Configuring the Calling ISA Server Firewall/VPN Gateway to use EAP/TLS Certificate Authentication – Part 3

By Thomas W Shinder M.D.

In the first part of this series on configuring a calling VPN gateway to use EAP/TLS certificate-based authentication against the answering VPN gateway, we discussed the procedures required to make the entire solution work, and then went through the details of enabling the Router (offline request) certificate template and installing a machine certificate on the answering VPN gateway.

In the second part of this series we discussed how to obtain a user certificate that the calling VPN gateway presents to the answering VPN gateway for authentication. We also went over how to export the calling VPN gateway’s certificate so that it can be copied to a domain controller. After the calling VPN gateway’s certificate was copied to the domain controller, you created a user account in the Active Directory for the calling VPN gateway. You’ll map the calling VPN router’s certificate to this user account.

In this, part 3 of the series, we’ll cover mapping the router user certificate to that user account and running the Local and Remote VPN Wizards on the answering and calling VPN gateways. Once you get the certificate mapped to the user account and run the Local and Remote VPN Wizards, you’re almost done! Part 4 will cover the final steps, which tune up the settings created by the Local and Remote VPN Wizards. Let’s get started!

Map the Router User Certificate to the User With the Same Name as the Answering VPN Gateway’s Demand Dial Interface

The next step is to map the user account you created for the calling router to the router’s certificate. Perform the following steps to create this mapping:

The calling VPN gateway’s user certificate is now mapped to a user account in the Active Directory. When the calling VPN gateway calls and presents its certificate to the answering VPN gateway for authentication, the name on the certificate is compared to the name in the Active Directory to confirm that the calling VPN gateway has remote access permission.

Run the Local and Remote VPN Wizards on the Answering and Calling VPN Gateways

The calling VPN gateway has its user certificate, and that certificate is mapped to a user account in the Active Directory in the same domain that the answering VPN gateway belongs to. Now we’re ready to put together the gateway to gateway demand dial interfaces on the calling and answering routers.

While you could manually create the demand dial interfaces on the calling and answering routers, and then manually create the packet filters on each of the ISA Servers to support the connections, I wouldn’t recommend it. Why? Because your ISA Server firewall/VPN gateways have some powerful Wizards that do most of the dirty work of configuring the answering and calling VPN gateways. You run the Local VPN Wizard on the answering VPN gateway and the Remote VPN Wizard on the calling VPN gateway. The remote VPN gateway always calls the local VPN gateway; the local VPN gateway never calls the remote VPN gateway. Get it? Good! Remember that the answering VPN gateway never calls the calling VPN gateway; it only answers the calls from the calling VPN gateway machine.

Perform the following steps on the answering VPN gateway:

Note: In the Type a short name to describe the local network text box, type a five or six character name for the local network. In the Type a short name to describe the remote network text box, type a five or six character name for the remote network. This is the name of the demand dial interface on the answering VPN gateway. This is a critical step: you must name the local and remote networks correctly, or your gateway to gateway VPN connection will not work properly. Recall the name of the account you created for the calling VPN gateway. In this example, the calling VPN gateway uses the account local1_remote1.

You must name the local and remote networks in this dialog box in the same way. Because the name of the account is local1_remote1, the local network must be named local1 and the remote network must be named remote1. The Wizard automatically puts the underscore character between the names of the local and remote networks. Let’s look at another example just to make this perfectly clear. Suppose the local network is named dallas and the remote network is named houston. The user account created for the calling VPN gateway to use when calling the local gateway is dallas_houston. This is the name on the router’s user certificate and this is the name of the Active Directory account. Click Next.

In this example, the only network ID on the remote network that we want to reach from the local network is 192.168.10.0/24. This creates a static routing table entry on the answering VPN gateway that routes packets for this network ID through the demand dial interface to the remote network via the VPN gateway interface. Repeat the process for each network ID you need to reach from the local network on the remote network. Then click Next.

In the lower part of this page you see a list of network IDs on the local network. This list is drawn from the Local Address Table (LAT). It is the list of all the network IDs on the local network that can be reached from the remote network. If there are more network IDs on the local network that you want accessible from the remote network, click the Add button and add them. Click Next after entering all the local network IDs that you want accessible to users on the remote network.

Now we can take the configuration file created by the Local VPN Wizard to the calling VPN gateway and run the Remote VPN Wizard:

Confirm that the file name appears in the File name text box. Type in the password for the file in the Password text box. Click Next.

Summary

In this, part 3 of our 4 part series on using EAP/TLS certificate-based authentication with gateway to gateway VPNs, we went over the procedures required to map the router’s user certificate to an account in the Active Directory. We also discussed the details of the Local and Remote VPN Wizards and how to run each of them to ensure that demand dial interfaces are named correctly and that only the calling VPN gateway initiates the demand dial connection. I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to
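The Local VPN Wizard section above makes two things "critical": the local and remote short names must join (with the wizard's underscore) into exactly the Active Directory account name and the name on the calling router's user certificate, and every remote network ID entered becomes a static route through the demand-dial interface. The following pre-flight check is an added example written for this article; it is not code from the article or from ISA Server. The function names, the findings format and the sample values are constructed here. Two of its checks go beyond the article's own wording and are my assumptions: a short name containing its own underscore is flagged because it would make the local/remote split ambiguous, and a remote network ID that overlaps a local network ID from the LAT is flagged because a static route to it would conflict with the locally attached network.

```python
"""Pre-flight check for the names and network IDs fed to the ISA Server
Local and Remote VPN Wizards.  Added example for this article, not code
from the original or from ISA Server; function names, the findings
format and the sample values are constructed here."""
import ipaddress


def expected_interface_name(local: str, remote: str) -> str:
    """The Local VPN Wizard joins the local and remote short names with an
    underscore; that joined name is the demand-dial interface name, the AD
    account name and the name on the calling router's user certificate."""
    return f"{local}_{remote}"


def check_gateway_naming(local: str, remote: str, account_name: str,
                         cert_cn: str) -> list:
    """Return a list of problems (empty when everything agrees).

    Windows account names are not case-sensitive, so the comparisons are
    made case-insensitively; the shapes must still match exactly."""
    findings = []
    for label, name in (("local", local), ("remote", remote)):
        if not name:
            findings.append(f"{label} network name is empty")
        elif "_" in name:
            # Assumption: the wizard inserts the separator itself, so a
            # second underscore makes the local/remote split ambiguous.
            findings.append(f"{label} network name '{name}' must not "
                            f"contain an underscore")
    expected = expected_interface_name(local, remote)
    if account_name.lower() != expected.lower():
        findings.append(f"AD account '{account_name}' does not match the "
                        f"demand-dial interface name '{expected}'")
    if cert_cn.lower() != account_name.lower():
        findings.append(f"certificate name '{cert_cn}' does not match the "
                        f"AD account '{account_name}'")
    return findings


def plan_static_routes(interface: str, remote_network_ids, local_network_ids):
    """Each remote network ID becomes a static route through the demand-dial
    interface, as the wizard creates on the answering gateway.  Returns
    (routes, findings).  A network ID with host bits set is rejected, and
    (assumption) a remote ID overlapping a local LAT network is rejected."""
    routes, findings = [], []
    local_nets = [ipaddress.ip_network(n, strict=False) for n in local_network_ids]
    for nid in remote_network_ids:
        try:
            net = ipaddress.ip_network(nid)   # strict: host bits set is an error
        except ValueError as err:
            findings.append(f"remote network ID '{nid}' is invalid: {err}")
            continue
        clashes = [str(ln) for ln in local_nets if net.overlaps(ln)]
        if clashes:
            findings.append(f"remote network ID '{net}' overlaps local "
                            f"network ID(s) {', '.join(clashes)}")
            continue
        routes.append({"destination": str(net.network_address),
                       "mask": str(net.netmask),
                       "interface": interface})
    return routes, findings


def sample_plan():
    """Constructed sample matching the article's local1/remote1 example;
    the local LAT entry 10.0.0.0/24 is made up for the demonstration."""
    local, remote = "local1", "remote1"
    account = expected_interface_name(local, remote)   # local1_remote1
    naming = check_gateway_naming(local, remote, account, account)
    routes, routing = plan_static_routes(account, ["192.168.10.0/24"],
                                         ["10.0.0.0/24"])
    return naming, routes, routing


if __name__ == "__main__":
    naming, routes, routing = sample_plan()
    for problem in naming + routing:
        print("PROBLEM:", problem)
    for r in routes:
        print(f"route {r['destination']} mask {r['mask']} via {r['interface']}")
```

Run it with the names you intend to type into the wizard before you run the wizard; an empty findings list means the account, certificate name and demand-dial interface name will agree, and the printed routes are the static entries you should see on the answering gateway afterwards.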