Using EAP User Certificate Authentication for ISA Firewall Site to Site VPNs (2004)

Using EAP User Certificate Authentication for ISA Firewall Site to Site VPNs (2004)

by Thomas W Shinder MD, MVP

Got Questions?
Discuss this article at
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000286

We talked about using the ISA firewall as a remote access VPN server and VPN gateway in Chapter 9 of our book Dr. Tom Shinder’s Configuring ISA Server 2004. But because of limitations on the number of pages we could put into the book, we weren’t able to include the instructions for how to configure a site to site VPN connection using EAP user authentication for the calling VPN gateway account. Therefore, we’ll put the instructions on how to get this setup here on www.isaserver.org.

Since the ISA firewall represents the industry standard for Unified Threat Management (UTM) devices, it only makes good sense that you replace those stateful filtering firewall/VPN gateways with an UTM device that sports both stateful filtering and stateful application layer inspection engines. We always recommend that you switch over from your third-party VPN gateways and use the ISA firewall’s advanced stateful filtering and advanced stateful application layer inspection features.

Most organizations using an ISA firewall as a VPN gateway have them configured to use MS-CHAPv2 authentication and PPTP and L2TP/IPSec site to site links. While this setup provides an acceptable level of performance and security, you can do better. The highest level of security for the gateway to gateway link is attained by requiring the calling VPN gateway to use EAP certificate-based authentication and the L2TP/IPSec VPN protocol.

You need to perform the following tasks to get the calling VPN gateway to present a user certificate to the answering VPN gateway and establish the VPN gateway to gateway link:

The answering VPN gateway must be a member of the internal network domain. Non-domain VPN gateways can not use EAP certificate-based authentication.
 

The enterprise CA will issue a machine certificate to the answering VPN gateway. This is done via the Certificates MMC or via Group-policy autoenrollment. Our lab network has already installed and configured the enterprise CA.

After the enterprise CA is installed and configured, issue the answering VPN gateway a machine certificate using either the Certificates MMC or Group Policy-based autoenrollment. We discussed the details of this procedure in Chapter 9.
 

The calling VPN gateway needs to obtain a router certificate that it presents as its user credentials. The easiest way to accomplish this is to publish the enterprise CA’s autoenrollment site. You will also need confirm that the enterprise CA’s Root CA certificate is contained in the Trusted Root Certificate Authorities node in the calling VPN gateways machine certificate store. Note that in contrast to the answering VPN gateway, the CA certificate isn’t automatically placed in the calling VPN gateway’s Trusted Root Certification Authorities certificate store because the calling VPN gateway is not a member of the Internal network domain. You can leverage the current MS-CHAPv2 authenticated site to site VPN to request the certificate.
 

Export the router user certificate installed on the calling VPN gateway to a .cer file. This file will be used to map the account on the answering VPN gateway to an Active Directory user account.
 

VPN gateway in Active Directory Users and Computers
A user account for the demand dial interface on the answering VPN gateway is created automatically when you run the Local VPN Wizard. You need to create a user account with the same name in the Active Directory so that the calling router’s certificate can be mapped to this account.
 

The .cer file containing the exported certificate is copied to a domain controller on the internal network. Map this certificate to the user account by has the same name as the answering router’s demand dial interface.
 

We need to tweak the branch office’s ISA firewall’s settings so that it will use EAP user certificate authentication instead of MS-CHAPv2.
 

We will have to make a couple of tweaks to the answering VPN gateway’s configuration to support EAP user certificate authentication before it will work.

We will assume that you have already configured a PPTP site to site VPN link between the main office and branch office ISA firewalls. The details of this configuration are included in Chapter 9 of our book. We’ll use this site to site VPN to allow the branch office ISA firewall to obtain the router certificate. This removes the requirement of publishing the CA and also prevents you from needing to allow Web connections from the branch office firewall itself (which you obviously want to avoid to maintain the security on the branch office ISA firewall).

The answering ISA firewall at the main office must be a member of an Active Directory domain in order to support EAP user certificate authentication for the branch office ISA firewall. Standalone Windows 2000/Windows Server 2003 computers cannot accept certificates from calling routers for authentication because the answering ISA firewall must be able to authenticate the user account against the account’s certificate mapping in the Active Directory.

You can join the ISA firewall to any domain and not worry about attacks against the firewall compromising the domain. If an attacker were ever able to compromise the firewall to the extent that they could leverage the firewall’s domain membership, the fact that the machine is a member of the domain would be moot, since that machine would be “owned”. The chance of an attacker owning the ISA firewall is remote at worst and infinitesimal at best.

In this case, the main office ISA Server firewall belongs to the Internal network domain. Certificates are obtained from an enterprise CA installed in this domain. The user account mapped to the router’s certificate is configured in this domain.

