Secure VPN connection without domain computers (specific: MAC)
Hello, we have the following situation. At a customer we had a meeting with the CEO and he was worried about the current VPN security because anyone could dial in when a user loses his credentials somehow. Currently we have the following environment (therefore I hope this is the correct forum):
- Active Directory 2003 mode with 2 Windows 2003 R2 domain controllers
- 1 ISA Server 2006 firewall
- static IP address with about 10 MBit/s
In the normal case I would say this shouldn't be that much of a problem. Normally I would use L2TP/IPsec connections with domain certificates, so that the internal root certification service hands out the user and computer certificates. Now we have the situation that there are external users from a different company. These external users have got new MAC Air books (sorry about that :)). They are not part of the domain (and I don't know whether this is possible) and they are not supposed to be members of the domain because they are not part of the company itself. So I have two problems:
1. non-Windows client
2. not a member of the domain
So what can I do? The CEO is thinking very simply about this. He has got a wireless access point at home and he saw that he has the possibility to allow a specified computer via MAC address. Of course this information does not really help me because they are subnet only. Is there a way to control which device is logging into the ISA firewall?
September 24th, 2009 4:57pm

Hi, thanks for your post. I suggest that you confirm with MAC whether the MAC computer can request a certificate from the CA server. With the Windows operating system, we can enroll a computer certificate even if it does not join the domain. I think the MAC computer has a similar function. The following article introduces how to enroll a certificate by using the certreq.exe utility: http://technet.microsoft.com/en-us/library/cc736326(WS.10).aspx

If we cannot install a computer certificate on the MAC computer, you may consider using a smart card (if it is supported by MAC). In this way, only the users who have the smart card and know the smart card PIN can dial in to the VPN server.
Deploying PPTP-based Remote Access: http://technet.microsoft.com/en-us/library/cc738114(WS.10).aspx
Checklist: Deploying smart cards for logging on to Windows: http://www.microsoft.com/windows/windows2000/en/advanced/help/sag_SC_Checklist.htm

As for the question "Is there a way to control which device is logging into the ISA firewall?", I suggest that you post to the Forefront Edge Security Forum. The forum is a better support pool for this kind of question: Forefront Edge Security Forums http://social.technet.microsoft.com/Forums/en-US/category/forefrontedgesecurity

Hope the information is helpful.
Joson Zhou, TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com. This posting is provided "AS IS" with no warranties, and confers no rights.
September 25th, 2009 12:01pm

MAC address filtering only stops the casual user from gaining access. Regardless of the level of wireless security, one only needs to use a wireless sniffer to see which MAC addresses are associated with an AP. Then you spoof your own address to match that of an already connected client and the address filter is rendered useless.
September 28th, 2009 3:52am

OK, I started testing. I got stuck at the certreq -new part. What I wanted to do is create a new certificate for my laptop which I use at work. This laptop is part of a different domain and is not connected to the network, so this situation is comparable to the situation it must work with. I planned to request certificates with the certreq -new command. After figuring out some things myself, such as the provider name and type, I got stuck at the DNS name.

First the error message:
---------------------------
Certificate Request Processor
---------------------------
The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)
Denied by policy module
---------------------------
OK
---------------------------

Must the CA reach the computer for signing the certificate?

The request inf file has the following content (I referred to the TechNet article: http://technet.microsoft.com/en-us/library/cc737264(WS.10).aspx) (I think the [SAN] is not necessary):

[Version]
Signature="$Windows NT$"

[RequestAttributes]
CertificateTemplate=Machine

[NewRequest]
KeyUsage=0xa0
KeySpec=2
MachineKeySet=True
RequestType=CMC
Subject=CN=<my FQDN>

[SAN]
dns=<FQDN again>
October 1st, 2009 11:56am

Hi, to enroll a certificate for a workgroup computer, please duplicate the certificate template Machine and select the "Supply in the request" option in the Subject Name tab of the new template. Thanks.
Joson Zhou, TechNet Subscriber Support in forum. This posting is provided "AS IS" with no warranties, and confers no rights.
October 7th, 2009 10:28am

Thank you for the reply. So I assume I definitely need the Enterprise CA. There is no way without the Enterprise CA, correct? To be precise, do you mean "if you want to enroll a certificate for a computer which is not a member of the CA's domain"?
October 7th, 2009 3:45pm

Hi, based on the content of the inf file you provided, I think that you are using an Enterprise CA:

[RequestAttributes]
CertificateTemplate = Machine

Do you mean the CA is installed on a Standard Edition server? If so, I am afraid that you will have to install a standalone CA.
Joson Zhou, TechNet Subscriber Support in forum. This posting is provided "AS IS" with no warranties, and confers no rights.
October 8th, 2009 1:02pm

Hi, how's everything going? I just want to check the current status of the issue. If you need further assistance, please feel free to respond back. Thanks.
Joson Zhou, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. This posting is provided "AS IS" with no warranties, and confers no rights.
October 12th, 2009 6:49am

Sorry for the delay. So for this request file I would need an Enterprise Server or a Standalone CA, correct? I was thinking and testing for a while. I have come to the conclusion that I will use a Preshared Key. Correct me if I am wrong:
1st) I need an Enterprise CA; the customer hasn't got one.
2nd) If I use the Enterprise CA to modify the certificate template I might need to make the private key exportable. If the key is exportable the whole thing is senseless, isn't it? If the user leaves the laptop for a few minutes someone could export the certificate, am I right?
One question regarding the user certificates. For example, the user is away from the laptop for a few minutes. The intruder goes to the laptop. Now he could export the certificate and set a password for the private key. What can he do with the certificate? Is this dangerous?
October 13th, 2009 11:18am

0th, do you talk about computer IPsec certificates (which I think you do) or about user logon certificates? Both together can be used for L2TP VPN, or you can make do with just a computer certificate + user login/password. If you want to use a Preshared Key for IPsec VPN computer authentication, you do not need certificates for computer authentication at all. But PSK is not a recommended solution (not secure) for running client VPN connections because any of the clients can find the key on their computers and could duplicate it to other computers as well, which would remove some of the L2TP/IPsec security advantages.
1st, you do not need to have an Ent CA as long as you create the certificate requests manually by using the text file and upload them to a standalone CA by using the CERTREQ -submit command.
2nd, if you IMPORT the exported private key to a machine, at the time of import you can also mark the key non-exportable. So the template settings affect just the private key when it is created. After you export it and then try to import it again to the target machine, you are free to mark it non-exportable and it will be secure on the target machine.
3rd, users should lock their desktops when leaving.
4th, the private keys should be marked non-exportable.
5th, if the intruder had the private key for a computer (IPsec) certificate, he would only be able to connect to the VPN, but would still be required to log on with some username/password or another user certificate.
6th, the user certificates should preferably be stored on smart cards, which the users should be required to keep on themselves when leaving the machine.
ondrej.
October 13th, 2009 12:55pm

OK, I will look for an appropriate server for the certification role.
to 0: OK, thank you for the security advice
to 1: Would this work with my above posted ini content?
to 2: OK
October 13th, 2009 4:39pm

You can have two types of CA:
- standalone, which does NOT use certificate templates at all
- enterprise, which uses certificate templates as the only means of certificate request pre-population
BOTH types of CA can be installed on Standard and Enterprise OS editions. The Ent CA should rather be called ADIntegratedCA instead.
The standalone CA can be installed on domain member computers or even on workgroup computers. The Ent CA needs to be installed only on a domain member computer.
If you deploy a STANDALONE CA, you cannot use certificate templates at all (meaning the CertificateTemplate= field in your request is either meaningless or even invalid). Every request must contain all the extensions and fields that are necessary to have in the resulting certificate. In your case then, you are missing the Enhanced Key Usage field:

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication purpose

You can also use, if you like:

[NewRequest]
Exportable=TRUE

ondrej.
October 13th, 2009 4:49pm
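The full certreq round trip against a standalone CA, written out as an added example (this is not code from the thread). It assumes a hypothetical standalone CA "Corp Standalone CA" on ca01.example.com, a client FQDN of laptop01.example.com, and that the CA administrator issues the pending request (a standalone CA holds requests as pending by default). It differs from the INF posted earlier in two places: KeySpec=1 (a key-exchange key, which is what the Machine template creates and what a KeyUsage of 0xa0 with Key Encipherment requires) and Exportable=FALSE, following ondrej's point 4 above.

```powershell
# Added example, not from the thread. Hypothetical names: laptop01.example.com and
# the CA "ca01.example.com\Corp Standalone CA". Run in an elevated prompt on the client.
$Fqdn      = 'laptop01.example.com'
$CaConfig  = 'ca01.example.com\Corp Standalone CA'
$RequestId = 42   # hypothetical; use the RequestId printed by certreq -submit

# A standalone CA ignores CertificateTemplate=, so every extension the IPsec peer
# will look for has to be in the request itself.
$Inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject="CN=$Fqdn"
KeyLength=2048
KeySpec=1                  ; AT_KEYEXCHANGE, as the Machine template would create
KeyUsage=0xa0              ; Digital Signature + Key Encipherment
MachineKeySet=TRUE         ; key lands in the computer's store, not the user's
Exportable=FALSE           ; private key cannot be exported later, even via the MMC
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
RequestType=PKCS10

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.2      ; Client Authentication
OID=1.3.6.1.5.5.8.2.2      ; IP security IKE intermediate
"@
Set-Content -Path "$env:TEMP\$Fqdn.inf" -Value $Inf -Encoding ASCII

# 1. Generate the (non-exportable) private key locally and build the PKCS#10 request.
certreq -new "$env:TEMP\$Fqdn.inf" "$env:TEMP\$Fqdn.req"

# 2. Submit. On a standalone CA this reports "Taken Under Submission" and prints the RequestId.
certreq -submit -config $CaConfig "$env:TEMP\$Fqdn.req" "$env:TEMP\$Fqdn.cer"

# 3. The CA administrator issues the pending request on the CA (or via the Certification Authority MMC):
#    certutil -config "ca01.example.com\Corp Standalone CA" -resubmit 42

# 4. Back on the client: fetch the issued certificate and bind it to the private key created in step 1.
certreq -retrieve -config $CaConfig $RequestId "$env:TEMP\$Fqdn.cer"
certreq -accept "$env:TEMP\$Fqdn.cer"

# 5. Sanity check before trying the VPN: the chain must build from the computer's stores
#    (root CA in Trusted Root, any sub CA in Intermediate Certification Authorities).
certutil -verify "$env:TEMP\$Fqdn.cer"
```

The `$` characters in the `Signature` line are backtick-escaped because the here-string is double-quoted so that `$Fqdn` expands; the rest of the INF is literal. Step 3 is the only part that runs on the CA side.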

anyway, your surname has the same meaning as mine :-)
October 13th, 2009 6:13pm

Really? Interesting :). So I tried a bit. I have two VMwares on my computer. One VMware is a Windows XP with domain membership of our company. The other is a newly installed Windows XP machine without domain membership. So, as I mentioned above, I installed a Standalone CA on another server (customer domain).
With the domain VM it looks good. I made an advanced request (type IPSec) and enrolled the certificate. From the website I installed the certificate. On the VM I exported the certificate with the private key and imported it again to the local computer. I could connect to the destination system without any errors.
With the non-domain VM I tried the same again. I visited the certsrv website and started an advanced request with the type IPSec again. I marked that the key is exportable and sent it to the CA and enrolled it. Then I installed the certificate over the "show status of enrollment" site. Again I exported the certificate with the private key and imported it again. This time it threw error 786 while connecting (No valid computer certificate found). So what's the problem?
Added information: I also tried it with the certreq tool. First I used the *.inf file with the above mentioned changes. Then I made a req (request for CA) out of it using certreq -new. After this I submitted the request to the CA with certreq -submit. I issued the certificate in the MMC and I retrieved the certificate with certreq -retrieve n. Now I saw that I can make a private key with certreq -accept *.cer. After this I could export the certificate via MMC and stored the pfx file. With the domain VMware I could import this certificate and I could connect. With the non-domain VMware I could not connect (same error). The root CA is in the trusted CAs.
October 19th, 2009 11:27am

This probably looks like the non-domain machine does not trust the issuing CA. Check whether the non-domain computer where you have imported the certificate also has the CA's certificate (the root CA's one) in the store Local Computer - Trusted Root Certification Authorities. And if you have a structure with more CAs, then put all the intermediate CAs' certs into the Intermediate Certification Authorities store for the local computer.
If you want to check what the local computer thinks about the certificate, you can use
PSEXEC -S -I CMD.EXE
CERTUTIL -VERIFY
to verify the validity of the imported certificate (the PSEXEC is there to start the CERTUTIL utility under the computer's account).
Also, if you try to troubleshoot the IPsec connections, enable the "Audit logon events" policy and you should see some details about IKE establishment in the Security log.
ondrej.
October 19th, 2009 12:51pm

Thanks a lot. That helped me with the non-domain computer. After I installed the sub CA certificate it worked. But can you explain to me why? I am pretty sure that the sub CA is not installed on the domain machine. There only the root CA is installed.
Now I will have to figure out how this works for the MAC computers. Still don't know this. I have never touched or used a MAC before :). I will see if exporting the certificate works.
October 19th, 2009 1:44pm

Hi, you do not need to import the sub CA certificate into the Trusted Root Certification Authorities container (actually, it is not recommended), but you need to ensure that the root CA certificate is imported into that container and the sub CA certificate is imported into the Intermediate Certification Authorities container. Thanks.
Joson Zhou, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. This posting is provided "AS IS" with no warranties, and confers no rights.
October 21st, 2009 10:20am
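A check for the two store conditions the last two answers describe (root in Trusted Root, sub CA in Intermediate, and a chain that actually builds from the computer's point of view), as an added example that is not part of the thread. It assumes the machine certificate has already been imported into the computer's Personal store and is identified by its thumbprint; the thumbprint in the usage line is a hypothetical placeholder.

```powershell
# Added example, not from the thread. Inspects the computer's certificate stores the way the
# IPsec/L2TP client will use them. Run from an elevated prompt so Cert:\LocalMachine is accessible.

function Get-MisplacedIntermediates {
    # Sub CA certificates dropped into Trusted Root instead of Intermediate Certification
    # Authorities: anything in Root whose Subject differs from its Issuer is not a root.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Subject, Issuer, Thumbprint
}

function Test-MachineCertChain {
    param([Parameter(Mandatory)][string]$Thumbprint)   # thumbprint of the imported machine certificate

    $leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $leaf) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation so a CRL that is unreachable from the client does not mask a trust problem.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Require the Client Authentication EKU, as the VPN side will when it evaluates the cert.
    [void]$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.2')

    $built = $chain.Build($leaf)
    [pscustomobject]@{
        # A cert imported without its key is what produces error 786 ("No valid computer certificate found").
        HasPrivateKey = $leaf.HasPrivateKey
        ChainBuilds   = $built
        # Leaf first, then each issuer the chain engine found; a missing sub CA shows up as a short list.
        Elements      = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        # Empty when the chain is fine; PartialChain or UntrustedRoot otherwise.
        Problems      = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

# Usage (hypothetical thumbprint):
# Test-MachineCertChain -Thumbprint 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678'
# Get-MisplacedIntermediates
```

X509Chain consults the current user's stores as well as the computer's, so a chain that builds here but not for the VPN service usually means the CA certificates exist only under the user; the PSEXEC -S trick given above runs the same check as the computer account and removes that ambiguity.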
