If you would like to read the other parts in this article series please go to:
- Checking Out the TMG 2010 Virtual Private Network Server – Part 1: Overview of VPN Configuration.
- Checking Out the TMG 2010 Virtual Private Network Server – Part 2: Configuring the TMG Firewall as a PPTP Remote Access VPN Server
In my last article on TMG firewall remote access VPN server configuration, we discussed how to configure the TMG firewall as a PPTP remote access VPN server. As you saw in that article, configuring the TMG firewall as a PPTP VPN server is pretty easy. In fact, it was almost plug and play in terms of how easy it was to get it working. That’s why PPTP VPN servers are so popular – they just work.
In this article, we will look at how to configure the TMG firewall as an L2TP/IPsec VPN server. I would like to tell you that this is going to be plug and play like the PPTP VPN server configuration, but sadly, I cannot say that. That’s because, if you want to configure the L2TP/IPsec remote access VPN server correctly, you’re going to have to deal with certificates. Of course, you could avoid the entire certificate issue by using a pre-shared key, but pre-shared keys are not very secure and they are definitely not scalable. I will show you how to use a pre-shared key at the end of this article, but let us first look at how to do it right.
In order to get things working in the most secure manner for L2TP/IPsec, you need to make sure the following are true:
- The TMG firewall must have a server certificate with the common name that the VPN client will use to connect to the VPN server. This means that the VPN client on the Internet must be able to resolve this common name to an IP address on the external interface of the TMG firewall.
- The TMG firewall has to trust the CA that issued the server certificate used by the VPN server. In the example used in this article, the TMG firewall is a domain member and an enterprise CA is installed on the domain controller, so the CA certificate is automatically installed on the TMG firewall because it is a domain member.
- The VPN client has to trust the CA that issued the TMG firewall’s server certificate that is used by the VPN configuration. Since the VPN client in the example we’re using in this lab is a domain member, it will also have the CA certificate installed in its Trusted Root Certification Authorities store.
Configuring the Server
Let us start by looking at the Certificates MMC on the TMG firewall. The focus here is the machine certificate store, as seen in Figure 1 below. Notice that the machine seems to have a certificate installed. However, this is a machine certificate that was automatically installed because of autoenrollment. We cannot use this certificate for L2TP/IPsec because the common name on the certificate is not one that we can resolve over the Internet. In addition, we really do not want to reveal the TMG firewall’s name to potential intruders, so that’s another reason not to use this certificate, even if we could.
Since we’re here, let’s try to get a certificate. Right click in the middle pane of the console and point to All Tasks and then click Request New Certificate, as seen in Figure 2 below.
Click Next on the Certificate Enrollment page, as shown in Figure 3.
On the Select Certificate Enrollment Policy page, shown in Figure 4, click Next.
Hmmm! (“Hmmm” is never a good sign when you hear it from a doctor, a plumber or a network administrator). What’s up with this? In Figure 5 below, you can see the Web Server certificate, which is the certificate template we want to use. However, this template is not available to us. At this point, you might start to suspect that maybe this is not going to be as easy as you thought.
What to do now? You might recall that we used to use the web enrollment site back in the days of Windows Server 2003. Let’s give that a try. In Figure 6 below, you can see that I entered the URL http://dc1/certsrv. Oops! It seems we did not install the Web enrollment site on the certificate server.
Okay, now we need to figure out what to do. We could go back and install the Web enrollment site, but that really would not fix the problem because of changes in Windows Server 2008 and above that prevent you from getting a server certificate from the Web enrollment site, so that option is out. We could create a new certificate template and configure the permissions on the template so that we could use the Certificates MMC to obtain a certificate. But if we do that, we will find that we would not be able to request the certificate from the TMG firewall because, by default, TMG firewall policy blocks the DCOM communications required to request the certificate through the MMC. We could change the System Policy to enable these communications and then request the certificate and then change the System Policy back, but that sounds like too much work to me. We could create an offline request using the Certutil tool, and then take that to the CA and get the certificate, but most of us haven’t memorized that command, and it’s not very typo friendly.
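For readers who would rather take the offline-request route the author passes over, here it is written out as an added example (not from the article): the request is generated with certreq (the request tool that ships alongside Certutil), the .req file is carried to the CA and submitted there by an account allowed to enroll for the Web Server template, and the issued .cer is brought back, so no DCOM has to cross the firewall. The VPN name, file paths and CA config string are assumptions for this lab.

```powershell
# Added example, not from the article. Steps 1 and 3 run on the TMG firewall;
# step 2 runs on the CA (dc1) as an account with Enroll permission on the
# Web Server template. All names below are lab assumptions.
$VpnName = 'vpn.example.com'   # assumed public name the VPN clients connect to

# --- Step 1 (TMG firewall): describe the key and the request in an INF file.
# MachineKeySet puts the key in the computer store; Exportable lets you back it up later.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$VpnName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path C:\l2tp.inf -Encoding ASCII

# Generate the key pair in LocalMachine\My and write the PKCS#10 request.
# The private key never leaves the firewall; only the .req file travels.
certreq -new C:\l2tp.inf C:\l2tp.req

# --- Step 2 (on the CA, after copying C:\l2tp.req over): submit the request.
# "CAHost\CAName"; the CA host FQDN is an assumption, the CA name is the one from the article.
certreq -submit -config 'dc1.msfirewall.local\msfirewall-DC-CA' C:\l2tp.req C:\l2tp.cer

# --- Step 3 (TMG firewall, after copying C:\l2tp.cer back): bind the issued
# certificate to its private key in LocalMachine\My. It then shows up in the
# Certificates MMC exactly like the one imported by hand later in the article.
certreq -accept C:\l2tp.cer
```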
What we are looking for is an easy way to get a certificate using something we already have running. Fortunately, the Web server role is already installed on the domain controller, since I wanted to use the Web site to test connectivity. Ha! That’s the solution: You can use the IIS console to request a certificate for the TMG firewall and then copy it to the firewall after you’re done. It’s easy.
In Figure 7, you can see the Internet Information Services console. Click the computer name in the left pane of the console. In the middle pane of the console, you’ll see the Server Certificates icon. Double click the Server Certificates icon.
In the right pane of the console, click the Create Domain Certificate link, shown in Figure 8.
This opens the Create Certificate wizard. On the Distinguished Name Properties dialog box, the most important entry is the Common name entry. The name you enter in this text box must match the name you use to connect to the VPN server, and this name has to resolve to an IP address on the external interface of the TMG firewall (or, if the TMG firewall is behind a NAT device, it must resolve to the public address on the NAT device that’s accepting connections and forwarding them to the external interface of the TMG firewall). The rest of the entries on this page aren’t as important, but you should fill them out anyway, as shown in Figure 9. Click Next.
On the Online Certificate Authority page, shown in Figure 10, click Select.
This opens the Select Certification Authority dialog box. In Figure 11 below, you can see that we have one CA available, named msfirewall-DC-CA. Select the CA and click OK.
The name of the CA appears in the Specify Online Certificate Authority text box. Enter a friendly name for the certificate in the Friendly Name text box. In this example I have assigned the friendly name L2TP Certificate, as shown in Figure 12. Click Finish.
When you are done, you will see the new certificate in the list of Server Certificates. In Figure 13 below, you can see the L2TP Certificate in the list.
To get the certificate over to the TMG firewall, we must export the certificate. Right click the L2TP Certificate and click Export, as shown in Figure 14.
On the Export Certificate page, click the “…” button, shown in Figure 15.
In the Specify save as file name text box, shown in Figure 16, select a location in the left pane and then enter a name for the exported certificate file in the File name text box and click Open.
In the Export Certificate dialog box, shown in Figure 17, enter a password and confirm the password and then click OK.
Copy the certificate to the TMG firewall. After you copy the certificate to the TMG firewall, open the Certificates MMC console and navigate to the Certificates (Local Computer)\Personal\Certificates node in the left pane of the console. In the middle pane of the console, right click an empty area, point to All Tasks, and click Import, as shown in Figure 18.
This opens the Certificate Import Wizard. Click Next on the Welcome to the Certificate Import Wizard page, shown in Figure 19.
On the File to Import page, shown in Figure 20, click the Browse button and locate the certificate. The path and name of the certificate will then appear in the File name text box. Click Next.
On the Password page, shown in Figure 21, enter the password you created when you exported the certificate. In this example, I’ve selected to Mark this key as exportable. This will allow you to back up or transport your key at a later time. I’m doing this as a convenience; it’s not required for the solution to work. Click Next.
On the Certificate Store page, shown in Figure 22, select the Place all certificates in the following store option. Click Next.
On the Completing the Certificate Import Wizard page, shown in Figure 23, click Finish.
Now click OK in the dialog box informing you that the import was successful, as shown in Figure 24.
After you finish, you will see the certificate in the middle pane of the console, as shown in Figure 25.
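Before moving on to the firewall policy, this added example (not from the article) checks, on the TMG firewall, the three conditions listed at the start of the article against the certificate you just imported: a certificate with the right common name and a private key, a chain that builds to a trusted CA, and a common name that resolves. The VPN name is an assumption; use the common name you put on the certificate.

```powershell
# Added example, not from the article. Run on the TMG firewall after the import.
$VpnName = 'vpn.example.com'   # assumption: the common name on the certificate

# 1. A certificate in the computer Personal store with CN = VPN name and a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($VpnName))(,|$)" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { Write-Warning "No certificate with CN=$VpnName and a private key in LocalMachine\My"; return }
"Found $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# The Web Server template carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1); warn if it is absent.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains '1.3.6.1.5.5.7.3.1')) {
    Write-Warning 'Certificate does not carry the Server Authentication EKU'
}

# 2. The firewall trusts the issuing CA: the chain must build to a root in Trusted Root CAs.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust check only; CRL reachability is a separate question
if ($chain.Build($cert)) {
    $root = @($chain.ChainElements)[-1].Certificate
    "Chain builds to trusted root: $($root.Subject)"
} else {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain does not build: $why"
}

# 3. The common name resolves; the address should be the external interface (or the NAT device's public IP).
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($VpnName) | ForEach-Object { $_.IPAddressToString }
    "$VpnName resolves to $($addrs -join ', ')"
} catch {
    Write-Warning "$VpnName does not resolve: $($_.Exception.Message)"
}
```

The same chain check, run on the Windows 7 client against the exported .cer (without the private key), confirms the client-side trust condition as well.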
Now open the TMG firewall console and click the Remote Access Policy (VPN) node in the left pane of the console. In the right pane of the console, click Configure VPN Client Access, as shown in Figure 26.
On the VPN Clients Properties page, shown in Figure 27, put a checkmark in the Enable L2TP/IPsec checkbox and then click OK.
Click Apply to save changes to the firewall policy, as shown in Figure 28. Remember that you always must apply your changes for them to take effect.
Configuring the Client
The server is now ready to go and we are halfway there. We will now turn our attention to the client. The first thing we should do is check to make sure that the certificate of the CA that issued the VPN server’s certificate is included in the Trusted Root Certification Authorities store. In Figure 29 below, you can see that msfirewall-DC-CA is in the list, so we are all good there.
In this example, we will use the same VPN connectoid that we used in the last article. However, we have to make a change to it so that it will use L2TP/IPsec instead of PPTP. Open the Network Connections window on the Windows 7 client, right click the connectoid and click Properties, as shown in Figure 30.
In the VPN Connection Properties dialog box, click the Security tab. On the Security tab, in the Type of VPN drop down list, select the Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) option, as shown in Figure 31. This will force the client to use L2TP/IPsec and no other VPN protocol. Click OK to save the changes.
Okay! Now establish the VPN connection. After the connection is established, we can check to see the details of the connection by right clicking on the VPN connectoid and clicking Status, as shown in Figure 32.
In the VPN Connection Status dialog box, click the Details tab. In Figure 33 you can see that L2TP/IPsec is being used, and that 128-bit AES encryption is being used.
When we return to the TMG firewall console, you can see in the Sessions section in the Dashboard, shown in Figure 34, that there is 1 VPN Remote Client connection.
Click the Monitoring node in the left pane of the console. Here in Figure 35, you can see the VPN client connection. Notice that the type of VPN connection is listed, as well as the name of the logged-on user. This also includes information on whether or not NAP was used for the connection. In a future article, I will show you how to configure NAP and the TMG firewall so that VPN clients will have to pass NAP policy before being allowed on the network.
L2TP/IPSec without Certificates
I mentioned earlier that the best way to deploy L2TP/IPsec is to use certificates. However, if you are in a hurry, or you just cannot get a PKI set up, then you can use a pre-shared key instead. In Figure 36 below, you can see the Authentication tab in the Remote Access Policy (VPN) Properties dialog box. At the bottom of this dialog box is a checkbox that says Allow custom IPsec policy for L2TP connection and a text box labeled Pre-shared key. Notice that the pre-shared key is shown in clear text, just to remind you that this isn’t the most secure option and that you should be using certificates instead!
The client also has to be configured to use a pre-shared key. In the Properties dialog box of the VPN connectoid, click the Security tab, as shown in Figure 37. Then click the Advanced settings button. Here you can select the Use preshared key for authentication option and enter the same pre-shared key in the Key text box. That’s all there is to it – it will just work. Almost as easy as PPTP.
In this article, we covered how to configure the TMG firewall as an L2TP/IPsec VPN server. We went over the various options on how to obtain a server certificate for the TMG firewall, and then installed the certificate into the firewall’s computer certificate store. We made the required changes to the firewall configuration to support L2TP/IPsec and made the required changes on the VPN client. We then established the connection and confirmed that L2TP/IPsec was used. The project was a success! In the next article in this series, I’ll show you how to use NAP to increase the security of your TMG firewall based remote access VPN server. See you then! –Deb.