Authenticating VPN Clients with RSA SecurID Authentication

Microsoft® Internet Security and Acceleration (ISA) Server 2004 introduces the ability for user authentication based on authentication credentials from the RSA SecurID® product from RSA Security Inc. ISA Server can secure Web sites and authenticate remote virtual private network (VPN) clients by requiring RSA SecurID authentication.

For additional information about RSA SecurID authentication, see the RSA Web site.

Configuring VPN with RSA SecurID Authentication

Configuring VPN for RSA SecurID authentication consists of the following steps:

  • Configure VPN client access in ISA Server. To allow remote VPN clients to access internal networks with ISA Server, you must enable VPN client access. When you enable VPN client access, ISA Server enables a system policy rule named Allow VPN clients to firewall, to allow initial access. You also need to specify the tunneling protocol clients should use for the VPN connection to the ISA Server computer, and the maximum number of remote VPN client connections allowed. You need to create a VPN clients group that contains the remote clients to whom you want to allow VPN access, and specify how those clients will be allocated IP addresses.
  • Install RSA ACE/Server®. The RSA ACE/Server is an authentication server that manages the authentication process for users. For more information, see the RSA Security site.
  • Configure ISA Server as an RSA ACE/Agent®. The RSA ACE/Agent protects your internal resources. You install the agent on each resource you want to protect with RSA ACE/Server authentication.
  • Enable the system policy rule to allow access from the ISA Server computer to the RSA ACE/Server computer. By default, the RSA SecurID system policy rule allows access from the Local Host network (ISA Server computer) to the Internal network. The rule is disabled by default. You need to enable the rule, and indicate a specific RSA ACE/Server computer instead of the entire Internal network.
  • Configure EAP (RSA SecurID) authentication. In ISA Server Management, you can configure various VPN authentication methods, including Extensible Authentication Protocol (EAP) with a smart card or other certificate. You cannot enable EAP authentication with RSA SecurID using this interface. Instead, use the Routing and Remote Access console.

Configure VPN client access in ISA Server Management

To configure VPN client access, perform the following steps:

  1. Click the Virtual Private Networks (VPN) node of ISA Server Management.

  2. In the details pane, click the VPN Clients tab.

  3. On the Tasks tab, click Configure VPN Client Access.

  4. In the VPN Clients Properties dialog box, on the General tab, click Enable VPN client access. In Maximum number of VPN clients allowed, type the maximum number of simultaneous VPN client connections.

  5. On the Protocols tab, select the tunneling protocols to be used for the VPN client connection. Select Enable L2TP/IPSec.

  6. If you are using Active Directory® directory service domain-based authentication, on the Groups tab, click Add, and add the VPN Clients domain group.

    Note

    For Active Directory authentication, create a domain group containing VPN clients on the domain controller.

  7. On the Tasks tab, click Define Address Assignments.

  8. On the Address Assignment tab, select the method that will be used to assign IP addresses to remote VPN clients. You can choose to assign addresses to clients dynamically from a DHCP server, or from a static address pool.

  9. In the ISA Server details pane, click Apply to apply the changes.

Notes

  • When you enable VPN client access, a system policy rule named Allow VPN Client traffic to ISA Server is enabled.
  • For more detailed information about configuring VPN client access, see VPN Roaming Clients and Quarantine Control.

Important

You may be required to restart the ISA Server computer after you make VPN configuration changes. To check whether a restart is needed, in ISA Server Management, expand the ISA Server computer node, and click Monitoring. In the details pane, on the Alerts tab, look for an alert that reads ISA Server computer restart needed. The alert information for that alert will read Changes made to the VPN configuration require the computer to be restarted. If you see that alert, you are required to restart the ISA Server computer.

Install and configure RSA ACE/Server

Install RSA ACE/Server as described in the RSA ACE/Server documentation.

Configure the ISA Server computer as an RSA ACE/Agent

To configure the ISA Server computer as an RSA ACE/Agent, perform the following step.

  • Copy the Sdconf.rec file, located in the ACE\Data folder on the RSA ACE/Server computer, to the %windir%\system32 folder on the ISA Server computer.

If you are using a version of RSA ACE/Server earlier than RSA ACE/Server 5.0, perform the following steps:

  1. On the RSA ACE/Server computer, click Start, click Programs, click RSA/ACE Server, and then click Database Administration - Host Mode.

  2. On the Agent Host menu, click Add Agent Host.

  3. In Name, type the name of the ISA Server computer.

  4. In Network address, type the IP address of the ISA Server computer if it does not appear automatically.

  5. In Agent Host, click Generate Configuration File, click One Agent Host, click OK, double-click the name of the ISA Server computer, and save the Sdconf.rec file in a folder on the computer.

  6. Copy the Sdconf.rec file to the %windir%\system32 folder on the ISA Server computer.

To verify that ISA Server can authenticate against the RSA ACE/Server computer, perform the following steps:

  1. Copy sdtest.exe from the Tools folder of the installation CD to the ISA Server installation folder. Then from a command prompt, type ISA_installation_folder\sdtest.exe.

  2. In RSA SecurID Authentication Information, click RSA ACE/Server Test Directly.

  3. In RSA SecurID Authentication, type the user name in Enter User Name and the passcode in Enter PASSCODE.

  4. Click OK when the Authentication successful message appears.

Enable the system policy rule to allow the ISA Server computer to access the RSA SecurID server

By default, the RSA SecurID system policy rule allows access from the Local Host network (ISA Server computer) to the Internal network. The rule is disabled by default.

To enable the rule, and specify a specific RSA ACE/Server computer instead of the Internal network, perform the following steps:

  1. In the Microsoft ISA Server Management console tree, right-click the Firewall Policy node, and then click Edit System Policy.

  2. In the Configuration Groups list, click RSA SecurID in the Authentication Services section.

  3. On the General tab, click Enable.

  4. On the To tab, click Add to open the Add Network Entities dialog box.

  5. To define the RSA SecurID server as a network entity, do the following:

    1. Click the New menu, and then click Computer.
    2. In the New Computer Rule Element dialog box, in Name, type a name to identify the SecurID server.
    3. In Computer IP Address, type the IP address of the server.
    4. Optionally, add a description in the Description dialog box, and then click OK.
  6. In the Add Network Entities dialog box, select the RSA SecurID server name in Computers. Click Add, and then click Close.

  7. On the To tab, select Internal, and then click Remove. Then click OK.

  8. In the ISA Server details pane, click Apply to apply the new access rule.

Configure EAP (RSA SecurID) authentication

Because EAP authentication with RSA SecurID cannot be enabled in ISA Server Management, you configure it in the Routing and Remote Access console. First, stop the ISA Server Control service by performing the following steps:

  1. Click Start, click Run, and then in the Run dialog box, type cmd.

  2. In the Command Prompt window, type net stop isactrl. Note that the ISA Server Firewall service (FWSRV) and other ISA Server services that depend on the isactrl service will also be stopped.

To configure Routing and Remote Access on the ISA Server computer, perform the following steps:

  1. Click Start, point to All Programs, select Administrative Tools, and then click Routing and Remote Access.

  2. In the Routing and Remote Access node, right-click the name of the ISA Server computer, and then click Properties.

  3. On the Security tab, click Authentication Methods.

  4. In the Authentication Methods dialog box, ensure that Extensible authentication protocol (EAP) is enabled. Then click OK.

  5. In the Routing and Remote Access node, click Remote Access Policies.

  6. In the details pane, double-click ISA Server Default Policy.

  7. On the Settings tab, click Edit Profile.

  8. On the Authentication tab, click EAP Methods.

  9. In the Select EAP Providers dialog box, click Add.

  10. In the Add EAP dialog box, select RSA SecurID, and close the dialog boxes.

To restart the ISA Server services, perform the following steps:

  1. Click Start, click Run, and then in the Run dialog box, type cmd.

  2. In the Command Prompt window, type the following commands:

    • net start isactrl, to restart the ISA Server Control service.
    • net start fwsrv, to restart the ISA Server Firewall service.
    • net start isasched, to restart the ISA Server Job Scheduler service.

    You do not need to start the Routing and Remote Access service. It is started automatically when the Firewall service restarts.

Now test the configuration by connecting a VPN client that uses RSA SecurID authentication.
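The stop, reconfigure, restart sequence above can be wrapped so that the services come back in the documented order and their state is verified afterwards. The following script is an added example and is not part of the original article or the ISA Server product; it assumes PowerShell is installed on the ISA Server computer, that it runs in an elevated session, and that the Routing and Remote Access service is registered under the name RemoteAccess (an assumption; the article does not name it). The service names isactrl, fwsrv and isasched are the ones the article gives.

```powershell
# Added example (not from the original article): stop the ISA Server Control
# service before the RRAS EAP change, then restart the ISA Server services in
# the documented order and confirm each one reports Running.
# Assumptions: PowerShell is installed on the ISA Server computer, the session
# is elevated, and RRAS runs as the service named 'RemoteAccess'.

$controlService = 'isactrl'                         # ISA Server Control
$restartOrder   = @('isactrl', 'fwsrv', 'isasched') # Control, Firewall, Job Scheduler
$rrasService    = 'RemoteAccess'                    # Routing and Remote Access (assumed name)

function Stop-IsaControl {
    # Stopping isactrl also stops fwsrv and the other dependent services.
    # Record which dependents were running so the operator sees what was taken down.
    $svc = Get-Service -Name $controlService -ErrorAction Stop
    $runningDependents = @($svc.DependentServices |
        Where-Object { $_.Status -eq 'Running' } |
        ForEach-Object { $_.Name })
    Stop-Service -Name $controlService -Force -ErrorAction Stop
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    return $runningDependents
}

function Start-IsaServices {
    # Start the services in the order the article gives and wait for each to report Running.
    foreach ($name in $restartOrder) {
        Start-Service -Name $name -ErrorAction Stop
        (Get-Service -Name $name).WaitForStatus('Running', [TimeSpan]::FromSeconds(120))
    }
}

function Test-IsaServices {
    # Return the current state of every service this procedure touches.
    # RRAS is included because it is expected to start with the Firewall service.
    $names = $restartOrder + $rrasService
    Get-Service -Name $names -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, Status
}

# --- Procedure ---
$stopped = Stop-IsaControl
Write-Host "Stopped $controlService; dependents that were running: $($stopped -join ', ')"
Write-Host 'Now enable RSA SecurID as an EAP method in the Routing and Remote Access console.'
Read-Host  'Press Enter when that change has been saved'

Start-IsaServices
Test-IsaServices | Format-Table -AutoSize

# Anything not Running at this point means the VPN client test should not proceed yet.
$notRunning = @(Test-IsaServices | Where-Object { $_.Status -ne 'Running' })
if ($notRunning.Count -gt 0) {
    $names = ($notRunning | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Services not running: $names"
}
```

The script pauses between the stop and the restart because the EAP provider is added in the Routing and Remote Access console, which this page describes as a manual step; the final check is what tells you whether the ISA Server computer is ready for the VPN client test.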

Note

When you enable SecurID authentication on a computer running Microsoft Windows Server® 2003, the Network Service account must have read/write access to the following registry key: HKLM\Software\SDTI\ACECLIENT. In addition, the Network Service account must have read permission for the Sdconf.rec file, located in %SystemRoot%\system32.
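The two permission requirements in this note can be checked before the first VPN client test instead of being discovered from a failed EAP exchange. The script below is an added example and is not from the original article or from RSA or Microsoft; it assumes PowerShell is installed on the ISA Server computer and that it runs in an elevated session. The registry key and file path are the ones the note gives; the SID S-1-5-20 is the well-known identifier of the Network Service account.

```powershell
# Added example (not from the original article): check, and with -Grant add,
# the permissions the Network Service account needs for RSA SecurID EAP on
# Windows Server 2003: read/write on HKLM\Software\SDTI\ACECLIENT and read on
# %SystemRoot%\system32\sdconf.rec.
# Assumptions: PowerShell is installed on the ISA Server computer and the
# session is elevated. S-1-5-20 is the well-known SID of NETWORK SERVICE.
param([switch]$Grant)

$networkServiceSid = 'S-1-5-20'
$networkService    = (New-Object System.Security.Principal.SecurityIdentifier($networkServiceSid)).Translate(
                         [System.Security.Principal.NTAccount])
$aceClientKey      = 'HKLM:\Software\SDTI\ACECLIENT'
$sdconfFile        = Join-Path $env:SystemRoot 'system32\sdconf.rec'

function Test-RightsOnAce {
    # True if an Allow entry for Network Service carries every bit in $Required.
    param($Acl, [string]$RightsProperty, $Required)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or unresolvable identity: not the account we want
        if ($sid -ne $networkServiceSid) { continue }
        if (($ace.$RightsProperty -band $Required) -eq $Required) { return $true }
    }
    return $false
}

function Test-SecurIdPermissions {
    # One boolean per requirement from the note, plus whether each object exists at all.
    $keyOk = $false; $fileOk = $false
    if (Test-Path $aceClientKey) {
        $keyOk = Test-RightsOnAce (Get-Acl $aceClientKey) 'RegistryRights' `
                     ([System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey')
    }
    if (Test-Path $sdconfFile) {
        $fileOk = Test-RightsOnAce (Get-Acl $sdconfFile) 'FileSystemRights' `
                      ([System.Security.AccessControl.FileSystemRights]::Read)
    }
    New-Object PSObject -Property @{
        RegistryKeyExists = (Test-Path $aceClientKey)
        RegistryReadWrite = $keyOk
        SdconfExists      = (Test-Path $sdconfFile)
        SdconfRead        = $fileOk
    }
}

function Grant-SecurIdPermissions {
    # Add the missing entries; existing entries on the key and file are left in place.
    $keyAcl  = Get-Acl $aceClientKey
    $keyRule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
        $networkService, 'ReadKey, WriteKey', 'ContainerInherit', 'None', 'Allow'
    $keyAcl.AddAccessRule($keyRule)
    Set-Acl -Path $aceClientKey -AclObject $keyAcl

    $fileAcl  = Get-Acl $sdconfFile
    $fileRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $networkService, 'Read', 'Allow'
    $fileAcl.AddAccessRule($fileRule)
    Set-Acl -Path $sdconfFile -AclObject $fileAcl
}

$before = Test-SecurIdPermissions
$before | Format-List

# Only grant when both objects exist; a missing key or file means the agent
# installation or the Sdconf.rec copy step has not been completed.
if ($Grant -and $before.RegistryKeyExists -and $before.SdconfExists -and
    -not ($before.RegistryReadWrite -and $before.SdconfRead)) {
    Grant-SecurIdPermissions
    Test-SecurIdPermissions | Format-List
}
```

Run it without parameters to report the current state; run it with -Grant to add exactly the two entries the note calls for. The check matches the account by SID rather than by display name so that it is unaffected by localization of the NETWORK SERVICE name, and it treats a FullControl entry as satisfying the requirement because that right includes the ReadKey and WriteKey bits.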