Discussion on PPTP EAP-TLS articles
All Forums >> [ISA Server 2000 Firewall] >> VPN >> Discussion on PPTP EAP-TLS articles
Discussion on PPTP EAP-TLS articles - 22.Jun.2003 6:05:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussion of the PPTP EAP-TLS articles over at http://isaserver.org/tutorials/pptpeaptlspart1.html

and

http://www.ISAserver.org/pages/article.asp?id=1111

Thanks!
Tom

[ June 22, 2003, 08:56 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion on PPTP EAP-TLS articles - 22.Jun.2003 4:54:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

you recommend installing the ISA/VPN server in a workgroup and the IAS server as a member server of the local domain. For the VPN authentication the ISA server is the RADIUS client. So far so good, but how does the outbound user/group based access control in ISA fit into that picture? In a small business scenario, ISA is usually a member server of the internal domain, or am I missing something?

Thanks,
Stefaan

(in reply to tshinder)
Post #: 2
RE: Discussion on PPTP EAP-TLS articles - 22.Jun.2003 8:55:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

Good points. We do lose out on outbound access control when we do it that way. Perhaps an excellent compromise would be to make the ISA firewall/VPN server a domain controller in its own domain, create a one-way trust for outbound (and sometimes inbound) access control, and then use RADIUS to the trusted domain?

Thanks!
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion on PPTP EAP-TLS articles - 22.Jun.2003 10:59:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

do you really mean that the ISA/VPN server should be a DC as a workaround? I thought you were against such a configuration! [Confused]

Suppose for a moment ISA Server is already a member server of the internal domain for the outbound access control. What extra 'danger' do we introduce by not using IAS and letting the ISA server verify the EAP-TLS authentication directly on the DC?

Thanks,
Stefaan

[ June 22, 2003, 11:42 PM: Message edited by: spouseele ]

(in reply to tshinder)
Post #: 4
RE: Discussion on PPTP EAP-TLS articles - 23.Jun.2003 8:36:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

There is nothing wrong if you create an explicit trust between the *dedicated ISA domain* and the internal network domain. That way, ISA is able to authenticate users on the internal network, but the user domain does not trust any accounts on the firewall.

That way we can have a machine that can utilize the user account database on the internal network for inbound and outbound access, and still have the firewall NOT be a member of the domain. If the firewall were a member of the domain, and the firewall were compromised, the level of damage could potentially be much higher than if a user from a non-trusted computer tried to access the domain. ISA trusts the internal domain, but the internal domain does not trust the firewall.

Make sense?

Thanks!
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion on PPTP EAP-TLS articles - 25.Jun.2003 10:58:00 PM   
montana

 

Posts: 43
Joined: 29.Aug.2002
Status: offline
Hi Tom -

As always, great articles! I was able to set things up as explained and established the vpn connection. I requested the cert and tested from an internal workstation.

My question is about the certificate issuance for those people who are members of the domain but want to make a VPN connection from their own, non-company-owned, home PC. How do they obtain and install the certificate when the certificate server is behind the ISA server on the domain controller?

Would the admin need to log in as the user, request the certificate, save it and then give it to the user to manually install?

Thanks for your help.

(in reply to tshinder)
Post #: 6
RE: Discussion on PPTP EAP-TLS articles - 25.Jun.2003 11:25:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Montana,

In this scenario, where we are using user certificate authentication, the user can request a certificate from the standalone or enterprise CA. In the case of a user certificate, as long as the user can log on to the enterprise CA with valid user credentials, then he can obtain a user certificate. He does need to be logged on as a local administrator on his home machine.

The home user can access the Web Enrollment site when you publish the certificate server. I just finished that doc for the VPN Deployment Kit. I'll announce the details on how you can participate in the beta version of the VPN Deployment Kit on Monday of next week.

Thanks!
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion on PPTP EAP-TLS articles - 26.Jun.2003 2:30:00 PM   
montana

 

Posts: 43
Joined: 29.Aug.2002
Status: offline
Thanks Tom. Looking forward to participating in beta version of the VPN deployment kit.

(in reply to tshinder)
Post #: 8
RE: Discussion on PPTP EAP-TLS articles - 26.Jun.2003 2:50:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Montana,

Beta-1 will be available for download on Monday. Beta-2 will be available on the Monday after that and Beta-3 the Monday after that! Final version due on July 31.

Thanks!
Tom

(in reply to tshinder)
Post #: 9
RE: Discussion on PPTP EAP-TLS articles - 28.Jun.2003 7:39:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

quote:
Originally posted by tshinder:
Hi Stefaan,

There is nothing wrong if you create an explicit trust between the *dedicated ISA domain* and the internal network domain. That way, ISA is able to authenticate users on the internal network, but the user domain does not trust any accounts on the firewall.

That way we can have a machine that can utilize the user account database on the internal network for inbound and outbound access, and still have the firewall NOT be a member of the domain. If the firewall were a member of the domain, and the firewall were compromised, the level of damage could potentially be much higher than if a user from a non-trusted computer tried to access the domain. ISA trusts the internal domain, but the internal domain does not trust the firewall.

Make sense?

Thanks!
Tom

Yes, that makes perfect sense. But I suppose it is better to use a small server for the DC instead of installing ISA on the DC itself?

Thanks,
Stefaan

(in reply to tshinder)
Post #: 10
RE: Discussion on PPTP EAP-TLS articles - 1.Jul.2003 1:56:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

Agreed! However, you will need to configure the machine as a bastion host on the DMZ segment.

Thanks!
Tom

(in reply to tshinder)
Post #: 11
RE: Discussion on PPTP EAP-TLS articles - 3.Jul.2003 10:03:00 AM   
aselicean

 

Posts: 260
Joined: 7.Dec.2002
From: Romania
Status: offline
Hi Tom

I just read the article and it's very useful, especially for myself because we allow VPN connections through ISA and we're using PPTP for the moment.

There was a question during one of the wizards stating that (quoting from memory): "Activating ASP is a potential risk, etc." I know that having ASP activated introduces some risks and I am aware of some of them. Is there anything special that we should look for other than using MBSA to scan for ASP vulnerabilities and patching the holes as indicated by MBSA? Any useful links?

Thank you.

Regards,

[ July 03, 2003, 10:05 AM: Message edited by: Alin Selicean ]

(in reply to tshinder)
Post #: 12
RE: Discussion on PPTP EAP-TLS articles - 3.Jul.2003 3:49:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Alin,

I think with URLScan on the ISA Server and IIS 6.0, you'll be fairly safe. I'm no IIS security guru, but you'll just need to take the standard advice, such as that included in the IIS security section in ISA Server and Beyond (Mark Burnett wrote that chapter and it was great!)

Thanks!
Tom

(in reply to tshinder)
Post #: 13
RE: Discussion on PPTP EAP-TLS articles - 3.Jul.2003 6:18:00 PM   
aselicean

 

Posts: 260
Joined: 7.Dec.2002
From: Romania
Status: offline
Hi Tom

I have already run URLScan and IISLockDown on my ISA box (which is the only one exposed at the moment), so I am current with these tools. If these should be enough, I think I'll be safe enough. Of course, periodic scans will confirm that. [Smile]

One can never tell...

As always, your input is much appreciated.

Regards,

[ July 03, 2003, 06:19 PM: Message edited by: Alin Selicean ]

(in reply to tshinder)
Post #: 14
RE: Discussion on PPTP EAP-TLS articles - 5.Jul.2003 6:13:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Alin,

Thanks!
Tom

(in reply to tshinder)
Post #: 15
RE: Discussion on PPTP EAP-TLS articles - 10.Jul.2003 7:34:00 PM   
Steve.Lunn

 

Posts: 11
Joined: 30.Jan.2002
From: N. Yorks, UK
Status: offline
Great pair of articles, Tom, but they use Win2k3 Server. I tried following them on a Win2k server, but I can't get it to work; some of the options are missing.
Have you (or can you [Big Grin] ) altered the article for Win2k server usage, please, or can you offer some advice?

Cheers

Steve

(in reply to tshinder)
Post #: 16
RE: Discussion on PPTP EAP-TLS articles - 11.Jul.2003 3:07:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Steve,

Thanks! Can you point me in the right direction on the things that you found were different? Most everything should be similar. Maybe I can figure it out quick if you can identify the differences you found.

Thanks!
Tom

(in reply to tshinder)
Post #: 17
RE: Discussion on PPTP EAP-TLS articles - 18.Jul.2003 9:16:00 PM   
Steve.Lunn

 

Posts: 11
Joined: 30.Jan.2002
From: N. Yorks, UK
Status: offline
Tom,
Thanks for your quick response.
Unfortunately I've been away from my test servers so I've only just had a chance to have another go.

1) The place where I get hung up is in part 2, Configure RRAS step 5. There is no VPN option on Win2k, so I think I've managed to string one together. I've given it a group, connected it to the issuing server, but I can't see anywhere to choose the authentication level.

2) Part 2 Config RRAS for RADIUS step 4 and part 1 setup client step 10 both show a "Message Authenticator attribute" check box, but Win2k shows a "use digital signature" box on the RRAS server and Message Authentication in the client. Are these the same and should they be ticked?

I didn't get any further than this. Can you help?

Cheers

Steve

(in reply to tshinder)
Post #: 18
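For the second point above: the Windows 2000 "use digital signature" option and the later "Message Authenticator attribute" check box both control the RADIUS Message-Authenticator attribute (type 80, RFC 2869), an HMAC-MD5 over the whole RADIUS packet keyed with the RADIUS shared secret; RFC 3579 requires it on every Access-Request that carries an EAP-Message, which is why it matters for EAP-TLS. The Python below is an added example for this thread, not code from the articles or from any Microsoft component. It builds a constructed Access-Request, computes the attribute as the client would, and verifies it as the server would, rejecting a tampered packet, a packet that omits the attribute, and a client using a different shared secret. The shared secret, user name and NAS address are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types used here (RFC 2865, RFC 2869, RFC 3579).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attr(attr_type, value):
    """Encode one Type/Length/Value attribute (length covers type+length+value)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, request_authenticator, attrs, secret):
    """Client side: build an Access-Request and sign it with Message-Authenticator.

    RFC 2869 section 5.14: the HMAC-MD5 is computed over the full packet with the
    Message-Authenticator value set to 16 zero bytes, then the result is written
    back into that attribute.
    """
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    # The placeholder is the last attribute, so its value is the last 16 bytes.
    return packet[:-16] + mac


def parse_attrs(packet):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    offset = HEADER_LEN
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", packet[offset:offset + 2])
        if attr_len < 2 or offset + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        yield offset, attr_type, packet[offset + 2:offset + attr_len]
        offset += attr_len


def verify_message_authenticator(packet, secret):
    """Server side: True only if the packet carries a valid Message-Authenticator.

    A missing attribute is treated as a failure, matching RFC 3579's requirement
    for EAP over RADIUS (the effect of leaving the check box unticked).
    """
    if len(packet) < HEADER_LEN:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    found = None
    for offset, attr_type, value in parse_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if found is not None or len(value) != 16:
                return False  # duplicate or wrong-sized attribute
            found = (offset, value)
    if found is None:
        return False
    offset, received = found
    zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def demo():
    """Run the client/server exchange on constructed data and report each check."""
    secret = b"example-shared-secret"      # constructed shared secret
    request_authenticator = bytes(range(16))  # constructed; random in real clients
    identity = b"alice@example.test"         # constructed user
    # EAP-Response/Identity: code 2, id 1, length 23 (5-byte header + 18-byte identity), type 1.
    eap_identity = bytes([2, 1, 0, 23, 1]) + identity
    attrs = [
        (ATTR_USER_NAME, identity),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),  # constructed NAS address
        (ATTR_EAP_MESSAGE, eap_identity),
    ]
    good = build_access_request(7, request_authenticator, attrs, secret)

    # Same-length edit of User-Name: length field stays valid, HMAC does not.
    tampered = good.replace(b"alice", b"mallo", 1)

    # Strip the trailing 18-byte attribute and fix the length field: what an
    # RRAS client sends when the digital-signature option is turned off.
    stripped = good[:-18]
    missing = stripped[:2] + struct.pack("!H", len(stripped)) + stripped[4:]

    return {
        "valid": verify_message_authenticator(good, secret),
        "tampered": verify_message_authenticator(tampered, secret),
        "missing": verify_message_authenticator(missing, secret),
        "wrong_secret": verify_message_authenticator(good, b"other-secret"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running it prints `valid: accepted` and `rejected` for the other three cases. The "missing" case is the one the check boxes in the question control: without the attribute the server has no integrity check on the EAP-Message payload, and an IAS server configured to require it will drop the request, which shows up on the client only as a timeout.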
RE: Discussion on PPTP EAP-TLS articles - 19.Jul.2003 6:16:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Steve,

I'll put this on top of the list and see if I can figure out what the issues are.

Thanks!
Tom

(in reply to tshinder)
Post #: 19
RE: Discussion on PPTP EAP-TLS articles - 15.Aug.2003 7:51:00 PM   
Quickdraw

 

Posts: 23
Joined: 19.Sep.2002
From: Canada
Status: offline
Good day Tom, Others,

I'd like to thank you first, for being my online mentor for ISA as your site pretty much taught me everything I know about ISA.

Your article on OWA 2k3 through ISA worked using a Win2k Domain and Win2k ISA box, but I can't seem to get The Certificate EAP Authentication to go...

I've got my ISA box on the domain with the DC/IAS server, all configured correctly to accept incoming calls through MS-CHAP v2.

Dialed in and accessed the /certsrv/ site with my client off site, and got the certificate (Windows XP).

Configured the connectoid to use the user cert, but I cannot get authenticated...

No errors in the event logs except timeouts.

Are there any special services that definitely need to be on for EAP that I might have shut off on one of the servers?

I'm just not quite sure why it will not authenticate.

(in reply to tshinder)
Post #: 20
