Configuring the Calling ISA Server Firewall/VPN Gateway to use EAP/TLS Certificate Authentication – Part 4
By Thomas W Shinder M.D.
In the first part of this series on configuring a calling VPN gateway to use EAP/TLS certificate-based authentication against the answering VPN gateway, we discussed the procedures required to make the entire solution work, and then went through the details of how to enable the Router (offline request) certificate template and install a machine certificate on the answering VPN gateway.
In the second part of this series we discussed how to obtain a user certificate that the calling VPN gateway can use to present to the answering VPN gateway for authentication. We also went over the procedure on how to export the calling VPN gateway’s certificate so that it could be copied to a domain controller. After the calling VPN gateway’s certificate was copied to the domain controller, you created a user account in the Active Directory for the calling VPN gateway. You’ll map the calling VPN router’s certificate to this user account.
In the third part of this series we discussed how to map the router user certificate to a user account that had the same name as the demand dial interface on the answering router. We also ran the local and remote VPN Wizards.
In this, part 4 and the last part of the four part series, we will finish up the configuration by setting up name server and IP addressing options on the local and remote VPN gateways. We’ll also set the security parameters for the gateways so that the calling gateway uses the correct credentials to present to the answering VPN gateway.
Configure Name Server and IP Addressing Parameters on the Local and Remote ISA Server firewall/VPN gateway Routing and Remote Access Service Consoles and Security Configuration
We have almost everything in place for a functional gateway to gateway VPN configuration. Now we need to configure the local and remote gateways so that they hand out the correct IP addresses and name server addresses. This isn't critical for the gateway to gateway configuration itself, but it's likely that you'll use one or both of the servers as VPN servers for remote access clients as well, so we might as well get things set up correctly for both the VPN gateway and VPN server roles.
We’ll start with the calling (remote) VPN gateway. Perform the following steps on the calling VPN gateway:
- Open the Routing and Remote Access console from the Administrative Tools menu. Right click on the server name and click the Properties command.
- In the server’s Properties dialog box, click on the IP tab. In the IP address assignment frame, select the Static address pool option and click the Add button. In the New Address Range dialog box, enter a start and end address representing a range of IP addresses you want to assign to VPN clients and VPN gateways. Click OK in the New Address Range dialog box after entering the range of addresses.
- In the Adapter list box on the IP tab, select the adapter representing the internal interface of the ISA Server firewall/VPN server. Make sure this adapter is assigned a DNS server address and a WINS server address. These addresses will be assigned to VPN clients that connect to this machine. Click Apply and then click OK.
- Click on the Network Interfaces node in the left pane of the console. In the right pane of the console, right click on the demand dial interface created by the VPN Wizard and click the Properties command.
- Click on the Options tab. In the Connection type frame, select the Demand dial option and then select the never option from the drop down list. In the Dial policy frame, set the Redial attempts to 99 and the Average redial intervals to 3 seconds.
- Click on the Security tab. On the Security tab, select the Advanced (custom settings) option and click the Settings button. In the Advanced Security Settings dialog box, select the Use Extensible Authentication Protocol (EAP) option. Select the Smart Card or other certificate (encryption enabled) option from the drop down list. Click the Properties button.
- In the Smart Card or other Certificate Properties dialog box, select the Use a certificate on this computer option. Put a checkmark in the Validate server certificate checkbox. Put a checkmark in the Connect to these servers checkbox and then enter the name on the server certificate used by the answering VPN gateway. This is the common name (the Subject CN) on the machine certificate used by the answering VPN gateway, and it must be entered exactly as it appears on that certificate or the calling gateway will refuse the connection. Click OK.
- A Cannot configure EAP dialog box appears informing you that if you choose to verify the server certificate, you must choose a trusted root certification authority. Click OK on this dialog box.
- In the list of Trusted Root Certification Authorities, find the root CA on your internal network that issued the machine certificates to the local and remote VPN gateways. Put a checkmark in the checkbox to the left of the CA's name on the list, and tick only that CA: every CA you tick here is one whose certificates the calling gateway will accept for the answering gateway's name, so ticking additional (for example public) roots weakens the check. Click OK.
- Click OK on the Advanced Security Settings dialog box.
- Click OK on the demand dial connection’s Properties dialog box.
- Right click on the demand dial interface in the right pane of the console and click the Set Credentials command.
- In the Select Certificate dialog box, confirm that the router's user certificate is available in the User name on certificate drop down box. Click OK.
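The three settings above (Validate server certificate, Connect to these servers, and a single ticked root CA) are what stop a rogue gateway from answering the call with a certificate for the same name issued by some other CA. The following Python model is an added example, not code from the original article or from Windows: it builds a constructed root CA, a machine certificate for a gateway, and three bad certificates, then applies the same three checks (issuer is a selected root and the signature verifies, validity period, Server Authentication EKU, and the pinned common name). The CA names, the gateway name vpn-hq.corp.example and all keys are invented for the example; real EAP-TLS clients additionally build full chains and may check revocation, which this one-level model omits. It requires the `cryptography` package.

```python
"""Added example, not code from the original article: a model of the
client-side checks the calling gateway performs once "Validate server
certificate", "Connect to these servers" and a single trusted root CA are
selected. All CA names, host names and keys are constructed in memory."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime(2024, 6, 1, tzinfo=datetime.timezone.utc)
SERVER_AUTH = ExtendedKeyUsageOID.SERVER_AUTH


def _build(subject_cn, issuer_name, signing_key, public_key, is_ca, eku):
    """Issue a certificate for subject_cn signed by signing_key."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(issuer_name)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if eku:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return builder.sign(signing_key, hashes.SHA256())


def make_root_ca(cn):
    """Self-signed root standing in for an enterprise CA (constructed)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return _build(cn, name, key, key.public_key(), True, None), key


def make_machine_cert(cn, ca_cert, ca_key, eku=(SERVER_AUTH,)):
    """Machine certificate of the kind the Router template issues to a gateway."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return _build(cn, ca_cert.subject, ca_key, key.public_key(), False, list(eku))


def _utc(cert, attr):
    # cryptography >= 42 exposes *_utc; older releases only have naive datetimes.
    value = getattr(cert, attr + "_utc", None)
    if value is None:
        value = getattr(cert, attr).replace(tzinfo=datetime.timezone.utc)
    return value


def validate_answering_gateway(cert, pinned_cn, selected_roots, now=NOW):
    """Return 'ok' or the reason the calling gateway would refuse the answerer.

    selected_roots models the CAs ticked in the trusted-root list; a CA that is
    installed on the machine but not ticked is deliberately absent from it.
    """
    root = next((r for r in selected_roots if r.subject == cert.issuer), None)
    if root is None:
        return "issuer is not a selected trusted root CA"
    try:
        root.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "signature does not verify under the selected root"
    if not (_utc(cert, "not_valid_before") <= now <= _utc(cert, "not_valid_after")):
        return "certificate is outside its validity period"
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return "no Extended Key Usage extension"
    if SERVER_AUTH not in eku:
        return "certificate lacks the Server Authentication EKU"
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if cn != pinned_cn:
        return "subject CN %r does not match 'Connect to these servers' %r" % (cn, pinned_cn)
    return "ok"


def demo():
    """Constructed scenario: the real gateway, a rogue gateway whose cert for the
    same name comes from another CA, a cert for another host from the right CA,
    and a cert from the right CA without a server-authentication EKU."""
    corp_ca, corp_key = make_root_ca("CORP Enterprise Root CA")
    other_ca, other_key = make_root_ca("Some Other Root CA")
    pinned = "vpn-hq.corp.example"
    good = make_machine_cert(pinned, corp_ca, corp_key)
    rogue = make_machine_cert(pinned, other_ca, other_key)
    wrong_host = make_machine_cert("fileserver.corp.example", corp_ca, corp_key)
    no_eku = make_machine_cert(pinned, corp_ca, corp_key, eku=())
    return {
        "good": validate_answering_gateway(good, pinned, [corp_ca]),
        "rogue_ca": validate_answering_gateway(rogue, pinned, [corp_ca]),
        "wrong_host": validate_answering_gateway(wrong_host, pinned, [corp_ca]),
        "no_eku": validate_answering_gateway(no_eku, pinned, [corp_ca]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

Only the certificate issued by the ticked CA for the pinned name passes; the rogue certificate fails on the issuer check before its name is even looked at, which is the property the single ticked root buys you.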
Everything is now set up correctly on the calling VPN gateway. After you get things configured correctly on the answering VPN gateway, you can issue a request from a host on the remote network for a resource on the local network and the demand dial interface on the remote network will automatically call the local VPN gateway’s interface.
Let’s finish up by configuring the VPN parameters on the local VPN gateway. Perform the following on the answering VPN gateway:
- Open the Routing and Remote Access console and right click on the server name. Click on the Properties command.
- Click on the IP tab and select the Static address pool option in the IP address assignment frame. Click the Add button. Enter a start and end IP address in the New Address Range dialog box. Click OK after entering the range of IP addresses. These addresses will be available to VPN clients and VPN gateways that call this machine.
- Click the Adapter down arrow and select the internal interface on the firewall from the drop down list. Make sure that the internal interface is assigned a WINS and DNS server that can be used to assist VPN client name resolution on your internal network. This is especially important for VPN clients that wish to use NetBIOS names to connect to resources on the internal network.
Note that this setting does not have any effect on name resolution for clients on the remote network. You must set up a name resolution infrastructure for them as you would for any other routed or WAN network. This setting applies only to VPN clients, not to clients on the remote network that connect to the local network via the VPN gateway. The same is true for hosts on the local network that wish to connect to resources on the remote network.
- Click the Security tab. On the Security tab, select Windows Authentication from the drop down list and then click the Authentication button. In the Authentication Methods dialog box, select Extensible authentication protocol (EAP), Microsoft encrypted authentication version 2 (MS-CHAP v2) and Microsoft encrypted authentication (MS-CHAP). Only EAP is needed for the certificate-authenticated calling gateway; enable MS-CHAP v2, and the weaker MS-CHAP, only if remote access clients that depend on them also dial this server. Click the EAP Methods button.
- In the EAP Methods dialog box, confirm that the Smart Card or other certificate option is listed. If this option is not listed, it indicates that this machine is not a member of the internal network domain and you should join the machine to the internal network domain. Click OK.
- Click OK in the Authentication Methods dialog box.
- Click Apply.
- Click No in the Routing and Remote Access dialog box that asks if you want to read the help file.
- Click OK in the server’s Properties dialog box.
- Click on the Network Interfaces node in the left pane of the console. Right click on the demand dial interface in the right pane of the console and click the Properties command.
- Click on the Options tab. In the Connection type frame, select the Persistent connection option. In the Dialing policy frame, set the redial attempts to 0. Click OK.
In this, the last part of the four part series on how to get a calling VPN gateway to use secure EAP/TLS certificate authentication to authenticate to an answering VPN gateway, we went over how to customize the VPN server/gateway settings in the Routing and Remote Access consoles on the local and remote VPN gateways. You also saw how to configure the calling VPN gateway to use the correct user certificate to present to the answering VPN gateway.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001759 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom