Creating Routing and Remote Access Policy and Remote Access Permissions in Windows Server 2003 – Including EAP-TLS Authentication for PPTP and L2TP/IPSec Clients
The Routing and Remote Access Service (RRAS) on the ISA Server firewall/VPN server uses Remote Access Service Policies to determine which VPN connections should be allowed or denied. If an incoming VPN connection attempt doesn’t match the parameters contained in one of the Remote Access Policies configured on the ISA Server firewall/VPN server, the connection attempt will be blocked.
Remote Access Policies have three main components:
Remote Access Policy conditions are a set of attributes that are compared to the properties of the connection attempt made by the remote access client. There can be one or more Remote Access conditions applied to a single Remote Access Policy. Examples of Remote Access conditions include Windows Groups (the group membership of the caller trying to authenticate with the ISA Server firewall/VPN server), NAS Port Type (such as a VPN connection) and Tunnel Type (PPTP or L2TP). If the properties of the connection attempt do not match the conditions of the Remote Access Policy, the connection will not be allowed by that policy.
If all the conditions for a Remote Access Policy are met, then Remote Access Permission is either granted or denied. Remote Access Permission can be controlled via Remote Access Policy, or via the properties of the caller’s user account. You can always control Remote Access Permission on a per user account basis. However, if you want to control access via Remote Access Policy, the domain the user account belongs to must run at the Windows 2000 Native or Windows Server 2003 functional level. If the user doesn’t have permission, the connection attempt is denied.
If the user is granted Remote Access Permission, then the connection’s properties are compared to the settings in the Remote Access Profile configured for that policy. A Remote Access Profile includes components such as the level of encryption required for the VPN protocol and the authentication methods supported. If the connection does not match the settings in the profile, the connection attempt is dropped, even though the connection attempt matches the Remote Access Policy conditions and the user has Remote Access Permission.
The ISA Server firewall/VPN server can be configured with multiple Remote Access Policies. If the Remote Access Policy at the top of the list doesn’t allow access, then the second Remote Access Policy will be evaluated. If the second Remote Access Policy doesn’t allow access, then the third policy is evaluated. The connection request is denied when no policy matches the request.
The following procedures are discussed in this ISA Server 2000 VPN Deployment Kit document:
Creating a VPN Client Remote Access Policy
Remote Access Policies configured on the ISA Server firewall/VPN server are enforced against all VPN clients calling the server. The Windows Server 2003 Routing and Remote Access Service has a Remote Access Policy Wizard that makes it easy to create a secure VPN client Remote Access Policy.
Perform the following steps to create a VPN client Remote Access Policy on the ISA Server firewall/VPN Server:
Note: Perform this procedure only after the ISA Server Virtual Private Network Configuration Wizard has been run. Please refer to the ISA Server 2000 VPN Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server for information on running the ISA Server Virtual Private Network Configuration Wizard.
1. Click Start, point to Administrative Tools and click on Routing and Remote Access.
2. In the Routing and Remote Access console (figure 1), expand your server name and then right click on the Remote Access Policies node in the left pane. Click on the New Remote Access Policy command.
Figure 1 (fig502)
3. Click Next on the Welcome to the New Remote Access Policy Wizard page (figure 2).
Figure 2 (fig503)
4. On the Policy Configuration Method page (figure 3), select the Use the wizard to set up a typical policy for a common scenario option. In the Policy name text box, type in a name for the policy. In this example, we’ll call it VPN Access Policy. Click Next.
Figure 3 (Fig131)
5. Select the VPN option on the Access Method page (figure 4). This policy will be used for all VPN connections. However, you can create separate policies for PPTP and L2TP/IPSec VPN connections. If you wish to create separate policies for PPTP and L2TP/IPSec connections, then you will need to go back in the Wizard and create two custom policies. In this example we will apply the same policy to all VPN connections. Click Next.
Figure 4 (Fig132)
6. You can grant access to the VPN server based on user or group (figure 5). The best method of access control is via Windows groups. VPN access control via Windows groups is easier to manage and reduces administrative overhead. You can create a group such as VPN Users and allow only this group access, or you can allow all your users access. It depends on who you want to give VPN access to the network.
Figure 5 (Fig504)
7. Click the Add button on the User or Group Access page (figure 5). In the Enter the object names to select text box, type in the name of the Group requiring VPN access. Click the examples link to see examples of how to type in the Group name. You can also click the Advanced button and browse the local computer or the domain for the name of the group. Click OK in the Select Groups dialog box after selecting your group. In this example we will use the Domain Users group and give VPN access to all users in the domain.
Figure 6 (fig600)
8. Click Next in the User or Group Access dialog box (figure 7).
Figure 7 (fig601)
9. You can select the user authentication methods to allow on the Authentication Methods page (figure 8). The preferred authentication methods are:
· Microsoft Encrypted Authentication version 2
· Extensible Authentication Protocol (EAP)
Select both the Extensible Authentication Protocol (EAP) and Microsoft Encrypted Authentication version 2 (MS-CHAPv2) checkboxes. Click the down arrow in the Type (based on method of access and network configuration) drop down list box and select the Smart Card or other certificate option, then click the Configure button.
Figure 8 (fig602)
10. In the Smart Card or other Certificate Properties dialog box (figure 9), select the certificate you want the server to use to identify itself to VPN clients.
Almost all small business environments will have a single certificate. This certificate is a machine certificate assigned to the ISA Server firewall/VPN server. The ISA Server firewall/VPN server uses this certificate to identify itself when the VPN client is configured to confirm the server’s validity during user certificate authentication.
Click OK in the Smart Card or other Certificate Properties dialog box and then click Next.
Note: If you do not see the certificate in the Smart Card or other Certificate Properties dialog box, then restart the RADIUS server and start over. The certificate will then appear in this dialog box after the restart.
Figure 9 (fig603)
11. Select the level(s) of encryption you want to enforce (figure 10). All Microsoft clients support the strongest level of encryption. If you have non-Microsoft VPN clients that don’t support 128 bit encryption, select lower levels. However, realize that you lower the overall level of security conferred on the VPN link. We suggest that you select only the Strongest encryption (IPSec Triple DES or MPPE 128-bit) option. Click Next.
Figure 10 (Fig604)
12. Review your settings on the Completing the New Remote Access Policy Wizard page and click Finish (figure 11).
Figure 11 (Fig605)
Configuring Remote Access Permissions
The conditions on the new Remote Access Policy require that the connection be a “virtual” or VPN connection (either PPTP or L2TP/IPSec) and that the user belong to the Domain Users group (figure 12). In addition, the Remote Access Profile (figure 13) stipulates that the user must use MS-CHAP v2 or EAP-TLS to authenticate and the client must support the highest level of encryption available for the VPN protocol they use to connect.
Figure 12 (fig606)
Figure 13 (fig607)
The VPN client connection parameters are first compared to the conditions of the policy. There are two conditions in the policy we created above: the connection must be a virtual connection and the user must be a member of the Domain Users group. If the connection request matches both conditions, then the Remote Access Permission of the account is determined. Remote Access Permissions can be determined differently depending on the functional level of the domain the user account belongs to.
Windows Server 2003 domains do not use the Mixed and Native Mode designations you might be familiar with in Windows 2000. Windows Server 2003 domains have different functional levels. If all the domain controllers in your domain run Windows Server 2003, the default functional level is Windows 2000 mixed.
In a Windows 2000 mixed functional level domain, all user accounts are denied VPN (Dial up) access by default. User accounts in Windows 2000 mixed functional level domains require you to configure permissions on a per user basis. User account permissions override Remote Access Policy permissions in Windows 2000 mixed functional level domains. Windows 2000 mixed functional level domains do not support assigning Windows Group Remote Access Permissions.
You must raise the domain functional level to Windows 2000 Native or Windows Server 2003 if you wish to support Remote Access Permissions controlled via Remote Access Policy. The default Remote Access Permission in Windows 2000 Native and Windows Server 2003 domains is Control access through Remote Access Policy. You can assign VPN Remote Access Permissions on a per group basis after you raise the functional level of the domain.
When a connection request matches the conditions in the Remote Access Policy and the user is granted access via either the user account settings or Remote Access Policy, the connection must match the settings defined in the Remote Access Profile. If the incoming connection doesn’t match the Remote Access Profile settings, then the Remote Access Policy denies the request. If there are more remote access policies in the list, the connection will be run against the other policies. If no policy matches the incoming connection’s parameters, the ISA Server firewall/VPN server drops the connection request.
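The three-stage evaluation described above (policy conditions, then Remote Access Permission, then the Remote Access Profile, tried policy by policy down the list) can be modelled in a few lines. The following Python is an added illustration, not code from the ISA Server 2000 VPN Deployment Kit or from Windows itself; the policy, the group name, the connection attempts and the attribute names are constructed, and the fall-through order follows this document's description (a conditions miss or a profile miss moves on to the next policy, a permission denial rejects the attempt). The mixed-mode branch reflects the point made above that in a Windows 2000 mixed domain the per-account setting is the only control.

```python
"""Model of Remote Access Policy evaluation on an RRAS/ISA Server VPN server.

Added illustration; not code from the ISA Server VPN Deployment Kit.
Policy name, group name and connection attributes are constructed examples.
"""
from dataclasses import dataclass

# Remote Access Permission on the user account (Dial-in tab).
ALLOW, DENY, CONTROL_BY_POLICY = "allow", "deny", "policy"

# Strongest encryption per tunnel type, as selected in step 11 of the wizard.
STRONGEST = {"PPTP": "MPPE 128-bit", "L2TP": "IPSec Triple DES"}


@dataclass
class Connection:
    user: str
    groups: frozenset          # Windows groups the caller belongs to
    nas_port_type: str         # "Virtual (VPN)" for PPTP/L2TP, "Async (Modem)" for dial-up
    tunnel_type: str           # "PPTP" or "L2TP"
    auth_method: str           # "MS-CHAP v2", "EAP-TLS", "PAP", ...
    encryption: str            # negotiated encryption level


@dataclass
class Policy:
    name: str
    conditions: dict           # attribute name -> set of acceptable values
    permission: str            # ALLOW or DENY once the conditions match
    profile_auth: frozenset    # authentication methods allowed by the profile
    strongest_only: bool = True  # profile requires the strongest encryption


def conditions_match(policy, conn):
    """Every condition must match; Windows-Groups matches any listed group."""
    for attr, allowed in policy.conditions.items():
        value = getattr(conn, attr)
        if attr == "groups":
            if not (value & allowed):
                return False
        elif value not in allowed:
            return False
    return True


def permission_granted(policy, account_setting, domain_native):
    """Remote Access Permission: the account setting first, the policy second."""
    if not domain_native:
        # Windows 2000 mixed: the account setting is the only control and
        # "Control access through Remote Access Policy" is unavailable.
        return account_setting == ALLOW
    if account_setting == CONTROL_BY_POLICY:
        return policy.permission == ALLOW
    return account_setting == ALLOW


def profile_match(policy, conn):
    """Remote Access Profile: authentication method and encryption level."""
    if conn.auth_method not in policy.profile_auth:
        return False
    if policy.strongest_only and conn.encryption != STRONGEST.get(conn.tunnel_type):
        return False
    return True


def evaluate(policies, conn, account_setting, domain_native):
    """Walk the ordered policy list and return (accepted, reason)."""
    for policy in policies:
        if not conditions_match(policy, conn):
            continue                      # conditions miss: try the next policy
        if not permission_granted(policy, account_setting, domain_native):
            return False, f"{policy.name}: remote access permission denied"
        if not profile_match(policy, conn):
            continue                      # profile miss: remaining policies are tried
        return True, f"{policy.name}: accepted"
    return False, "no policy matched the connection request"


# Constructed policy equivalent to the "VPN Access Policy" built by the wizard.
VPN_ACCESS_POLICY = Policy(
    name="VPN Access Policy",
    conditions={"nas_port_type": {"Virtual (VPN)"},
                "groups": {"INTERNAL\\Domain Users"}},
    permission=ALLOW,
    profile_auth=frozenset({"MS-CHAP v2", "EAP-TLS"}),
)

# Constructed connection attempts.
PPTP_OK = Connection("alice", frozenset({"INTERNAL\\Domain Users"}),
                     "Virtual (VPN)", "PPTP", "MS-CHAP v2", "MPPE 128-bit")
L2TP_WEAK = Connection("bob", frozenset({"INTERNAL\\Domain Users"}),
                       "Virtual (VPN)", "L2TP", "EAP-TLS", "IPSec DES")
DIALUP = Connection("carol", frozenset({"INTERNAL\\Domain Users"}),
                    "Async (Modem)", "", "MS-CHAP v2", "MPPE 128-bit")


if __name__ == "__main__":
    for conn in (PPTP_OK, L2TP_WEAK, DIALUP):
        print(conn.user, evaluate([VPN_ACCESS_POLICY], conn, CONTROL_BY_POLICY, True))
```

Running the block shows the PPTP attempt accepted, the L2TP attempt with weak IPSec encryption rejected for lack of a matching policy (the profile miss falls through and no other policy exists), and the dial-up attempt rejected because its NAS Port Type never matches the VPN condition. Changing `domain_native` to `False` shows why per-group control needs the raised functional level: with the account set to Control access through Remote Access Policy, a mixed-mode domain still denies the call.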
The VPN Remote Access Policy you created includes all the settings required for a secure VPN connection. The decision now centers on how you want to control Remote Access Permissions:
The following procedures are required to allow either per user or per group based VPN client access control:
Perform the following steps if you want to control access on a per user basis:
Figure 14 (fig608)
Notice that the Control access through Remote Access Policy option is disabled. This option is available when the domain is at the Windows 2000 Native or Windows Server 2003 functional level.
Figure 15 (fig609)
You need to change the domain functional level if you want to control access on a per group basis. Perform the following steps to change the domain functional level:
Note: Changing the functional level of the Windows Server 2003 domain requires that you completely understand the implications of such a change. Please refer to the Windows Server 2003 Help file or for more information on Windows Server 2003 domain functional levels.
Figure 16 (fig513)
Figure 17 (fig514)
Figure 18 (fig515)
Figure 19 (fig516)
Figure 20 (fig517)
Figure 21 (fig518)
You can now control VPN access on a per group basis, since the domain is at a higher functional level.
Let’s take a closer look at the VPN Remote Access Policy:
Right click on the Connections to other access servers Remote Access Policy and click Delete. Repeat with the Connections to Microsoft Routing and Remote Access server Remote Access Policy.
Note: We recommend that you do not allow inbound direct dial-up connections. Allow the ISA Server firewall/VPN server to accept only inbound VPN connections via Remote Access Policy.
Figure 22 (fig610)
This dialog box informs you that the user account settings override the Remote Access Permission settings. Select the Grant remote access permission option to allow members of the Domain Users group access to the VPN server. Notice in the Policy conditions frame the Windows-Groups matches “INTERNAL\Domain Users” entry. Select that entry and then click the Edit button.
Figure 23 (fig519)
Figure 24 (fig611)
Configuring the ISA Server firewall/VPN Server to Support EAP-TLS Authentication for PPTP and L2TP/IPSec VPN Clients
The next step is to configure the ISA Server firewall/VPN server to support EAP/TLS authentication. Perform the following steps to configure the ISA Server firewall/VPN server:
Figure 25 (Fig612)
Figure 26 (Fig613)
Note: The ISA Server firewall/VPN server must have a machine certificate installed before it can support EAP/TLS certificate-based user authentication. Please refer to the ISA Server 2000 VPN Deployment Kit document Assigning Certificates to Domain Members via Autoenrollment in a Windows Server 2003 Active Directory Domain for details on how to assign a machine certificate to the ISA Server firewall/VPN server.
Figure 27 (fig614)
Figure 28 (fig615)
The ISA Server firewall/VPN server is now ready to support PPTP and L2TP/IPSec VPN connections using either MS-CHAP version 2 or certificate-based EAP/TLS authentication. Note that the VPN client must have a user certificate before it can use certificate-based EAP/TLS authentication to authenticate with the ISA Server firewall/VPN server. Please refer to the ISA Server 2000 VPN Deployment Kit document Configuring the VPN Client and Server to Support Certificate-Based PPTP EAP-TLS Authentication for details on how to configure the VPN client with a user certificate.