Windows ‘Always On’ VPN Part 2 (NPS, RAS, and Clients)

KB ID 0001403

Problem

Back in Part One we set up the AD groups and the Certificate Services that knit everything together. Now we need to configure an NPS server, which acts as the RADIUS server that authenticates our remote clients, and a RAS server that those remote clients actually connect to.

Step 1: Network Setup

Microsoft have an alarming habit of telling you to connect DMZ assets to the LAN. In their defence I’ve seen some documentation where there is a firewall both in front of and behind the RAS/VPN server, but then you keep reading and they refer to ‘the NIC on the LAN’ and ‘the NIC in the DMZ’. As you can tell, I’m not a fan. I prefer an un-authenticated DMZ and an authenticated DMZ, with neither connected directly to the LAN, so that I control exactly what can, and cannot, flow between the DMZs and the LAN.

My way means I have to allow more ports for domain membership etc., but if you have a Cisco ASA I’ve covered that in the following article;

Cisco ASA – Allowing Domain Trusts, and Authentication

As for the VPNs and RADIUS you need to allow the following;

From Outside to the RAS Server

  • UDP 500 (ISAKMP)
  • UDP 4500 (NAT Traversal)

From the RAS Server to the NPS/NAP Server

  • UDP 1812 (RADIUS Authentication)
  • UDP 1813 (RADIUS Accounting)
  • UDP 1645 (RADIUS Authentication)
  • UDP 1646 (RADIUS Accounting)

Quite why it needs both pairs of RADIUS ports I’m unsure; I’ve not scanned or packet-captured the traffic, but I’m willing to bet it really only needs one pair. For what it’s worth, 1812/1813 are the ports assigned by RFC 2865/2866, 1645/1646 are the legacy ports that pre-date them, and NPS listens on both pairs by default for backwards compatibility. The RRAS RADIUS client defaults to 1812/1813, so unless you change that, those two are all you actually need to open between the RAS and NPS servers.

Step 2: Install NPS

Server Manager > Manage > Add Roles and Features > Network Policy and Access Services > Complete the wizard accepting the defaults.

Administrative Tools > Network Policy Server > Right click NPS (Local) > Register server in Active Directory > OK.

Even though it’s not set up yet, we need to add our RAS server as a RADIUS client > RADIUS Clients > New.

Friendly Name: A sensible name that identifies the RAS server

IP: IP of the RAS server (On the LAN segment)

Shared Secret: Generate a new (long, random) one and copy it to the clipboard, (you will need it in a minute.) The shared secret is the only thing authenticating the RAS server to NPS, so treat it like a password.

On the main page, ensure ‘RADIUS server for Dial-Up or VPN Connections’ is selected > Configure VPN or Dial-Up.

Select ‘Virtual Private Network (VPN) Connections’ > Next > Ensure the RADIUS client you have just created is listed > Next > Ensure ONLY ‘Extensible Authentication Protocol’ is ticked > Change its value to Microsoft Protected EAP (PEAP) > Configure.

EAP Types: Remove the one that is listed by default > Add in ‘Smart card or other certificate’ > OK > Under Groups make sure you have ONLY added the group you created back in part one > Next > Next.

Next > Next > Finish.

Your connection request policies should look like this.

Your network policies should look like this.

Step 3: Setup RAS

Server Manager > Manage > Add roles and Features > Next > Next > Next > Remote Access > Next.

Select ‘DirectAccess and VPN (RAS)’ > Finish the wizard accepting the defaults.

Open the Getting Started Wizard > Select VPN Only.

Administrative Tools > Routing and Remote Access > Right click {server-name} > Configure and enable Routing and Remote Access > Next  > Custom configuration.

VPN Access > Next > Finish > Start service.

Once again right click {server-name} > Properties > IPv4 > Note: If you are not going to use your internal DHCP server/scope, then you can set up a static address pool manually (as shown) > Ensure ‘Enable broadcast name resolution’ is selected, and the RAS server’s internal/LAN interface is selected as the adapter > Apply.

Security Tab: Authentication provider = RADIUS Authentication > Configure > Add > Enter the IP of the NPS server > Change > Paste in the shared secret you copied, (above) > Tick ‘Always use message authenticator’ so every RADIUS packet carries an HMAC over the shared secret, not just the password attribute > OK > OK.

Repeat the same procedure for Accounting provider, (below).

Drill down to ‘Ports’ > Right click > Properties > Select SSTP > Configure > Remove the tick from ‘Remote access connections (inbound only)’ > OK. Repeat this procedure for ALL the protocols EXCEPT IKEv2, (so when finished, only IKEv2 is set to accept incoming requests, which is also why only UDP 500/4500 were opened on the firewall above).
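The NPS and RAS steps above can also be done from PowerShell, which is handy when you want the build to be repeatable. The block below is an added example and is not from the original article; it assumes an NPS server called NPS01.corp.local, a RAS server called RAS01 whose LAN-side address is 10.0.20.10, and Server 2012 R2 or later (the port-count parameters of Set-VpnServerConfiguration and the NPS cmdlets are not present on older releases; check Get-Help before relying on them). Run the first half on the NPS server and the second on the RAS server, both from an elevated prompt, and carry the same $SharedSecret value between them.

```powershell
# Added example, not part of the original article. Assumed names: NPS01.corp.local (NPS),
# RAS01 at 10.0.20.10 (RRAS, LAN-side NIC). Run each half on the server it names, elevated.

# ---------- On the NPS server ----------
Install-WindowsFeature NPAS -IncludeManagementTools

# Register NPS in AD (puts it in 'RAS and IAS Servers' so it can read users' dial-in attributes)
netsh ras add registeredserver

# A long random shared secret; the RAS server must be given exactly the same value.
$bytes = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$SharedSecret = [Convert]::ToBase64String($bytes)

# Equivalent of RADIUS Clients > New
New-NpsRadiusClient -Name 'RAS01' -Address '10.0.20.10' -SharedSecret $SharedSecret -Enabled $true
Get-NpsRadiusClient -Name 'RAS01'

# NPS creates broad inbound RADIUS rules at install time (both port pairs, any source).
# Add a rule scoped to the RAS server and the RFC 2865/2866 ports, then review the default
# 'Network Policy Server' rules in the firewall console and tighten or disable the ones you don't need.
New-NetFirewallRule -DisplayName 'RADIUS from RAS01 only' -Direction Inbound -Protocol UDP `
    -LocalPort 1812,1813 -RemoteAddress 10.0.20.10 -Action Allow -Profile Domain

# ---------- On the RAS server ----------
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
Install-RemoteAccess -VpnType Vpn            # 'VPN Only', no DirectAccess

# Security tab > RADIUS Authentication / RADIUS Accounting. Ports are the defaults (1812/1813),
# stated explicitly so they line up with the firewall rule above. MsgAuthenticator = the
# 'Always use message authenticator' tick box.
Set-VpnAuthType -Type ExternalRadius
Add-RemoteAccessRadius -ServerName 'NPS01.corp.local' -SharedSecret $SharedSecret `
    -Purpose Authentication -Port 1812 -MsgAuthenticator Enabled
Add-RemoteAccessRadius -ServerName 'NPS01.corp.local' -SharedSecret $SharedSecret `
    -Purpose Accounting -Port 1813

# Ports: leave IKEv2 listening, take the other protocols out of service (the GUI equivalent is
# unticking 'Remote access connections (inbound only)' on each of them).
Set-VpnServerConfiguration -Ikev2Ports 128 -SstpPorts 0 -L2tpPorts 0 -PptpPorts 0 -GrePorts 0
Set-VpnServerIPsecConfiguration -EncryptionType MaximumEncryption

# What did we end up with?
Get-VpnAuthType
Get-RemoteAccessRadius
Get-VpnServerConfiguration | Select-Object Ikev2Ports, SstpPorts, L2tpPorts, PptpPorts, GrePorts
```

If Get-RemoteAccessRadius shows the NPS server but clients still fail to authenticate, compare the shared secret on both ends first; NPS logs a mismatched secret as an invalid authenticator in the System log before it ever evaluates a network policy.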

Step 4: Configure Reference Windows 10 Machine

On a Windows 10 machine*, launch ‘Change virtual private networks’.

*Note: Your logged-on user must have a certificate issued to them, and be a member of the AD group we created earlier.

Add a VPN connection.

  • VPN Provider: Windows (Built-in).
  • Connection Name: Connection-Template.
  • Server Name or address: (The ‘public’ name we put on the certificate on the RAS server).

Change Adapter options.

Right click the VPN connection > Properties.

Security Tab:

  • Type of VPN: IKEv2
  • Data Encryption: Maximum strength encryption (disconnect if server declines)
  • Use Extensible Authentication Protocol (EAP) > Microsoft: Protected EAP (PEAP)
  • Properties > Under ‘Connect to these servers’ enter the name on the certificate of your NPS server, not the RAS server. (That looks wrong, but the EAP conversation is tunnelled through the RAS server and terminates on NPS, so it is the NPS server’s certificate the client is validating.)
  • Tick your Root CA cert for the domain under ‘Trusted Root Certification Authorities’.
  • Select ‘Don’t prompt user to authorise new servers or trusted certification authorities’; with that set, a rogue server presenting a certificate from any other CA is rejected silently rather than offered to the user to accept.

Connect your VPN to test it.

Make sure everything works.

Note: I had some DNS resolution problems, see the post below to find out how I fixed them;

Windows 10: Remote VPN Client Cannot Resolve Domain DNS

Now you need to ‘capture’ all those settings so you can give them to your other clients. To do that you need a copy of Microsoft’s PowerShell script MakeProfile.ps1. You will need to edit the script a little, see the example below. Running the script will output two files to the desktop, a PowerShell script (VPN_Profile.ps1) and the matching ProfileXML file.

Step 5: Deploying the Settings

At the time of writing you can deploy these settings via three methods: a PowerShell script, SCCM, or Microsoft Intune. I’m simply going to run the PowerShell script. There are a few restrictions though: you have to be logged on as the particular user, and they need administrative rights to run the script, which is a bit of a pain. You can use Restricted Groups and set the PowerShell script to run at logon with Group Policy, then remove the policy once configured, but it’s still a bit of a drama. Below I’m simply running the VPN_Profile.ps1 file I generated above.
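To make the ‘capture’ and ‘deploy’ steps above concrete, here is an added example (written for this page, it is not Microsoft’s MakeProfile.ps1 or VPN_Profile.ps1, although it follows the same approach they use) that reads the EAP settings out of the reference connection, wraps them in a ProfileXML, and writes the profile into the VPNv2 CSP through the MDM bridge for the logged-on user. The server name vpn.corp.example.com, DNS suffix corp.example.com, internal range 10.0.0.0/8 and profile name ‘Corp AOVPN’ are assumptions; the connection name ‘Connection-Template’ is the one from Step 4.

```powershell
# Added example, not the Microsoft scripts referenced in the article. Run elevated, logged on as
# the user who should receive the profile. Assumed values below; 'Connection-Template' is the
# reference connection built in Step 4.
$TemplateName = 'Connection-Template'
$ProfileName  = 'Corp AOVPN'
$Servers      = 'vpn.corp.example.com'
$DnsSuffix    = 'corp.example.com'

# 1. Capture. The EAP blob (PEAP, 'Smart card or other certificate', trusted root, server name)
#    is the part you do not want to hand-write, so lift it from the working connection.
$Connection  = Get-VpnConnection -Name $TemplateName -ErrorAction Stop
$EapSettings = $Connection.EapConfigXmlStream.InnerXml

# 2. Build the ProfileXML. AlwaysOn + TrustedNetworkDetection give 'connect whenever I am off the
#    corporate network'; SplitTunnel plus an explicit Route keeps internet traffic off the tunnel.
$ProfileXML = @"
<VPNProfile>
  <DnsSuffix>$DnsSuffix</DnsSuffix>
  <NativeProfile>
    <Servers>$Servers</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>$EapSettings</Configuration>
      </Eap>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <TrustedNetworkDetection>$DnsSuffix</TrustedNetworkDetection>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
</VPNProfile>
"@
# Keep a copy; this is the same XML you would hand to Intune or SCCM.
$ProfileXML | Out-File "$env:USERPROFILE\Desktop\VPN_Profile.xml" -Encoding UTF8

# 3. Deploy via the MDM bridge. The CSP needs the target user's SID so the profile lands in that
#    user's context (hence 'must be logged on as that user'), and the caller must be an administrator.
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
$ProfileXMLEscaped  = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_VPNv2_01'
$nodeCSPURI    = './Vendor/MSFT/VPNv2'

$Sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$session = New-CimSession
$options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
$options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
$options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', $Sid, $false)

# Remove a stale copy of the same profile first; CreateInstance fails if it already exists.
foreach ($existing in $session.EnumerateInstances($namespaceName, $className, $options)) {
    if ($existing.InstanceID -eq $ProfileNameEscaped) {
        $session.DeleteInstance($namespaceName, $existing, $options)
    }
}

$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
$newInstance.CimInstanceProperties.Add(
    [Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID',   $nodeCSPURI,         'String', 'Key'))
$newInstance.CimInstanceProperties.Add(
    [Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $ProfileNameEscaped, 'String', 'Key'))
$newInstance.CimInstanceProperties.Add(
    [Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $ProfileXMLEscaped,  'String', 'Property'))
$session.CreateInstance($namespaceName, $newInstance, $options) | Out-Null

# 4. Verify: the new profile should be listed next to the template.
Get-VpnConnection | Select-Object Name, ServerAddress, TunnelType, ConnectionStatus
```

The escaping in step 3 looks odd but is deliberate: the ProfileXML is stored as a string property of the CSP node, so its own angle brackets and quotes have to be entity-encoded or the bridge rejects the instance. Once the profile is in place you can test it without logging off by running `rasdial "Corp AOVPN"` from a normal (non-elevated) prompt.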

Now once the user logs in (and has a working internet connection) the remote client will auto-connect.


That covers USER tunnels, you can also, (Post 1709 Windows 10 Builds,) have DEVICE tunnels. Which I would write a part three about, but I simply cannot get them to work, so I’m waiting for the bugs to be ironed out, and I will revisit it at some point in the future.

Related Articles, References, Credits, or External Links

NA

VMware Workstation – Deploying Server 2012 and Windows 8 ‘Linked Clones’ from Templates

KB ID 0000953 

Problem

VMware Workstation is a great test tool. If I need to take a look at some new software, or plan how I’m going to do a job, and I don’t have access to the ESX server or a test bench, it’s a great tool to have on my laptop.

If you build machines from scratch every time you need one, it can take a while. To address that you can create a template and deploy machines from it. To make things even more efficient you can make them ‘linked clones’. If you use VDI you will probably be aware of linked clones: they use the hard drive of the machine they were created from and maintain a ‘delta disk’ that holds the differences, which makes them very efficient at using disk space (good if you are running on a laptop!)

Solution

1. I’ve titled this Windows 8 and Server 2012, but the process works for just about any modern version of Windows. Build the machine that will be the template, and install all the latest updates. Locate sysprep.exe, usually in C:\Windows\System32\Sysprep, and run it. Ensure the ‘Generalize’ option is selected, and the shutdown option is set to ‘Shutdown’.

2. Once finished the machine will shut down. In VMware Workstation right click the VM > Snapshot > Take Snapshot > Give the snapshot a sensible name > Take Snapshot.

3. Once complete > Right click the VM again > Settings > Options tab > Advanced > Select ‘Enable Template mode (to be used for cloning)’ > OK.

4. Now every time you want a new VM simply right click the template > Manage > Clone > When the wizard starts > Next.

5. Choose the snapshot you took in step 2 > Next > Linked Clone (a full clone creates a completely separate copy of the disk and takes a LOT more space) > Next > Give it a name > Finish.

6. Power on your new machine; it will run the Windows mini-setup (because the template was generalized) and behave like a completely new VM with its own SID and name.

Related Articles, References, Credits, or External Links

NA

VMware VIM (vCenter) Where to put the sysprep files in Server 2008?

KB ID 0000420 

Problem

For newer servers I don’t really use templates anymore, but if you are deploying a lot of Windows 2003 servers in vSphere then they can save you some time. Back in the days of vCenter 2.5 you just uploaded the sysprep files to the relevant folder in,

[box]C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\sysprep[/box]

But that location no longer exists once vCenter is running on Server 2008 or later, because ‘All Users\Application Data’ moved to ProgramData.

Solution

The location for sysprep files is now,

[box]C:\ProgramData\VMware\VMware VirtualCenter\sysprep[/box]

 

Related Articles, References, Credits, or External Links

Download all the sys prep versions

Windows Server – Secure RDP Access with Certificates

KB ID 0000944

Problem

This procedure ensures that the traffic sent over an RDP connection to a server is protected by TLS using a certificate issued by your own CA, rather than the self-signed certificate the server generates for itself. IT DOES NOT stop clients connecting to an RDP server if they do not trust that certificate (they just get a warning), and it does nothing to authenticate the client. If you need that level of control, that should already be done by 802.1x.

Solution

Create an RDP Certificate Template

1. On the domain CA launch the Certification Authority management console > Certificate Templates > Right click > Manage.

2. Locate, and make a duplicate of, the Computer template.

3. General tab > Set the display and template name to RemoteDesktopSecure.

4. Extensions tab > Application Policies > Edit > Add.

5. New > Name=SSL Secured Remote Desktop > Object Identifier=1.3.6.1.4.1.311.54.1.2 > OK.

6. Select the policy you have just created > OK.

7. Remove the other policies, so only the one we have just created remains > OK.

8. Security tab > Ensure that the computer groups you want to apply the template to are selected for Read and Enroll. (Below I’ve put three examples: firstly I create a group for my servers, secondly I just apply it to my domain controllers, or lastly I allow all Domain Computers.) How you want to apply this is up to you; the narrower the group, the fewer machines can request a certificate carrying the Remote Desktop Authentication policy.

9. Issue/Publish the new certificate template.

Create a GPO to secure RDP access with Certificates.

10. From the Group Policy Management Console, create (or edit) a GPO and give it a sensible name.

11. Edit that policy and navigate to;

[box]

Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.

[/box]

Locate the ‘Server authentication certificate template’ policy.

12. Enable it and set the template name to RemoteDesktopSecure > Apply > OK.

13. In the same location, locate the ‘Require use of specific security layer for remote (RDP) connections’ policy.

14. Enable the policy and set the security layer to SSL (TLS 1.0) > Apply > OK > Exit the policy editor. (The option is labelled ‘SSL (TLS 1.0)’ in the editor, but it simply forces the TLS security layer; the TLS version actually negotiated is governed by the server’s Schannel configuration, so it does not pin you to TLS 1.0.)

15. Link the GPO to an OU that contains the servers you want to apply the policy to.

16. You may need to wait a short while, but eventually the servers will get their certificates.

Note: This view is simply ‘Microsoft Management Console’ with the ‘Certificates (Local Computer)’ snap-in added.

17. To prove it’s working, try connecting from a client that does not trust your Domain CA, and you should see an error something like this.

Check What Certificate RDP Is Using

You can check the thumbprint of the certificate the GPO told the server to use. It is stored as a REG_BINARY value called TemplateCertificate; Windows Key+R > Regedit {Enter} > Navigate to;

[box]

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Terminal Server > WinStations > TemplateCertificate

[/box]

You can check this against the actual certificate > Windows Key+R > mmc {Enter} > File > Add/Remove Snap-in > Certificates > Local Computer > Open Certificates > Personal > Certificates > Locate the certificate you ‘think’ RDP is using and compare its thumbprint with the registry value you found above.

Or you can execute the following PowerShell command to get the thumbprint of the certificate the RDP listener is actually serving (SSLCertificateSHA1Hash), along with the security layer in force;

[box]

Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-Tcp'" | Select-Object TerminalName, SSLCertificateSHA1Hash, SecurityLayer

[/box]
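Pulling those three sources together, the following added example (not part of the original article) reports the thumbprint RDP is serving, the thumbprint the GPO pushed into the registry, whether they agree, and whether the certificate behind them actually carries the Remote Desktop Authentication application policy (1.3.6.1.4.1.311.54.1.2) and came from the RemoteDesktopSecure template. RDP-Tcp is the default listener name; the template name is the one created in step 3 above, and everything else is read from the machine. Run it elevated on the RDP host.

```powershell
# Added example, not from the original article. Run elevated on the server being checked.
function Get-RdpCertificateReport {
    param([string]$TemplateName = 'RemoteDesktopSecure')   # template name from step 3 above

    # What the listener is serving right now. SecurityLayer: 0 = RDP security, 1 = negotiate, 2 = TLS
    $ts = Get-CimInstance -Namespace root\cimv2\terminalservices -ClassName Win32_TSGeneralSetting `
            -Filter "TerminalName='RDP-Tcp'"
    $served = $ts.SSLCertificateSHA1Hash

    # What the GPO pushed down: a REG_BINARY thumbprint under WinStations
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
    $regBytes = (Get-ItemProperty -Path $regPath -Name TemplateCertificate -ErrorAction SilentlyContinue).TemplateCertificate
    $fromGpo  = if ($regBytes) { ($regBytes | ForEach-Object { $_.ToString('X2') }) -join '' } else { $null }

    # The certificate itself, from the local machine Personal store
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $served }
    $hasRdpEku = $false
    $template  = $null
    if ($cert) {
        $hasRdpEku = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.54.1.2' })
        # v2+ templates record themselves in the 'Certificate Template Information' extension.
        # The name only resolves if this machine knows the template OID; otherwise you see the OID,
        # which you can compare with the template's msPKI-Cert-Template-OID attribute in AD.
        $template = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } |
                     ForEach-Object { $_.Format($false) }) -join ''
    }

    [pscustomobject]@{
        ServedThumbprint     = $served
        GpoThumbprint        = $fromGpo
        ThumbprintsMatch     = [bool]($fromGpo -and ($served -eq $fromGpo))
        SecurityLayer        = $ts.SecurityLayer
        CertificateFound     = [bool]$cert
        Subject              = $cert.Subject
        Issuer               = $cert.Issuer
        NotAfter             = $cert.NotAfter
        HasRdpAuthEku        = $hasRdpEku
        TemplateInfo         = $template
        FromExpectedTemplate = ($template -like "*$TemplateName*")
    }
}

Get-RdpCertificateReport | Format-List
```

If ThumbprintsMatch is false but GpoThumbprint is populated, the policy has applied and the certificate has enrolled, but the Remote Desktop Services service has not picked it up yet; a restart of the TermService service (or a reboot) sorts that out. If GpoThumbprint is empty, the policy has not applied at all, so start with gpresult rather than with the certificate.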

Related Articles, References, Credits, or External Links

NA

Cisco – Automatic Re-enrollment Fails to MSCEP/NDES

KB ID 0000970

Problem

I’ve covered setting up NDES at length in the past, but what happens when your issued certificates expire? If you are using them for all your VPNs, what then? Well, thankfully you can get your devices to automatically re-enroll before they expire; for example, to renew the cert at 80% of its lifetime you would use the following;

[box]

crypto pki trustpoint PNL-TRUSTPOINT
 ! SCEP URL of the NDES server; 'enrollment mode ra' tells IOS it is talking to a registration authority (NDES), not the CA directly
 enrollment url http://123.123.123.130/CertSrv/mscep/mscep.dll
 enrollment mode ra
 usage ike
 ! subject contents: serial number, IP address and FQDN of the router
 serial-number
 ip-address 123.123.123.90
 fqdn RTR2hr.testbench.local
 ! no CRL/OCSP checking on certificates chained to this trustpoint
 revocation-check none
 ! keep retrying the enrollment if NDES is unreachable (100 attempts, 5 minutes apart)
 enrollment retry count 100
 enrollment retry period 5
 rsakeypair PNL-TRUSTPOINT 2048
 ! request a new certificate, and generate a new key pair, at 80% of the current certificate's lifetime
 auto-enroll 80 regenerate

[/box]

However, there is a problem. If you are using Server 2008 there’s a hot-fix for this (and you need to make the following change as well); I’m on Server 2012 and mine was still failing.

Solution

1. On the server running the NDES Server role > Open the registry editor and navigate to;

[box]
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP
[/box]

Create a new 32-bit DWORD value called DisableRenewalSubjectNameMatch and set its value to 1 (one). By default NDES rejects a renewal request whose subject name does not match the certificate being renewed; this value switches that check off.

2. Also ensure the certificate template you are using for NDES has the following settings. Here I’m using a custom template called NDESTemplete; if you are using the default one it will be called ‘IPSec (Offline request)’. On the Subject Name tab make sure ‘Supply in the request’ is selected.

3. On the ‘Issuance Requirements’ tab, ensure ‘CA certificate manager approval’ is NOT selected.

 

Related Articles, References, Credits, or External Links

NA

Certificate Services Error – ‘The Email name is unavailable and cannot be added to the Subject or Subject Alternate name’

KB ID 0001029

Problem

Server: Windows Server 2012 R2
Client: Windows 8 Enterprise

I was setting up auto-enrollment this morning, and the computer certificates were getting issued but not the user ones. The policies were correct, the registry keys on the clients were correct, even RSOP told me the users ‘should’ be getting certificates.

However nothing was working so I decided to ‘manually enroll’ and this happened;

The Email name is unavailable and cannot be added to the Subject or Subject Alternate name. Denied by Policy Module the request ID is {number}

As I could see it was denied, I went and looked in failed requests, sure enough, here was where my auto enrollment had been failing.

Event ID Logs

A look in the event log on the Certificate Server also gave me this.

Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 03/02/2015 13:31:07
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: PETENETLIVE\petelong
Computer: PNLWin800v.petenetlive.com
Description:
Certificate enrollment for PETENETLIVE\petelong failed to enroll for a PNL-User
 certificate with request ID 23 from PNLPKI00v.petenetlive.com\petenetlive-CA
(The EMail name is unavailable and cannot be added to the Subject or Subject
Alternate name. 0x80094812 (-2146875374)).

Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Date: 03/02/2015 13:28:52
Event ID: 6
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: PNLWin800v.petenetlive.com
Description:
Automatic certificate enrollment for PETENETLIVE\petelong failed (0x80094812)
The EMail name is unavailable and cannot be added to the Subject or Subject
Alternate name.

Solution

The certificate template I was using needed the following option removing: on the template’s Subject Name tab, untick ‘E-mail name’ under ‘Include this information in alternate subject name’. (WARNING: Don’t do this if you are going to use these certs to sign emails – I was not.) I also removed the ‘Include e-mail name in subject name’ option below. The CA fails the request because the template demands an e-mail name and the user object has no mail attribute to build it from.

Or (as a quick fix -I was on my test network with one user) I simply gave that user an entry in their Email field in Active Directory.

Another Option: Give all users an email address using PowerShell, see the following article;

PowerShell – Update All Domain Users With Email Address From UPN
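Before choosing between the two fixes it helps to see which flags the template is actually setting and how many users lack a mail attribute. The block below is an added example, not from the original article or the linked post: it reads the template’s msPKI-Certificate-Name-Flag from AD and decodes the two e-mail bits (values from MS-CRTD), lists enabled users with no mail attribute, and can populate mail from the UPN, previewing with -WhatIf unless you pass -Commit. The template name PNL-User is the one in the event log above; run it with the ActiveDirectory module on a domain-joined machine.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-TemplateEmailRequirement {
    param([Parameter(Mandatory)][string]$TemplateName)   # e.g. 'PNL-User' from the event log

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $tpl = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
              -Filter "cn -eq '$TemplateName'" -Properties 'msPKI-Certificate-Name-Flag'
    if (-not $tpl) { throw "Template '$TemplateName' not found in AD" }

    # AD stores the flags as a signed Int32; reinterpret the bits as UInt32 so the high bits test cleanly
    $flags = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$tpl.'msPKI-Certificate-Name-Flag'), 0)

    [pscustomobject]@{
        Template              = $TemplateName
        NameFlags             = ('0x{0:X8}' -f $flags)
        IncludeEmailInSubject = [bool]($flags -band 0x20000000)   # CT_FLAG_SUBJECT_REQUIRE_EMAIL (MS-CRTD)
        IncludeEmailInSAN     = [bool]($flags -band 0x04000000)   # CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL (MS-CRTD)
    }
}

function Get-UsersWithoutMail {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # Enabled accounts with no mail attribute: exactly the users whose enrollment fails with 0x80094812
    Get-ADUser -Filter { Enabled -eq $true -and mail -notlike "*" } -SearchBase $SearchBase `
               -Properties mail, UserPrincipalName |
        Select-Object SamAccountName, UserPrincipalName, mail
}

function Set-MailFromUpn {
    param([switch]$Commit)
    foreach ($u in Get-UsersWithoutMail) {
        if ($u.UserPrincipalName) {
            # Preview by default; -Commit turns -WhatIf off and writes the attribute
            Set-ADUser -Identity $u.SamAccountName -EmailAddress $u.UserPrincipalName -WhatIf:(-not $Commit)
        }
    }
}

Get-TemplateEmailRequirement -TemplateName 'PNL-User' | Format-List
Get-UsersWithoutMail | Format-Table -AutoSize
Set-MailFromUpn          # preview; run 'Set-MailFromUpn -Commit' to apply
```

If both flags come back false, the template is not the problem and the failure is elsewhere in the policy module. If either is true and the user list is long, untick the template options (the first fix) rather than inventing addresses for every account, unless the UPN genuinely is the users’ mail address.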

Related Articles, References, Credits, or External Links

NA

Cisco ISE – Replace the Self Signed Certificate

KB ID 0001068 

Problem

Cisco ISE arms itself with a self-signed certificate out of the box (well, the NFR appliance does anyway). To replace that cert with one signed by your own CA, this is the procedure. (Note: I’m using Microsoft Certificate Services on Server 2012 R2).

Solution

Step 1: Import the CA Certificate into ISE

Note: If you have a lot of issuing servers it’s a good idea to repeat this procedure for EVERY issuing server you have in your PKI environment. Assuming you have an offline root, that would be every SubCA (to use Microsoft terminology), plus the root itself, because ISE has to be able to build the complete chain before it will let you bind the signed certificate. On my test network I only have one so that’s not a problem.

1. Connect to the web enrollment portal of your Certificate Services server > Download a CA certificate, certificate chain, or CRL.

2. Select DER encoding > Download CA Certificate.

3. Save the certificate where you can find it, with a sensible name.

4. Log into ISE > Administration > System > Certificates > Certificate Store > Import.

5. Import the certificate you just saved and tick the ‘Trust for client authentication or secure Syslog services’ option > Submit.

Step 2: Generate a New Certificate for Cisco ISE

6. Whilst still in the certificate section > Local Certificates > Add > Generate Certificate Signing Request.

7. Enter the FQDN of the ISE appliance > Submit.

8. Certificates > Certificate Signing Requests > Export.

9. Again save it somewhere you can find it easily.

10. Open the PEM file you just created, and copy all the text to the clipboard.

11. Back at your web enrollment portal > Request a certificate.

12. Advanced certificate request.

13. Submit a certificate request by using…

14. Paste in your copied text (make sure no spaces get added to the end, this usually happens, be careful) > Set the template to Web Server (or your own template, if you are not using the default one) > Submit.

15. Select DER encoded > Download certificate > Save it with a name that is recognizable as the ISE appliance.

16. On the ISE web portal > Local Certificates > Add > Bind CA Signed Certificate.

17. Browse to the new cert > Select EAP and HTTPS > Submit.

18. Now remember to connect to the ISE appliance using its FQDN (you did remember to create a record in DNS for it didn’t you?)

At this point, if you get an error, either the URL is wrong, you didn’t create a DNS record, or the machine you are on does not trust your issuing server’s root certificate.

Related Articles, References, Credits, or External Links

NA

Cisco AnyConnect – Securing with Microsoft Certificate Services

Part 1 (How to Configure Microsoft Certificate Services for AnyConnect)

KB ID 0001030 

Problem

I’ve done a lot of AnyConnect deployments, and I’ve even done them with certificates in the past. I’ve seen plenty of articles and blogs that say ‘It would be better to use a PKI deployment like Microsoft Certificate Services’, but there’s very little info out there on how to set it up.

I have a client that was going to deploy Microsoft Direct Access, but due to unforeseen circumstances has changed their requirements and wants to use AnyConnect instead, (with the following requirements).

  • The connection should be ‘always on’ for their remote clients.
  • It should use certificate based authentication that would use their existing PKI deployment.
  • They should be able to control the remote clients from their corporate location (if required).
  • They should be able to roll out the software using Microsoft SCCM.

So I disappeared with an ESXi server, a spare firewall, and a large mug of coffee.

Solution

I am going to send out both user and computer certificates, and I’m going to get the machines to ‘Autoenroll’ for the certificates with group policy. (You could just use ‘User’ certificates, but that would be too easy).

1. Remember certificates are time-sensitive, so make sure your Windows domain is keeping good time. I’ve written about this before, but to cut a long story short, carry out the following on your PDC emulator at an elevated command prompt.

[box]

w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update
net stop "windows time"
net start "windows time"
w32tm /resync

[/box]

2. I’m assuming you have Certificate Services set up and have templates for computers and users; if not, see Installing Microsoft Certificate Services. Ensure the templates are published and configured correctly, like so;

User Certificate Template

Computer Certificate Template

3. Publish the Certificates.

4. Set up a Group Policy for certificate auto-enrollment.

5. For User certificate auto-enrollment go to:

[box]

User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment

[/box]

6. For Computer certificate auto-enrollment go to:

[box]

Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment

[/box]

7. Ensure your target machines have their certificates,(user and computer).

***OPTIONAL STEP***

I’m using NDES to put the certificates on my Cisco ASA, and I want to use that same certificate on the ‘outside’ interface of my ASA. Now I could just manually get a cert by creating a CSR and giving that to my certificate authority, then use the ‘Web Server’ template and everything would be peachy. However I want NDES to do ‘EVERYTHING’ for me, so I need to make a change to the template that NDES uses, (by default ‘IPSEC (Offline request)’). I need to add the ‘Server Authentication’ application policy (EKU), or when I enable the cert on the outside interface I will get an error, because the ASA insists on that EKU for a certificate used for SSL. To that end, I need to create a new certificate template, and then get NDES to use that template instead.

1. Open the Certification Authority management console > Right click Certificate Templates > Manage.

2. Locate ‘IPSEC (Offline request)’ template and clone it.

3. Give the cert a name (in the ‘template name’ section leave no spaces or special characters). Then copy the template name to notepad, (you’ll find out why in a minute).

4. Extensions Tab > Application Policies > Edit.

5. Add > Locate and add ‘Server Authentication’ > OK > OK.

6. If you had NDES set up correctly your NDES service account should have Enroll rights on this template already, but check to be on the safe side.

7. Save and publish the new template.

8. Remove the original IPSEC (Offline request) template.

9. To get NDES to use the new template you need to edit three registry values. Open ‘regedit’ and navigate to;

[box]HKLM > Software > Microsoft > Cryptography > MSCEP[/box]

Change the following keys to the new template name;

  • EncryptionTemplate
  • GeneralPurposeTemplate
  • SignatureTemplate

10. At this point you need to restart IIS (iisreset from an elevated prompt), because NDES only reads these values when its application starts; in my case I just rebooted the server.
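The registry edits in steps 9 and 10 above, and the DisableRenewalSubjectNameMatch value from the ‘Automatic Re-enrollment Fails to MSCEP/NDES’ article earlier on this page, both land in the same MSCEP key, so one script covers both. The following is an added example, not from either article: it first confirms the template really exists in AD, carries the Server Authentication application policy (1.3.6.1.5.5.7.3.1) and is published on an issuing CA (the three things that make NDES fail silently if you get them wrong), then points the three template values at it, adds the renewal DWORD, and restarts IIS. The template name NDES-ASA is an assumption; use the ‘template name’ you copied to Notepad in step 3. Run it elevated on the NDES server with the ActiveDirectory module installed.

```powershell
# Added example, not from the original articles. Run elevated on the NDES server (needs RSAT AD module).
$TemplateName = 'NDES-ASA'    # assumed: the 'template name' (no spaces), NOT the display name
$MscepKey     = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Does the template exist, and does its application policy include Server Authentication?
$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
          -Filter "cn -eq '$TemplateName'" -Properties 'msPKI-Certificate-Application-Policy', pKIExtendedKeyUsage
if (-not $tpl) { throw "Template '$TemplateName' does not exist in AD; NDES would fail with an unknown-template error" }

$ekus = @($tpl.'msPKI-Certificate-Application-Policy') + @($tpl.pKIExtendedKeyUsage) | Select-Object -Unique
if ($ekus -notcontains '1.3.6.1.5.5.7.3.1') {
    Write-Warning "Template lacks Server Authentication (1.3.6.1.5.5.7.3.1); the ASA will refuse it on the outside interface"
}
if ($ekus -notcontains '1.3.6.1.5.5.8.2.2') {
    Write-Warning "Template lacks IP security IKE intermediate (1.3.6.1.5.5.8.2.2), which the IPSec (Offline request) parent carries"
}

# 2. Is it published on an issuing CA? (step 7 above)
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC" `
          -Filter "objectClass -eq 'pKIEnrollmentService'" -Properties certificateTemplates, dNSHostName
$publishedOn = $cas | Where-Object { $_.certificateTemplates -contains $TemplateName } |
               Select-Object -ExpandProperty dNSHostName
if (-not $publishedOn) { throw "Template '$TemplateName' is not published on any CA" }
Write-Host "Template '$TemplateName' is published on: $($publishedOn -join ', ')"

# 3. Point all three NDES template values at it (step 9), showing what they were before
$before = Get-ItemProperty -Path $MscepKey
foreach ($name in 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate') {
    Write-Host ("{0}: '{1}' -> '{2}'" -f $name, $before.$name, $TemplateName)
    Set-ItemProperty -Path $MscepKey -Name $name -Value $TemplateName -Type String
}

# 4. Let IOS auto-enroll renewals through even when the subject differs from the original request
#    (the DWORD from the 'Automatic Re-enrollment Fails' article)
New-ItemProperty -Path $MscepKey -Name DisableRenewalSubjectNameMatch -PropertyType DWord -Value 1 -Force | Out-Null

# 5. NDES reads the key when the SCEP application starts, so restart IIS and show the result
iisreset /restart
Get-ItemProperty -Path $MscepKey |
    Select-Object EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate, DisableRenewalSubjectNameMatch
```

The check in step 1 is worth keeping even after the template is in place: if someone later ‘tidies up’ the template’s application policies, NDES will carry on issuing happily and the failure only shows up when the ASA refuses to bind the renewed certificate to the outside interface.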

 

Related Articles, References, Credits, or External Links

In Part 2 – We will configure the ASA and AnyConnect.