Deploying IPsec Server and Domain Isolation using Windows Server 2008 Group Policy (Part 2)

[13 November 2008]

If you missed the first part in this article series please read Deploying IPsec Server and Domain Isolation using Windows Server 2008 Group Policy (Part 1).

In part 1 of this series on how to use IPsec enforcement with NAP heath policies, I described the example network and called out the major steps required to get the NAP with IPsec enforcement policy working. As a refresher, here is the list of the high level steps required to reach a working solution:

  • Configure the Domain Controller
  • Install and Configure the Network Policy Server, Health Registration Authority and Subordinate CA
  • Configure the NAP IPsec Enforcement Policy on the Network Policy Server
  • Configure VISTASP1 and VISTASP1-2 for Testing
  • Test the Health Certificate and Auto-remediation Configuration
  • Verify NAP Policy Enforcement on VISTASP1
  • Configure and Test IPsec Policies

In the first article in the series, we began with the steps required to configure the domain controller in our NAP with IPsec enforcement environment. In this, part 2 of the article series, well move on to the second step, which is to install and configure the Network Policy Server, the Health Registration Authority and the subordinate CA.

Install and Configure Network Policy Server, Health Registration Authority and Subordinate CA

Now well move our attention to the Network Policy Server. The Network Policy Server or NPS machine takes on the RADIUS server role. NPS is the new name for the former Microsoft Internet Access Server (IAS). There are actually two components to the new NPS server: the RADIUS component (which includes new support for NAP) and the RRAS component. Were not interested in the RRAS component in this scenario so we wont install or configure RRAS.

We will need to do the following to get the NPS server, along with the co-located Health Registration Authority and subordinate CA installed and configured on this machine:

  • Add the network policy server to the NAP Exempt Group
  • Restart the Network Policy Server
  • Request a computer certificate for the Network Policy Server
  • View the computer and health certificate installed on the Network Policy Server
  • Install the Network Policy Server, Health Registration Authority and Subordinate CA
  • Configure the Subordinate CA on the Network Policy Server
  • Enable Permissions for the Health Registration Authority to request, issue and manage certificates
  • Configure the Health Registration Authority to use the subordinate CA to issue health certificates

Lets now get into the details of each of these steps.

Add the Network Policy Server to the NAP Exempt Group

We need to make the WIN2008SRV1 computer a member of the NAP Exempt Group so that it autoenrolls the Health Certificate we created for it. This will allow this computer, which will act as the NAP policy server and Health Registration Authority to communicate with machines that are in the secure network, even though this machine isnt subject to NAP requirements.

Perform the following steps on the WIN2008DC domain controller:

  1. On WIN2008DC, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the left pane of the Active Directory Users and Computers console, expand msfirewall.org. Click on the Users node.
  3. Double click on the NAP Exempt group in the right pane of the console.
  4. Click the Members tab, click Add, click Object Types, select the Computers check box, and then click OK.
Figure 1 Figure 1
  1. Under Enter the object names to select (examples), type WIN2008SRV1, and then click Check Names. Click OK, and then click OK in the NAP Exempt Properties dialog box..
Figure 2 Figure 2
Figure 3 Figure 3
  1. Close the Active Directory Users and Computers console.

Restart the Network Policy Server

To activate the new domain membership and security group membership settings, restart WIN2008SRV1.

  1. Restart WIN2008SRV1.
  2. After the computer has been restarted, log on as Administrator.

Request a Computer Certificate for the Network Policy Server

The WIN2008SRV1 machine will need a computer certificate to support SSL connections to the server. The SSL connections will come from NAP clients when they connect to the Health Registration Authority Web server on the NPS server machine. Note that in this example the NPS server and the Health Registration Authority are on the same machine. You dont have to do it that way you can put the Health Registration Authority and the NPS server on different machines. In that scenario, you would need to install the NPS service on the HRA machine and configure that machine was a RADIUS proxy, since the HRA is the network access server in this scenario and the NAS needs to be able to inform the NPS service of the clients status.

