Configuring the Calling ISA Server Firewall/VPN Gateway to use EAP/TLS Certificate Authentication – Part 2





By Thomas W Shinder, M.D.


In the first part of this series on configuring a calling VPN gateway to use EAP/TLS certificate-based authentication against the answering VPN gateway, we discussed the procedures required to make the entire solution work, and then went through the details of how to enable the Router (offline request) certificate template and install a machine certificate on the answering VPN gateway.


In this, part 2 of the series, we cover the following topics:



  • Have the Calling VPN gateway Use the Enterprise CA’s Web Enrollment Site to Obtain a Router (offline) Certificate and Install the Root CA Certificate
  • Export the Router User Certificate to a .cer File
  • Create a User Account with the Same Name as the Gateway to Gateway Demand Dial Interface on the Answering VPN Gateway in Active Directory Users and Computers

Let’s continue with our mission of creating the ultimately secure VPN gateway to gateway link!




Have the Calling VPN gateway Use the Enterprise CA’s Web Enrollment Site to Obtain a Router (offline) Certificate and Install the Root CA Certificate


The calling VPN gateway needs to obtain a router certificate from the enterprise CA. You don’t need to make any configuration changes to the ISA Server firewall/VPN gateway at the local site if the calling router is being prepared on the local network prior to being shipped to the remote office.


However, you will need to make some changes to the ISA Server firewall/VPN gateway if the calling VPN gateway is already at the remote office. There are several options available to you:



  • Create a Web Publishing Rule that publishes the Web enrollment site and allow the calling VPN gateway to obtain a certificate via the Web enrollment site
  • Create a Server Publishing Rule that publishes the Web enrollment site and allow the calling VPN gateway to obtain a certificate via the Web enrollment site
  • Establish a VPN link between the calling ISA Server firewall/VPN gateway and the answering gateway and connect to the Web enrollment site via the VPN link

You can use any of these methods to reach the enterprise CA's Web enrollment site. In this example we created a simple Server Publishing Rule that used an HTTP Server (inbound TCP 80) Protocol Definition to publish the enterprise CA's Web enrollment site. IIS was not installed on the firewall and all Incoming Web Requests listeners were removed. Because this rule exposes the enrollment site, and the administrator logon it prompts for, to the Internet over plain HTTP, treat it as temporary and disable it as soon as the certificate has been issued.



Note:
Confirm that the browser on the calling VPN gateway is configured as a Web Proxy client. Alternatively, you can create a packet filter that allows outbound TCP port 80. Remember to disable the packet filter after you obtain the certificate from the Web enrollment site.


Perform the following steps to obtain the router certificate for the calling VPN gateway:

1. Type in the URL at which the enterprise CA can be reached. In this example the calling VPN gateway connects via a Server Publishing Rule, so we type http://<public_address>/certsrv, where the public address is the address on the external interface of the ISA Server firewall/VPN gateway listening for incoming connections for the enterprise CA. Enter an administrator's username and password in the authentication dialog box and click OK.
2. Click the Request a certificate link on the Welcome page of the enterprise CA's Web enrollment site.
3. Click the advanced certificate requests link on the Request a Certificate page.
4. Click the Create and submit a request to this CA link on the Advanced Certificate Request page.
5. On the Advanced Certificate Request page, click the down arrow for the Certificate Template drop down list box. Select the Router (Offline request) option. In the Name text box under Identifying Information For Offline Template, type in the name of the demand dial interface you will create with the Local VPN Wizard.

For example, in the Local VPN Wizard you will be asked to name the local network and the remote network. If you name the local network local1 and the remote network remote1, then the name of the demand dial interface will be local1_remote1. This is the name you type in the Name text box on the Advanced Certificate Request page. It becomes the subject common name of the router certificate and must match, character for character, the name of the user account you create for the calling gateway later in this article.

Put a checkmark in the Store certificate in the local computer certificate store checkbox. Scroll down to the bottom of the page and click the Submit button.

6. Click Yes on the Potential Scripting Violation dialog box warning you that the Web site is requesting a new certificate on your behalf.
7. Click the Install this certificate link on the Certificate Issued page.
8. Click Yes on the Potential Scripting Violation dialog box warning you that the Web site is adding one or more certificates to the computer.
9. Close Internet Explorer after you see the Certificate Installed page.

Now you need to export the Root CA certificate to a file and import this CA certificate into the Trusted Root Certification Authorities node on the calling VPN gateway. Unlike the situation when you use the Certificates MMC snap-in to obtain a certificate, the Root CA certificate is not automatically added to the Trusted Root Certification Authorities node when you obtain the certificate from the Web enrollment site. Until it is, the calling gateway cannot build a trusted chain for its own router certificate.


Perform the following steps to export the Root CA certificate and then import it into the Trusted Root Certification Authorities node in the calling VPN gateway's machine certificate store:

1. Click Start then click the Run command. Type mmc in the Open text box and click OK. Click the File menu in the Console1 console and click the Add/Remove Snap-in command.
2. Click the Add button in the Add/Remove Snap-in dialog box.
3. In the Add Standalone Snap-in dialog box, click the Certificates snap-in and click Add.
4. Select the Computer account option on the This snap-in will always manage certificates for page. Click Next.
5. Select the Local computer option on the Select the computer you want this snap-in to manage page. Click Finish.
6. Click Close on the Add Standalone Snap-in dialog box.
7. Click OK on the Add/Remove Snap-in dialog box.
8. Expand the Personal node, click on the Certificates node and double click the router certificate in the right pane of the console to open the Certificate dialog box.
9. Click on the Certification Path tab on the Certificate dialog box. Notice that the Root CA certificate has a red "x" on it. This indicates that the Root CA certificate is not trusted. Click on the Root CA certificate with the red "x" on it and then click the View Certificate button.
10. Click on the Details tab of the Root CA's Certificate dialog box. Click the Copy to File button.
11. Click Next on the Welcome to the Certificate Export Wizard page.
12. On the Export File Format page, select the Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) option. Put a checkmark in the Include all certificates in the certification path if possible checkbox. Click Next.
13. On the File to Export page, type in a path and file name for the certificate file in the File name text box. Click Next.
14. Review your settings on the Completing the Certificate Export Wizard page and click Finish.
15. Click OK on the Certificate Export Wizard dialog box informing you that the export was successful.
16. Close all of the Certificate dialog boxes.
17. Now that the Root CA certificate has been exported to a file on the local hard disk, you can import it into the Trusted Root Certification Authorities certificate store. Expand the Trusted Root Certification Authorities node in the left pane of the console and click on the Certificates node. Right click on the Certificates node, point to All Tasks and click on Import.
18. Click Next on the Welcome to the Certificate Import Wizard page.
19. Use the Browse button on the File to Import page to find the exported Root CA certificate file. Click Next.
20. Use the default setting, Place all certificates in the following store, on the Certificate Store page. Click Next.
21. Review your settings and click Finish on the Completing the Certificate Import Wizard page.
22. Click OK on the Certificate Import Wizard dialog box informing you that the import was successful.

If you open the machine certificate again and look at the certification path, you'll find that the red "x" no longer appears on the Root CA certificate. Before you import, compare the thumbprint shown on the root certificate's Details tab with the value the CA administrator gives you: anything placed in Trusted Root Certification Authorities is trusted for every purpose on this gateway, so the file you import must really be your enterprise root.




Export the Router User Certificate to a .cer File


The calling VPN gateway now has a certificate it can use to present to the answering VPN gateway for authentication. The next step is to export this certificate to a file that you will copy to a domain controller. The exported router certificate will be mapped to a user account created for the calling VPN gateway. Only the public certificate leaves the gateway: the private key was generated as non-exportable during Web enrollment and stays in the machine store, which is why the wizard does not offer to export it.


Perform the following steps to export the router's user certificate to a file:

1. Click Start then click the Run command. Type mmc in the Open text box and click OK. Click the File menu in the Console1 console and click the Add/Remove Snap-in command.
2. Click the Add button in the Add/Remove Snap-in dialog box.
3. In the Add Standalone Snap-in dialog box, click the Certificates snap-in and click Add.
4. Select the Computer account option on the This snap-in will always manage certificates for page. Click Next.
5. Select the Local computer option on the Select the computer you want this snap-in to manage page. Click Finish.
6. Click Close on the Add Standalone Snap-in dialog box.
7. Click OK on the Add/Remove Snap-in dialog box.
8. Click on the Personal\Certificates node. Right click on the router certificate in the right pane of the console, point to All Tasks and click on Export.
9. Click Next on the Welcome to the Certificate Export Wizard page.
10. The only option available to you on the Export Private Key page is No, do not export the private key. Click Next.
11. Select the Base-64 encoded X.509 (.CER) option on the Export File Format page. Click Next.
12. Type in a path and file name for the exported router user certificate in the File name text box. Click Next.
13. Review your settings on the Completing the Certificate Export Wizard page and click Finish.
14. Click OK on the Certificate Export Wizard dialog box informing you that the export was successful.
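The three certificate procedures above (enrolling the router certificate, trusting the root CA, and exporting the router certificate without its private key) can also be scripted instead of clicked through. The script below is an added example written for this page, not code from the original article or from Microsoft; it uses the certreq.exe and certutil.exe tools that ship with Windows. The CA configuration string ca01.corp.example.com\Corp Root CA, the template name OfflineRouter (the internal name of the Router (Offline request) template), and the 2048-bit key length are assumptions. Note that certreq -submit and certutil -ca.cert talk to the CA over RPC/DCOM rather than HTTP, so they need the VPN-link option from the list above, or a gateway prepared on the local network before shipping, not the TCP 80 publishing rule.

```powershell
# Added example (not from the original article). Run in an elevated session on
# the calling VPN gateway with a network path to the CA (VPN link or local LAN).
$IfName   = 'local1_remote1'                       # must equal the demand-dial interface name
$CaConfig = 'ca01.corp.example.com\Corp Root CA'   # assumption: <CA host>\<CA common name>
$Work     = Join-Path $env:TEMP "router-cert-$IfName"
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# 1. Build the request. MachineKeySet=TRUE is the scripted equivalent of
#    "Store certificate in the local computer certificate store";
#    Exportable=FALSE keeps the private key on the gateway, which is what the
#    "No, do not export the private key" wizard page later enforces.
$Inf = @"
[NewRequest]
Subject       = "CN=$IfName"
KeyLength     = 2048
KeySpec       = 1
KeyUsage      = 0xA0
MachineKeySet = TRUE
Exportable    = FALSE
ProviderName  = "Microsoft RSA SChannel Cryptographic Provider"
RequestType   = PKCS10

[RequestAttributes]
CertificateTemplate = OfflineRouter
"@
Set-Content -Path "$Work\request.inf" -Value $Inf -Encoding ASCII

certreq -new "$Work\request.inf" "$Work\request.req"
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# 2. Submit to the CA and install the issued certificate into the computer store.
#    If the CA holds requests as pending, have it approved and use
#    "certreq -retrieve -config $CaConfig <RequestId> issued.cer" instead of -submit.
certreq -submit -config $CaConfig "$Work\request.req" "$Work\issued.cer"
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed (request pending or denied?)' }
certreq -accept "$Work\issued.cer"
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# 3. Fetch the CA's own certificate and place it in Trusted Root Certification
#    Authorities. Web enrollment does not do this for you; a missing root is the
#    red "x" on the Certification Path tab. Check the thumbprint before trusting it.
certutil -config $CaConfig -ca.cert "$Work\rootca.cer"
if ($LASTEXITCODE -ne 0) { throw 'could not download the CA certificate' }
certutil -dump "$Work\rootca.cer" | Select-String 'Cert Hash\(sha1\)'
certutil -addstore Root "$Work\rootca.cer"

# 4. Verify that the chain now builds, then export the public certificate (no
#    private key) as the .cer you copy to the domain controller for the mapping.
certutil -verify "$Work\issued.cer"
if ($LASTEXITCODE -ne 0) { throw 'chain does not verify; is the root in the Root store?' }
certutil -store My $IfName "$Work\$IfName.cer"
Write-Host "Exported $Work\$IfName.cer; copy it to the DC for the user account mapping."
```

The Subject line of the INF file is the scripted counterpart of the Name text box on the Advanced Certificate Request page: whatever you put there is the common name the answering gateway will see, so keep it identical to the demand-dial interface name.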



Create a User Account with the Same Name as the Gateway to Gateway Demand Dial Interface on the Answering VPN Gateway in Active Directory Users and Computers


Use the Active Directory Users and Computers console to add a new user account that has the same name as the demand dial interface on the answering ISA Server firewall/VPN gateway. In this example, the name of the demand dial interface is local1_remote1 and a user account with the exact same name is created in the Active Directory.


You can use any strong password you like for this account. The calling VPN gateway presents the certificate to the answering VPN gateway. You will not need to configure a password for the calling VPN gateway to use when it connects to the answering gateway; only the certificate is required.


Note that you must configure this account to have Remote Access Permission in the Active Directory, as seen in the figure below (the Dial-in tab of the account's Properties dialog box, with Allow access selected).
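The account step can be done with the ActiveDirectory PowerShell module instead of the console, which also makes it easy to check, before the account exists, that the subject CN of the exported .cer really is the interface name. This is an added example written for this page, not code from the original article; the network names local1 and remote1, the path C:\certs\local1_remote1.cer and the account description are assumptions, and the script runs on a domain-joined machine with RSAT and rights to create users.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module (RSAT) and permission to create user objects in the target domain.
Import-Module ActiveDirectory

function Get-DemandDialInterfaceName {
    # The Local VPN Wizard names the interface <local>_<remote>; reproduce that
    # rule so the account name cannot drift from the interface name.
    param([string]$LocalNetwork, [string]$RemoteNetwork)
    return ('{0}_{1}' -f $LocalNetwork, $RemoteNetwork)
}

function Test-RouterCertMatchesAccount {
    # Reads the exported .cer (public certificate only) and compares its subject
    # CN with the account name. A mismatch here surfaces later as an opaque
    # EAP-TLS authentication failure, so catch it now.
    param([string]$CerPath, [string]$AccountName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    return ($cn -eq $AccountName)
}

$IfName  = Get-DemandDialInterfaceName -LocalNetwork 'local1' -RemoteNetwork 'remote1'
$CerPath = "C:\certs\$IfName.cer"     # assumption: where the exported .cer was copied

if (-not (Test-RouterCertMatchesAccount -CerPath $CerPath -AccountName $IfName)) {
    throw "Subject CN in $CerPath does not match the interface name $IfName"
}

# The password is never used for the gateway-to-gateway link (only the certificate
# is), so generate a random one and forget it rather than pick something memorable.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

New-ADUser -Name $IfName -SamAccountName $IfName -AccountPassword $pw -Enabled $true `
    -Description "EAP-TLS identity for demand-dial interface $IfName" `
    -PasswordNeverExpires $true -CannotChangePassword $true

# msNPAllowDialin = TRUE is the attribute behind "Allow access" on the Dial-in tab.
Set-ADUser -Identity $IfName -Replace @{ msNPAllowDialin = $true }

$u = Get-ADUser -Identity $IfName -Properties msNPAllowDialin
'{0}: remote access permission = {1}' -f $u.SamAccountName, $u.msNPAllowDialin
```

If the check throws, fix the certificate (re-enroll with the correct name) rather than renaming the account to fit a typo: the interface name on the answering gateway is the value everything else has to agree with.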





Summary


In this, part 2 of this series on using EAP/TLS certificate-based authentication with gateway to gateway VPNs, we went over how to issue a router certificate to the calling VPN gateway, how to export the router certificate to a file and how to create a user account in the Active Directory Users and Computers console that is used by the calling router. The router certificate will be mapped to this user account.


I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001759 and post a message. I'll be informed of your post and will answer your questions ASAP. Thanks! –Tom
