Creating Routing and Remote Access Policy and Remote Access Permissions in Windows Server 2003 – Including EAP-TLS Authentication for PPTP and L2TP/IPSec Clients
The Routing and Remote Access Service (RRAS) on the ISA Server firewall/VPN server uses Remote Access Policies to determine which VPN connections are allowed or denied. If an incoming VPN connection attempt doesn’t match the parameters contained in one of the Remote Access Policies configured on the ISA Server firewall/VPN server, the connection attempt is blocked.
Remote Access Policies have three main components:
Remote Access Policy conditions are a set of attributes that are compared to the properties of the connection attempt made by the remote access client. One or more conditions can be applied to a single Remote Access Policy, and all of them must match. Examples of Remote Access conditions include Windows Groups (the group membership of the caller trying to authenticate with the ISA Server firewall/VPN server), NAS Port Type (such as a VPN connection) and Tunnel Type (PPTP or L2TP). If the properties of the connection attempt do not match the conditions of the Remote Access Policy, that policy does not apply to the connection.
If all the conditions for a Remote Access Policy are met, then Remote Access Permission is either granted or denied. Remote Access Permission can be controlled via Remote Access Policy, or via the properties of the caller’s user account. You can always control Remote Access Permission on a per user account basis. However, if you want to control access via Remote Access Policy, the domain the user account belongs to must run at the Windows 2000 Native or Windows Server 2003 functional level. If the user doesn’t have permission, the connection attempt is denied.
If the user is granted Remote Access Permission, then the connection’s properties are compared to the settings in the Remote Access Profile configured for that policy. A Remote Access Profile includes components such as the level of encryption required for the VPN protocol and the authentication methods supported. If the connection does not match the settings in the profile, the connection attempt is dropped, even though the connection attempt matched the Remote Access Policy conditions and the user has Remote Access Permission.
The ISA Server firewall/VPN server can be configured with multiple Remote Access Policies, and they are evaluated in the order they appear in the list. If the conditions of the Remote Access Policy at the top of the list do not match the connection attempt, the second Remote Access Policy is evaluated; if the second policy’s conditions do not match, the third policy is evaluated, and so on. The first policy whose conditions match is the one that decides the outcome: if that policy denies permission, or the connection fails its profile settings, the connection is rejected and the remaining policies are not consulted. The connection request is also denied when no policy’s conditions match the request.
The following procedures are discussed in this ISA Server 2000 VPN Deployment Kit document:
Creating a VPN Client Remote Access Policy
Remote Access Policies configured on the ISA Server firewall/VPN server are enforced against all VPN clients calling the server. The Windows Server 2003 Routing and Remote Access Service has a Remote Access Policy Wizard that makes it easy to create a secure VPN client Remote Access Policy.
Perform the following steps to create a VPN client Remote Access Policy on the ISA Server firewall/VPN Server:
Perform this procedure only after the ISA Server Virtual Private Network Configuration Wizard has been run. Please refer to the ISA Server 2000 VPN Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server for information on running the ISA Server Virtual Private Network Configuration Wizard.
1. Click Start, point to Administrative Tools and click on Routing and Remote Access.
2. In the Routing and Remote Access console (figure 1), expand your server name and then right click on the Remote Access Policies node in the left pane. Click on the New Remote Access Policy command.
Figure 1 (fig502)
3. Click Next on the Welcome to the New Remote Access Policy Wizard page (figure 2).
Figure 2 (fig503)
4. On the Policy Configuration Method page (figure 3), select the Use the wizard to set up a typical policy for a common scenario option. In the Policy name text box, type in a name for the policy. In this example, we’ll call it VPN Access Policy. Click Next.
Figure 3 (Fig131)
5. Select the VPN option on the Access Method page (figure 4). This policy will be used for all VPN connections. However, you can create separate policies for PPTP and L2TP/IPSec VPN connections. If you wish to create separate policies for PPTP and L2TP/IPSec connections, then you will need to go back in the Wizard and create two custom policies. In this example we will apply the same policy to all VPN connections. Click Next.
Figure 4 (Fig132)
6. You can grant access to the VPN server based on user or group (figure 5). The best method of access control is via Windows groups. VPN access control via Windows groups is easier to manage and reduces administrative overhead. You can create a dedicated group such as VPN Users and allow only this group access, or you can allow all your users access. It depends on who you want to give VPN access to the network. Keep in mind that Domain Users contains every account in the domain, including service and test accounts, so a dedicated group is the safer choice in anything larger than a small test network.
Figure 5 (Fig504)
7. Click the Add button on the User or Group Access page (figure 5). In the Enter the object names to select text box, type in the name of the Group requiring VPN access. Click the examples link to see examples of how to type in the Group name. You can also click the Advanced button and browse the local computer or the domain for the name of the group. Click OK in the Select Groups dialog box after selecting your group. In this example we will use the Domain Users group and give VPN access to all users in the domain.
Figure 6 (fig600)
8. Click Next in the User or Group Access dialog box (figure 7).
Figure 7 (fig601)
9. You can select the user authentication methods to allow on the Authentication Methods page (figure 8). The preferred authentication methods are:
· Microsoft Encrypted Authentication version 2 (MS-CHAP v2)
· Extensible Authentication Protocol (EAP)
Select both the Extensible Authentication Protocol (EAP) and Microsoft Encrypted Authentication version 2 (MS-CHAPv2) checkboxes and leave the weaker methods cleared. Click the down arrow in the Type (based on method of access and network configuration) drop down list box, select the Smart Card or other certificate option, and then click the Configure button.
Figure 8 (fig602)
10. In the Smart Card or other Certificate Properties dialog box (figure 9), select the certificate you want the server to use to identify itself to VPN clients.
Almost all small business environments will have a single certificate. This certificate is a machine certificate assigned to the ISA Server firewall/VPN server. The ISA Server firewall/VPN server uses this certificate to identify itself when the VPN client is configured to confirm the server’s validity during user certificate authentication.
Click OK in the Smart Card or other Certificate Properties dialog box and then click Next.
If you do not see the certificate in the Smart Card or other Certificate Properties dialog box, restart the Routing and Remote Access service and start over. The service reads the machine certificate store when it starts, so a certificate installed after the service was started only appears in this dialog box after the restart.
Figure 9 (fig603)
11. Select the level(s) of encryption you want to enforce (figure 10). All Microsoft clients support the strongest level of encryption. If you have non-Microsoft VPN clients that don’t support 128 bit encryption, you can select lower levels; however, realize that you lower the overall level of security conferred on the VPN link. We suggest that you select only the Strongest encryption (IPSec Triple DES or MPPE 128-bit) option. Note that with PPTP and MS-CHAP v2 the MPPE keys are derived from the user’s password credentials, so 128-bit MPPE is only as strong as the password behind it; EAP-TLS (keys derived from the TLS handshake) or L2TP/IPSec avoids that dependency. Click Next.
Figure 10 (Fig604)
12. Review your settings on the Completing the New Remote Access Policy Wizard page and click Finish (figure 11).
Figure 11 (Fig605)
Configuring Remote Access Permissions
The conditions on the new Remote Access Policy require that the connection be a “virtual” or VPN connection (either PPTP or L2TP/IPSec) and that the user belong to the Domain Users group (figure 12). In addition, the Remote Access Profile (figure 13) stipulates that the user must use MS-CHAP v2 or EAP-TLS to authenticate and that the client must support the highest level of encryption available for the VPN protocol used to connect.
Figure 12 (fig606)
Figure 13 (fig607)
The VPN client connection parameters are first compared to the conditions of the policy. There are two conditions in the policy we created above: the connection must be a virtual connection and the user must be a member of the Domain Users group. If the connection request matches both conditions, then the Remote Access Permission of the account is determined. Remote Access Permissions can be determined differently depending on the functional level of the domain the user account belongs to.
Windows Server 2003 domains do not use the Mixed and Native Mode designations you might be familiar with from Windows 2000. Windows Server 2003 domains have different functional levels. A new Windows Server 2003 domain starts at the Windows 2000 mixed functional level, even when all the domain controllers in the domain run Windows Server 2003; the level is not raised until you raise it explicitly.
In a Windows 2000 mixed functional level domain, all user accounts are denied VPN (Dial up) access by default. User accounts in Windows 2000 mixed functional level domains require you to configure permissions on a per user basis. User account permissions override Remote Access Policy permissions in Windows 2000 mixed functional level domains. Windows 2000 mixed functional level domains do not support assigning Windows Group Remote Access Permissions.
You must raise the domain functional level to Windows 2000 Native or Windows Server 2003 if you wish to support Remote Access Permissions controlled via Remote Access Policy. The default Remote Access Permission in Windows 2000 Native and Windows Server 2003 domains is Control access through Remote Access Policy. You can assign VPN Remote Access Permissions on a per group basis after you raise the functional level of the domain.
When a connection request matches the conditions in the Remote Access Policy and the user is granted access via either the user account settings or Remote Access Policy, the connection must also match the settings defined in the Remote Access Profile. If the incoming connection doesn’t match the Remote Access Profile settings, the connection is rejected by that policy; the remaining policies in the list are not evaluated, because a policy whose conditions match is the one that decides the request. Policies further down the list are evaluated only when the conditions of the policies above them do not match. If no policy’s conditions match the incoming connection’s parameters, the ISA Server firewall/VPN server drops the connection request.
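The decision sequence described above (conditions, then Remote Access Permission, then Remote Access Profile, with the first policy whose conditions match deciding the request) and the effect of the domain functional level on the permission step are easy to get wrong when reading a policy list. The following Python model is an added illustration of that sequence, not Microsoft code and not part of the Deployment Kit; the policy names other than VPN Access Policy, the accounts, the group name INTERNAL\Domain Users and every connection attempt are constructed for the example. It also shows why the default dial-up policies matter: a permissive policy lower in the list never sees a VPN attempt the VPN policy already matched, but it does accept a dial-up attempt the VPN policy ignores.

```python
"""Model of RRAS remote access policy evaluation (Windows Server 2003 style).

Added example, not Microsoft code.  Accounts, the second policy and all
connection attempts below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Profile encryption levels, weakest to strongest (Basic 40-bit, Strong 56-bit,
# Strongest = MPPE 128-bit / IPSec 3DES as named in the wizard).
ENCRYPTION_RANK = {"basic": 1, "strong": 2, "strongest": 3}


@dataclass
class Account:
    name: str
    groups: Set[str]
    dialin: str = "deny"   # account dial-in setting: "allow", "deny" or "policy"


@dataclass
class Policy:
    name: str
    nas_port_types: Set[str]                 # condition: NAS-Port-Type
    windows_groups: Set[str]                 # condition: caller in any listed group
    tunnel_types: Optional[Set[str]] = None  # condition: Tunnel-Type (None = absent)
    grant: bool = True                       # policy-level Remote Access Permission
    auth_methods: Set[str] = field(default_factory=lambda: {"MS-CHAPv2", "EAP-TLS"})
    min_encryption: str = "strongest"        # profile settings


@dataclass
class Attempt:
    user: Account
    nas_port_type: str   # "Virtual" for VPN, "Async" for a modem dial-in
    tunnel_type: str     # "PPTP", "L2TP" or "none"
    auth_method: str
    encryption: str


def conditions_match(p: Policy, a: Attempt) -> bool:
    """All conditions of a policy are ANDed together."""
    if a.nas_port_type not in p.nas_port_types:
        return False
    if not (a.user.groups & p.windows_groups):
        return False
    if p.tunnel_types is not None and a.tunnel_type not in p.tunnel_types:
        return False
    return True


def permission_granted(p: Policy, a: Attempt, domain_level: str) -> bool:
    """The account setting wins; 'policy' defers to the policy and only exists
    at Windows 2000 native / Windows Server 2003 functional level."""
    setting = a.user.dialin
    if domain_level == "mixed":
        # "Control access through Remote Access Policy" is unavailable here:
        # anything other than an explicit allow is the mixed-mode default, deny.
        return setting == "allow"
    if setting == "policy":
        return p.grant
    return setting == "allow"


def profile_match(p: Policy, a: Attempt) -> bool:
    return (a.auth_method in p.auth_methods
            and ENCRYPTION_RANK[a.encryption] >= ENCRYPTION_RANK[p.min_encryption])


def evaluate(policies: List[Policy], a: Attempt, domain_level: str = "native") -> Tuple[str, str]:
    """Walk the ordered list; the first policy whose conditions match decides."""
    for p in policies:
        if not conditions_match(p, a):
            continue                      # only a condition mismatch moves on
        if not permission_granted(p, a, domain_level):
            return ("deny", f"{p.name}: remote access permission denied")
        if not profile_match(p, a):
            return ("deny", f"{p.name}: profile mismatch")
        return ("accept", p.name)
    return ("deny", "no policy matched")


VPN_POLICY = Policy("VPN Access Policy", {"Virtual"}, {"INTERNAL\\Domain Users"})
# Constructed stand-in for a permissive dial-up era policy left below the VPN policy.
LEGACY_POLICY = Policy("Legacy allow-all (constructed)", {"Virtual", "Async"},
                       {"INTERNAL\\Domain Users"},
                       auth_methods={"PAP", "CHAP", "MS-CHAP", "MS-CHAPv2", "EAP-TLS"},
                       min_encryption="basic")
POLICIES = [VPN_POLICY, LEGACY_POLICY]

ALICE = Account("alice", {"INTERNAL\\Domain Users"}, dialin="policy")   # constructed
BOB = Account("bob", {"INTERNAL\\Domain Users"}, dialin="deny")         # constructed


def demo() -> Dict[str, Tuple[str, str]]:
    good = Attempt(ALICE, "Virtual", "L2TP", "EAP-TLS", "strongest")
    pap = Attempt(ALICE, "Virtual", "PPTP", "PAP", "strongest")
    weak = Attempt(ALICE, "Virtual", "PPTP", "MS-CHAPv2", "basic")
    dialup = Attempt(ALICE, "Async", "none", "MS-CHAPv2", "strongest")
    return {
        "good_native": evaluate(POLICIES, good, "native"),
        "good_mixed": evaluate(POLICIES, good, "mixed"),
        "bob_denied": evaluate(POLICIES, Attempt(BOB, "Virtual", "PPTP", "EAP-TLS", "strongest")),
        "pap_first_match": evaluate(POLICIES, pap),        # legacy policy never consulted
        "weak_encryption": evaluate(POLICIES, weak),
        "dialup_no_legacy": evaluate([VPN_POLICY], dialup),
        "dialup_with_legacy": evaluate(POLICIES, dialup),   # why default policies get deleted
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} {result}")
```

Note that a PAP attempt from a Domain Users member is rejected by VPN Access Policy even though the permissive policy below it would accept PAP: the evaluation stops at the first condition match. The same dial-up attempt is rejected when only VPN Access Policy exists and accepted when the permissive policy remains in the list, which is the reason for deleting the default policies later in this document.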
The VPN Remote Access Policy you created includes all the settings required for a secure VPN connection. The decision now centers on how you want to control Remote Access Permissions:
The following procedures are required to allow either per user or per group based VPN client access control:
Perform the following steps if you want to control access on a per user basis:
Figure 14 (fig608)
Notice that the Control access through Remote Access Policy option is disabled. This option becomes available only when the domain is at the Windows 2000 Native or Windows Server 2003 functional level.
Figure 15 (fig609)
You need to change the domain functional level if you want to control access on a per group basis. Perform the following steps to change the domain functional level:
Changing the functional level of the Windows Server 2003 domain requires that you completely understand the implications of such a change; raising the level is a one-way operation that cannot be undone, and it excludes domain controllers running earlier Windows versions. Please refer to the Windows Server 2003 Help file for more information on Windows Server 2003 domain functional levels.
Figure 16 (fig513)
Figure 17 (fig514)
Figure 18 (fig515)
Figure 19 (fig516)
Figure 20 (fig517)
Figure 21 (fig518)
You can now control VPN access on a per group basis, since the domain is at a higher functional level.
Let’s take a closer look at the VPN Remote Access Policy:
Right click on the Connections to other access servers Remote Access Policy and click Delete. Repeat with the Connections to Microsoft Routing and Remote Access server Remote Access Policy.
We recommend that you do not allow inbound direct dial-up connections. Deleting these two default policies removes the only policies that could match a non-VPN connection, so the ISA Server firewall/VPN server accepts only the inbound VPN connections allowed by your VPN Remote Access Policy.
Figure 22 (fig610)
This dialog box informs you that the user account settings override the Remote Access Permission settings in the policy. Select the Grant remote access permission option to allow members of the Domain Users group access to the VPN server. Notice in the Policy conditions frame the Windows-Groups matches “INTERNAL\Domain Users” entry. Select that entry and then click the Edit button.
Figure 23 (fig519)
Figure 24 (fig611)
Configuring the ISA Server firewall/VPN Server to Support EAP-TLS Authentication for PPTP and L2TP/IPSec VPN Clients
The next step is to configure the ISA Server firewall/VPN server to support EAP-TLS authentication. Perform the following steps to configure the ISA Server firewall/VPN server:
Figure 25 (Fig612)
Figure 26 (Fig613)
The ISA Server firewall/VPN server must have a machine certificate installed before it can support EAP-TLS certificate-based user authentication. Please refer to the ISA Server 2000 VPN Deployment Kit document Assigning Certificates to Domain Members via Autoenrollment in a Windows Server 2003 Active Directory Domain for details on how to assign a machine certificate to the ISA Server firewall/VPN server.
Figure 27 (fig614)
Figure 28 (fig615)
The ISA Server firewall/VPN server is now ready to support PPTP and L2TP/IPSec VPN connections using either MS-CHAP version 2 or certificate-based EAP-TLS authentication. Note that the VPN client must have a user certificate before it can use certificate-based EAP-TLS authentication to authenticate with the ISA Server firewall/VPN server. Please refer to the ISA Server 2000 VPN Deployment Kit document Configuring the VPN Client and Server to Support Certificate-Based PPTP EAP-TLS Authentication for details on how to configure the VPN client with a user certificate.