Perform the following steps on the WIN2008SRV1 NPS machine:

  1. On WINS2008SRV1, click Start, click Run, type mmc, and then press ENTER.
  2. Click File, and then click Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Certificates and then click Add. In the Certificates snap-in dialog box, select the Computer account option and click Next.
Figure 4 Figure 4
  1. In the Select Computer dialog box, select the Local Computer option and click Finish.
Figure 5 Figure 5
  1. Click OK in the Add or Remove Snap-ins dialog box.
Figure 6 Figure 6
  1. In the Certificates console, expand the Certificates (Local Computer) node and then expand the Personal node. Click on the Certificates node, then right click on it and point to All Tasks and then click Request New Certificate. .
Figure 7 Figure 7
  1. Click Next on the Certificate Enrollment page.

On the Request Certificates page, you can see a list of certificate templates that are available to this computer. Note that while there are many more certificate templates available, these are the only ones available to this computer, based on the permissions configured on the certificate templates. Put a checkmark in the Computer checkbox and click Enroll. Note that you can get full and complete details of this certificate by clicking on the Properties button.

Figure 8 Figure 8
  1. Click Finish in the Certificate Installation Result dialog box .
Figure 9 Figure 9
  1. Leave the console window open for the following procedure.
Figure 10 Figure 10

View the Computer and Health Certificate Installed on the Network Policy Server

Next, verify that WIN2008SRV1 has an SSL certificate and a NAP exemption certificate.

  1. In the left pane of the Certificates console, open Certificates (Local Computer)\Personal\Certificates.In the right pane, verify that a certificate was autoenrolled by WIN2008SRV1 with Intended Purposes of System Health Authentication and Client Authentication. This certificate will be used for NAP client IPsec exemption.
Figure 11 Figure 11
  1. In the right pane, verify that a certificate was enrolled with Intended Purposes of Client Authentication and Server Authentication. This certificate will be used for server-side SSL authentication.
Figure 12 Figure 12
  1. Close the Certificates console. If you are prompted to save settings, click No.

Install the Network Policy Server, Health Registration Authority, and Subordinate Certificate Server roles

Next, install role services to make WIN2008SRV1 a NAP health policy server, NAP enforcement server, and NAP CA server.

Perform the following steps on WIN2008SRV1:

  1. In Server Manager, under Roles Summary, click Add Roles, and then click Next.
Figure 13 Figure 13
  1. On the Select Server Roles page, select the Active Directory Certificate Services and Network Policy and Access Services check boxes, and then click Next twice.
Figure 14 Figure 14
  1. On the Select Role Services page, select the Health Registration Authority check box, click Add Required Role Services in the Add Roles Wizard window, and then click Next.
Figure 15 Figure 15
  1. On the Choose the Certification Authority to use with the Health Registration Authority page, choose Install a local CA to issue health certificates for this HRA server, and then click Next.
Figure 16 Figure 16
  1. On the Choose Authentication Requirements for the Health Registration Authority page, choose No, allow anonymous requests for health certificates, and then click Next. This choice allows computers to be enrolled with health certificates in a workgroup environment. Well see an example of a workgroup computer receiving a Health Certificate later.
Figure 17 Figure 17
  1. On the Choose a Server Authentication Certificate for SSL Encryption page, choose Choose an existing certificate for SSL encryption (recommended), click the certificate displayed under this option, and then click Next.

Note: You can view the properties of certificates in the local computer certificate store by clicking a certificate, clicking Properties, and then clicking the Details tab. A certificate used for SSL authentication must have a Subject field value that corresponds to the fully qualified domain name of the HRA server (for example, NPS1.Contoso.com), and an Enhanced Key Usage field value of Server Authentication. The certificate must also be issued from a root CA that is trusted by the client computer.

Figure 18 Figure 18
  1. On the Introduction to Active Directory Certificate Services page, click Next.
  2. On the Select Role Services page, verify that the Certification Authority check box is selected, and then click Next.
Figure 19 Figure 19
  1. On the Specify Setup Type page, click Standalone, and then click Next.
Figure 20 Figure 20
  1. On the Specify CA Type page, click Subordinate CA, and then click Next. We choose to use a subordinate CA because this is a more secure option, as it gives us the option to revoke the certificate of the subordinate CA at the root CA level. The subordinate CA is responsible for issuing certificates, while the job of the root CA is to sign the certificates of the issuing subordinate CAs. This allows you to have many subordinate CAs and a single root CA. In a production environment, youll likely put the root CA offline and bring it online only to sign certificates of new subordinate CAs.
Figure 21 Figure 21
  1. On the Set Up Private Key page, click Create a new private key, and then click Next.
Figure 22 Figure 22
  1. On the Configure Cryptography for CA page, click Next.
  2. On the Configure CA Name page, under Common name for this CA, type msfirewall-WIN2008SRV1-CA, and then click Next.
Figure 23 Figure 23
  1. On the Request Certificate from a Parent CA page, choose Send a certificate request to a parent CA, and then click Browse. In the Select Certification Authority window, click Root CA, and then click OK.
Figure 24 Figure 24
  1. Verify that WIN2008DC.msfirewall.org\Root CA is displayed next to Parent CA, and then click Next.
Figure 25 Figure 25
  1. Click Next three times to accept the default database, Web server, and role services settings, and then click Install.
Figure 26 Figure 26
  1. Verify that all installations were successful, and then click Close. Note that the installation results say that Attempt to configure Health Registration Authority failed. Failed to get name of the local Certification Authority. Dont worry about that. Well configure the Health Registration Authority in the next steps.
Figure 27 Figure 27
  1. Leave Server Manager open for the next procedure.

Configure the Subordinate CA on the Network Policy Server

The subordinate CA must be configured to automatically issue certificates when NAP clients who meet NAP policy requirements request a certificate. By default, standalone CAs wait for administrator approval before the certificate is issued. We dont want to wait for administrator approval, so well configure the standalone CA to automatically issue the certificates when the request comes in.

Perform the following steps on WIN2008SRV1:

  1. On WIN2008SRV1, click Start, click Run, type certsrv.msc, and then press ENTER.
  2. In the Certification Authority console tree, right-click msfirewall-WIN2008SRV1-CA, and then click Properties.
Figure 28 Figure 28
  1. Click the Policy Module tab, and then click Properties.
Figure 29 Figure 29
  1. Choose Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate, and then click OK.
Figure 30 Figure 30
  1. When you are prompted that AD CS must be restarted, click OK. Click OK, right-click msfirewall-WIN2008SRV1-CA, point to All Tasks, and then click Stop Service.
Figure 31 Figure 31
  1. Right-click msfirewall-WIN2008SRV1-CA, point to All Tasks, and then click Start Service.
Figure 32 Figure 32
  1. Leave the Certification Authority console open for the following procedure.

Enable Permissions for the Health Registration Authority to Request, Issue and Manage Certificates

The Health Registration Authority must be given security permissions to request, issue, and manage certificates. It must also be granted permission to manage the subordinate CA so that it can periodically clear expired certificates from the certificate store.

When the Health Registration Authority is installed on a computer different from the issuing CA, permissions must be assigned to the HRA machine name. In this configuration, HRA and CA are located on the same computer. In this scenario, permissions must be assigned to Network Service.

Perform the following steps on WIN2008SRV1:

  1. In the left pane of Certification Authority console, right-click msfirewall-WIN2008SRV1-CA, and then click Properties.
  2. Click the Security tab, and then click Add.
Figure 33 Figure 33
  1. Under Enter the object names to select (examples), type Network Service, and then click OK.
Figure 34 Figure 34
  1. Click Network Service, and under Allow, select the Issue and Manage Certificates, Manage CA, and Request Certificates check boxes, and then click OK.
Figure 35 Figure 35
  1. Close the Certification Authority console.

Configure the Health Registration Authority to use the Subordinate CA to Issue Health Certificates

You must tell the Health Registration Authority which CA to use to issue Health Certificates. You can use either a standalone or enterprise CA. In this example network were using the standalone CA installed on the WIN2008SRV1 computer.

Perform the following steps on WIN2008SRV1:

  1. On WIN2008SRV1, click Server Manager;.
  2. In Server Manager, open Roles\Network Policy and Access Services\Health Registration Authority(WIN2008SRV1)\Certification Authority.

Note: If Server Manager was open when you installed the HRA server role, you might need to close it and then open it again to access the HRA console.

  1. In the left pane HRA console tree, right-click Certification Authority, and then click Add certification authority.
Figure 36 Figure 36
  1. Click Browse, click msfirewall-WIN2008SRV1-SubCA, and then click OK. See the following example.
Figure 37 Figure 37
  1. Click OK, and then click Certification Authority and verify that \\WIN2008SRV1.msfirewall.org\msfirewall-WIN2008SRV1-CA is displayed in the details pane. Next, we will configure properties of this standalone CA.

The Health Registration Authority can be configured to use either a standalone or enterprise CA. The CA properties (which we will configure next) that are configured on the Health Registration Authority must correspond to the type of selected CA.

Figure 38 Figure 38
  1. Right-click Certification Authority, and then click Properties.
Figure 39 Figure 39
  1. Verify that Use standalone certification authority is selected and that the value under The certificates approved by this Health Registration Authority will be valid for is 4 hours, and then click OK. See the following example.
Figure 40 Figure 40
  1. Close Server Manager.

Summary

In this, part 2 of our article series on how to use IPsec enforcement with NAP, we went through the procedures that needed to be carried out on the NPS server machine. On this machine we installed and configured the Windows Server 2008 Network Policy Server, Health Registration Authority and subordinate CA. With these components in place, well be ready for our next step, which is to configure NAP IPsec enforcement policy. See you then! Tom.

If you missed the first part in this article series please read Deploying IPsec Server and Domain Isolation using Windows Server 2008 Group Policy (Part 1).

Author: Thomas Shinder

Thomas ShinderDr. Thomas W. Shinder is an MCSE, MCP+I, and MCT. He has worked as a technology trainer and consultant in the Dallas-Ft. Worth metro area, assisting in development and implementation of IP-based communications strategies for major firms such as Xerox, Lucent and FINA.

This article has been republished with permission from: www.windowsecurity.com
Source: http://www.windowsecurity.com/...tion-Windows-Server-2008-Group-Policy-Part2.html

Additional Links

Search

SurfCop

SurfCop Software solution designed for internet usage monitoring and controlling internet traffic in companies that uses Microsoft ISA Server 2004/2006 or Microsoft Forefront TMG software products as corporate Internet gateway (Firewall).
more…

ISA Server Toolkit

ISA Server Toolkit Set of free tools making the work of a Microsoft ISA Server administrator easier.
more…

Internet Access Monitor

Software for monitoring the efficiency of your company's Internet bandwidth usage. Using this product you can easily find out who, when, where to, where from and what accessed the Internet. Works with Microsoft ISA Server and other proxy servers.
more…

Mail Access Monitor

Software for monitoring the efficiency of your company's mail server operations. Using this product, you can easily determine the who, when, where and amount of e-mail that has been sent. Works with Microsoft Exchange Server and other mail servers.
more…

Printer Activity Monitor

Software for monitoring your company's printers. Using this product you can easily find out who, when and how many pages have been printed.
more…

News

Printer Activity Monitor 4.0 is ready for download
[29 October 2012] Printer Activity Monitor 4.0 just released. Added support for x64 operating systems, improved Data Center stability.
SurfCop 2.1 is ready for download
[23 January 2012] SurfCop 2.1 just released. Added support of SP1 and SP2 of Microsoft Forefront TMG 2010. Added new features. Improved filters stability.
SurfCop 2.0 is ready for download
[30 October 2011] SurfCop 2.0 just released. Finally added Microsoft Forefront TMG 2010 support. Added new features. Improved filters stability.

All news

RSS

Authorization

 
Forgot your password?
Register

Subscribe

Subscribe to company news