Lesson 3: Configuring IPSec on Internet Servers
Certificates are the scalable mechanism for authenticating the IKE negotiation that establishes IPSec security associations. A host proves its identity by signing the IKE exchange with the private key that corresponds to the public key in its certificate, and the peer accepts that certificate because it chains to a CA both parties trust. The certificate itself carries no secret: the session keys that protect traffic are derived by IKE from its Diffie-Hellman exchange once both sides have authenticated.
To complete this lesson, you will need
Domain controller dc01
Member server ms01
Domain controller gdi-dc-01
Authenticate IPSec peers using certificates
Configure an enterprise CA to deploy IPSec certificates
Deploy IPSec certificates automatically by using Group Policy
Deploy IPSec certificates manually by using the Certificate Services Web site
Using Certificates to Distribute IPSec Secret Keys
IPSec was originally designed to provide secure, authenticated communications between hosts on the Internet, where security is often required but the parties have no prior administrative relationship. On the Internet, any communication might be allowed as long as identity is verified, or a public service provider might serve a vast array of clients and cannot configure manual keys for each of them.
Internal networks, which have a single administrative authority, present an entirely different set of administrative challenges. So do associations between business partners, where protocols and keys can be mutually agreed on.
In a Windows domain, Kerberos authenticates the two computers to each other during IKE, so nothing has to be keyed by hand. In simple configurations, administrators can instead enter the same preshared key on both sides. But in situations where a large number of parties are involved, where security is paramount, or where the participants are not known in advance, certificates are the appropriate solution.
Certificates provide an IKE trust mechanism when each host holds the private key that matches its own certificate and each peer's certificate chains to a CA the other side has been configured to trust. IKE signs its authentication exchange with the private key and verifies the peer's signature with the public key in the peer's certificate; no private key ever leaves the host that owns it. Once both sides have authenticated, the IPSec security association is negotiated automatically, exactly as it would be with Kerberos or a preshared key.
You can use a certificate issued for any purpose, provided the computer (not a logged-on user) holds the corresponding private key in its local machine store. It is not necessary to use certificates created specifically for IPSec, although those are more likely to work without requiring troubleshooting.
You can use the Certificates snap-in, focused on the Local Computer, to determine whether a certificate in the Personal store has its private key: such certificates show a key on their icon, and the General tab of the certificate states that you have a private key that corresponds to it. A certificate that appears only under Current User is not visible to IKE.
Practice: Using Certificates to Exchange IKE Secret Keys
Fabrikam has extended its security requirements to encompass all partner companies. To avoid creating excessive administrative burden, partners will be given access to the Fabrikam Enterprise Root Certifier to request and install a certificate that will enable Fabrikam hosts to securely access their extranet servers.
In this scenario, you will modify the IPSec security association created in the previous lesson to authenticate IKE with certificates rather than a preshared key. This method is far more scalable and secure than manual keying: no shared secret has to be copied to every participant, and compromise of one host's private key does not expose the others.
Exercise 1: Configuring the Enterprise CA to Deploy IPSec Certificates
In this exercise, you configure the Fabrikam Enterprise Root Certifier to issue IPSec certificates and then configure the domain GPO to automatically deploy them to domain participants.
To enable the CA to issue IPSec certificates
Perform this exercise on the Fabrikam Enterprise Root Certifier.
Click Start, point to Programs, point to Administrative Tools, and click Certification Authority. The Certification Authority management console appears, as shown in Figure 8-22.
Figure 8-22. The Certification Authority configured to issue IPSec certificates
Expand Fabrikam Enterprise Root Certifier.
Right-click Policy Settings, point to New, and click Certificate To Issue. The Select Certificate Template dialog box appears.
In the Select Certificate Template dialog box, select IPSEC, and click OK.
Right-click Policy Settings, point to New, and then click Certificate To Issue. The Select Certificate Template dialog box appears.
Select IPSEC (Offline Request), and then click OK.
Close the Certification Authority management console.
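As an added example that is not part of the book's procedure, the same two templates can be enabled from a command line with certutil, which makes the change repeatable and auditable. The template internal names are the built-in Windows names for IPSEC and IPSEC (Offline Request); that mapping, and that the script runs in an elevated session on the CA itself, are assumptions.

```powershell
# Added example, not from the book: enable the IPSec templates on an enterprise CA
# with certutil and confirm the CA now offers them.
# Assumptions: elevated PowerShell session on the CA; the built-in template
# internal names are IPSECIntermediateOnline ("IPSEC") and
# IPSECIntermediateOffline ("IPSEC (Offline Request)").

$Templates = @('IPSECIntermediateOnline', 'IPSECIntermediateOffline')

# Parse "certutil -CATemplates", which prints one template per line as
# "<InternalName>: <Display Name> -- <access check result>".
function Get-EnabledCATemplateName {
    (certutil -CATemplates) | ForEach-Object {
        if ($_ -match '^([A-Za-z0-9_.-]+):\s') { $Matches[1] }
    }
}

foreach ($t in $Templates) {
    if ($t -in (Get-EnabledCATemplateName)) {
        "Already enabled: $t"
        continue
    }
    # "+Name" adds a template to the CA's issue list; "-Name" would remove it.
    certutil -SetCATemplates "+$t" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil failed to enable $t (exit $LASTEXITCODE)" }
    "Enabled: $t"
}

$missing = $Templates | Where-Object { $_ -notin (Get-EnabledCATemplateName) }
if ($missing) { throw "Still not offered by the CA: $($missing -join ', ')" }
"CA now issues: $($Templates -join ', ')"
```

Enabling a template is only half the change. Every principal with Enroll permission on the template can obtain a certificate that IKE peers trusting this root will accept, so review the template's permissions at the same time, especially for the offline-request template that partners will use.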
To configure Group Policy to automatically deploy IPSec certificates
Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users And Computers. The Active Directory Users And Computers management console appears.
Right-click domain.fabrikam.com, and click Properties. The domain.fabrikam.com Properties dialog box appears.
Click the Group Policy tab, and double-click Domain Security Policy. The Group Policy management console appears.
Expand Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.
Right-click Automatic Certificate Request Settings, point to New, and click Automatic Certificate Request. The Automatic Certificate Request Setup Wizard appears.
Click Next to open the wizard. Your wizard page will be similar to the one shown in Figure 8-23.
Figure 8-23. The Automatic Certificate Request Setup Wizard
In the Certificate Template list, click IPSEC, and click Next. Each automatic certificate request enrolls a single template. IPSEC (Offline Request) is not used here: its subject name must be supplied in the request rather than built from Active Directory, so it cannot be enrolled automatically and is reserved for the manual Web enrollment in Exercise 2.
On the Certification Authority page, accept the default Fabrikam Enterprise Root Certifier as the certificate authority, and click Next.
Click Finish. IPSEC will appear in the list of Automatic Certificate Requests.
Close the Group Policy management console.
Click OK to close the domain.fabrikam.com Properties dialog box.
Close the Active Directory Users And Computers management console.
Exercise 2: Deploying Certificates for IPSec Encryption
In this exercise, you request a certificate for the Graphic Design Institute server from the Fabrikam Enterprise Root Certifier, which from that server's perspective is a foreign CA. Because the partner's certificate is issued under the same root that Fabrikam's own hosts chain to, each side can be configured to accept the other's certificate by naming that one CA. Note what this grants: the partner now holds a certificate in Fabrikam's PKI, so the CA's issuance policy and template permissions, not the IPSec rule, decide who can obtain one.
To request a certificate from a foreign certification authority
Perform this procedure on the gdi-dc-01.extranet.graphicdesigninstitute.com server.
Open Internet Explorer and browse to http://dc01/certsrv/. The Microsoft Certificate Services Web site appears. The key pair is generated by the browser's cryptographic provider on the requesting computer; only the request and the issued certificate cross the network, and the private key never does.
On the Welcome page, select Request A Certificate, and click Next.
On the Choose Request Type page, select Advanced Request, and click Next.
On the Advanced Certificate Requests page, select Submit A Certificate Request To This CA Using A Form, and click Next.
On the Advanced Certificate Request page, select IPSEC (Offline Request) in the Certificate Template drop-down list.
Type Fabrikam IPSEC Administrator in the Name box.
Type rootca@fabrikam.com in the E-Mail address box.
Select Microsoft Enhanced Cryptographic Provider in the CSP drop-down list.
Select Exchange in the Key Usage group. The Web page should appear as shown in Figure 8-24.
Figure 8-24. Requesting a certificate using the Microsoft Certificate Services Web site
Type 1024 in the Key Size box. (1024-bit RSA was the default when this lesson was written; it is below current minimums, and on any supported system you should request 2048 bits or more.)
Select Use Local Machine Store, and click Submit. This option places the key pair and certificate in the computer's store rather than the logged-on user's. IKE runs in the context of the computer and cannot use a user certificate, so a certificate installed without this option will not authenticate IPSec.
After waiting for the certificate to be issued, the Certificate Issued Web page appears, as shown in Figure 8-25.
Figure 8-25. Installing an issued certificate
Click the Install This Certificate link.
Close Internet Explorer.
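The check that the Certificates snap-in performs by hand, as an added example that is not part of the book: confirm that the certificate just installed is in the Local Computer store, has its private key, and chains to the expected root. The root CA common name is taken from the lesson; PowerShell 3 or later on the requesting server is assumed.

```powershell
# Added example, not from the book: verify that a certificate usable for IKE is in the
# Local Computer store (the only store IKE reads), has its private key, and chains to
# the expected root. A certificate that landed in the user's store because Use Local
# Machine Store was left cleared will not appear here at all.
# Assumptions: PowerShell 3 or later; expected root CN is the lesson's CA name.

$ExpectedRootCN     = 'Fabrikam Enterprise Root Certifier'
$IkeIntermediateEku = '1.3.6.1.5.5.8.2.2'   # "IP security IKE intermediate", set by the IPSEC templates

function Get-IkeCertificateReport {
    param([string]$RootCN)
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert  = $_
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # CRL reachability is a separate problem; here only the chain itself is checked.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $rootSubject = if ($chain.ChainElements.Count -gt 0) {
            $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        } else { '' }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey      # without this IKE cannot sign the exchange
            ChainBuilds   = $chainOk                 # root must be in LocalMachine\Root
            Root          = $rootSubject
            RootExpected  = $rootSubject -like "CN=$RootCN*"
            IkeEku        = [bool]($cert.EnhancedKeyUsageList | Where-Object ObjectId -eq $IkeIntermediateEku)
            Expires       = $cert.NotAfter
        }
    }
}

$report = Get-IkeCertificateReport -RootCN $ExpectedRootCN
$report | Format-Table Subject, HasPrivateKey, ChainBuilds, RootExpected, IkeEku, Expires -AutoSize

$usable = $report | Where-Object { $_.HasPrivateKey -and $_.ChainBuilds -and $_.RootExpected }
if (-not $usable) {
    # Typical causes: certificate installed into CurrentUser\My, root CA certificate
    # missing from LocalMachine\Root, or the request submitted without a local key pair.
    throw "No certificate in Cert:\LocalMachine\My can authenticate IKE under $ExpectedRootCN"
}
"IKE can use: $($usable.Subject -join '; ')"
```

The IkeEku column is informational only. The lesson is correct that IKE does not require an IPSec-specific purpose, so a certificate reporting False there can still work; HasPrivateKey, ChainBuilds and RootExpected are the three conditions that must hold.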
To convert an existing IPSec filter to use certificate-based IKE authentication
Perform this procedure on server gdi-dc-01.graphicdesigninstitute.com while logged on as Administrator.
Click Start, point to Programs, point to Administrative Tools, and click IP Security (Local). The IP Security (Local) management console appears.
Double-click Encrypted Link To Fabrikam. The Encrypted Link To Fabrikam Properties dialog box appears, as shown in Figure 8.26.
Figure 8-26. Encrypted link properties
Double-click Fabrikam Servers in the IP Security Rules list. The Edit Rule Properties dialog box appears, as shown in Figure 8.27.
Figure 8-27. The Edit Rule Properties dialog box
Click the Authentication Methods tab.
With the Preshared Key method selected, click Edit. The Edit Authentication Method Properties dialog box appears.
Select Use A Certificate From This Certificate Authority, and click Browse. The Select Certificate dialog box appears.
The list shows the certification authorities this computer trusts, not end-entity certificates. Click Issued By to sort the list alphabetically by issuer.
Double-click the Fabrikam Enterprise Root Certifier certificate. From now on IKE will accept a peer only if the certificate the peer presents chains to this CA.
Click OK to close the Select Certificate dialog box.
Click OK to close the Edit Authentication Method Properties dialog box.
Click OK to close the Edit Rule Properties dialog box.
Click Close to close the Encrypted Link To Fabrikam Properties dialog box.
Close the IP Security (Local) management console.
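The same edit as the dialog sequence above, scripted as an added example that is not part of the book. The Windows 2000 snap-in the lesson uses has no scripting interface, so this is a translation to the NetSecurity cmdlets of current Windows Server rather than a transcript of the lesson's steps. The peer address and CA name come from the lesson; the rule and authentication-set display names, and the MachineCert and PreSharedKey method names the verification compares against, are assumptions about how the module reports them.

```powershell
# Added example, not from the book: replace preshared-key IKE authentication with a
# machine-certificate requirement using the NetSecurity cmdlets.
# Assumptions: current Windows Server, elevated session; peer 192.168.241.60 and the
# root CA name are from the lesson; display names are ours.

$PeerAddress = '192.168.241.60'
$RootCaDn    = 'CN=Fabrikam Enterprise Root Certifier'   # issuer the peer's certificate must chain to

# The setting being replaced, shown for contrast and NOT applied:
#   New-NetIPsecAuthProposal -Machine -PreSharedKey 'shared-secret'
# A preshared key is the same value on every host and is stored in the policy itself.

# 1. Authentication proposal: machine certificate chaining to the named root.
$certProposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $RootCaDn -AuthorityType Root
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Fabrikam Root Cert Auth' -Proposal $certProposal

# 2. Connection security rule: IPsec required in both directions to the peer.
New-NetIPsecRule -DisplayName 'Encrypted Link To Fabrikam' `
    -RemoteAddress $PeerAddress `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.InstanceID | Out-Null

# 3. Check: the rule's phase-1 auth set must offer a certificate method and no PSK,
#    otherwise a peer could still negotiate with the old shared secret.
function Test-RuleRequiresCertAuth {
    param([string]$RuleName)
    $rule      = Get-NetIPsecRule -DisplayName $RuleName
    $set       = Get-NetIPsecPhase1AuthSet -AssociatedNetIPsecRule $rule
    $proposals = Get-NetIPsecAuthProposal -AssociatedNetIPsecPhase1AuthSet $set
    $methods   = @($proposals | ForEach-Object { $_.AuthenticationMethod })   # assumed value names below
    ($methods -contains 'MachineCert') -and ($methods -notcontains 'PreSharedKey')
}

if (-not (Test-RuleRequiresCertAuth -RuleName 'Encrypted Link To Fabrikam')) {
    throw 'Rule still accepts a non-certificate authentication method'
}
'Rule authenticates with machine certificates only'
```

The point of the final check mirrors the lesson's procedure: the preshared-key method is edited into a certificate method, not left alongside it. If both remain, IKE can fall back to the weaker one and the migration has changed nothing.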
To modify Group Policy-based IPSec configuration to use certificates
Perform this procedure on the dc01.domain.Fabrikam.com domain controller.
Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users And Computers. The Active Directory Users And Computers management console appears.
Right-click the Secure Servers OU, and click Properties. The Secure Servers Properties dialog box appears.
Click the Group Policy tab, and click the New button. A new GPO appears in the Group Policy Object Links list.
Type Secure Servers IPSec Policy as the name of the GPO, and press Enter.
Double-click Secure Servers IPSec Policy. The Group Policy management console appears.
Expand Computer Configuration, Windows Settings, and Security Settings, and click IP Security Policies On Active Directory.
Double-click Encrypted Link To Graphic Design Institute. The Encrypted Link To Graphic Design Institute Properties dialog box appears.
Double-click GDI Servers. The Edit Rule Properties dialog box appears.
Click the Authentication Methods tab.
Ensure that Preshared Key is selected, and click Edit. The Edit Authentication Method Properties dialog box appears.
Select Use A Certificate From This Certificate Authority, and click Browse.
When a warning message appears stating that Active Directory does not contain a shared certificate store, click Yes.
Select the Fabrikam Enterprise Root Certifier certificate, and click OK. You are choosing the CA, not an individual certificate: the policy records that CA's name, and each server that applies the policy will present its own certificate and accept a peer's only if it chains to that CA.
Click OK to close the Edit Authentication Method Properties dialog box.
Click OK to close the Edit Rule Properties dialog box.
Click Close to close the Encrypted Link To Graphic Design Institute Properties dialog box.
Close the Group Policy management console.
Click OK to close the Secure Servers Properties dialog box.
Close the Active Directory Users And Computers management console.
To test connectivity with certificate-based IKE negotiation
Perform this procedure on the member server ms01.domain.Fabrikam.com.
Restart the server.
Restarting the server is not strictly necessary, but three things must happen before the test can succeed: the domain Group Policy must be refreshed (secedit /refreshpolicy machine_policy on Windows 2000), the automatic certificate request must run so that the server obtains its IPSEC certificate from the Certification Authority, and the IPSEC Policy Agent service must re-read the modified IPSec policy, which may require restarting that service. A restart accomplishes all three.
Log on as Administrator, and open a command prompt.
Type ping 192.168.241.60, replacing the IP address with the address of gdi-dc-01.graphicdesigninstitute.com.
Initially, the ping tool will report that IP Security is being negotiated. In a few seconds, reply messages will appear, indicating that a security association has been established and traffic between the servers is encrypted. Because the rule's only authentication method is now the certificate, the negotiation could not have succeeded any other way; if replies never appear, the usual causes are a certificate in the wrong store, a missing private key, or a certificate that does not chain to the CA named in the rule.
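The refresh-and-test sequence without a restart, as an added example that is not part of the book. On Windows 2000 the equivalents were secedit /refreshpolicy machine_policy and a restart of the IPSEC Policy Agent service; the commands below are for current Windows Server and go one step further than ping by reading the Security log to confirm that the main-mode SA was authenticated with a certificate. The peer address is from the lesson; that enabling IPsec Main Mode auditing is acceptable on the host is an assumption.

```powershell
# Added example, not from the book: apply the new policy and confirm that IKE
# authenticated with certificates, without restarting the server.
# Assumptions: current Windows Server, elevated session; peer address from the lesson.

$Peer = '192.168.241.60'

# 1. Make IKE outcomes visible. Security events: 4650 = main-mode SA established
#    WITHOUT certificate authentication, 4651 = established WITH a certificate,
#    4653 = main-mode negotiation failed.
auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable | Out-Null

# 2. Pull the GPO (IPsec policy and certificate settings) and trigger autoenrollment
#    now rather than waiting for the next policy cycle.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

# 3. The first packets trigger the IKE negotiation; replies mean an SA came up.
Test-Connection -ComputerName $Peer -Count 4

function Get-PeerMainModeSA {
    param([string]$RemoteAddress)
    Get-NetIPsecMainModeSA | Where-Object { $_.RemoteEndpoint -eq $RemoteAddress }
}

function Get-RecentMainModeEvents {
    param([int]$Minutes = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4650, 4651, 4653; StartTime = (Get-Date).AddMinutes(-$Minutes) } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Meaning'; e = {
            switch ($_.Id) {
                4650 { 'Main-mode SA established WITHOUT certificate authentication (PSK or Kerberos)' }
                4651 { 'Main-mode SA established with certificate authentication' }
                4653 { 'Main-mode negotiation FAILED' }
            } } }
}

Get-RecentMainModeEvents | Format-Table -AutoSize

$sa = Get-PeerMainModeSA -RemoteAddress $Peer
if (-not $sa) { throw "No IKE main-mode SA with $Peer; see the 4653 events above for the failure reason" }
$sa | Format-List LocalEndpoint, RemoteEndpoint, *Authentication*, CipherAlgorithm, HashAlgorithm, GroupId, KeyModule
```

A successful ping proves only that some SA exists. A 4651 event for the peer proves the property the lesson is after: the peer was authenticated by a certificate chaining to the configured CA, and a 4650 event instead would mean a preshared key or Kerberos was still accepted.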
Lesson Review
The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.
When would it be appropriate to use certificates to authenticate IKE peers?
What are the two requirements for certificates to work correctly for IKE negotiation?
What two portions of a GPO apply to certificate deployment?
Lesson Summary
Certificates are the most secure way to authenticate IKE for servers that do not share a domain trust relationship; unlike a preshared key, no common secret has to be distributed to every participant.
You can configure trust between any two servers whose certificates chain to the same certificate authority. You name that trusted certificate authority in the authentication method of the IPSec rule when you create the filter policy.
A server must hold the private key that matches its certificate in order to use it with IKE; IKE signs the authentication exchange with that key, and the peer verifies the signature with the public key in the certificate. Certificates do not need to be created for IPSec specifically.
Certificate-based authentication is configured in Group Policy, either in the local policy of a server or in an Active Directory based GPO. The IP Security Policies node under Computer Configuration defines the IPSec policies and lets administrators assign one to the GPO.
You can configure Group Policy to automatically deploy machine certificates suitable for IPSec to members of an OU or domain. Use the Automatic Certificate Request Settings under Public Key Policies to request and install a certificate on every computer in that domain or OU the next time the policy is applied to it.