Configuring the Calling ISA Server Firewall/VPN Gateway to use EAP/TLS
Certificate Authentication – Part 3
By Thomas W Shinder M.D.
In the first part of this series on configuring a calling VPN gateway to use EAP/TLS certificate-based authentication to authenticate against the answering VPN gateway, we discussed the procedures required to make the entire solution work, and then went through the details of how to enable the Router (offline request) certificate template and installing a machine certificate on the answering VPN gateway.
In the second part of this series we discussed how to obtain a user certificate that the calling VPN gateway can use to present to the answering VPN gateway for authentication. We also went over the procedure on how to export the calling VPN gateway’s certificate so that it could be copied to a domain controller. After the calling VPN gateway’s certificate was copied to the domain controller, you created a user account in the Active Directory for the calling VPN gateway. You’ll map the calling VPN router’s certificate to this user account.
In this, part 3 of the series, we’ll cover the following topics:
Once you get the certificate mapped to the user account and run the Local and Remote VPN Wizards, you’re almost done! The next part in the article, part 4, will cover the final steps which cover tuning up the settings created by the Local and Remote VPN Wizards.
Let’s get started!
Map the Router User Certificate to the User With the Same Name as the Answering VPN Gateway’s Demand Dial Interface
The next step is to map the user account you created for the calling router to the router’s certificate. Perform the following steps to create this mapping:
- Click Start, point to Administrative Tools and click on Active Directory Users and Computers. Click the View menu and click on the Advanced Features command.
- In the Active Directory Users and Computers console, expand your domain name and click on the Users node in the left pane of the console. Right click on the calling VPN gateway’s user account and click the Name Mappings command.
- In the Security Identity Mapping dialog box, click on the X.509 tab. On the X.509 tab, click on the Add button.
- In the Add Certificate dialog box, select the calling VPN gateway’s certificate that you copied to the domain controller. Click Open after selecting the certificate.
- In the Add Certificate dialog box, place a checkmark in the Use Subject for alternate security identity checkbox. Click OK.
- The calling VPN gateway’s user certificate now appears in the X.509 certificates list on the Security Identity Mapping dialog box. Click OK.
The calling VPN gateway’s user certificate is now mapped to a user account in the Active Directory. When the calling VPN gateway calls and presents its certificate to the answering VPN gateway for authentication, the name on the certificate will be compared to the name in the Active Directory to confirm that the calling VPN gateway has remote access permission.
Run the Local and Remote VPN Wizards on the Answering and Calling VPN Gateways
The calling VPN gateway has its user certificate and that certificate is mapped to a user account in the Active Directory in the same domain that the answering VPN gateway belongs to. Now we’re ready to put together the gateway to gateway demand dial interfaces on the calling and answering routers.
While you could manually create the demand dial interfaces on the calling and answering routers, and then manually create the packet filters on each of the ISA Servers to support the connections, I wouldn’t recommend it. Why? Because your ISA Server firewall/VPN gateways have some powerful Wizards that you can use to do most of the dirty work in configuring the answering and calling VPN gateways.
You run the Local VPN Wizard on the answering VPN gateway and the Remote VPN Wizard on the calling VPN gateway. The remote VPN gateway always calls the local VPN gateway. The local VPN gateway never calls the remote VPN gateway. Get it? Good!
Perform the following steps on the answering VPN gateway:
- Open the ISA Management console, expand the Servers and Arrays node and right click on the Network Configuration node. Click on the Set Up Local ISA VPN Server command.
Remember that the answering VPN gateway never calls the calling VPN gateway. The answering VPN gateway only answers the calls from the calling VPN gateway machine.
- Click Next on the Welcome to the Local ISA Server VPN Configuration Wizard page.
- If the Routing and Remote Access Service has not been started yet, the Wizard will ask if you want to start it now. Click Yes on the ISA Virtual Private Network (VPN) Wizard dialog box asking if you want to start the service.
- On the ISA Virtual Private Network (VPN) Identification page, you enter the names for the local network and remote network. This information is used to name the demand dial interface on the answering VPN gateway.
In the type a short name to describe the local network text box, type a five or six character name for the local network.
In the type a short name to describe the remote network text box, type a five or six character name for the remote network.
This is the name of the demand dial interface on the answering VPN gateway. This is a critical step and you must name the local and remote networks correctly, or your gateway to gateway VPN connection will not work properly.
Recall the name of the account you created for the calling VPN gateway. In this example, the calling VPN gateway uses the account local1_remote1. You must name the local and remote networks in this dialog box in the same way. Because the name of the account is local1_remote1, the local network must be named local1 and the remote network must be named remote1. The Wizard will automatically put the underscore character between the names of the local and remote networks.
Let’s look at another example just to make this perfectly clear. Suppose the local network is named dallas and the remote network is named houston. The user account created for the calling VPN gateway to use when calling the local gateway is dallas_houston. This is the name on the router’s user certificate and this is the name for the Active Directory account.
- On the ISA Virtual Private Network (VPN) Protocol page, select the Use L2TP over IPSec, if available. Otherwise, use PPTP option. This allows the VPN gateways to use L2TP/IPSec if both sides have a machine certificate. If both sides don’t have a machine certificate, then PPTP will be negotiated. Click Next.
- On the Two-way Communication page, do not put a checkmark in the Both the local and remote ISA VPN computers can initiate communication checkbox. I repeat, do not enable this checkbox. Only the calling VPN gateway should initiate the call. If you were to enable the checkbox (which you would never do), then both sides would try to initiate a call when needed and this can lead to unreliability of your VPN gateway connections. Click Next.
- On the Remote Virtual Private Network (VPN) Network page, click the Add button. Add a network ID that you want to be reachable from the local network. You should repeat this procedure so that all the network IDs on the remote network are included in the list on this page.
In this example, the only network ID on the remote network that we want to be able to reach from the local network is network ID 192.168.10.0/24. This creates a static routing table entry on the answering VPN gateway that routes packets to this network ID through the demand dial interface to the remote network via the VPN gateway interface.
Repeat the process for each network ID you need to reach from the local network to the remote network. Then click Next.
- On the Local Virtual Private Network (VPN) Network page, select the primary IP address on the external interface of the ISA Server/VPN gateway computer from the drop down list labeled Select the IP address of the local ISA VPN computer. This is the IP address to which the remote ISA VPN computer will connect. Make sure this is the top listed IP address on the list of addresses bound to the external interface.
In the lower part of this page you see a list of network IDs on the local network. This list is drawn from the Local Address Table (LAT). This is a list of all the network IDs on the local network that can be reached from the remote network. If there are more network IDs on the local network that you want accessible from the remote network, then click the Add button and add them.
Click Next after entering all the local network IDs that you want accessible to users on the remote network.
- On the ISA VPN Computer Configuration File page, type in a path and file name for the configuration file in the File name text box. Type in a password and confirm the password to protect the information contained in this file. Click Next.
- Click Finish on the Completing the ISA VPN Setup Wizard page.
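Before carrying the configuration file over to the calling gateway, it is worth confirming that the three names the article says must agree really do: the local_remote name the Wizard builds from the two short names, the Active Directory account you created for the calling gateway, and the subject on the router’s user certificate that you mapped to that account. The following PowerShell is an added check and is not part of the article or of ISA Server; the short names, the certificate path and the use of the ActiveDirectory module on a domain controller are assumptions you will need to adapt.

```powershell
# Added check (not from the article): verify that the Local VPN Wizard short names,
# the calling gateway's AD account name, and the certificate subject all line up.
# Assumed values; replace with your own.
$LocalName  = 'local1'                          # "short name to describe the local network"
$RemoteName = 'remote1'                         # "short name to describe the remote network"
$CertFile   = 'C:\certs\calling-gateway.cer'    # exported router user certificate (assumed path)

# The Wizard joins the two short names with an underscore to name the demand dial interface.
$ExpectedAccount = "${LocalName}_$RemoteName"

# The article asks for five or six character short names.
foreach ($n in $LocalName, $RemoteName) {
    if ($n.Length -lt 5 -or $n.Length -gt 6) {
        Write-Warning "Short name '$n' is not five or six characters long."
    }
}

# Read the subject name from the certificate the calling gateway will present.
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$SubjectName = $Cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($SubjectName -ne $ExpectedAccount) {
    Write-Warning "Certificate subject '$SubjectName' does not match the expected account name '$ExpectedAccount'."
} else {
    "Certificate subject matches account name: $SubjectName"
}

# The Name Mappings dialog stores X.509 mappings in the account's altSecurityIdentities
# attribute; each mapping string begins with "X509:". Requires the ActiveDirectory module.
Import-Module ActiveDirectory
try {
    $User = Get-ADUser -Identity $ExpectedAccount -Properties altSecurityIdentities -ErrorAction Stop
} catch {
    Write-Warning "Account '$ExpectedAccount' was not found in Active Directory: $_"
    return
}
$Mappings = @($User.altSecurityIdentities) | Where-Object { $_ -like 'X509:*' }
if ($Mappings.Count -eq 0) {
    Write-Warning "Account '$ExpectedAccount' has no X.509 name mapping; re-run the Name Mappings steps."
} else {
    $Mappings | ForEach-Object { "Mapping on $($User.SamAccountName): $_" }
}
```

Run it on the domain controller (or any machine with the ActiveDirectory module and a copy of the exported certificate) after the Local VPN Wizard finishes. A warning from either the subject comparison or the mapping lookup means the calling gateway’s certificate will not be matched to its account when it calls, which is the most common reason the demand dial connection fails to authenticate.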
Now we can take this file to the calling VPN gateway and run the Remote VPN Wizard:
- On the remote VPN gateway (the calling VPN gateway), open the ISA Management Console, expand the Servers and Arrays node and right click on the Network Configuration node. Click on the Set Up Remote ISA VPN Server command.
- Click Next on the Welcome to the Remote ISA Server VPN Configuration Wizard page.
- If the Routing and Remote Access Service has not yet been started on the calling VPN gateway, the Wizard will ask if you want to start the service. Click Yes on the ISA Virtual Private Network (VPN) Wizard dialog box that asks if you want to start the service.
- On the ISA VPN Computer Configuration File page, use the Browse button to find the configuration file. If you can’t find it, it might be because you haven’t copied it to the server yet!
- Click Finish on the Completing the ISA VPN Configuration Wizard page.
In this, part 3 of our 4 part series on using EAP/TLS certificate-based authentication with gateway to gateway VPNs, we went over the procedures required to map the router’s user certificate to an account in the Active Directory. We also discussed the details of the Local and Remote VPN Wizards and how to run each of them to ensure that demand dial interfaces are named correctly and that only the calling VPN gateway initiates the demand dial connection.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001759 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom