiring privileged remote access
• Corporate-managed endpoints (Windows, macOS, Linux)
• Approved VPN gateways and identity providers (IdPs)

This SOP excludes:

• Non-privileged users
• Unmanaged or personal devices (BYOD)
• Users without approved access rights

---

3. Definitions

• VPN: Virtual Private Network enabling secure remote access
• MFA: Multi-Factor Authentication requiring two or more verification factors
• IdP: Identity Provider responsible for authentication
• SIEM: Security Information and Event Management system
• ISMS: Information Security Management System

---

4. Roles and Responsibilities

Role	Responsibility
L3 Support Engineer	Execute procedure, maintain MFA, report issues
IT Security Team	Configure VPN, enforce MFA, monitor logs
IAM Team	Manage identities and MFA enrollment
Endpoint Management	Ensure device compliance
Service Desk	Provide Level 1–2 support

---

5. Process Overview

The VPN authentication process follows these steps:

1. The engineer initiates a VPN connection using the approved client.
2. The VPN client sends an access request to the VPN gateway.
3. The VPN gateway forwards authentication to the Identity Provider (IdP).
4. The IdP validates credentials and triggers an MFA challenge.
5. The engineer completes the MFA challenge.
6. Upon successful authentication, a secure VPN tunnel is established.

---

6. Compliance Alignment (ISO/IEC 27001:2022)

Control	Description
A.5.17	Secure authentication (MFA enforcement)
A.5.18	Access rights management
A.5.19	Access control
A.8.9	Secure configuration
A.8.16	Monitoring and logging

---

7. Prerequisites

Before starting, ensure:

• Active corporate account with approved privileged access
• Device enrolled in endpoint management (e.g., Intune, JAMF)
• MFA configured with at least two factors
• Approved VPN client installed
• VPN gateway URL and credentials available
• Required certificates installed (if applicable)

---

8. Procedure

8.1 Configure VPN Client

Step 1 – Launch Client

Open the approved VPN client on the managed device.

Step 2 – Create VPN Profile

• Enter VPN gateway URL
• Select protocol:
  • SSL VPN (default)
  • IPSec (only if required)

Step 3 – Configure Authentication

• Set authentication method to SAML or RADIUS with MFA
• Enable username and password authentication
• Select certificate if required

Step 4 – Apply Security Settings

• Enable Always-On VPN (if required)
• Disable split tunneling unless explicitly approved
• Enable DNS leak protection
• Enforce TLS 1.2 or higher
• Use corporate DNS servers

---

8.2 Configure MFA

Step 5 – Enroll MFA

• Register at least two factors:
  • Authenticator app (primary)
  • Backup method (hardware token or recovery code)

Step 6 – Validate MFA

• Perform test authentication
• Confirm MFA challenge is triggered
• Confirm successful authentication

---

8.3 Establish VPN Connection

Step 7 – Initiate Connection

• Select VPN profile
• Enter credentials

Step 8 – Complete MFA

• Approve MFA request
• Wait for connection confirmation

---

8.4 Post-Connection Validation

Step 9 – Validate Network Access

• Resolve internal DNS
• Access internal systems
• Confirm VPN IP assignment

Step 10 – Validate Security Status

• Confirm endpoint compliance
• Verify split tunneling is disabled
• Confirm logs appear in SIEM

---

9. Verification Criteria

Functional

• VPN status = Connected
• MFA triggered successfully
• Internal resources accessible

Security

• Logs recorded in SIEM
• MFA enforced for all sessions
• No unauthorized attempts detected

Performance

• Latency < 100 ms
• Packet loss < 1%

---

10. Failure Handling

Issue	Action
MFA not triggered	Re-enroll MFA or check IdP
VPN connection fails	Verify DNS, certificates, compliance
Authentication failure	Reset credentials or escalate

---

11. Rollback Procedure

1. Disconnect VPN
2. Restore previous VPN configuration
3. Remove incorrect certificates
4. Revert endpoint configuration changes
5. Escalate to IT Security if unresolved

---

12. Security Risks

• Unauthorized access without MFA
• Misconfigured VPN exposing internal traffic
• Split tunneling leading to data leakage

---

13. Exceptions

Exceptions must:

• Be documented and justified
• Be approved by the CISO or delegate
• Include compensating controls
• Be reviewed annually

---

14. Records and Evidence

Record	Retention
VPN logs	12–24 months
MFA logs	Per IAM policy
Endpoint compliance reports	Per device policy
Incident tickets	Per ITSM policy

---

15. Change Management

• Submit formal change request
• Obtain approval from IT Security and IAM
• Update SOP version and revision history
• Communicate changes to stakeholders

---

16. Revision History

Version	Date	Author	Changes
1.0.0	2026-03-30	Maliki Kamara	Initial version

---

17. Appendices

Appendix A – Approved VPN Clients

• Cisco AnyConnect
• Palo Alto GlobalProtect
• Fortinet FortiClient
• OpenVPN
• WireGuard (if approved)

Appendix B – Approved MFA Methods

• Authenticator app (TOTP or push)
• FIDO2 hardware token
• Smartcard / PIV
• Backup recovery codes

Appendix C – Troubleshooting Quick Reference

Issue	Resolution
No MFA prompt	Check device or re-enroll
VPN failure	Validate certificates and DNS
Split tunneling active	Reapply policy