Introduction
The remote access VPN role of Forefront Threat Management Gateway (TMG) 2010 provides essential remote network connectivity for a wide range of clients and operating systems. Remote access VPN can be vital to providing timely support by systems and network administrators, and it can be an essential tool to increase productivity for mobile users. Many years ago, remote access VPN was used primarily by IT administrators, but times have changed dramatically since then. Access to corporate resources through VPN is now a common service, but at the same time it can be an easy attack vector for cybercriminals seeking to gain unauthorized access to the network for the purpose of stealing valuable data and information. Forefront TMG supports several secure, robust remote access protocols. In addition, TMG supports integration with Active Directory to provide user- and group-based authentication for remote access users. However, simply logging in with a username and password may not provide the level of protection required by many organizations today. In order to improve the security of TMG remote access, a strong, multi-factor authentication system is often leveraged. However, traditional multi-factor authentication solutions are difficult to implement and manage, and are often prohibitively expensive. In addition, they require specialized skill sets to administer on an ongoing basis, further adding to the expense of the system.
Windows Azure Multi-Factor Authentication
Windows Azure Multi-Factor Authentication was recently introduced and is a simple, cost-effective way to provide strong, multi-factor authentication not only for cloud-based applications, but for on-premises solutions like Forefront TMG 2010 as well. Using Windows Azure Multi-Factor Authentication, we can leverage the power and flexibility of the cloud while greatly improving the security posture of a Forefront TMG firewall that provides remote access VPN services. Windows Azure Multi-Factor Authentication supports several modes for authentication, including callback, text message, mobile app, and OATH tokens. It can be licensed on either a per-user or per-authentication basis. If you are not a Windows Azure customer today, you can sign up for a free 90-day trial at windowsazure.com.
Configuring Windows Azure Multi-Factor Authentication Provider
To begin, open the Windows Azure management console and select Active Directory in the navigation tree. Next select Multi-Factor Auth Providers and click Create a new multi-factor authentication provider.
Figure 1
Provide a descriptive name, select a usage model, and choose a subscription for the service. Since we are using our on-premises Active Directory, choose Do not link a directory. Click Create when finished.
Figure 2
Once complete, click Manage at the bottom of the screen and then click Downloads. Click Generate Activation Credentials and copy the e-mail and password listed. Next click the Download link to download the multi-factor authentication server executable.
Figure 3
Installing Windows Azure Multi-Factor Authentication Provider
The Windows Azure Multi-Factor Authentication Server must be installed on a separate server; it cannot be installed on the TMG firewall itself. Before we begin installing the software, we must first install the .NET Framework 3.5 using PowerShell. For Windows Server 2008 R2, from an elevated PowerShell prompt, enter the following commands:
Import-Module servermanager
Add-WindowsFeature net-framework
For Windows Server 2012 and 2012 R2, enter the following command:
Install-WindowsFeature NET-Framework-Core -Source D:\sources\sxs
Note:
The .NET Framework feature is not preloaded when Windows Server 2012/R2 is installed. To install this feature you must specify the location of the installation source, which can be the original installation media or a file share containing those files.
After completing the installation of the .NET Framework, launch the Windows Azure multi-factor authentication server executable. Select the installation folder and choose Next and then Finish.
Figure 4
Figure 5
When the Windows Azure Multi-Factor Authentication configuration wizard appears, click Next and enter the activation e-mail and password you collected earlier. It’s important to understand that the Windows Azure Multi-Factor Authentication server must have access to the Internet in order to activate and perform subsequent authentications. If this step fails, ensure that the server has Internet connectivity.
Figure 6
Windows Azure Multi-Factor Authentication supports group replication for high availability. Windows Azure Multi-Factor Authentication servers configured as a part of the same group will replicate configuration. Select an Existing group or specify a New group as required.
Figure 7
If you require high availability, select the option to Enable replication between servers.
Figure 8
Select only the RADIUS application from the list of applications.
Figure 9
Enter the RADIUS client IP and Shared secret. Be sure to use a long, complex string for the shared secret. Leave the Authentication port(s) as their defaults.
Figure 10
Choose Windows domain as the RADIUS target.
Figure 11
Choose Next and then Finish to complete the configuration.
Figure 12
Figure 13
Windows Azure Multi-Factor Authentication Server Administration
In the Windows Azure Multi-Factor Authentication Server management console, highlight RADIUS Authentication in the navigation tree, select the RADIUS client and click Edit.
Figure 14
Select the option to Require Multi-Factor Authentication user match and click Ok.
Figure 15
Highlight Users in the navigation tree and click Import from Active Directory. There are many ways to specify users, but a popular way is to use an Active Directory security group. Select Security Groups from the View drop-down list, select the security group whose members should be granted access, and click Import.
Figure 16
Note:
It is possible to configure the Windows Azure Multi-Factor Authentication Server to perform synchronization with Active Directory. However, configuration of AD synchronization is beyond the scope of this article.
Configuring Forefront TMG 2010 VPN Authentication
This article assumes that you already have remote access VPN configured and working. To add multi-factor authentication, open the TMG management console, highlight Remote Access Policy (VPN) in the navigation tree, and then click Specify RADIUS Configuration in the Tasks pane.
Figure 17
Choose the option to Use RADIUS for authentication and click RADIUS Servers.
Figure 18
Click Add and enter the name or IP address of the Windows Azure Multi-Factor Authentication server. Click Change, enter the Shared secret, and leave the Authentication port at its default. For the Time-out (seconds) value, enter 120. You may need to increase this value depending on how your users interact with multi-factor authentication. Using the standard callback method, a timeout value of 120 seconds is more than sufficient, and in fact could be reduced to as short as 60 seconds. However, if you select the option to use text message, mobile app, or OATH tokens, the value may need to be increased to give users time to generate a token and respond. Once complete, save and apply the configuration.
Figure 19
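As an added example (not part of the original article), the following PowerShell script sends a single RADIUS Access-Request to the multi-factor authentication server and reports how long the reply took, which lets you confirm the shared secret, the registered client IP and the 120-second time-out before users depend on them. The server name, shared secret, NAS address and test account are placeholders; the test account receives the normal MFA callback.

```powershell
param(
    [string]$Server   = 'mfa-server.example.local',    # placeholder: MFA server name
    [int]$Port        = 1812,                          # default RADIUS authentication port
    [string]$Secret   = 'replace-with-shared-secret',  # placeholder: RADIUS shared secret
    [string]$UserName = 'CONTOSO\testuser',            # placeholder: a user imported into the MFA server
    [string]$Password = 'replace-with-password',
    [int]$TimeoutSec  = 120                            # same value as the TMG RADIUS time-out
)
$md5 = [System.Security.Cryptography.MD5]::Create()
$secretBytes = [Text.Encoding]::UTF8.GetBytes($Secret)
$authenticator = New-Object byte[] 16                  # RFC 2865 Request Authenticator: 16 random bytes
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($authenticator)
# PAP (RFC 2865 5.2): pad the password to a 16-byte multiple and XOR each block with
# MD5(secret + previous ciphertext block); the first block uses the Request Authenticator.
$pwdBytes = [Text.Encoding]::UTF8.GetBytes($Password)
$padLen = [int]([math]::Ceiling([math]::Max($pwdBytes.Length, 1) / 16) * 16)
$padded = New-Object byte[] $padLen
[Array]::Copy($pwdBytes, $padded, $pwdBytes.Length)
$encrypted = New-Object byte[] $padLen
$prev = $authenticator
for ($i = 0; $i -lt $padLen; $i += 16) {
    $hash = $md5.ComputeHash([byte[]]($secretBytes + $prev))
    for ($j = 0; $j -lt 16; $j++) { $encrypted[$i + $j] = $padded[$i + $j] -bxor $hash[$j] }
    $prev = $encrypted[$i..($i + 15)]
}
# Attribute = type byte, length byte (value length + 2), value. 1=User-Name, 2=User-Password, 4=NAS-IP-Address.
function New-Attribute([byte]$Type, [byte[]]$Value) { return ,[byte[]](@($Type, ($Value.Length + 2)) + $Value) }
$attrs = (New-Attribute 1 ([Text.Encoding]::UTF8.GetBytes($UserName))) +
         (New-Attribute 2 $encrypted) +
         (New-Attribute 4 ([byte[]](192, 0, 2, 1)))    # placeholder NAS address (the TMG internal IP)
$length = 20 + $attrs.Length
$header = [byte[]]@(1, (Get-Random -Maximum 256), [math]::Floor($length / 256), ($length % 256))  # code 1 = Access-Request
$packet = [byte[]]($header + $authenticator + $attrs)
$udp = New-Object System.Net.Sockets.UdpClient
$udp.Client.ReceiveTimeout = $TimeoutSec * 1000
$sw = [Diagnostics.Stopwatch]::StartNew()
$null = $udp.Send($packet, $packet.Length, $Server, $Port)
try {
    $remote = New-Object System.Net.IPEndPoint ([Net.IPAddress]::Any, 0)
    $reply = $udp.Receive([ref]$remote)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret); verify it so a
    # spoofed reply, or one produced with a different secret, is not mistaken for a real Access-Accept.
    $tail = if ($reply.Length -gt 20) { $reply[20..($reply.Length - 1)] } else { @() }
    $expected = $md5.ComputeHash([byte[]]($reply[0..3] + $authenticator + $tail + $secretBytes))
    $valid = [Convert]::ToBase64String($expected) -eq [Convert]::ToBase64String([byte[]]($reply[4..19]))
    $code = switch ($reply[0]) { 2 {'Access-Accept'} 3 {'Access-Reject'} 11 {'Access-Challenge'} default {"code $_"} }
    "$code after $([int]$sw.Elapsed.TotalSeconds) s (response authenticator valid: $valid)"
} catch [System.Net.Sockets.SocketException] {
    "No reply within $TimeoutSec s: RADIUS servers silently drop requests from an unregistered client IP or with a wrong shared secret"
} finally { $udp.Close() }
```

Run it from the TMG firewall, since that is the RADIUS client IP registered on the MFA server; a user not imported into the MFA server is rejected when Require Multi-Factor Authentication user match is enabled.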
Remote Access VPN with TMG and Windows Azure Multi-Factor Authentication
When connecting to Forefront TMG remote access VPN configured with Windows Azure Multi-Factor Authentication, users connect as they normally do. However, the login process is delayed until they provide the second form of authentication, which by default is a response to a callback from the multi-factor authentication service. After receiving and answering the call, the user presses # to verify authentication. Once complete, VPN connectivity is established.
Figure 20
Figure 21
Figure 22
Windows Azure Multi-Factor Authentication also supports using Short Message Service (SMS) text messages, a mobile app, and OATH tokens for authentication. You can make these changes on an individual or global basis on the authentication server.
Summary
Forefront TMG 2010 is an excellent remote access VPN solution. It supports a wide range of industry-standard VPN protocols, and when integrated with Active Directory, management of remote access users is simple and straightforward. With remote access VPN being a common, and often easy, attack vector for cybercriminals, enforcing strong authentication for this critical service is vitally important. Unfortunately, traditional multi-factor authentication providers have proved to be too costly and complex for many organizations, leaving them out in the cold when it comes to providing the highest level of protection for their remote access solutions. With the introduction of Windows Azure Multi-Factor Authentication, we now have an easy-to-deploy, cost-effective, cloud-based strong authentication solution that can be leveraged by on-premises devices like the TMG firewall, without the need for expensive hardware and software to support it. Integrating Windows Azure Multi-Factor Authentication with TMG is not difficult at all, and improves the security of the VPN dramatically. Sign up for Windows Azure today and start taking advantage of this great service immediately. You’ll be glad you did!