Implementing Secure Remote Access with PPTP and Forefront Threat Management Gateway (TMG) 2010 (Part 2)

If you would like to read the first part in this article series please go to Implementing Secure Remote Access with PPTP and Forefront Threat Management Gateway (TMG) 2010 (Part 1).

Introduction

Last month, in part one of this series on Implementing Secure Remote Access with PPTP and Forefront Threat Management Gateway (TMG) 2010, I explained in detail how you can still leverage PPTP for remote access VPN, yet do it much more securely than the default configuration allows by making use of the Extensible Authentication Protocol (EAP) and certificates. Here in part two I’m going to demonstrate another way to provide an additional layer of protection for PPTP by configuring the Protected Extensible Authentication Protocol (PEAP) with client certificate authentication and integrating and enforcing Network Access Protection (NAP) with VPN client quarantine.

Requirements and Assumptions

The configuration details outlined in this article assume you have configured your TMG firewall and Windows 7 client as demonstrated in my last article. In addition, to implement NAP quarantine for clients that fail health checks, a server with the Network Policy Server (NPS) role installed is required. If you have a single TMG firewall it is possible to utilize the existing NPS installed on the TMG server. However, if you have an array of TMG servers, or you wish to leverage the NPS for other enforcement points (DHCP, 802.1x, etc.) then it is recommended that you configure a separate and dedicated server running NPS. Also, the NAP configuration described in this article is specific to this deployment scenario, that being PPTP remote access VPN using PEAP. If you desire to configure NAP for basic VPN scenarios, see this article for more information. Lastly, it is outside the scope of this article to explain in detail how to set up an NPS server. More information on that can be found here.

TMG Configuration

In the TMG management console, highlight the Remote Access Policy (VPN) node in the navigation tree, then click Specify RADIUS Configuration in the Tasks pane.


Figure 1

Select the options to Use RADIUS for authentication and Use RADIUS for accounting (logging) and then click RADIUS Servers.


Figure 2

Click Add, then enter the host name or the IP address of the NPS server and optionally provide a description. Click the Change button and enter the Shared Secret to be used with the NPS server. Be sure to use a long and complex password for optimum security. Leave the Authentication port and time-out (seconds) settings as the defaults and choose the option to Always use message authenticator.


Figure 3

Next, in the Tasks pane click Configure VPN Client Access and select the Quarantine tab. Select Enable Quarantine Control and choose the option to Quarantine according to RADIUS server policies. Once complete, save and apply the configuration.


Figure 4

NPS Configuration

On the NPS server, open the Network Policy Server management console by navigating to Start | Administrative Tools | Network Policy Server. In the navigation tree, expand the Network Access Protection node, then System Health Validators and Windows Security Health Validator. Highlight Settings and then right-click Default Configuration in the center window and choose Properties. Select the security health validation checks you wish to enforce and choose Ok.


Figure 5

Next, expand the Policies node in the navigation tree. Right-click Health Policies and choose New. Name the first new health policy Compliant. Specify Client passes all SHV checks, select Windows Security Health Validator and choose Ok.


Figure 6

Repeat these steps and create a new health policy called Noncompliant. Specify Client fails one or more SHV checks, select Windows Security Health Validator and choose Ok.


Figure 7

Right-click the Network Policies node and choose New. Name the policy Compliant – Full Access and choose Next.


Figure 8

Click Add, then choose Health Policies and click Add.


Figure 9

Choose Compliant and click Ok and Next.


Figure 10

Select Access granted and choose Next.


Figure 11

Click Add and choose Microsoft: Protected EAP (PEAP), then click Edit. Under EAP Types remove Secured password (EAP-MSCHAPv2), then click Add and select Smart Card or other certificate.


Figure 12

Click Next three times and then click Finish. Repeat this process, this time naming the policy Noncompliant – No Access. Select Noncompliant for the health policy and choose Access denied.


Figure 13

Again, click Add and choose Microsoft: Protected EAP (PEAP), then click Edit. Under EAP Types remove Secured password (EAP-MSCHAPv2), then click Add and select Smart Card or other certificate. Click Next twice, then highlight NAP Enforcement and choose Allow limited access.


Figure 14

Click Next and then Finish. Next right-click Connection Request Policies and choose New. Name the policy TMG VPN and select Remote Access Server (VPN-Dial up) as the Type of network access server.


Figure 15

Click Add, then highlight Client IPv4 Address and click Add.


Figure 16

Enter the IP address of your TMG server and click Ok.


Figure 17

Click Next twice and then select the option to Override network policy authentication settings. Click Add and choose Microsoft: Protected EAP (PEAP), then click Edit. Under EAP Types remove Secured password (EAP-MSCHAPv2), then click Add and select Smart Card or other certificate. Click Next and Finish.


Figure 18

Finally, expand RADIUS Clients and Servers in the navigation tree, then right-click RADIUS Clients and choose New. Give the client a name and specify the hostname or IP address of the TMG server and enter the same shared secret configure for the RADIUS server in the TMG management console.


Figure 19

Choose the Advanced tab and choose the options Access-Request messages must contain the Message-Authenticator attribute and RADIUS client is NAP-capable.


Figure 20

Client Configuration

On the Windows 7 client, navigate to Start | Run (or Winkey + R) and enter napclcfg.msc and press Enter. Highlight the Enforcement Clients node in the navigation tree, then right-click EAP Quarantine Enforcmenet Client in the center window and choose Enable.


Figure 21

Next, open the Services console and change the Startup Type for the Network Access Protection Agent to Automatic and then start the service.


Figure 22

This can also be configured at an elevated command prompt by entering the following command:

sc config napagent start= auto && sc start napagent

Right-click the VPN connection and choose Properties. Choose the Security tab and change the option for Use Extensible Authentication Protocol (EAP) to Microsoft: Protected EAP (PEAP) (encryption enabled) and then click Properties.


Figure 23

Select the options to Validate server certificate and Connect to these servers:. Here, enter the name of the NPS server that TMG is configured to use and select the appropriate Trusted Root Certification Authorities for your organization. Select the option to Enforce Network Access Protection and for the authentication method choose Smart Card or other certificate from the drop-down list and choose Configure.


Figure 24

Select the option to Use a certificate on this computer and Use simple certificate selection (Recommended). Also select Validate server certificate. Enter the hostname of the NPS server TMG is configured to use and select the appropriate Trusted Root Certification Authorities for your organization.


Figure 25

Testing

When testing this VPN connection you should not be prompted for credentials as we’ve configure PEAP authentication to use a certificate issued to the user. As long as all of the security health requirements are met we should be able to establish VPN connectivity successfully. To confirm this, temporarily disable the Windows Firewall and attempt to establish VPN connectivity. If NAP is configured correctly and working properly we should be denied access and presented with a message stating that our connection was prevented because of a policy configured on the RAS/VPN server.

Summary

Although the PPTP protocol has its issues and limitations from a security perspective, its wide adoption means that Forefront TMG firewall administrators may need to support it for remote access VPN connectivity for quite some time. The key to supporting PPTP in a secure manner relies on protecting the exchange of credentials during the authentication process. In part one of this series I demonstrated how to accomplish that using the Extensible Authentication Protocol (EAP) with certificates. In this follow-up article I outlined how to leverage Protected Extensible Authentication Protocol (PEAP) with certificates and Network Access Protection (NAP) with client quarantine in Forefront TMG to further enhance the overall security of the solution. NAP integration provides the security administrator with a powerful tool that can be used to enforce corporate remote access security policy by limiting or denying access to VPN users based on their current security configuration. If you are forced to provide continued support for PPTP VPN remote access users, consider using EAP or PEAP with certificates to provide the highest level of protection possible for your remote access users.

If you would like to read the first part in this article series please go to Implementing Secure Remote Access with PPTP and Forefront Threat Management Gateway (TMG) 2010 (Part 1).

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top