Creating a Public Key Infrastructure (PKI) for L2TP with IPSec Support

As previously mentioned, it is wise to deploy a certificates-based approach to L2TP VPN connections to maintain the highest levels of security and control over VPN access. To deploy this type of environment, a Public Key Infrastructure (PKI) must be set up. PKI provides a mechanism by which individual encrypted certificates are distributed to individual computers to validate their identity.

NOTE

Remember that L2TP/IPSec requires the ISA Server's public interface to be directly addressednot behind any type of Network Address Translation (NAT)for this type of VPN connection using PKI certificates to take place. The one exception to this case is if the systems providing the network address translation capability are compliant with the recent RFCs for NAT traversal (RFCs 3947 and 3948). Because this is a relatively new technology, it may take a few years for common acceptance of this practice, however.

PKI environments can be set up in a number of ways, with Microsoft and third-party products providing for robust implementations. The Microsoft implementation of PKI is installed on Windows Servers and involves the deployment of a Windows certificate authority. The two primary configurations for a Windows certificate authority (CA) are enterprise and stand-alone.

It is recommended that an organization with an existing Active Directory infrastructure implement an enterprise CA primarily because of the integration with Active Directory. By leveraging group policies with the enterprise CA, an administrator can automatically provision certificates to domain members, certificates being the key element in a L2TP/ IPSec VPN configuration. With a stand-alone or commercial CA, the certificate provisioning process is manual, requiring a specific process to be performed for each VPN client and server.

NOTE

A PKI design process is complex, and should not be taken lightly. In addition, a Windows certificate authority implementation can be utilized for numerous applications and services in addition to VPN support, so it is recommended that you put careful thought into the design and implementation of a PKI infrastructure.

Installing the Enterprise Root Certificate Authority (CA)

If a PKI Infrastructure is not already in place, the Microsoft implementation can be set up and configured in the internal environment. The following steps can be used to install Microsoft Internet Information Services (IIS) and the certificate authority on a domain member. Note that a CA should not be setup on the ISA Server itself, and IIS should never be set up on ISA (with the possible exception of the SMTP component of IIS in certain circumstances). IIS is required to support the certificate enrollment website and must be installed on the same system as the CA to provide for web certificate enrollment.

1.	Open Add or Remove Programs from the Control Panel.
2.	Select the Add/Remove Windows Components button.
3.	Click the check box beside Application Server. The check box is enabled, with a gray background, as shown in Figure 9.21. This installs minimal IIS components, perfect for the CA website. Click Next. Figure 9.21. Installing IIS on a domain member to provide for certificate web enrollment.
4.	Press Finish after IIS has been installed to return to the Add or Remove Programs window.
5.	Select the Add/Remove Windows Components button.
6.	Click the Certificate Services check box.
7.	Read the warning dialog box, and then click the Yes button. Click Next.
8.	On the CA Type page, select the appropriate option for the environment (enterprise root CA, in most cases). Click Next to continue.
9.	On the CA Identifying Information page, enter the common name for the CA. This can be any descriptive name. Click Next.
10.	On the Certificate Database Settings page, accept the defaults and click Next. For redundancy and scalability it is recommended to separate the log file from the database.
11.	Read the IIS warning dialog box, and then click the Yes button.
12.	Read the ASP warning dialog box when it is displayed, then click the Yes button.
13.	Click Finish after the CA has completed the installation.

Configuring the Enterprise Root CA

If using an enterprise certificate authority, and supporting non-domain members, such as an ISA Server that is a member of a workgroup, then a template to allow machine certificates should be added and configured to allow provisioning through the web enrollment page. This is common when supporting a mix of domain members and non-domain members.

The following steps can be used to configure the existing enterprise certificate authority with a new computer certificate template.

CAUTION

This process is not required and is not possible with a stand-alone certificate authority because the Client Authentication and Server Authentication certificates are already available by default.

1.	From a member server in the domain that has been configured with the enterprise certificate authority in the previous steps (not the ISA server) click Start, Run, type in `CertTmpl.msc`, and press OK.
2.	Right-click Computer from the list of available certificates and select Duplicate Template from the context menu.
3.	In the properties windows, enter a descriptive name in the Template Display Name field.
4.	On the Request Handling tab, enable the Allow Private Key to Be Exported check box, as shown in Figure 9.22. Figure 9.22. Configuring the enterprise certificate authority.
5.	On the Subject Name tab, select Supply in the Request.
6.	On the Security tab, review the security. By default only administrators can enroll new systems; this responsibility can be delegated if required.
7.	Click the OK button to save the changes and close the window.

CAUTION

The previous steps enable machine certificates to be issued through the web enrollment page, using the default settings. This is required when certificates need to be installed on non-domain members. It is highly recommended to research and configure the remaining options as required by company policy.

Now that the template has been created it must be added to the list of templates available to the enterprise CA. The following process can be used to accomplish this:

1.	Open the Certification Authority management console (Start, Administrative Tools, Certification Authority).
2.	Expand the CA, right-click Certificate Templates, and select New, Certificate Template to Issue from the context menu.
3.	Select the certificate template created in the previous steps and click OK to continue.

The enterprise certificate authority is now ready to provision machine certificates through web enrollment.

Requesting a Certificate for the ISA VPN Server

The process of requesting a certificate from a private internal certificate authority or a public certificate authority generally follows the same principles when the ISA server has been implemented as a stand-alone workgroup member.

Before starting the certificate enrollment process, it is important to add the certificate server to the trusted Internet security zone of the web browser on the ISA Server. In addition, there must not be any rules set up on the ISA server that block access from the local host to the web server with the CA installed on it.

The following process can be used to request a certificate for the ISA server. This can be performed from the system that will have the certificate installed on it, but that is not a requirement. If this is performed on a different system, after the certificates have been created they need to be exported and then imported to the correct system.

NOTE

For this process to work properly, the certificate web enrollment server must be accessible via ISA's system policy rules, which normally restrict the ISA Server's capability to read web pages on servers. For more information on the system policy, refer to Chapter 5, "Deploying ISA Server 2004 as a Firewall."

The following procedure can be used to create the initial certificate request:

1.	From the ISA Server, open Internet Explorer, and browse to the certificate web enrollment page. By default this is http://<certificateserver>/certssrv.
2.	Select the Request a Certificate task.
3.	Select Advanced Certificate Request.
4.	Select Create and Submit a Request to This CA.
5.	From the Certificate Template drop-down, select Configuring the Enterprise Root CA.
6.	Enter the name of the ISA VPN server for which the certificate is being issued in the field provided. This name must match the actual machine name. Fill in the remaining descriptive details as needed.
7.	Make sure the Mark Keys as Exportable check box is enabled.
8.	Enable the Store Certificate in the Local Computer Certificate Store option.
9.	Click the Submit button.
10.	Click Yes to acknowledge the Potential Scripting Violation dialog box.
11.	On the Certificate Issued page, click Install This Certificate.
12.	Click Yes to acknowledge the Potential Scripting Violation dialog box.

A certificate has now been installed in the system's local computer certificate store. The process to move this certificate to another system is discussed later in this chapter.

Requesting a Certificate for the VPN Client

The same process can be used to generate a certificate for a VPN client. Although a certificate can be generated for both a member and a non-member, it is not recommended to configure domain members this way. It is much more efficient to configure the group policy Autoenrollment, which automatically distributes the proper certificates to computers that are members of an Active Directory domain. To manually add the certificate to the client, perform the following steps:

1.	From the VPN Client, open Internet Explorer, and browse to the certificate web enrollment page. By default this is http://<certificate server>/certssrv. NOTE The VPN Client must access the web enrollment page from a network that has access to it, that is, is not being blocked by a firewall. Because web enrollment is a particularly sensitive service, it is not common to make it available through the Internet or through untrusted networks.
2.	Select the Request a Certificate task.
3.	Select Advanced Certificate Request.
4.	Select Create and Submit a Request to This CA.
5.	From the Certificate Template drop-down, select Configuring the Enterprise Root CA.
6.	Enter the name of the VPN client. This name must match the actual machine name. Fill in the remaining descriptive details as needed.
7.	Make sure that Mark Keys as Exportable is enabled.
8.	Enable the Store Certificate in the Local Computer Certificate Store option.
9.	Click the Submit button.
10.	Click Yes to acknowledge the Potential Scripting Violation dialog box.
11.	On the Certificate Issued page, click Install This Certificate.
12.	Click Yes to acknowledge the Potential Scripting Violation dialog box.

A certificate for the VPN client has now been installed in the local computer certificate store of the VPN client. The process to move this certificate to another system is discussed later in this chapter.

Downloading the CA Certificate

After the client(s) and ISA Server have been enrolled and a certificate has been generated, it must then be downloaded and added to the Trusted Root Certification Authorities local store on each device.

An advantage to using an enterprise CA is that the CA certificate is automatically added to the local certificate store on all domain members; only nondomain members are required to add the certificate. A stand-alone CA certificate is added to the local certificate store on domain members only if it is installed on a domain controller. Otherwise this certificate needs to be added to all systems that will establish a L2TP/IPSec VPN tunnel.

1.	Open Internet Explorer, and browse to the certificate web enrollment page. By default this is http://<certificate server>/certssrv.
2.	Select Download a CA Certificate, Certificate Chain, or CRL.
3.	Select Download CA Certificate, and save the file to removable media.

This file is not required to be protected and can be freely distributed via any method including email. This is only the CA's public keynot the private key. For example, many commercial CAs' public keys are distributed with Internet Explorer.

Exporting and Importing Certificates

If all the certificates were created through the certificate enrollment page, either with the enterprise CA or the stand-alone CA, from the same computer, they must then be exported to removable media and imported into the local certificates store.

To view the local certificate store on a client or a server, a Microsoft Management Console (MMC) session must be set up. Follow the steps outlined here to perform this function:

1.	Click Start, Run, type `MMC`, and click OK.
2.	Select File, Add/Remove Snap-in.
3.	Click the Add button.
4.	Select Certificates from the snap-in list, as shown in Figure 9.23, and then click Add. Figure 9.23. Adding the Certificates MMC Snap-in.
5.	Select Computer Account, click Next, then Finish.
6.	Select Certificates from the snap-in list and click Add.
7.	Select My User Account, click Finish, then click Close.
8.	Save the MMC.

One MMC console can be set up to manage all the different systems that require certificates. This option is usually not available because the VPN server is protected with a firewall, so the certificates may have to be transferred on portable, erasable media.

CAUTION

The certificates that are to be exported contain both the private and public key. It is extremely important to make sure the process that is used to transfer the certificates from one system to another is secure and the media is destroyed afterwards. Compromising the private key can render the encryption used in the VPN tunnel useless. In many cases, this transfer takes place at a trusted location, such as a laptop staging area of a help desk, to avoid compromise of the key.

To export the certificate, perform the following steps:

1.	From the system where the certificate web enrollment form was created, open the MMC (Start, Run, MMC.exe).
2.	Navigate to Certificates (Local Computer) from the Scope pane.
3.	Navigate to Personal, Certificates.
4.	Right-click the first certificate that was created. This should be the name of the ISA VPN server, with the intended purposes listed as Server Authentication. Select All Tasks, Export from the context menu.
5.	On the Welcome page, click Next.
6.	On the Export Private Key page, select Yes, Export the Private Key, and click Next.
7.	On the Export File Format page, make sure the Enable Strong Protection option is enabled. Click Next.
8.	On the Password page, type and confirm a strong password. This should be a random combination of alphanumeric and special characters. Click Next.
9.	On the File to Export page, browse to the location of the removable media to which the file will be saved, and click Next.
10.	On the Completion page, click Finish.

Repeat the previous process for each of the server and client certificates created. Use the following process to import the certificates to the required systems.

1.	Insert the removable media in the ISA VPN server or VPN client system.
2.	Open the MMC created in the previous process.
3.	Expand Certificates (Local Computer) from the Scope pane.
4.	Right-click on Personal and select All Tasks, Import.
5.	On the Welcome page, shown in Figure 9.24, click Next. Figure 9.24. Importing client certificates.
6.	On the File to Import page, browse to locate the certificate created for the ISA VPN server. Click Next.
7.	Enter the password in the field provided and enable the option to mark the key as exportable.
8.	On the Certificate Store page, the Personal store should already be selected. Click Next.
9.	On the Completing page, click Finish.
10.	Right-click on Trusted Root Certificate Authorities and select All Tasks, Import.
11.	On the Welcome page, click Next.
12.	On the File to Import page, browse to locate the CA certificate previously saved. Click Next.
13.	The Trusted Root Certificate Authorities should already be the selected store. Click Next to continue.

Repeat the entire process of importing the certificate and the CA certificate for the remaining VPN servers and client systems.

Using Active Directory Autoenrollment

When VPN clients are members of the internal domain and a PKI infrastructure has been deployed, the easiest and most secure method to get certificates on a workstation is through the process of group policy autoenrollment. The autoenrollment process automatically requests and maintains a certificate for the computers and servers.

As beneficial as autoenrollment may be, many prerequisites must be in place for it to work. These prerequisites are as follows:

All VPN clients must be Windows XP Professional.
The AD Domain must be running Windows Server 2003 functional level (Native Mode).
The certificates must be provisioned from a CA server running Windows Server 2003 Enterprise or Data Center Edition.

If these prerequisites are satisfied, the following process can be used to configure auto enrollment.

NOTE

The following steps describe autoenrollment configuration steps using the Group Policy Management Console (GPMC) tool, which is a downloadable add-on to Windows Server 2003. Although the same settings can be accomplished with the built-in tool, it is highly recommended to download and install GPMC. It greatly extends the management capabilities of group policies. The tool can be downloaded at the following URL:

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

1.	Open the GPMC tool (Start, Administrative Tools, Group Policy Management).
2.	Either create and link a new group policy or edit an existing group policy.
3.	Expand Computer Configuration and choose Windows Settings, Security Settings, Public Key Policies from the Scope pane.
4.	Double-click on Autoenrollment Settings.
5.	On the Autoenrollment Settings Properties windows, enable Enroll Certificates Automatically and enable both check boxes to renew and update certificates, as shown in Figure 9.25. Click OK. Figure 9.25. Configuring AD certificate autoenrollment.
6.	Right-click Automatic Certificate Request Settings from the Scope pane. Select New, Automatic Certificate Request from the context menu.
7.	On the Welcome page, click Next.
8.	On the Certificate Template page, select Computer, click Next.
9.	On the Completing page, click Finish.

The machine requests the certificate during login or during the next group policy refresh cycle. Use the GPUPDATE.EXE command to refresh the group policy. The simplest method to invoke the autoenrollment process is just to restart the system. Look for event 19, from source Autoenrollment, in the event log of the local system to see whether the process was successful. The Certificates snap-in can also be used to view the newly acquired certificate on the client, and the Certification Authority console can be used to view newly provisioned certificates.

Installing the Enterprise Root Certificate Authority (CA)

Figure 9.21. Installing IIS on a domain member to provide for certificate web enrollment.

Configuring the Enterprise Root CA

Figure 9.22. Configuring the enterprise certificate authority.

Requesting a Certificate for the ISA VPN Server

Requesting a Certificate for the VPN Client

Downloading the CA Certificate

Exporting and Importing Certificates

Figure 9.23. Adding the Certificates MMC Snap-in.

Figure 9.24. Importing client certificates.

Using Active Directory Autoenrollment

Figure 9.25. Configuring AD certificate autoenrollment.