Configuring the ISA Firewall to Support Certificate-Based EAP-TLS Authentication (Part 2)

In the first article in this series on using EAP-TLS certificate authentication for VPN client connections, we began our discussion by configuring the RADIUS server and finished up by setting up Remote Access Policies and changing the domain functional level. In this article, we’ll look at how to configure the ISA Firewall’s VPN server to support our EAP/TLS VPN client connections, and then request a certificate for the ISA Firewall.

Enable the VPN Server on the ISA Server 2004 firewall and configure RADIUS Support

With the RADIUS configuration and Remote Access Policies in place, we can now start configuring the ISA Server 2004 VPN server. We will first enable the VPN server and then configure the VPN server to support RADIUS authentication.

Perform the following steps to enable the VPN server and configure it for RADIUS support:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click on the Virtual Private Networks (VPN) node.
  2. Click the Tasks tab in the Task Pane. Click the Enable VPN Client Access link.


Figure 1

  1. Click the Configure VPN Client Access link.
  2. In the VPN Clients Properties dialog box, click the Groups tab. On the Groups tab, click the Add button.
  3. In the Select Groups dialog box, click the Locations button. In the Locations dialog box, click the msfirewall.org entry and click OK.
  4. In the Select Groups dialog box, enter Domain Users in the Enter the object names to select dialog box. Click the Check Names button. The group will become underlined when it is found in the Active Directory. Click OK.


Figure 2

  1. The domain group appears on the Group tab.


Figure 3

  1. Click the Protocols tab. Put a checkmark in the Enable L2TP/IPSec checkbox.


Figure 4

  1. Click the User Mapping page. Put a checkmark in the Enable User Mapping checkbox. Put a checkmark in the When username does not contain a domain, use this domain checkbox. In the Domain Name text box, enter the Internal network domain, msfirewall.org. Click Apply and then click OK.


Figure 5

  1. Click the Specify RADIUS Configuration link on the Tasks tab.


Figure 6

  1. On the RADIUS tab, put a checkmark in the Use RADIUS for authentication checkbox.


Figure 7

  1. Click the RADIUS Servers button. In the RADIUS dialog box, click the Add button.


Figure 8

  1. In the Add RADIUS Server dialog box, enter the name of the IAS server machine in the Server name text box. In this example, the name of the IAS server is EXCHANGE2003BE.msfirewall.org. Enter a description of the server in the Server description text box. In this example, enter the description IAS Server. Click the Change button.


Figure 9

  1. In the shared secret dialog box, enter a New Secret and then Confirm new secret. Make sure this is the same secret that you entered in the IAS server configuration at the IAS server machine. Click OK.


Figure 10

  1. Click OK in the Add RADIUS Server dialog box.
  2. Click OK in the RADIUS Servers dialog box.


Figure 11

  1. Click the Authentication tab in the Virtual Private Networks (VPN) Properties dialog box. Remove the checkmark from the Microsoft encrypted authentication version 2 (MS-CHAPv2) checkbox. Place a checkmark in the Extensible authentication protocol (EAP) with smart card or other certificate checkbox.


Figure 12

  1. Click Apply in the Virtual Private Networks (VPN) Properties dialog box. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote Access Service may restart. Click OK in the Virtual Private Networks (VPN) Properties dialog box.
  2. Click Apply to save the changes and update the firewall policy.
  3. Click OK in the Apply New Configuration dialog box.
  4. Restart the ISA Server 2004 firewall machine and log on as Administrator.

Create an Access Rule Allowing VPN Clients Access to the Internal Network

The ISA Server 2004 firewall will be able to accept incoming VPN connections after the restart. However, the VPN clients cannot access any resources on the Internal network because there are no Access Rules enabling this access. You must create an Access Rule that allows members of the VPN clients network access to the Internal network. In contrast to other combined firewall VPN server solutions, the ISA Server 2004 firewall VPN server applies access controls for network access to VPN clients.

In this example you will create an Access Rule allowing all traffic to pass from the VPN clients network to the Internal network. In a production environment you would create more restrictive access rules so that users on the VPN clients network have access only to resources they require.

Perform the following steps to create an unrestricted access VPN clients Access Rule:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. Right click the Firewall Policy node, point to New and click Access Rule.
  2. In the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we will name the rule VPN Client to Internal. Click Next.
  3. On the Rule Action page, select the Allow option and click Next.
  4. On the Protocols page, select the All outbound protocols option in the This rule applies to list. Click Next.


Figure 13

  1. On the Access Rule Sources page, click the Add button. On the Add Network Entities dialog box, click the Networks folder and double click on VPN Clients. Click Close.


Figure 14

  1. Click Next on the Access Rule Sources page.
  2. On the Access Rule Destinations page, click the Add button. On the Add Network Entities dialog box, click the Networks folder and double click on Internal. Click Close.
  3. On the User Sets page, accept the default setting, All Users, and click Next.


Figure 15

  1. Click Finish on the Completing the New Access Rule Wizard page.
  2. Click Apply to save the changes and update the firewall policy.
  3. Click OK in the Apply New Configuration dialog box. The VPN client policy is now the top listed Access Rule in the Access Policy list.


Figure 16

Issue Certificates to the ISA Server 2004 Firewall and VPN Clients

You can significantly improve the level of security provided to your VPN connection by using the L2TP/IPSec VPN protocol. The IPSec encryption protocol provides a number of security advantages over the Microsoft Point to Point Encryption (MPPE) protocol used to secure PPTP connections. While the ISA Server 2004 firewall VPN server can use a pre-shared key for the IPSec encryption process, this should be considered a low security option and should be avoided if possible. The secure IPSec solution is to use computer certificates on the VPN server and VPN clients.

By default, the ISA Server 2004 firewall is locked down with strong access controls. You will need to enable a System Policy Rule that allows the back-end firewall to communicate with the enterprise CA on the internal network.

Perform the following steps to enable the System Policy Rule on the back-end ISA Server 2004 firewall:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Firewall Policy node.
  2. Right click the Firewall Policy node, point to View and click Show System Policy Rules.
  3. In the System Policy Rule list, double click on the Allow HTTP from ISA Server to all networks for CRL downloads System Policy Rule.


Figure 17

  1. In the System Policy Editor dialog box, put a checkmark in the Enable checkbox on the General tab. Click OK.


Figure 18

  1. Click Apply to save the changes and update the firewall policy.
  2. Click OK in the Apply New Configuration dialog box.

Issue a Certificate to the ISA Server 2004 Firewall/VPN Server

The next step is to issue a computer certificate to the ISA Server 2004 firewall VPN server. Perform the following steps on the ISA Server 2004 firewall to request a certificate from the enterprise CA on the Internal network:

  1. Open Internet Explorer. In the Address bar, enter http://10.0.0.2/certsrv and click OK.
  2. In the Enter Network Password dialog box, enter Administrator in the User Name text box and enter the Administrator’s password in the Password text box. Click OK.
  3. Click the Request a Certificate link on the Welcome page.
  4. On the Request a Certificate page, click the advanced certificate request link.
  5. On the Advanced Certificate Request page, click the Create and submit a request to this CA link.
  6. On the Advanced Certificate Request page, select the Administrator certificate from the Certificate Template list. Place a checkmark in the Store certificate in the local computer certificate store checkbox. Click Submit.
  7. Click Yes in the Potential Scripting Violation dialog box.
  8. On the Certificate Issued page, click the Install this certificate link.
  9. Click Yes on the Potential Scripting Violation page.
  10. Close the browser after viewing the Certificate Installed page.
  11. Click Start and then click the Run command. Enter mmc in the Open text box and click OK.
  12. In the Console1 console, click the File menu and then click the Add/Remove Snap-in command.
  13. Click Add in the Add/Remove Snap-in dialog box.
  14. Select the Certificates entry in the Available Standalone Snap-ins list in the Add Standalone Snap-in dialog box. Click Add.
  15. Select the Computer account option on the Certificates snap-in page.
  16. Select the Local computer option on the Select Computer page.
  17. Click Close in the Add Standalone Snap-in dialog box.
  18. Click OK in the Add/Remove Snap-in dialog box.
  19. In the left pane of the console, expand the Certificates (Local Computer) node and then expand the Personal node. Click on the \Personal\Certificates node. Double click on the Administrator certificate in the right pane of the console.
  20. In the Certificate dialog box, click the Certification Path tab. At the top of the certificate hierarchy seen in the Certification path frame is the root CA certificate. Click the EXCHANGE2003BE certificate at the top of the list. Click the View Certificate button.
  21. In the CA certificate’s Certificate dialog box, click the Details tab. Click the Copy to File button.
  22. Click Next in the Welcome to the Certificate Export Wizard page.
  23. On the Export File Format page, select the Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) option and click Next.
  24. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
  25. Click Finish on the Completing the Certificate Export Wizard page.
  26. Click OK in the Certificate Export Wizard dialog box.
  27. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
  28. In the left pane of the console, expand the Trusted Root Certification Authorities node and click the Certificates node. Right click the \Trusted Root Certification Authorities\Certificates node, point to All Tasks and click Import.
  29. Click Next on the Welcome to the Certificate Import Wizard page.
  30. On the File to Import page, use the Browse button to locate the CA certificate you saved to the local hard disk and click Next.
  31. On the Certificate Store page, accept the default settings and click Next.
  32. Click Finish on the Completing the Certificate Import Wizard page.
  33. Click OK on the Certificate Import Wizard dialog box informing you that the import was successful.

Note:
You will not need to manually copy the enterprise CA certificate into the ISA Server 2004 firewall’s Trusted Root Certification Authorities certificate store because the CA certificate is automatically installed on domain members. If the firewall were not a member of the domain, then you would need to manually place the CA certificate into the Trusted Root Certification Authorities certificate store.
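The following PowerShell script is an added example, not part of the original article, that checks the result of the steps above from the command line: it imports the exported CA bundle (the article's c:\cacert.p7b) into the Trusted Root store when the firewall is not a domain member, and then confirms that each certificate in the machine's Personal store has a private key and builds a valid chain to a trusted root. The file path is taken from the article; the script and its output format are assumptions.

```powershell
# Added example (not the article's own code). Assumes the computer certificate
# was installed into LocalMachine\My and the CA certificate was exported to
# C:\cacert.p7b as described in the steps above.
param(
    [string]$CaBundlePath = 'C:\cacert.p7b'   # PKCS #7 export from step 24
)

# 1. Import the CA certificate into Trusted Root Certification Authorities.
#    Only needed when the firewall is not a domain member; domain members
#    receive the enterprise CA certificate automatically.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($CaBundlePath)    # X509Certificate2Collection.Import reads PKCS #7 (.p7b)
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
foreach ($ca in $bundle) {
    # Only self-signed (root) certificates belong in the Root store.
    if ($ca.Subject -eq $ca.Issuer -and -not $root.Certificates.Contains($ca)) {
        $root.Add($ca)
        "Added root CA: $($ca.Subject)"
    }
}
$root.Close()

# 2. Verify the machine certificate(s): private key present, chain builds,
#    and revocation can be checked (this is why the CRL system policy rule
#    was enabled earlier).
$my = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$my.Open('ReadOnly')
foreach ($cert in $my.Certificates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $ok = $chain.Build($cert)
    if ($ok) {
        $status = 'OK'
    } else {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
    "{0} | issuer: {1} | private key: {2} | expires: {3} | chain: {4}" -f `
        $cert.Subject, $cert.Issuer, $cert.HasPrivateKey, $cert.NotAfter, $status
}
$my.Close()
```

A certificate that reports a missing private key or a chain status other than OK will not be usable for L2TP/IPSec, so fix that before moving on to the VPN clients.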

Summary

In this article we continued our series on how to use EAP-TLS authentication for remote access VPN client connections. We started with configuring the ISA Firewall to use the RADIUS server. Then we configured the ISA Firewall’s remote access VPN client server component and created access rules to support the VPN clients. Then we finished up by requesting a certificate for the ISA Firewall and installing the certificate into the ISA Firewall’s machine certificate store. Next week we’ll finish up by installing the certificates on the VPN clients and testing the L2TP/IPSec and PPTP connections.
