Configuring the ISA Firewall to Support Certificate-Based EAP-TLS Authentication (Part 3)

Issue a Certificate to the VPN Client Computer

The next step is to issue a computer certificate to the VPN client computer. In this example, the VPN client machine is not a member of the domain. You will need to request a computer certificate using the enterprise CA’s Web enrollment site and then manually place the enterprise CA certificate into the client’s Trusted Root Certification Authorities machine certificate store. The easiest way to accomplish this task is to have the VPN client machine request the certificate when connected via a PPTP link.

Note:
In a production environment untrusted clients should not be issued computer certificates. Only managed computers that are members of the domain should be allowed to install computer certificates. Domain members are managed clients and therefore under the organization’s administrative control. The computer certificate is a security principal and is not meant to provide free access to all clients who wish to connect via VPN.

There are several ways you can obtain a certificate from the CA. In this example we will publish the CA’s Web enrollment site and obtain the certificate from the Web enrollment site.

Perform the following steps to publish the enterprise CA’s Web enrollment site:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Firewall Policy node.
  2. In the Task Pane, click the Tasks tab. On the Tasks tab, click the Publish a Web Server link.


Figure 1

  1. Enter a name for the Web Publishing Rule in the Welcome to the New Web Publishing Rule Wizard page. In this example, we will enter the name Web Enrollment Site in the Web publishing rule name text box. Click Next.
  2. Select the Allow option on the Select Rule Action page.
  3. On the Define Website to Publish page enter the IP address of the enterprise CA’s Web site in the Computer name or IP address text box. In this example the IP address is 10.0.0.2 so we will enter that value into the text box. In the Folder text box, enter /*. Click Next.


Figure 2

  1. On the Public Name Details page, select the This domain name (type below) option in the Accept request for list box. In the Public name text box, enter the IP address on the external interface of the firewall. In this example, the main office ISA Server 2004 firewall’s external address is 192.168.1.70, so we will enter that value into the text box. Enter /* into the Path (optional) text box. Click Next.


Figure 3

  1. On the Select Web Listener page click the New button.
  2. On the Welcome to the New Web Listener page enter a name for the rule in the Web listener name text box. In this example, we will name the listener Listener70 to indicate the IP address that the listener is listening on. Click Next.
  3. On the IP addresses page put a checkmark in the External checkbox and click Next.


Figure 4

  1. On the Port Specification page accept the default settings. Confirm that there is a checkmark in the Enable HTTP checkbox and that the value 80 is in the HTTP port text box. Click Next.


Figure 5

  1. Click Finish on the Completing the New Web Listener Wizard page.
  2. Click Next on the Select Web Listener page.


Figure 6

  1. Accept the default setting, All Users, on the User Sets page and click Next.
  2. Click Finish on the Completing the New Web Publishing Rule Wizard page.
  3. Click Apply to save the changes and update the firewall policy.
  4. Click OK in the Apply New Configuration dialog box.

Perform the following steps on the VPN client machine to request a machine certificate and install the CA certificate into the VPN client machine’s Trusted Root Certification Authorities certificate store:

  1. Open Internet Explorer. In the Address bar enter http://192.168.1.70/certsrv and click OK.
  2. In the Enter Network Password dialog box enter Administrator in the User Name text box and enter the Administrator’s password in the Password text box. Click OK.
  3. Click the Request a Certificate link on the Welcome page.
  4. On the Request a Certificate page click the advanced certificate request link.
  5. On the Advanced Certificate Request page click the Create and submit a request to this CA link.
  6. On the Advanced Certificate Request page select the Administrator certificate from the Certificate Template list. Place a checkmark in the Store certificate in the local computer certificate store checkbox. Click Submit.
  7. Click Yes in the Potential Scripting Violation dialog box.
  8. On the Certificate Issued page click the Install this certificate link.
  9. Click Yes on the Potential Scripting Violation page.
  10. Close the browser after viewing the Certificate Installed page.
  11. Click Start and then click the Run command. Enter mmc in the Open text box and click OK.
  12. In the Console1 console click the File menu and then click the Add/Remove Snap-in command.
  13. Click Add in the Add/Remove Snap-in dialog box.
  14. Select the Certificates entry in the Available Standalone Snap-ins list in the Add Standalone Snap-in dialog box. Click Add.
  15. Select the Computer account option on the Certificates snap-in page.
  16. Select the Local computer option on the Select Computer page.
  17. Click Close in the Add Standalone Snap-in dialog box.
  18. Click OK in the Add/Remove Snap-in dialog box.
  19. In the left pane of the console expand the Certificates (Local Computer) node and then expand the Personal node. Click on the \Personal\Certificates node. Double click on the Administrator certificate in the right pane of the console.
  20. In the Certificate dialog box click the Certification Path tab. At the top of the certificate hierarchy seen in the Certification path frame is the root CA certificate. Click the EXCHANGE2003BE certificate at the top of the list. Click the View Certificate button.
  21. In the CA certificate’s Certificate dialog box click the Details tab. Click the Copy to File button.
  22. Click Next in the Welcome to the Certificate Export Wizard page.
  23. On the Export File Format page select the Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) option and click Next.
  24. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
  25. Click Finish on the Completing the Certificate Export Wizard page.
  26. Click OK in the Certificate Export Wizard dialog box.
  27. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
  28. In the left pane of the console expand the Trusted Root Certification Authorities node and click the Certificates node. Right click the \Trusted Root Certification Authorities\Certificates node, point to All Tasks and click Import.
  29. Click Next on the Welcome to the Certificate Import Wizard page.
  30. On the File to Import page use the Browse button to locate the CA certificate you saved to the local hard disk and click Next.
  31. On the Certificate Store page accept the default settings and click Next.
  32. Click Finish on the Completing the Certificate Import Wizard page.
  33. Click OK on the Certificate Import Wizard dialog box informing you that the import was successful.
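Steps 11 through 33 above walk the certificate chain in the MMC, export the root CA certificate and import it into Trusted Root Certification Authorities by hand. The following PowerShell script is an added example, not part of the original article, that performs the same work and adds the checks a practitioner would want before trusting the result: that the enrolled machine certificate actually carries the Client Authentication EKU an EAP-TLS client needs, that the top of its chain is a self-signed root, and that the chain validates once the root is in place. It assumes the machine certificate is already in the Local Computer Personal store with the article's CA name (EXCHANGE2003BE) in its Issuer, that Web enrollment placed the CA certificate where the chain engine can find it (the Intermediate Certification Authorities store), and that the PKI module cmdlets (Export-Certificate, Import-Certificate; Windows PowerShell 4.0 or later) are available in an elevated session. The export path mirrors the article's c:\cacert.

```powershell
# Added example (not the article's own code): automate steps 11-33 above.
# Assumptions: machine certificate already enrolled into Cert:\LocalMachine\My,
# issued by the article's CA 'EXCHANGE2003BE'; elevated session; PKI module present.
$CaName     = 'EXCHANGE2003BE'
$ExportPath = 'C:\cacert.p7b'   # mirrors the article's c:\cacert (PKCS #7 format)

# 1. Locate the newly issued machine certificate (Personal store, Local Computer).
$machineCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$CaName*" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $machineCert) {
    throw "No certificate issued by $CaName with a private key found in Cert:\LocalMachine\My"
}

# 2. Sanity check: an EAP-TLS client certificate must carry the Client Authentication EKU.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$eku = $machineCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) {
    throw "Certificate $($machineCert.Thumbprint) lacks the Client Authentication EKU"
}

# 3. Walk the chain (step 20) to find the root CA certificate. The root is not
#    trusted yet, so allow an unknown CA while building and skip CRL lookups.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode     = 'NoCheck'
$chain.ChainPolicy.VerificationFlags  = 'AllowUnknownCertificateAuthority'
$null = $chain.Build($machineCert)
if ($chain.ChainElements.Count -eq 0) { throw 'Chain engine returned no elements' }
$rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($rootCert.Subject -ne $rootCert.Issuer) {
    throw "Top of chain is not self-signed ($($rootCert.Subject)); is the CA certificate in Cert:\LocalMachine\CA?"
}

# 4. Export the root as PKCS #7 (steps 21-26) and import it into
#    Trusted Root Certification Authorities (steps 28-33).
Export-Certificate -Cert $rootCert -FilePath $ExportPath -Type P7B | Out-Null
Import-Certificate -FilePath $ExportPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 5. Confirm the machine certificate now chains to a trusted root with normal policy.
$chain.ChainPolicy.VerificationFlags = 'NoFlag'
if ($chain.Build($machineCert)) {
    "OK: $($machineCert.Subject) chains to trusted root $($rootCert.Subject)"
} else {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    throw "Chain still does not validate ($status); check the Trusted Root store"
}
```

Importing into Cert:\LocalMachine\Root rather than the current user's store matters here: the VPN connection is established with a computer certificate and the L2TP/IPSec negotiation runs under the machine context, so the root must be trusted at machine level.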

Now that the VPN client computer has a computer certificate the next step is to obtain a user certificate that the VPN client can present to the VPN server. Perform the following steps to obtain a user certificate:

  1. Open Internet Explorer and in the Address bar enter the URL http://192.168.1.70/certsrv and press ENTER.
  2. Enter Administrator in the User Name text box. Enter the Administrator’s password in the Password text box. Click OK.
  3. On the Welcome page of the CA’s Web enrollment site click the Request a certificate link.
  4. On the Request a Certificate page click the User Certificate link.
  5. Click Submit on the User Certificate – Identifying Information page.
  6. Click Yes on the Potential Scripting Violation dialog box informing that the Web site is requesting a new certificate on your behalf.
  7. On the Certificate Issued page click the Install this certificate link.
  8. Click Yes on the Potential Scripting Violation dialog box informing that the Web site is adding one or more certificates.
  9. Close Internet Explorer.

Test a L2TP/IPSec VPN Connection

Now that both the ISA Server 2004 firewall and the VPN client machines have machine certificates, you can test a secure remote access client VPN connection to the firewall. The first step is to restart the Routing and Remote Access Service so that it registers the new certificate.

Perform the following steps to restart the Routing and Remote Access Service:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Monitoring node.
  2. In the Details pane, click on the Services tab. Right click on the Remote Access Service entry and click Stop.


Figure 7

  1. Right click Remote Access Service entry again and click Start.


Figure 8

The next step is to start the VPN client connection:

  1. In the Dial-up and Network Connections window on the external network client, create a new VPN connectoid. Configure the connectoid to use the IP address 192.168.1.70 as the address of the VPN server.
  2. When you complete the connection Wizard, you will see the Connect dialog box. Click the Properties button.
  3. In the connectoid’s Properties dialog box, click the Security tab. On the Security tab, select the Advanced (custom settings) option. Click Settings.


Figure 9

  1. In the Advanced Security Settings dialog box, select the Use Extensible Authentication Protocol (EAP) option. Click the Properties button.


Figure 10

  1. In the Smart Card or other Certificate Properties dialog box, select the Use a certificate on this computer option. Place a checkmark in the Validate server certificate checkbox. Place a checkmark in the Connect only if server name ends with checkbox and enter the domain name of the authentication server in the text box. In this example, the domain name of our Active Directory domain controller (which is the authentication server on the certificate) is msfirewall.org, so we will enter that name in the text box. In the Trusted root certificate authority list, select the name of the CA that issued the certificates. In this example, the CA name is EXCHANGE2003BE, so we will select that option. Click OK in the Smart Card or other Certificate Properties dialog box.


Figure 11
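The three settings configured in the step above (Validate server certificate, Connect only if server name ends with, and the Trusted root certificate authority selection) are what stop an EAP-TLS client from handing its credentials to a VPN server that merely presents some certificate. The following PowerShell function is an added example, not part of the original article, that applies the same checks explicitly to a copy of the server's certificate so each checkbox can be seen as a concrete test. It assumes the VPN server's certificate has been exported to C:\vpnserver.cer, uses the article's values msfirewall.org and EXCHANGE2003BE, and the function name Test-EapServerCertificate is ours, not an ISA or Windows API.

```powershell
# Added example (not the article's own code). Maps the EAP-TLS client settings to checks:
#   Validate server certificate           -> chain must end at a trusted root
#   Trusted root certificate authority    -> that root's CN must be the one selected
#   Connect only if server name ends with -> subject/SAN DNS name must end with the suffix
# Plus the Server Authentication EKU, which the Windows EAP-TLS client also requires.
function Test-EapServerCertificate {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $ServerNameSuffix,   # "Connect only if server name ends with"
        [Parameter(Mandatory)] [string] $TrustedRootName     # CN chosen in "Trusted root certificate authority"
    )

    # Check 1: chain to a trusted root. Revocation is skipped for the lab CA; use 'Online' in production.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Certificate)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Check 2: the anchoring root must be the CA selected in the dialog.
    $rootCn = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootCn = ($root.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN='
    }
    $rootOk = $chainOk -and ($rootCn -eq $TrustedRootName)

    # Check 3: Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOk = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

    # Check 4: a DNS name on the certificate (SAN first, then subject CN) must end with the suffix.
    $names = @()
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $names += $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameOk = [bool]($names | Where-Object { $_ -and $_.ToLower().EndsWith($ServerNameSuffix.ToLower()) })

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        ChainValid    = $chainOk
        ChainStatus   = $chainStatus
        RootCN        = $rootCn
        RootMatches   = $rootOk
        ServerAuthEku = $ekuOk
        Names         = ($names -join ';')
        NameMatches   = $nameOk
        Accept        = ($chainOk -and $rootOk -and $ekuOk -and $nameOk)
    }
}

# Usage (assumed export path): evaluate the VPN server's certificate with the article's settings.
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\vpnserver.cer'
Test-EapServerCertificate -Certificate $serverCert -ServerNameSuffix 'msfirewall.org' -TrustedRootName 'EXCHANGE2003BE' |
    Format-List
```

A result with ChainValid true but RootMatches false is the case the Trusted root certificate authority list exists for: a certificate from some other CA in the machine's root store would pass plain chain validation yet still be refused by the client. Clearing Validate server certificate removes all four checks at once, which is why it should stay selected.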

  1. Click OK in the Advanced Security Settings dialog box.
  2. Click OK in the connectoid’s Properties dialog box.
  3. A Connect dialog box appears which contains the name on the user certificate you obtained from the CA. Click OK.


Figure 12

  1. Click OK in the Connection Complete dialog box informing you that the connection is established.
  2. Double click on the connection icon in the system tray.
  3. In the ISA VPN Status dialog box click the Details tab. You will see an entry for IPSEC Encryption, indicating that the L2TP/IPSec connection was successful.


Figure 13

  1. Click Close in the ISA VPN Status dialog box.

Monitor VPN Clients

The ISA Server 2004 firewall allows you to monitor the VPN client connections. Perform the following steps to see how you can view connections from VPN clients:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console expand the computer name in the left pane of the console and click the Virtual Private Networks (VPN) node. In the Task Pane click the Tasks tab. Click the Monitor VPN Clients link.


Figure 14

  1. You are moved to the Sessions tab in the Monitoring node. Here you can see that the sessions have been filtered to show only the VPN Client connections.


Figure 15

  1. Click on the Dashboard tab. Here you can see in the Sessions pane the VPN Remote Client connections.


Figure 16

  1. You can also use the real-time logging feature to see connections made by the VPN clients. Click on the Logging tab and then click the Tasks tab in the Task Pane. Click the Start Query link. Here you see all communications moving through the firewall. You can use the filter capabilities to focus on specific VPN clients or only the VPN clients’ network.


Figure 17

Test a PPTP VPN Client Connection

All the elements are in place to support EAP certificate-based RADIUS authentication for PPTP VPN clients. You can configure the VPN client to use PPTP instead of L2TP/IPSec by configuring the VPN client software to force a PPTP connection. In the following walkthrough you will force a PPTP connection while still using EAP certificate-based user authentication.

Perform the following steps to connect to the VPN server via PPTP certificate-based user authentication using RADIUS:

  1. In the Network and Dial-up Connections window right click on the VPN connectoid you created earlier and click Properties.
  2. In the connectoid’s Properties dialog box click the Networking tab. In the Type of VPN server I am calling list select the Point to Point Protocol (PPTP) option. Click OK in the connectoid’s Properties dialog box.
  3. Double click the VPN connectoid. The user name on the certificate appears in the User name or certificate list. Click OK.


Figure 18

  1. Click OK in the dialog box informing you that the VPN connection is established.
  2. Double click on the VPN connection icon in the system tray. In the Virtual Private Connection Status dialog box click the Details button. Notice the Authentication type is EAP.


Figure 19

  1. At the domain controller machine click Start and point to Administrative Tools. Click Event Viewer.
  2. In the Event Viewer click on the System node in the left pane of the console. Double click on the Information entry with the source as IAS.


Figure 20

  1. In the Event Properties dialog box you will see a Description of the log on request. The information indicates that the RADIUS server authenticated the request and includes the RADIUS specific information sent to the domain controller. Review this information and close the Event Properties dialog box.


Figure 21

  1. At the ISA Server 2004 firewall/VPN server machine you can see log file entries specific to this VPN connection. Note the PPTP and the RADIUS connection.


Figure 22

  1. At the ISA Server 2004 firewall/VPN server, you can see the VPN client session in the Sessions tab in the Monitoring node of the Microsoft Internet Security and Acceleration Server 2004 management console.


Figure 23

At the VPN client computer, disconnect the VPN connection.

Conclusion

In this article we finished up our three part series on how to enable EAP-TLS user certificate authentication to the ISA Firewall’s VPN server. I hope you’ll be able to use this information to configure your ISA Firewall for high security VPN connections. Thanks! –Tom.
