Configuring the Calling ISA Server Firewall/VPN Gateway to use EAP/TLS Certificate Authentication – Part 2

The calling VPN gateway needs to obtain a router certificate from the enterprise CA. You don’t need to make any configuration changes to the ISA Server firewall/VPN gateway at the local site if the calling router is being prepared on the local network prior to being shipped to the remote office.

However, you will need to make some changes to the ISA Server firewall/VPN gateway if the calling VPN gateway is already at the remote office. There are several options available to you:

You can use any of these methods to accomplish the goal of connecting to the enterprise CA’s Web enrollment site. In this example we created a simple Server Publishing Rule that used an HTTP Server (inbound TCP 80) Protocol Definition to publish the enterprise CA’s Web enrollment site. IIS was not installed on the firewall and all Incoming Web Requests listeners were removed.

Perform the following steps to obtain the router certificate for the calling VPN gateway:

1. Type in the URL at which the enterprise CA can be reached. In this example the calling VPN gateway connects via a Server Publishing Rule, so we type in the http://<public_address/certsrv, where the public address is the address on the external interface of the ISA Server firewall/VPN gateway listening for incoming connections for the enterprise CA. Enter an administrator’s username and password in the authentication dialog box and click OK.
   
2. Click the Request a certificate link on the Welcome page of the enterprise CA’s Web enrollment site.
   
3. Click the advanced certificate requests link on the Request a Certificate page
   
4. Click the Create and submit a request to this CA link on the Advanced Certificate Request page

5. On the Advanced Certificate Request page, click the down arrow for the Certificate Template drop down list box. Select the Router (Offline request) option. In the Name text box under the Identifying Information For Offline Template, type in the name of the demand dial interface you will create with the Local VPN Wizard.

For example, in the Local VPN Wizard you will be asked to name the local network and the remote network. If you name the local network local1 and the remote network remote1, then the name of the demand dial interface will be local1_remote1. This is the name you type in the Name text box on the Advanced Certificate Request page.

Put a checkmark in the Store certificate in the local computer certificate store checkbox. Scroll down to the bottom of the page and click the Submit button.

6. Click Yes on the Potential Scripting Violation dialog box warning you that the Web site is requesting a new certificate on your behalf.
   
7. Click the Install this certificate link on the Certificate Issued page.

8. Click Yes on the Potential Script Violation dialog box warning you that the Web site is adding one or more certificates to the computer.
   
9. Close Internet Explorer after you see the Certificate Installed page.

Now you need to export the Root CA certificate to a file and import this CA certificate into the Trusted Root Certification Authorities node on the calling VPN gateway. Unlike the situation when you use the Certificates MMC snap-in to obtain a certificate, the Root CA certificate is not automatically added to Root Authorities node when you obtain the certificate from the Web enrollment site.

Perform the following steps to export the Root CA certificate and then import it into the Trusted Root Certification Authorities node in the calling VPN gateway’s machine certificate store:

1. Click Start then click the Run command. Type mmc in the Open text box and click OK. Click the File menu in the Console1 console and click the Add/Remove Snap-in command
   
2. Click the Add button in the Add/Remove Snap-in dialog box.
   
3. In the Add Standalone Snap-in dialog box, click the Certificates snap-in and click Add.
   
4. Select the Computer account option on the This snap-in will always manage certificates for page. Click Next.
   
5. Select the Local computer option on the Select the computer you want this snap-in to manage page. Click Finish.
   
6. Click Close on the Add Standalone Snap-in dialog box.
   
7. Click OK on the Add/Remove Snap-in dialog box.
   
8. Click on the Certificate Path tab on the Certificate dialog box. Notice that the Root CA certificate has a red “x” on it. This indicates that the Root CA certificate is not trusted. Click on the Root CA certificate with the red “x” on it and then click the View Certificate button.

9. Click on the Details tab of the Root CA’s Certificate dialog box. Click the Copy to File button.

10. Click Next on the Welcome to the Certificate Export Wizard page.

11. On the Export File Format page, select the Cryptographic Message Syntax Standard – PKCS #7 Certificate (.P7B) option. Put a checkmark in the Include all certificate in the certification path if possible checkbox. Click Next.

12. On the File to Export page, type in a path and file name for the certificate file in the File name text box. Click Next.

13. Review you settings in the Completing the Certificate Export Wizard page and click Finish.
    
14. Click OK on the Certificate Export Wizard dialog box informing you that the export was successful.
    
15. Close all of the Certificate dialog boxes.
    
16. Now that the Root CA certificate has been exported to a file on the local hard disk, you can import it into the Trusted Root Certification Authorities certificate store. Expand the Trusted Root Certification Authorities node in the left pane of the console and click on the Certificates node. Right click on the Certificates node, point to All Tasks and click on Import

17. Click Next on the Welcome to the Certificate Import Wizard page.
    
18. Use the Browse button on the File to Import page to find the exported Root CA certificate file. Click Next.

19. Use the default setting, Place all certificates in the following store option on the Certificate Store page. Click Next.

20. Review your settings and click Finish on the Completing the Certificate Import Wizard page
    
21. Click OK on the Certificate Important Wizard dialog box informing you that the import was successful.

If you open the machine certificate again and look at the certificate path, you’ll find that the red “x” no longer appears on the Root CA certificate.

The calling VPN gateway now has a certificate it can use to present to the answering VPN gateway for authentication. The next step is to export this certificate to a file that you will copy to a domain controller. The exported router certificate will be mapped to a user account created for the calling VPN gateway.

Perform the following steps to export the router’s user certificate to a file:

1. Click Start then click the Run command. Type mmc in the Open text box and click OK. Click the File menu in the Console1 console and click the Add/Remove Snap-in command
   
2. Click the Add button in the Add/Remove Snap-in dialog box.
   
3. In the Add Standalone Snap-in dialog box, click the Certificates snap-in and click Add.
   
4. Select the Computer account option on the This snap-in will always manage certificates for page. Click Next.
   
5. Select the Local computer option on the Select the computer you want this snap-in to manage page. Click Finish.
   
6. Click Close on the Add Standalone Snap-in dialog box.
   
7. Click OK on the Add/Remove Snap-in dialog box.
   
8. Click on the Personal\Certificates node. Right click on the router certificate in the right pane of the console, point to All Tasks and click on Export.
   
9. Click Next on the Welcome to the Certificate Export Wizard page. Click Next.
   
10. The only option available to you on the Export Private Key page is the No, do not export the private key. Click Next.

11. Select the Base-64 encoded X.509 (.CER) option on the Export File Format page. Click Next.

12. Type in a path and file name for the exported router user certificate in the File name text box. Click Next.

13. Review your settings on the Completing the Certificate Export Wizard page and click Finish.

14. Click OK on the Certificate Export Wizard dialog box informing you that the export was successful.

Use the Active Directory Users and Computers console to add a new user account that has the same name as demand dial interface on the answering ISA Server firewall/VPN gateway. In this example, the name of the demand dial interface is local1_remote1 and a user account with the exact same name is created in the Active Directory.

You can use any strong password you like for this account. The calling VPN gateway presents the certificate to the answering VPN gateway. You will not need to configure a password for the calling VPN gateway to use when it connects to the answering gateway; on the certificate is required.

Note that you must configure this account to have Remote Access Permissions in the Active Directory, as seen in the figure below.

In this, part 2 of this series on using EAP/TLS certificate-based authentication with gateway to gateway VPNs, we went over the how to issue a router certificate to the calling VPN gateway, how to export the router certificate to a file and how to create a user account in the Active Directory Users and Computers console that is used by the calling router. The router certificate will be mapped to this user account.