An enterprise Microsoft Certificate Server allows you to issue certificates using the following methods:

• Domain member computers can use the Certificates MMC to request and install certificates using a simple, fail-proof Certificate Request Wizard
• Domain member computers can leverage Active Directory Group Policy to automatically obtain machine certificates via autoenrollment
• All computers (domain members and non-domain members) can obtain certificates from the Web enrollment site on the enterprise CA.

The most efficient method of deploying both user and machine certificates is to configure Group Policy to automatically assign them via autoenrollment. The only limitation to this approach is that machines must be members of a Windows 2000 or Windows Server 2003 domain.

The calling router is not a member of the Active Directory domain. For this reason it cannot obtain a certificate via autoenrollment or by using the Certificates standalone MMC snap-in. Non-domain members can use the Web enrollment site to obtain a certificate. However, you will need to configure the enterprise CA to issue Router (offline) certificates before this option becomes available on the Web enrollment site.

Perform the following steps to configure the CA to issue Router (offline) certificates:

1. Click Start point to Administrative Tools and click on Certification Authority. In the Certification Authority console, expand you server name.
2. Right click on the Certificate Templates node in the left pane of the console, point to New and click on Certificate Template to Issue.

3. Select the Router (Offline request) certificate template in the Enable Certificate Templates dialog box. Click OK.

3. The Router (Offline request) certificate template now appears in the right pane of the Certification Authority console. The calling VPN gateway will now be able to obtain a router certificate from the enterprise Certificate Server using the Web enrollment site.

4. Close the Certification Authority console.

The answering VPN gateway needs a machine certificate so that it can create the L2TP/IPSec connection with the calling router. The machine certificate allows the answering VPN gateway to identify itself to the calling VPN gateway. In addition, the Certificate Server’s CA certificate is automatically placed in the Trusted Root Certification Authorities node in the answering VPN gateways machine certificate store.

Because main office ISA firewall is a member of the Internal Network domain and the Internal Network domain hosts an enterprise CA, the CA certificate is automatically placed in the ISA firewall’s Trusted Root Certification Authorities machine certificate store.

We have described the procedure on how to assign a machine certificate to the main office ISA firewall in Chapter 9. You will need a machine certificate installed on the main office ISA firewall so that the calling ISA firewall can identify the main office ISA firewall via the common name on the main office ISA firewall’s machine certificate.

The calling VPN gateway needs to obtain a router certificate from the enterprise CA. You don’t need to make any configuration changes to the ISA Server firewall/VPN gateway at the local site if the calling router is being prepared on the local network prior to being shipped to the remote office.

In this example we’ll assume that the calling ISA firewall is already configured with a site to site VPN that allows it to connect to the branch office. You will need to create an Access Rule on the calling VPN gateway that allows the Local Host Network access to the main office Network using TCP port 80. You can delete or disable this rule later if you obtain the router certificate from the Web enrollment site.

Perform the following steps to obtain the router certificate for the calling VPN gateway:

1. Enter the URL at which the enterprise CA can be reached. In this example the calling VPN gateway connects via a Server Publishing Rule, so we type in the http://10.0.0.2/certsrv, where the 10.0.0.2 is the address of the certificate server on the main office network. Enter an administrator’s username and password in the authentication dialog box and click OK.
2. Click the Request a certificate link on the Welcome page of the enterprise CA’s Web enrollment site.
3. Click the advanced certificate requests link on the Request a Certificate page
4. Click the Create and submit a request to this CA link on the Advanced Certificate Request page
5. On the Advanced Certificate Request page, click the down arrow for the Certificate Template drop down list box. Select the Router (Offline request) option. In the Name text box under the Identifying Information For Offline Template, type in the name of the demand dial interface you will created using the Remote Site Network wizard at the main office. In this example, the demand-dial interface at the main office will be named Branch, so the name on the certificate will also need to be named Branch. Put a checkmark in the Store certificate in the local computer certificate store checkbox. Scroll down to the bottom of the page and click the Submit button.
6. Click Yes on the Potential Scripting Violation dialog box warning you that the Web site is requesting a new certificate on your behalf.
7. Click the Install this certificate link on the Certificate Issued page.
8. Click Yes on the Potential Script Violation dialog box warning you that the Web site is adding one or more certificates to the computer.
9. Close Internet Explorer after you see the Certificate Installed page.

Now you need to export the Root CA certificate to a file and import this CA certificate into the Trusted Root Certification Authorities node on the calling VPN gateway. Unlike the situation when you use the Certificates MMC snap-in to obtain a certificate, the Root CA certificate is not automatically added to Root Authorities node when you obtain the certificate from the Web enrollment site.

Perform the following steps to export the Root CA certificate and then import it into the Trusted Root Certification Authorities node in the calling VPN gateway’s machine certificate store:

1. Click Start then click the Run command. Type mmc in the Open text box and click OK. Click the File menu in the Console1 console and click the Add/Remove Snap-in command
2. Click the Add button in the Add/Remove Snap-in dialog box.
3. In the Add Standalone Snap-in dialog box, click the Certificates snap-in and click Add.
4. Select the Computer account option on the This snap-in will always manage certificates for page. Click Next.
5. Select the Local computer option on the Select the computer you want this snap-in to manage page. Click Finish.
6. Click Close on the Add Standalone Snap-in dialog box.
7. Click OK on the Add/Remove Snap-in dialog box.
8. Click on the Certificate Path tab on the Certificate dialog box. Notice that the Root CA certificate has a red “x” on it. This indicates that the Root CA certificate is not trusted. Click on the Root CA certificate with the red “x” on it and then click the View Certificate button.
9. Click on the Details tab of the Root CA’s Certificate dialog box. Click the Copy to File button.
10. Click Next on the Welcome to the Certificate Export Wizard page.
11. On the Export File Format page, select the Cryptographic Message Syntax Standard – PKCS #7 Certificate (.P7B) option. Put a checkmark in the Include all certificate in the certification path if possible checkbox. Click Next.

12. On the File to Export page, type in a path and file name for the certificate file in the File name text box. Click Next.
13. Review you settings in the Completing the Certificate Export Wizard page and click Finish.
14. Click OK on the Certificate Export Wizard dialog box informing you that the export was successful.
15. Close all of the Certificate dialog boxes.
16. Now that the Root CA certificate has been exported to a file on the local hard disk, you can import it into the Trusted Root Certification Authorities certificate store. Expand the Trusted Root Certification Authorities node in the left pane of the console and click on the Certificates node. Right click on the Certificates node, point to All Tasks and click on Import
17. Click Next on the Welcome to the Certificate Import Wizard page.
18. Use the Browse button on the File to Import page to find the exported Root CA certificate file. Click Next.
19. Use the default setting, Place all certificates in the following store option on the Certificate Store page. Click Next.
20. Review your settings and click Finish on the Completing the Certificate Import Wizard page
21. Click OK on the Certificate Important Wizard dialog box informing you that the import was successful.
22. If you open the machine certificate again and look at the certificate path, you’ll find that the red “x” no longer appears on the Root CA certificate.

Now we need to export the router user certificate to a file. Perform the following steps to export the router user certificate to a file:

1. Click Start then click the Run command. Type mmc in the Open text box and click OK. Click the File menu in the Console1 console and click the Add/Remove Snap-in command
2. Click the Add button in the Add/Remove Snap-in dialog box.
3. In the Add Standalone Snap-in dialog box, click the Certificates snap-in and click Add.
4. Select the Computer account option on the This snap-in will always manage certificates for page. Click Next.
5. Select the Local computer option on the Select the computer you want this snap-in to manage page. Click Finish.
6. Click Close on the Add Standalone Snap-in dialog box.
7. Click OK on the Add/Remove Snap-in dialog box.
8. Click on the Personal\Certificates node. Right click on the router certificate in the right pane of the console, point to All Tasks and click on Export.
9. Click Next on the Welcome to the Certificate Export Wizard page. Click Next.
10. The only option available to you on the Export Private Key page is the No, do not export the private key. This is because when we requested the certificate we did not mark the key as exportable. This is a good security decision because you don’t want the key on the gateway to be exportable in the event that someone should obtain physical access to the firewall. Click Next.
11. Select the Base-64 encoded X.509 (.CER) option on the Export File Format page. Click Next.

12. Enter a path and file name for the exported router user certificate in the File name text box. Click Next.
13. Review your settings on the Completing the Certificate Export Wizard page and click Finish.
14. Click OK on the Certificate Export Wizard dialog box informing you that the export was successful

Use the Active Directory Users and Computers console to add a new user account that has the same name as demand-dial interface on the answering ISA firewall. In this example, the name of the demand-dial interface on the answering ISA firewall at the main office is Branch, and a user account with the exact same name will be created in the Active Directory.

You can use any strong password you like for this account. The calling VPN gateway presents the certificate to the answering VPN gateway. You will not need to configure a password for the calling VPN gateway to use when it connects to the answering gateway; on the certificate is required.

Note that you must configure this account to have Remote Access Permissions in the Active Directory, as seen in the figure below. After creating the account, the next step will be to bind the router certificate to this account.

The next step is to map the user account you created for the calling router to the router’s certificate. Perform the following steps to create this mapping:

1. Click Start, point to Administrative Tools and click on Active Directory Users and Computer. Right click on the Users node and point to View. Click on the Advanced Features command.
2. In the Active Directory Users and Computers console, expand your domain name and click on the Users node in the left pane of the console. Right click on the calling VPN gateway’s user account (Branch in this example) and click the Name Mappings command.
3. In the Security Identity Mapping dialog box, click on the X.509 tab. On the X.509 tab, click on the Add button.
4. In the Add Certificate dialog box and select the calling VPN gateway’s certificate that you copied to the domain controller. Click Open after selecting the certificate.
5. In the Add Certificate dialog box, place a checkmark in the Use Subject to alternate security identity checkbox. Click OK.

6. The calling VPN gateway’s user certificate now appears in the X-509 certificates list on the Security Identity Mapping dialog box. Click OK.

The calling VPN gateway’s user certificate is now mapped to a user account in the Active Directory. When the calling VPN gateway calls and presents its certificate to the answering VPN gateway for authentication, the name on the certificate will be compared to the name in the Active Directory to confirm that the calling VPN gateway his remote access permission.

Now that the remote router’s user certificate is mapped to it’s Active Directory account, we can get down to the business of configuring the branch office ISA firewall to use EAP user certificate authentication for its demand-dial interface.

Perform the following steps in the Microsoft Internet Security and Acceleration Server 2004 management console on the branch office ISA firewall:

1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Virtual Private Networks (VPN) node in the left pane of the console.
2. On the Virtual Private Networks (VPN) node, click the Remote Sites tab in the Details pane.
3. On the Remote Sites tab, double click the Remote Site Network. In this example, the Remote Site Network is named Main.
4. In the Main Properties dialog box, click the Authentication tab. On the Authentication tab select the Extensible authentication protocol (EAP). Examples, user certificates, RSA SecurID option. Click Apply and then click OK.

5. Click Apply to save the changes and update the firewall policy.
6. Click OK in the Apply New Configuration dialog box.

The next step is to configure the demand-dial interface at the branch office ISA firewall to use the router certificate for the demand-dial connection:

1. At the branch office ISA firewall, open the Routing and Remote Access console.
2. In the Routing and Remote Access console, expand the server name and then click the Network Interfaces node in the left pane of the console.
3. Right click the Main entry in the right pane of the console (where Main is the name of the demand-dial interface) and click Properties.
4. In the Main Properties dialog box, click the Security tab. On the Security tab, select the Advanced (custom settings) option and then click the Settings button.
5. In the Advanced Security Settings dialog box, select the Use Extensible Authentication Protocol (EAP) option and click the Properties button.
6. In the Smart Card or other Certificate Properties dialog box, select the Use a certificate on this computer option. Put a checkmark in the Validate server certificate checkbox and put a checkmark in the Connect to these servers checkbox. Enter the name on the certificate assigned to the main office ISA firewall. The name on the main office’s ISA firewall is isalocal.msfirewall.org, so we enter this into the text box. In the list of Trusted Root Certification Authorities, select the enterprise CA on the main office network. Click OK.

7. Click OK in the Advanced Security Settings dialog box.
8. Click OK in the Main Properties dialog box.
9. Click OK in the Network Connections dialog box that you may see if the demand-dial connection is currently active.
10. Right click on the demand-dial interface and click Set Credentials. In the Select Certificate dialog box, select the router certificate and click OK.

Now we need to enable the main office ISA firewall to support EAP authentication. Perform the following steps to enable the main office ISA firewall to accept EAP user certificate authentication:

1. At the main office ISA firewall, open the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Virtual Private Network (VPN) node.
2. While in the Virtual Private Networks (VPN) node, click the Tasks tab in the Task Pane and then click the Select Authentication Methods link.
3. In the Virtual Private Networks (VPN) Properties dialog box, click the Authentication tab. Put a checkmark in the Extensible authentication protocol (EAP) with smart card or other certificate (ISA Server must belong to a domain) checkbox. Click Apply and then click OK.

At this point the branch office ISA firewall is configured to use EAP user certificate authentication to call the main office and the main office ISA firewall is configured to accept incoming EAP user certificate authentication requests. You should now disable and delete the user account you created on the main office ISA firewalls that the branch office ISA firewall used to authenticate to the main office ISA firewall’s demand-dial interface.

Restart both the main and branch office ISA firewalls.

From a host on the branch office network, ping a host on the main office network. Once the connection is established you’ll see the connection in the Sessions tab on the Monitoring node.

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000286 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom

If you would like us to email you when Tom Shinder releases another article on ISAserver.org, subscribe to our ‘Real-Time Article Update’ by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy.