Configuring a gateway to gateway VPN is easy using ISA Server


DOCUMENT INFORMATION

Basic information

Title: Configuring a Gateway to Gateway VPN Using ISA Server
Author: Deb and Tom Shinder
Institution: Microsoft Virtual Academy
Field: Networking and Security
Type: guides and tutorials
Year published: 2004
City: Redmond
Pages: 38
Size: 562 KB



Configuring a gateway to gateway VPN is easy using ISA Server. The reason why it’s so easy is that the Local and Remote VPN Wizards make the setup a virtual no-brainer. Well, it’s a no-brainer when you’re configuring PPTP VPN gateways. But if you’re in the market for a high security L2TP/IPSec gateway to gateway VPN, you probably have either been trying to avoid it like the plague or you are pulling your hair out trying to figure out how to make it work!

Indeed, the certificate infrastructure configuration is a major barrier to entry for those considering L2TP/IPSec VPNs. The reason for this is that it’s virtually impossible to get the straight dope on how to install the certificates! Even the highly acclaimed VPN book by Fortenberry fails to make it clear how to install machine certificates using the Web interface for machines that are not domain members. He focuses on using the Web interface to get a user certificate for PPP EAP/TLS authentication. Forget about this! We’ll handle EAP/TLS at another time. What we want to do right now is to get an L2TP/IPSec link configured and working.

Attention:

Configuring ISA Server 2000: Building Firewalls for Windows 2000

By Deb and Tom Shinder

http://www.amazon.com/exec/obidos/ASIN/1928994296/isaserver

In this lab we’ll put together a five computer VMware network that includes two VPN servers, a domain controller, a stand-alone root CA and a server on the remote network. In the first part of the article, we’ll get the infrastructure put together: install the servers, configure the certificate servers, and install certificates on the Local network. In the second part of the article we’ll install ISA Server, configure the gateway to gateway VPN, and install the certificates on the remote VPN server and remote file server.

Procedures in this lab include:

Reviewing the Lab Network

Installing Certificate Server on a Domain Controller

Configuring autoenrollment using Group Policy

Confirming Installation of the Machine Certificate

Using the MMC Console to Request a Certificate

Installing a Stand-alone Root CA

Obtaining a Certificate from the Stand-alone Root using the Web Interface

By the end of this two part lab, you’ll be the ISA/VPN L2TP/IPSec gateway to gateway Wizard!

The Lab Network

The graphic below shows the lab network:


Service and IP configuration settings on each machine:

CLIENTDC:

Services:

WINS

DNS

Accepts dynamic updates

Configured manually, not via Active Directory Wizard

Active Directory

Domain name: internal.net

[IMAGE PROVIDED with LAB on DVD]

IP Configuration:

Windows 2000 IP Configuration

Host Name : CLIENTDC

Primary DNS Suffix : internal.net

DNS Suffix Search List : internal.net

Ethernet adapter Local Area Connection:

Reverse lookup zones (reverse lookup zone for network ID 10.0.0.0/24)

Host Name : CERTSRV

Primary DNS Suffix : internal.net

DNS Suffix Search List : internal.net

Ethernet adapter Local Area Connection:

IP Address : 10.0.0.3

Subnet Mask : 255.255.255.0

Default Gateway : 10.0.0.1


Host Name : INTERNALVPN

Primary DNS Suffix : internal.net

DNS Suffix Search List : internal.net

Ethernet adapter Local Area Connection (internal adapter):

IP Address : 10.0.0.1

Subnet Mask : 255.255.255.0

Default Gateway :

DNS Servers : 10.0.0.2

Primary WINS Server : 10.0.0.2

Ethernet adapter Local Area Connection 2 (external adapter):

This machine is dual homed. Use default settings during the Windows 2000 Advanced Server setup in the VM, except for the manual configuration of IP addressing and joining the domain.

DNS Suffix Search List :

Ethernet adapter Local Area Connection (internal adapter):

IP Address : 172.16.0.1

Subnet Mask : 255.240.0.0

Default Gateway :

DNS Servers : 172.16.0.2

Primary WINS Server : 172.16.0.2

Ethernet adapter Local Area Connection 2 (external adapter):

This machine is dual homed. Use default settings during the Windows 2000 Advanced Server setup in the VM, except for the manual configuration of IP addressing and joining the domain.

EXTERNALSRV:

Services:


All IIS Services

DNS Suffix Search List :

Ethernet adapter Local Area Connection:

Installing Certificate Server on the Domain Controller

To test how to obtain a machine certificate from an Active Directory integrated Enterprise Root Certificate Server, we’ll install Certificate Server on our domain controller, ISACLIENTDC.

Perform the following steps to install Certificate Server on the domain controller:

Click Start, point to Settings and then click on Control Panel.

Open the Add/Remove Programs applet.

Click the Add/Remove Windows Components button on the left side of the Add/Remove Programs applet.


In the Windows Components Wizard dialog box, place a checkmark in the Certificate Services checkbox. You will get a warning dialog box telling you that you cannot rename the computer or remove or join a domain. Fine. Click Yes, then click Next.


If the machine is a Terminal Server (and it is in this lab), you’ll see the Terminal Services Setup dialog box. Select the Remote administration mode and click Next.


On the Certification Authority Type page, select the Enterprise root CA option. This option requires Active Directory. It is the correct option because we want to be able to use the Certificates MMC and/or autoenrollment to install a machine certificate on our ISA/VPN servers. Click Next.


On the CA Identifying Information page, fill in all the fields as seen in the figure below. In reality, the only field that’s required is the CA name field. The others are optional, but it’s a good idea to fill them all in so that you can easily identify the source and purpose of the Certificate Server. Click Next.


On the Data Storage Location page, accept the defaults for where you want to put the Certificate database and Certificate Database Log. You have the option to Store configuration information in a shared folder, but this is not required unless you want other CAs in your organization to use this information. Click Next.


You will get a warning dialog box informing you that IIS must be stopped before proceeding. Click OK.


You will be asked for the Windows 2000 CD ROM. Put the Windows 2000 CD ROM into the drive and click OK.

When the Wizard is complete, click Finish.

The Certificate Server is now installed and can assign machine (computer) certificates. Now let’s see how to configure Group Policy to autoenroll machines that are members of the domain.

Configuring Autoenrollment using Group Policy

Perform the following steps to configure domain Group Policy to autoenroll domain members so that they automatically receive a machine certificate:

Click Start, point to Programs and point to Administrative Tools. Click on Active Directory Users and Computers.

In the Active Directory Users and Computers console, right click on your domain and click Properties.

On the domain Properties dialog box, click on the Group Policy tab.

On the Group Policy tab, click on the Default Domain Policy and click Edit.

Expand the Computer Configuration node, then expand the Windows Settings node, then expand the Security Settings node, and finally expand the Public Key Policies node.


Right click on the Automatic Certificate Request Settings node, point to New and click on Automatic Certificate Request.

The Welcome to the Automatic Certificate Request Setup Wizard page appears. Click Next.


On the Certificate Template page, select the Computer certificate template and click Next.


On the Certificate Authority page, accept the default and click Next.


On the Completing the Automatic Certificate Request Setup page, click Finish.

After you complete the Wizard, the Certificate Server will automatically assign machine certificates to all machines in the domain. The machines will obtain a certificate during the next policy refresh, or when you restart the computer. If you don’t want to wait for the policy refresh or restart the computer, you can use the secedit utility to force a policy refresh. Just issue the following command at the command prompt:

secedit /refreshpolicy machine_policy /enforce

Confirming Installation of the Machine Certificate

You want to make sure that all the domain members have a machine certificate before you continue with configuring the VPN. Make sure that you’ve restarted the machine or used the secedit command, and then perform the following steps to view the certificate:

Click Start and click the Run command.

In the Run dialog box, type mmc in the Open text box and click OK.

Click the Console menu and then click the Add/Remove Snap-in command.

In the Add/Remove Snap-in dialog box, click the Add button.

In the Add Stand-alone Snap-in dialog box, select Certificates and click Add.


On the This snap-in will always manage certificates for page, select the Computer account option and click Next.


On the Select the computer you want this Snap-in to manage page, select the Local computer option and click Finish.


Click Close in the Add Standalone Snap-in dialog box.

Click OK in the Add/Remove Snap-in dialog box.

In the console, expand the Certificates (Local Computer) node and then expand the Personal node. Click on the Certificates node. Double click on the certificate in the right pane to view the certificate (this is a certificate that was assigned to the CERTSRV computer). Close the Certificate dialog box to return to the Certificates mmc.
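The MMC steps above confirm the certificate by eye. As an added example that is not part of the Shinders’ lab, the PowerShell function below performs the same check from the command line on a current Windows host (the lab’s Windows 2000 machines have no PowerShell): it looks in the Local Computer Personal store for a certificate issued by your Enterprise Root CA that has a private key, is inside its validity period, carries the Server Authentication and Client Authentication EKUs that the Computer template issues, and chains to a root the machine trusts. The CA name is a parameter you supply (whatever you typed in the CA name field); the EKU OIDs are the standard ones, and the function name is an assumption of this example.

```powershell
# Added example, not from the lab: verify that LocalMachine\My holds a machine
# certificate that L2TP/IPSec can use. Assumes you pass the CA's common name.
function Test-MachineCertificate {
    param(
        [Parameter(Mandatory)] [string] $ExpectedIssuerCN   # CA name from the CA Identifying Information page
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $clientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $now = Get-Date

    # Only certificates from the expected CA that have a private key are candidates.
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.Issuer -match ('CN=' + [regex]::Escape($ExpectedIssuerCN))
    }
    if (-not $candidates) {
        Write-Warning "No certificate issued by '$ExpectedIssuerCN' with a private key in LocalMachine\My. Force a policy refresh (secedit /refreshpolicy machine_policy /enforce on Windows 2000) or reboot, then re-run."
        return $false
    }

    $ok = $false
    foreach ($cert in $candidates) {
        # Pull the EKU OIDs out of the Enhanced Key Usage extension, if present.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $oids = @()
        if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        $hasEku    = ($oids -contains $serverAuth) -and ($oids -contains $clientAuth)
        $timeValid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        # Verify() builds and validates the chain against the machine's trusted roots;
        # it fails when the CA's root certificate is not installed on this machine.
        $chainOk   = $cert.Verify()

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            HasEKU     = $hasEku
            TimeValid  = $timeValid
            ChainOK    = $chainOk
        } | Format-List | Out-String | Write-Host

        if ($hasEku -and $timeValid -and $chainOk) { $ok = $true }
    }
    return $ok
}

# Usage (run in an elevated PowerShell on the machine being checked):
# Test-MachineCertificate -ExpectedIssuerCN 'Your CA Name'
```

The function returns $true only when at least one certificate passes every test, so it can be used as a gate in a provisioning script before the VPN interface is configured; a certificate that exists but fails the chain check is the most common cause of an IKE negotiation that never completes.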


Using the MMC Console to Request a Certificate

Since we’re in the Certificates mmc right now, let’s see how you can request a certificate from an Enterprise Root CA using the mmc. You can use this method if you don’t want to, or can’t, use the autoenrollment Group Policy. Be aware that the machine making the request must be a member of the same domain as the Enterprise Root Certificate Server. You cannot use this method if the requesting machine is not in the same domain.

In the Certificates mmc console, right click on the certificate that was obtained via autoenrollment and click Delete.

You will see a dialog box warning you that you will not be able to decrypt data using this certificate (if you remove it). Click Yes.


The certificate should now be removed. Right click on the Certificates node in the left pane of the console, point to All Tasks and click on Request New Certificate.


The Welcome to the Certificate Request Wizard page appears. Click Next.

On the Certificate Template page, select the Computer certificate (it should be the only one you see) and click Next.

On the Certificate Friendly Name and Description page, you can type something like machine cert for the Friendly name. Click Next.


Review the settings on the Completing the Certificate Request Wizard page and click Finish. Click OK in the dialog box that informs you that the request was successful.

Close the Certificates mmc. In the dialog box that asks if you want to save the console settings, click Yes.

Save the console on the desktop with the name Certificates.

Installing a Stand-alone Root CA

In this section we’ll install a standalone root CA on the CERTSRV computer. The reason for the standalone root CA is that we need to install a certificate on the remote ISA/VPN server. We might also want a certificate so that the remote file server can use IPSec through the L2TP/IPSec tunnel (VPN IPSec pass-through). We will need to use the Web interface to obtain a certificate for the remote ISA/VPN server because the remote ISA/VPN server is not a member of the domain. The remote ISA/VPN server in this lab is configured as a standalone server that is a member of a workgroup.

Note that it is not required that the remote ISA/VPN server be a standalone server that is a member of a workgroup and obtain a machine certificate later. We could easily make the remote ISA/VPN server a member of the same domain as our domain controller (CLIENTDC). However, we would have to install the remote ISA/VPN server while it was connected to the local network. Then we would make the machine a member of the domain.


After making the machine a member of the domain, we could take advantage of autoenrollment, or use the Certificates mmc. Then we either leave the machine as a member of the same domain, or remove the machine from the domain and move it to the remote site. The certificate will still be in place even if the machine is removed from the domain.

On the CERTSRV machine, perform the following steps to install the standalone root CA Certificate Server:

Click Start, point to Settings and then click on Control Panel.

Open the Add/Remove Programs applet.

Click the Add/Remove Windows Components button on the left side of the Add/Remove Programs applet.

In the Windows Components Wizard dialog box, place a checkmark in the Certificate Services checkbox. You will get a warning dialog box telling you that you cannot rename the computer or remove or join a domain. Fine. Click Yes, then click Next.

If the machine is a Terminal Server (and it is in this lab), you’ll see the Terminal Services Setup dialog box. Select the Remote administration mode and click Next.

On the Certification Authority Type page, select the Stand-alone root CA option. This type of CA does not require Active Directory. Click Next.


Enter the identifying information on the CA Identifying Information page. The only required field is the CA name, but you should include the rest of the information to make it easier to figure out what the CA is for. Click Next.

On the Data Storage Location page, accept the defaults in this lab. You do not need to create a shared folder for storage configuration (I do this out of habit, but it is not required for this lab). Click Next. Click OK in the dialog box that informs you that IIS must be stopped.


Insert the CD ROM into the drive when asked. Click Finish when the installation is complete. Click Close to close the Add/Remove Programs dialog box.

Obtaining a Certificate from the Standalone Root using the Web Interface

The INTERNALVPN, EXTERNALVPN and EXTERNALSRV computers are all going to need a certificate from the standalone root CA. We won’t be able to obtain a certificate for the EXTERNALVPN and EXTERNALSRV computers until we have the gateway to gateway VPN configured. But we can install the certificate on the INTERNALVPN computer now.

On the INTERNALVPN machine, open up the browser.

On the Welcome to the Internet Connection Wizard page, select the last option as seen in the figure.


On the Setting up your Internet connection page, select the I connect through a local area network (LAN) option and click Next.


On the Local area network Internet configuration page, remove the checkmark from the Automatic discovery checkbox. Click Next.


On the Set Up Your Internet Mail Account page, select No and click Next.

On the Completing the Internet Connection Wizard page, click Finish.

In the Address bar of Internet Explorer, type http://certsrv/certsrv and press [ENTER].

On the Welcome page, select the Request a certificate option and click Next.
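The lab obtains certificates for the non-domain machines through the CA’s Web pages. As an added example that is not from the article, the script below makes the equivalent request from the command line with certreq.exe against the stand-alone root CA on CERTSRV. Like the Web interface, it needs no domain membership, which is why it suits the workgroup machines at the remote site; and, as with the Web interface, a stand-alone CA holds the request as Pending until an administrator issues it in the Certification Authority console. The CA common name, the subject name and the working directory are placeholders (assumptions of this example); the EKUs requested are the Server and Client Authentication purposes the Computer template issues.

```powershell
# Added example, not from the lab: request a machine certificate from the
# stand-alone root CA on CERTSRV with certreq.exe instead of the Web pages.
# Assumptions: replace <CA name> with the CA common name you entered on the
# CA Identifying Information page, and $subject with the VPN server's FQDN.
$caConfig = 'CERTSRV\<CA name>'              # host\CA common name
$subject  = 'CN=externalvpn.example.invalid'  # placeholder subject
$work     = Join-Path $env:TEMP 'machinecert'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'request.inf'
$req = Join-Path $work 'request.req'
$cer = Join-Path $work 'cert.cer'

# The .inf drives certreq: key in the machine store (MachineKeySet), non-exportable
# private key, RSA exchange key (KeySpec = 1), Server + Client Authentication EKUs.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path $inf -Encoding ASCII

# 1. Generate the key pair in LocalMachine and write the PKCS#10 request.
certreq -new $inf $req

# 2. Submit to the stand-alone CA. The CA answers "Taken Under Submission" and
#    prints a RequestId; the request stays Pending until an administrator issues it.
certreq -submit -config $caConfig $req $cer

# 3. Once issued, retrieve the certificate (replace <RequestId> with the number
#    printed in step 2) and accept it into LocalMachine\My, where it is bound to
#    the private key generated in step 1.
# certreq -retrieve -config $caConfig <RequestId> $cer
# certreq -accept $cer
```

Step 3 is left commented because it can only run after the pending request has been issued on CERTSRV. For the certificate to be usable in the IPSec negotiation, the stand-alone root’s own certificate must also be installed in the machine’s Trusted Root Certification Authorities store, which the Web interface’s “Retrieve the CA certificate” page provides.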

Posted: 18/10/2013, 14:15
