Creating Routing and Remote Access Policy and Remote Access Permissions in Windows Server 2003 – Including EAP-TLS Authentication for PPTP and L2TP/IPSec Clients


The Routing and Remote Access Service (RRAS) on the ISA Server firewall/VPN server uses Remote Access Service Policies to determine what VPN connections should be allowed or denied. If an incoming VPN connection attempt doesn’t match the parameters contained in one of the Remote Access Policies configured on the ISA Server firewall/VPN server, the connect attempt will be blocked.


Remote Access Policies have three main components:


Remote Access Policy conditions are a set of attributes that are compared to the properties of the connection attempt made by the remote access client. There can be one or more Remote Access conditions applied to a single Remote Access Policy. Examples of Remote Access conditions include Windows Groups (the group membership of the caller trying to authenticate with the ISA Server firewall/VPN server), NAS Port Type (such as a VPN connection) and Tunnel Type (PPTP or L2TP). If the conditions of the connection attempt do not match the conditions of the Remote Access Policy, the connection will not be allowed by the policy.


If all the conditions for a Remote Access Policy are met, then Remote Access Permission is either granted or denied. Remote Access Permission can be controlled via Remote Access Policy, or via the properties of the caller’s user account. You can always control Remote Access Permission on a per user account basis. However, if you want to control access via Remote Access Policy, the domain the user account belongs to must run at the Windows 2000 Native or Windows Server 2003 functional level. If the user doesn’t have permission, the connection attempt is denied.


If the user is granted Remote Access Permission, then the connection’s properties are compared to the settings in the Remote Access Profile configured for that policy. A Remote Access Profile includes components such as the level of encryption required for the VPN protocol and the authentication methods supported. If the connection does not match the settings in the profile, the connect attempt is dropped. This is in spite of the fact that the connection attempt matches the Remote Access Policy Conditions and the user has Remote Access Permission.


The ISA Server firewall/VPN server can be configured with multiple Remote Access Policies. If the Remote Access Policy on the top of the list doesn’t allow access, then the second Remote Access Policy will be evaluated. If the second Remote Access Policy doesn’t allow access, then the third policy is evaluated. The connection request is denied when no policies match the request.


The following procedures are discussed in this ISA Server 2000 VPN Deployment Kit document:

·         Creating a VPN Client Remote Access Policy

·         Configuring Remote Access Permissions

·         Configuring the ISA Server firewall/VPN Server to Support EAP-TLS Authentication for PPTP and L2TP/IPSec VPN Clients

Creating a VPN Client Remote Access Policy


Remote Access Policies configured on the ISA Server firewall/VPN server are enforced against all VPN clients calling the server. The Windows Server 2003 Routing and Remote Access Service has a Remote Access Policy Wizard that makes it easy to create a secure VPN client Remote Access Policy.


Perform the following steps to create a VPN client Remote Access Policy on the ISA Server firewall/VPN Server:


*       Note:
Perform this procedure only after the ISA Server Virtual Private Network Configuration Wizard is run. Please refer to ISA Server 2000 VPN Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server for information on running the ISA Server Virtual Private Network Configuration Wizard.


1.       Click Start, point to Administrative Tools and click on Routing and Remote Access.

2.       In the Routing and Remote Access console (figure 1), expand your server name and then right click on the Remote Access Policies node in the left pane. Click on the New Remote Access Policy command.


Figure 1 (fig502)


3.       Click Next on the Welcome to the New Remote Access Policy Wizard page (figure 2).


Figure 2 (fig503)


4.       On the Policy Configuration Method page (figure 3), select the Use the wizard to set up a typical policy for a common scenario option. In the Policy name text box, type in a name for the policy. In this example, we’ll call it VPN Access Policy. Click Next.


Figure 3 (Fig131)


5.       Select the VPN option on the Access Method page (figure 4). This policy will be used for all VPN connections. However, you can create separate policies for PPTP and L2TP/IPSec VPN connections. If you wish to create separate policies for PPTP and L2TP/IPSec connections, then you will need to go back in the Wizard and create two custom policies. In this example we will apply the same policy to all VPN connections. Click Next.


Figure 4 (Fig132)


6.       You can grant access to the VPN server based on user or group (figure 5). The best method of access control is via Windows groups. VPN access control via Windows groups is easier to manage and reduces administrative overhead. You can create a group such as VPN Users and allow only this group access, or you can allow all your users access. It depends on which users you want to give VPN access to the network.


Figure 5 (Fig504)


7.       Click the Add button on the User or Group Access page (figure 5).  In the Enter the object names to select text box, type in the name of the Group requiring VPN access. Click the examples link to see examples of how to type in the Group name. You can also click the Advanced button and browse the local computer or the domain for the name of the group. Click OK in the Select Groups dialog box after selecting your group. In this example we will use the Domain Users group and give VPN access to all users in the domain.


Figure 6 (fig600)


8.       Click Next in the User or Group Access dialog box (figure 7).


Figure 7 (fig601)


9.       You can select the user authentication methods to allow on the Authentication Methods page (figure 8). The preferred authentication methods are:


·         Microsoft Encrypted Authentication version 2

·         Extensible Authentication Protocol (EAP).


Select both the Extensible Authentication Protocol (EAP) and Microsoft Encrypted Authentication version 2 (MS-CHAPv2) checkboxes. Click the down arrow in the Type (based on method of access and network configuration) drop down list box and select the Smart Card or other certificate option then click the Configure button.


Figure 8 (fig602)


10.   In the Smart Card or other Certificate Properties dialog box (figure 9), select the certificate you want the server to use to identify itself to VPN clients.


Almost all small business environments will have a single certificate. This certificate is a machine certificate assigned to the ISA Server firewall/VPN server. The ISA Server firewall/VPN server uses this certificate to identify itself when the VPN client is configured to confirm the server’s validity during user certificate authentication.


Click OK in the Smart Card or other Certificate Properties dialog box and then click Next.


*       Note:
If you do not see the certificate in the Smart Card or other Certificate Properties dialog box, then restart the RADIUS server and start over. The certificate will then appear in this dialog box after the restart.


Figure 9 (fig603)


11.   Select the level(s) of encryption you want to enforce (figure 10). All Microsoft clients support the strongest level of encryption. If you have non-Microsoft VPN clients that don’t support 128 bit encryption, select lower levels. However, realize that you lower the overall level of security conferred to the VPN link. We suggest that you select only the Strongest encryption (IPSec Triple DES or MPPE 128-bit) option. Click Next.


Figure 10 (Fig604)


12.   Review your settings on the Completing the New Remote Access Policy Wizard page and click Finish (figure 11).


Figure 11 (Fig605)



Configuring Remote Access Permissions


The conditions on the new Remote Access Policy require that the connection be a “virtual” or VPN connection (either PPTP or L2TP/IPSec) and the user must belong to the Domain Users group (figure 12). In addition, the Remote Access Profile (figure 13) stipulates that the user must use MS-CHAP v2 or EAP-TLS to authenticate and the client must support the highest level of encryption available for the VPN protocol they use to connect.


Figure 12 (fig606)


Figure 13 (fig607)


The VPN client connection parameters are first compared to the conditions of the policy. There are two conditions in the policy we created above: the connection must be a virtual connection and the user must be a member of the Domain Users group. If the connection request matches both conditions, then the Remote Access Permission of the account is determined. Remote Access Permissions can be determined differently depending on the functional level of the domain the user account belongs to.


Windows Server 2003 domains do not use the Mixed and Native Mode designations you might be familiar with in Windows 2000. Windows Server 2003 domains have different functional levels. If all the domain controllers in your domain run Windows Server 2003, the default functional level is Windows 2000 mixed.


In a Windows 2000 mixed functional level domain, all user accounts are denied VPN (Dial up) access by default. User accounts in Windows 2000 mixed functional level domains require you to configure permissions on a per user basis. User account permissions override Remote Access Policy permissions in Windows 2000 mixed functional level domains. Windows 2000 mixed functional level domains do not support assigning Windows Group Remote Access Permissions.


You must raise the domain functional level to Windows 2000 Native or Windows Server 2003 if you wish to support Remote Access Permissions controlled via Remote Access Policy. The default Remote Access Permission in Windows 2000 Native and Windows Server 2003 domains is Control access through Remote Access Policy. You can assign VPN Remote Access Permissions on a per group basis after you raise the functional level of the domain.


When a connection request matches the conditions in the Remote Access Policy and the user is granted access via either the user account settings or Remote Access Policy, the connection must match the settings defined in the Remote Access Profile. If the incoming connection doesn’t match the Remote Access Profile settings, then the Remote Access Policy denies the request. If there are more remote access policies in the list, the connection will be run against the other policies. If no policy matches the incoming connection’s parameters, the ISA Server firewall/VPN server drops the connection request.
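As an added example (not part of the Deployment Kit), the following Python model walks a connection attempt through the evaluation order described at the start of this document and in the paragraphs above: policy conditions first, then Remote Access Permission (the account's Dial-in setting overriding the policy's permission, and a Windows 2000 mixed domain never consulting the policy's permission), then the Remote Access Profile. The policy, group and domain name are constructed values that mirror the wizard steps above.

```python
# Added model (not the Deployment Kit's code) of how RRAS evaluates a VPN connection
# against an ordered list of Remote Access Policies. All values are constructed.
from dataclasses import dataclass

@dataclass
class Connection:
    groups: set          # Windows groups of the calling user
    nas_port_type: str   # "Virtual (VPN)" for PPTP/L2TP, "Async (Modem)" for dial-up
    tunnel_type: str     # "PPTP", "L2TP" or "None"
    auth_method: str     # "MS-CHAPv2", "EAP-TLS", "MS-CHAP", ...
    encryption: str      # "Strongest", "Strong", "Basic" or "None"

@dataclass
class Policy:
    name: str
    conditions: dict         # condition name -> acceptable values; all must match
    permission: str          # "Grant" or "Deny"; used only when the account says "Policy"
    profile_auth: set        # authentication methods the profile allows
    profile_encryption: set  # encryption levels the profile allows

def conditions_match(policy, conn):
    attrs = {"NAS-Port-Type": {conn.nas_port_type},
             "Tunnel-Type": {conn.tunnel_type},
             "Windows-Groups": conn.groups}
    # Every condition must be met; Windows-Groups is met by any group in common.
    return all(attrs[name] & allowed for name, allowed in policy.conditions.items())

def effective_permission(policy, account_dialin, functional_level):
    """account_dialin is the account's Dial-in setting: "Allow", "Deny" or "Policy".
    The per-account setting overrides the policy's permission, and in a Windows 2000
    mixed domain "Policy" is unavailable: accounts there default to Deny."""
    if functional_level == "Windows 2000 mixed" and account_dialin == "Policy":
        account_dialin = "Deny"
    if account_dialin == "Policy":
        return policy.permission
    return "Grant" if account_dialin == "Allow" else "Deny"

def evaluate(policies, conn, account_dialin, functional_level):
    """Try policies top to bottom; the first one whose conditions match decides."""
    for policy in policies:
        if not conditions_match(policy, conn):
            continue  # conditions not met: evaluate the next policy in the list
        if effective_permission(policy, account_dialin, functional_level) != "Grant":
            return ("rejected", f"{policy.name}: remote access permission denied")
        if (conn.auth_method not in policy.profile_auth
                or conn.encryption not in policy.profile_encryption):
            return ("rejected", f"{policy.name}: profile mismatch")
        return ("accepted", policy.name)
    return ("rejected", "no policy matched")

# The policy the wizard in this document builds (constructed; domain named INTERNAL).
VPN_ACCESS_POLICY = Policy(
    name="VPN Access Policy",
    conditions={"NAS-Port-Type": {"Virtual (VPN)"},
                "Windows-Groups": {r"INTERNAL\Domain Users"}},
    permission="Grant",
    profile_auth={"MS-CHAPv2", "EAP-TLS"},
    profile_encryption={"Strongest"},
)
```

Deleting the two built-in policies, as the document recommends later, is what makes a dial-up attempt fall through to "no policy matched" in this model.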


The VPN Remote Access Policy you created includes all the settings required for a secure VPN connection. The decision now centers on how you want to control Remote Access Permissions:

·         Per user, via the Dial-in tab of each user account (available at any domain functional level)

·         Per group, via the Remote Access Policy (requires the Windows 2000 Native or Windows Server 2003 domain functional level)

The following procedures are required to allow either per user or per group based VPN client access control:

·         Setting the Dial-in permission on individual user accounts

·         Raising the domain functional level

·         Editing the VPN Access Policy to grant access to a Windows group



Perform the following steps if you want to control access on a per user basis:


  1. Click Start, point to Administrative Tools and click on Active Directory Users and Computers.
  2. In the Active Directory Users and Computers console (figure 14), expand your domain name and click on the Users node.


Figure 14 (fig608)


  3. Double click on a user account in the right pane of the console. In the user account Properties dialog box, click on the Dial-in tab (figure 15). Note the default setting on the account is Deny access. You can allow VPN access for the account by selecting the Allow access option. The per user account setting overrides permissions set on the Remote Access Policy.


Notice that the Control access through Remote Access Policy option is disabled. This option is only available when the domain is at the Windows 2000 Native or Windows Server 2003 functional level.


Figure 15 (fig609)


  4. Click Apply and then click OK to commit any Dial-in permission changes you’ve made to the account.


You need to change the domain functional level if you want to control access on a per group basis. Perform the following steps to change the domain functional level:


*       Note:
Changing the functional level of the Windows Server 2003 domain requires that you completely understand the implications of such a change. Please refer to the Windows Server 2003 Help file for more information on Windows Server 2003 domain functional levels.


  1. On a domain controller in your domain, open the Active Directory Domains and Trusts console. Click Start, point to Administrative Tools and click on Active Directory Domains and Trusts (figure 16).


Figure 16 (fig513)


  2. In the Active Directory Domains and Trusts console, right click on your domain and click on the Raise Domain Functional Level command (figure 17).


Figure 17 (fig514)


  3. In the Raise Domain Functional Level dialog box (figure 18), click the down arrow in the Select an available domain functional level drop down list, select either Windows 2000 native or Windows Server 2003, depending on the type of domain functional level you want to support. Click the Raise button after making your selection.


Figure 18 (fig515)


  4. Click OK in the Raise Domain Functional Level dialog box (figure 19). This dialog box explains that the change affects the entire domain and after the change is made, it cannot be reversed.


Figure 19 (fig516)


  5. Click OK in the Raise Domain Functional Level dialog box (figure 20) that informs you that the functional level was raised successfully. Note that you do not need to restart the computer for the changes to take effect. However, the default Remote Access Permission will not change for user accounts until Active Directory replication has completed.


Figure 20 (fig517)


  6. Return to the Active Directory Users and Computers console and double click on a user account. Click on the Dial-in tab (figure 21) in the user’s Properties dialog box. Notice how the Control access through Remote Access Policy option is enabled and selected by default.


Figure 21 (fig518)



Now that the domain is at a higher functional level, you can control VPN access on a per group basis.


Let’s take a closer look at the VPN Remote Access Policy:


  1. Click Start, point to Administrative Tools and click on Routing and Remote Access.
  2. Click on the Remote Access Policies node in the left pane of the console (figure 22). You will see the VPN Access Policy you created and two other, built-in Remote Access Policies. You can delete these built-in Remote Access Policies if you require only VPN connections to your ISA Server firewall/VPN server.


Right click on the Connections to other access servers Remote Access Policy and click Delete. Repeat with the Connections to Microsoft Routing and Remote Access server Remote Access Policy.


*       Note:
We recommend that you do not allow inbound direct dial-up connections. Allow the ISA Server firewall/VPN server to accept only inbound VPN connections via Remote Access Policy.


Figure 22 (fig610)


  3. Double click on the VPN Access Policy in the right pane of the console. In the VPN Access Policy Properties dialog box (figure 23) there are two options that control access permissions based on Remote Access Policy:

·         Deny remote access permission

·         Grant remote access permission

This dialog box informs you that the user account settings override the Remote Access Permission settings. Select Grant remote access permission to allow members of the Domain Users group access to the VPN server. Notice that the Policy conditions frame contains the entry Windows-Groups matches “INTERNAL\Domain Users”. Select that entry and then click the Edit button.


Figure 23 (fig519)


  4. You can change or add groups in the Groups dialog box. For example, you may want to create a VPN Users group and allow only that group. In that case, select the existing group and click the Remove button (figure 24). Then click the Add button to add the new group. Click OK in the Groups dialog box.


Figure 24 (fig611)


  5. Click Apply and then click OK in the VPN Access Policy Properties dialog box to save the changes.


Configuring the ISA Server firewall/VPN Server to Support EAP-TLS Authentication for PPTP and L2TP/IPSec VPN Clients


The next step is to configure the ISA Server firewall/VPN server to support EAP/TLS authentication. Perform the following steps to configure the ISA Server firewall/VPN server:


  1. Confirm that you have enabled the ISA Server firewall as a VPN Server. Please refer to ISA Server 2000 VPN Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server for details on how to configure the ISA Server firewall as a VPN server.
  2. Click Start, point to Administrative Tools and click on Routing and Remote Access. In the Routing and Remote Access console, right click on your server name and click the Properties command.
  3. Click on the Security tab in the server’s Properties dialog box (figure 25). On the Security tab, click on the Authentication Methods button.


Figure 25 (Fig612)


  4. On the Authentication Methods dialog box (figure 26), place a checkmark in the Extensible authentication protocol (EAP) checkbox. Leave the status of the Microsoft encrypted authentication version 2 (MS-CHAP v2) checkbox unchanged (it should be enabled). Remove the checkmark from the Microsoft encrypted authentication (MS-CHAP) checkbox. The server will attempt to negotiate the highest level of authentication first and work its way down the list of selected methods. Click the EAP Methods button.


Figure 26 (Fig613)


  5. The EAP Methods dialog box (figure 27) shows what EAP methods are supported on the ISA Server firewall/VPN server. We want to be able to support certificate-based user authentication using EAP/TLS. The Smart Card or other certificate entry in the list of Methods indicates that this VPN server can support certificate-based user authentication. Click OK in the EAP Methods dialog box. Click OK in the Authentication Methods dialog box. Click Apply in the server Properties dialog box.


*       Note:
The ISA Server firewall/VPN server must have a machine certificate installed before it can support EAP/TLS certificate-based user authentication. Please refer to ISA Server 2000 VPN Deployment Kit document Assigning Certificates to Domain Members via Autoenrollment in a Windows Server 2003 Active Directory Domain for details on how to assign a machine certificate to the ISA Server firewall/VPN server.


Figure 27 (fig614)


  6. Click No in the Routing and Remote Access dialog box (figure 28) that informs you that you selected one or more authentication methods and asks whether you would like to view the Help topic.


Figure 28 (fig615)


  7. Click OK in the server Properties dialog box.
  8. Right click on the server name, point to All Tasks and click the Restart command to restart the Routing and Remote Access Service.


The ISA Server firewall/VPN server is now ready to support PPTP and L2TP/IPSec VPN connections using either MS-CHAP version 2 or certificate-based EAP/TLS authentication. Note that the VPN client must have a user certificate before it can use certificate-based EAP/TLS authentication to authenticate with the ISA Server firewall/VPN server. Please refer to ISA Server 2000 VPN Deployment Kit document Configuring the VPN Client and Server to Support Certificate-Based PPTP EAP-TLS Authentication for details on how to configure the VPN client with a user certificate.