Configuring the Calling ISA Server Firewall/VPN Gateway to use EAP/TLS Certificate Authentication – Part 1
By Thomas W Shinder, M.D.
A gateway to gateway VPN allows you to connect two networks to each other using the Internet as the "cable" between the networks. Gateway to gateway VPN links have the potential to save an organization a significant amount of money by obviating the requirement for a dedicated link between the sites. All packets destined for the remote network move through the VPN gateway to gateway link and information moving over the link is protected by the encryption method used by the VPN protocol.
You should always configure ISA Server firewall/VPN gateways so that one side is the caller and the other side is the answerer. The calling VPN gateway is typically located at a remote office and the answering VPN gateway is at the main office. However, if you require a greater level of administrative control, you may wish to make the main office VPN gateway the calling router.
You can join multiple remote offices using VPN gateway to gateway links to create a hub and spoke VPN network. All gateway to gateway links should have one side be the caller and the other side be the answer. Never configure the gateway to gateway connections in a way that allows both sides to dial each other.
No matter what side does the calling, the calling VPN gateway must present credentials to the answering VPN gateway. After running the ISA Server 2000 Local VPN Wizard, a user account is created on the answering VPN gateway, and the calling VPN gateway presents a user name and password for this user. If the user name and password the calling VPN gateway presents to the answering VPN gateway matches the account on the answering VPN gateway, then the connection is allowed and the VPN gateway to gateway link is established.
Most organizations using ISA Server firewall/VPN gateways have them configured to use MS-CHAPv2 authentication and PPTP. While this setup provides an acceptable level of performance and security, you can do better. The highest level of security for the gateway to gateway link is attained by requiring the calling VPN gateway to use EAP/TLS certificate-based authentication and the L2TP/IPSec VPN protocol.
You need to perform the following tasks to get the calling VPN gateway to present a user certificate to the answering VPN gateway and establish the VPN gateway to gateway link:
- Join the answering VPN gateway to the internal network domain
The answering VPN gateway must be a member of the internal network domain. Non-domain VPN gateways can not use EAP/TLS certificate-based authentication.
- Install an enterprise Microsoft Certificate Authority on the internal network and configure the CA to use the Router (Offline) certificate template
The enterprise CA will issue a machine certificate to the answering VPN gateway. This is done via the Certificates MMC or via Group-policy autoenrollment.
- Assign a machine certificate to the answering VPN gateway using the Certificates MMC or Group Policy-based autoenrollment
After the enterprise CA is installed and configured, issue the answering VPN gateway a machine certificate using either the Certificates MMC or Group Policy-based autoenrollment.
- Have the calling VPN gateway use the enterprise CA’s Web enrollment site to obtain a Router (offline) certificate and install the Root CA certificate
The calling VPN gateway needs to obtain a router certificate that it presents as its user credentials. The easiest way to accomplish this is to publish the enterprise CA’s autoenrollment site. You will also need confirm that the enterprise CA’s Root CA certificate is contained in the Trusted Root Certificate Authorities node in the calling VPN gateways machine certificate store.
- Export the Router user certificate to a .cer file
Export the router certificate installed on the calling VPN gateway to a .cer file. This file will be used to map the account on the answering VPN gateway to an Active Directory user account.
- Create a user account with the same name as the gateway to gateway demand dial interface on the answering VPN gateway in Active Directory Users and Computers
A user account for the demand dial interface on the answering VPN gateway is created automatically when you run the Local VPN Wizard. You need to create a user account with the same name in the Active Directory so that the calling router’s certificate can be mapped to this account.
- Map the router user certificate to the user account with the same name as the answering VPN gateway’s demand dial interface
The .cer file containing the exported certificate is copied to a domain controller on the internal network. Map this certificate to the user account by has the same name as the answering router’s demand dial interface.
- Run the Local and Remote VPN Wizards on the answering and calling VPN gateways
Run the Local VPN Wizard is run on the answering VPN gateway and the Remote VPN Wizard run on the calling VPN gateway
- Configure name server and IP addressing parameters on the Local and Remote ISA Server firewall/VPN gateway Routing and Remote Access Service Consoles and Configure Security
The Local and Remote VPN Wizards do most of the work, but there is some fine-tuning of the VPN configuration that needs to be done in the RRAS console before its ready for production. Remote Access Policy on the answering VPN gateway must be configured to support EAP/TLS certificate authentication. You need to instruct the calling VPN gateway to present the router certificate to the answering VPN gateway.
In part 1 of this article we’ll go over the following steps:
- Join the answering VPN gateway to the internal network domain
- Install an enterprise Microsoft Certificate Authority on the internal network and configure the CA to use the
Let’s get started!
Join the Answering VPN Gateway to the Internal Network Domain
The answering VPN gateway needs to be a member of an Active Directory domain. Standalone Windows 2000/Windows Server 2003 computers cannot accept certificates from calling routers for authentication. The best way to address this issue is to make the ISA Server firewall/VPN gateway a member of the internal network domain on the internal network.
However, you can join the ISA Server firewall/VPN gateway to any domain if you prefer not to expose the internal network domain to any risks that might result from compromising the firewall. In this case, the ISA Server firewall/VPN gateway belongs to a domain that all the firewalls belong to and the certificate is obtained from an enterprise CA installed in this domain. The user account that maps to the router’s certificate is configured in this domain instead of the internal network domain.
In this article the answering VPN gateway is a member of the internal network domain.
Install an enterprise Microsoft Certificate Authority on the Internal Network and Configure the CA to Use the Router (Offline) Certificate Template
An enterprise Microsoft Certificate Server allows you to issue certificates using the following methods:
- Domain member computers can use the Certificates MMC to request and install certificates using a simple, fail-proof Certificate Request Wizard
- Domain member computers can leverage Active Directory Group Policy to automatically obtain machine certificates via autoenrollment
- All computers can obtain certificates from the Web enrollment site on the enterprise CA.
The most efficient method of deploying both user and machine certificates is to configure Group Policy to automatically assign them via autoenrollment. The only limitation to this approach is that machines must be members of a Windows 2000 or Windows Server 2003 domain.
The calling router is not a member of the Active Directory domain. For this reason it cannot obtain a certificate via autoenrollment. Non-domain members can use the Web enrollment site to obtain a certificate. However, you will need to configure the enterprise CA to issue Router (offline) certificates before this option becomes available on the Web enrollment site.
For more information on configuring Microsoft Certificate Authorities and issuing certificates, please refer to the following ISA Server 2000 VPN Deployment Kit documents:
You can perform the following steps if you have already installed a Microsoft enterprise Certificate Server on your internal network:
- Click Start point to Administrative Tools and click on Certification Authority. In the Certification Authority console, expand you server name (figure 1).
- Right click on the Certificate Templates node in the left pane of the console, point to New and click on Certificate Template to Issue (figure 2).
Figure 2 (fig2)
- Select the Router (Offline request) certificate template in the Enable Certificate Templates dialog box (figure 3). Click OK.
- The Router (Offline request) certificate template now appears in the right pane of the Certification Authority console (figure 4). The calling VPN gateway will now be able to obtain a router certificate from the enterprise Certificate Server using the Web enrollment site.
Close the Certification Authority console.
Assign a machine certificate to the answering VPN gateway using the Certificates MMC or Group Policy-based autoenrollment
The answering VPN gateway needs a machine certificate so that it can create the L2TP/IPSec connection with the calling router. The machine certificate allows the answering VPN gateway to identify itself to the calling VPN gateway. In addition, the Certificate Server’s CA certificate is automatically placed in the Trusted Root Certification Authorities node in the answering VPN gateways machine certificate store.
In this example we’ll go over how to use the Certificates MMC snap-in to request and install the machine certificate on the answering ISA Server firewall/VPN gateway. Please refer to the articles mentioned above for more information on how to use Web enrollment and autoenrollment to issue certificates.
Perform the following steps to assign the machine certificate to the answering VPN gateway using the Certificates snap-in.
- Click Start then click the Run command. Type mmc in the Open text box and click OK. Click the File menu in the Console1 console and click the Add/Remove Snap-in command (figure 5)
- Click the Add button in the Add/Remove Snap-in dialog box (figure 6).
- In the Add Standalone Snap-in dialog box, click the Certificates snap-in and click Add (figure 7).
- Select the Computer account option on the This snap-in will always manage certificates for page (figure 8). Click Next.
- Select the Local computer option on the Select the computer you want this snap-in to manage page (figure 9). Click Finish.
- Click Close on the Add Standalone Snap-in dialog box (figure 10).
- Click OK on the Add/Remove Snap-in dialog box (figure 11).
- In the Console1 console, Right click on the Certificates node, point to All Tasks and click Request New Certificate (figure 12).
- Read the information on the Welcome to the Certificate Request Wizard page and click Next (figure 13)
- Click on the Computer certificate template in the Certificate types list on the Certificate Types list (figure 14). Click Next.
- Provide an easy to read name in the Friendly name text box and include an optional description in the Description text box on the Certificate Friendly name and Description page (figure 15). Click Next.
- Click Finish on the Completing the Certificate Request Wizard page (figure 16).
- Click OK on the Certificate Request Wizard dialog box informing you that the request was successful (figure 17).
The answering VPN gateway now has a computer certificate, and the Certificate Server’s Root CA certificate is in the Trusted Root Certification Authorities node in the machine certificate store on this computer.
Perform the following steps to confirm that the Root CA certificate is in the trusted root store:
- Click on the Personal\Certificates node in the left pane of the console. Double click on the computer certificate located in the right pane (figure 18).
- Click on the Certification Path tab on the Certificate dialog box (figure 19). You see the Root CA on the top of the list and the friendly name of this machine’s computer certificate on the bottom. The Root CA in this example is ISAROOT. It is this certificate that must be included in the Trusted Root Certification Authorities certificate store.
- Expand the Trusted Root Certification Authorities node and click on the Certificates node (figure 20). You will see the Root CA’s certificate in the right pane of the console.
In part 1 of this series on how to use EAP/TLS certificate-based authentication for gateway to gateway VPN routers, we examined all the steps required to make this configuration work and then went through the detailed step by step procedures required to obtain a machine certificate on the answering VPN gateway and making the Router (offline request) certificate template available on the enterprise CA’s Web enrollment site.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over tohttp://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001759 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom