Implementing Secure Remote Access with PPTP and Forefront Threat Management Gateway (TMG) 2010 (Part 1)

If you would like to read the next part in this article series please go to Implementing Secure Remote Access with PPTP and Forefront Threat Management Gateway (TMG) 2010 (Part 2).

Introduction

As an integrated edge security gateway, Forefront TMG 2010 can be deployed to provide Virtual Private Networking (VPN) services, enabling remote users to connect securely to the corporate network when they are out of the office. VPN protocols supported by TMG include the Layer Two Tunneling Protocol (L2TP/IPsec), Secure Sockets Tunneling Protocol (SSTP), and the Point-to-Point Protocol (PPTP). Based on my experience, PPTP is by far the most widely deployed VPN protocol on TMG and its predecessor, ISA server. This is most likely because configuring PPTP for VPN connectivity is simple and straightforward, and PPTP is widely supported across clients. However, recently discovered weaknesses in the protocol should cause you to think twice before using PPTP in its default configuration. In this article I’ll demonstrate how to deploy PPTP VPN in a more secure manner. In addition I’ll briefly discuss secure alternatives to PPTP.

Security Concerns with PPTP

The security issue with PPTP isn’t with the protocol itself. Rather, the problem lies with the MS-CHAPv2 authentication protocol, which is the default authentication method used when PPTP VPN is enabled on the TMG firewall. Earlier this year, security researches demonstrated a method to crack the MS-CHAPv2 authentication protocol with a 100% success rate. With the public availability of tools to automate the process of cracking MS-CHAPv2, PPTP communication using MS-CHAPv2 should be considered unencrypted. If PPTP is deployed for remote access VPN connectivity, security administrators should take steps to better secure their environment. Options include disabling the use of MS-CHAPv2 and using the Extensible Authentication Protocol (EAP) with smart cards or certificates, or switching to another protocol such as L2TP/IPsec or SSTP.

EAP for PPTP VPN Prerequisites

Replacing MS-CHAPv2 authentication with PPTP in favor of EAP with smart cards or certificates is not a trivial task. For many, it will be easier to simply switch to another protocol to provide secure remote access instead of implementing EAP with PPTP. Using EAP will require a working Public Key Infrastructure (PKI), which can be a barrier to entry for some organizations. PKI is required to issue machine certificates to each TMG server providing VPN services and for provisioning client certificates or smart cards for each user requiring VPN access. Enabling EAP will require changes to be made on the client side as well. This can be done individually by the user or automated with Connection Manager Administration Kit (CMAK) or group policy. This article assumes that you’ve met those requirements, and that you already have a working PPTP VPN configuration in place.

Server Certificate Provisioning

Before configuring EAP authentication with PPTP on the TMG firewall, we first need to obtain a machine certificate for the TMG firewall and a user certificate for our remote access client. Configuring the PKI is outside the scope of this article, but in my test lab I am using a Windows Server 2008 R2 Active Directory-integrated enterprise certificate authority (CA). In this scenario, before we can obtain a machine certificate from the enterprise CA we first need to configure the TMG firewall policy to allow this request to be completed. Ordinarily the certificate request process is simple on a Windows machine, but here it is complicated by the fact that the certificate request process uses DCOM, which is not supported by the TMG firewall. To enable a certificate request, you can follow this procedure which requires configuring the CA to use a static port and creating a firewall rule on TMG that uses a custom protocol. Since this process only needs to be completed once (or very infrequently, depending on the CA’s issuance policy for certificate lifetime) I suggest creating a TEMPORARY access rule that allows all outbound traffic from the TMG firewall to the CA. Once you’ve completed the certificate request successfully you can safely disable or delete the rule. You’ll also need to disable the option to enforce strict RPC compliance for RPC communication. This is done by right-clicking the Firewall Policy node in the TMG management console and choosing All Tasks | System Policy | Edit System Policy. Highlight Active Directory under the Authentication Services folder and uncheck the box next to Enforce strict RPC compliance.


Figure 1

On the TMG firewall, open a new Microsoft Management Console (MMC) by clicking Start | Run and entering mmc.exe. From the drop-down menu choose File | Add/Remove Snap-in. Highlight Certificates in the Available snap-ins column and click Add. Select Computer account and click Next, choose Local computer (the computer this console is running on) and then click Finish and Ok. Expand the Certificates node in the navigation tree and highlight the Personal folder. Right-click anywhere in the center pane and choose All Tasks | Request New Certificate. Click Next when the enrollment wizard begins, then select Active Directory Enrollment Policy and click Next. Check the box next to Computer and then click Enroll to complete the process.


Figure 2

For enterprise arrays, repeat these steps on each TMG firewall in the array. Don’t forget to disable or delete the temporary access rule you created to allow all outbound traffic from the TMG firewall to the CA, and re-enable the enforcement of strict RPC compliance in the system policy!

Client Certificate Provisioning

To provision a user certificate on the client side, click Start | Run and type mmc.exe. From the drop-down menu choose File | Add/Remove Snap-in. Highlight Certificates in the Available snap-ins column and click Add. Select My user account and click Finish and Ok. Expand Certificates – Current User in the navigation tree and highlight the Personal folder. Right-click anywhere in the center pane and choose All Tasks | Request New Certificate and click Next, and then choose Active Directory Enrollment Policy and click Next. Check the box next to User and then click Enroll.


Figure 3

Configuring TMG PPTP VPN for EAP

In the TMG management console, highlight the Remote Access Policy (VPN) node in the navigation tree, then in the Tasks pane click the link Select Authentication Methods.


Figure 4

Un-check the box next to Microsoft encrypted authentication version 2 (MS-CHAPv2) and check the box next to Extensible authentication protocol (EAP) with smart card or other certificate.


Figure 5

Note:
If you have enabled NAP integration with TMG for VPN clients, EAP must be configured on the Network Policy Server (NPS). Click the configuring EAP link on the dialog box for more information. When you select the option to enable EAP you are presented with an information dialog box indicating that EAP authenticated users belong to the RADIUS namespace and are not part of the Windows namespace. To apply user-based access rule to these users you can either define a RADIUS user set for them or you can use user mapping to map these users to the Windows namespace (this requires the TMG firewall be joined to a domain). If user mapping is enabled, access rules applied to the Windows users and groups will be applicable to EAP authenticated users.


Figure 6

Choose ok, then save and apply the configuration.

Configuring VPN Client with EAP

On the client side, open the Network and Sharing Center and click Change adapter settings. Right-click the existing PPTP VPN connection and choose Properties. Click the Security tab, then select the option to Use Extensible Authentication Protocol (EAP). From the drop-down box choose Smart card or other certificate (encryption enabled).


Figure 7

Click the Properties button and, if you are using client certificates installed on the local machine and not smart cards, select the option to Use a certificate on this computer. Next, enter the internal hostname of the TMG firewall in the Connect to these servers text box. This name must match the name on the computer certificate issued to the TMG firewall. For TMG enterprise arrays, enter the name of each firewall in the array, separated by semicolons. Lastly, select the Trusted Root Certification Authorities that issued the certificate to the TMG firewall and click Ok. Once complete you should be able to establish a secure VPN session using PPTP authenticated with the client certificate or smart card issued to the user.


Figure 8

Alternative Remote Access Protocols

If implementing EAP authentication with PPTP sounds like a lot of trouble, there are alternative remote access protocols that can be used to provide secure remote access that don’t suffer from the security concerns that PPTP does. For example, TMG supports L2TP/IPsec which is considered very secure. Ideally L2TP/IPsec should also use certificates for authentication, but it does support the use of a shared secret that, if great care is taken, can provide a high level of protection for remote access communication. If you choose to use shared secrets instead of certificates, be sure to use a very long and complex password and change this password frequently. Another excellent alternative is to use SSTP. SSTP uses SSL/TLS to encrypt communication between the client and remote access server, and it is simple to configure on the TMG firewall. SSTP has the added benefit of being very firewall friendly, as outbound access on TCP port 443 is ubiquitous. The only drawback to SSTP is that it is supported only on Windows Vista SP1 and later clients. If you still have to support Windows XP remote access clients, you’ll need to continue to rely on PPTP or L2TP/IPsec. Of course DirectAccess is another solution that mitigates the security concerns of PPTP VPN. DirectAccess uses certificates and IPsec to establish secure remote access for managed clients (domain-joined) running Windows 7 Enterprise or Ultimate, or Windows 8 Enterprise. DirectAccess can be implemented using Windows Server 2008 R2 (and enhanced with Forefront UAG 2010) or with Windows Server 2012.

Summary

Forefront TMG and ISA server are widely deployed remote access solutions. The most common protocol used in those deployments is undoubtedly PPTP, due to its easy configuration and wide client support. However, PPTP has long been considered a weak protocol, and recent discoveries and newly available automated cracking tools threaten to make PPTP as secure as the Wired Equivalent Privacy (WEP) protocol. Organizations large and small would be well advised to make changes to their existing PPTP VPN configuration, or consider moving to another more secure protocol to protect their remote access communication. Configuring EAP authentication with smart cards or certificates mitigates the security concerns of PPTP, but for many the requirement for PKI may pose a barrier to adoption. Alternatively TMG supports additional secure protocols like L2TP/IPsec and SSTP, both of which provide much more security than the default PPTP configuration.

 

If you would like to read the next part in this article series please go to Implementing Secure Remote Access with PPTP and Forefront Threat Management Gateway (TMG) 2010 (Part 2).

 

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top