11 April 2012

Configure TMG VPN with a split personality

As corporates move toward Direct Access as the corporate VPN replacement, it introduces a slight problem. Direct Access is awesome for a whole load of reasons, but it is not great if you are trying to accommodate non-corporate, non-Windows devices. So if you have a mixed bag of clients and you want to provide a mixed bag of access based on the device, this is how to do it.

The key here is that we want to differentiate the access level not by the user - who is trusted - but by the device he is using. There are two classes of devices we will cater for:

  • Windows Corporate machine with a user PKI certificate
  • Non windows machine authenticating with just a username and password

The premise is that to get a user certificate onto the Windows machine it has to belong to the corporate domain. Because this is now a corporate-managed device, it is trusted and can have unrestricted access to the network via the VPN.

The non-Windows machine category is one that is becoming more prevalent with tablets and BYOD schemes. These devices are not part of the corporate domain, therefore they are less trusted. They also do not require access to certain infrastructure that a corporate machine would.

We will configure the TMG VPN to accommodate the following:

  • Allow Corporate machines to connect over SSTP with EAP authentication
  • Allow non corporate machines to connect over PPTP with MS-CHAPv2 with a more restricted VPN rule set

Configure the VPN Protocols
To accommodate the different devices I enable both PPTP and SSTP. Strictly speaking, if you only need to accommodate Vista and Windows 7 machines you would not need PPTP, but it is such an open standard that it can natively be used by just about any device.

User Mapping
This is a crucial part of configuring this. Because we want to differentiate based on the device, we need to be able to tell how the user is authenticating. When authenticating with EAP the user shows up as user@domain.com. When the user authenticates with MS-CHAPv2 the user shows up as domain\user.

Enabling user mapping would effectively hide this difference from us, so it stays disabled.

For this to work you need to authenticate against TMG, you cannot use RADIUS.  You would of course also need to enable both the authentication methods.

By this stage your VPN will allow both authentication types. Users will also show up differently, so we can apply selective rules.

Limiting user access to the VPN
There are two parts to this. The first purely governs who is allowed to connect to the VPN. This is controlled by the groups specified in the VPN Clients Properties Groups tab. Typically I allow a broader scope of users here, because the group is an Active Directory group as opposed to a TMG user set.

You can of course be far more restrictive here, but bear in mind that this purely controls who is allowed to connect; it does not grant access to any resources, which is governed by the access rules.

At this point you will also need to create a TMG user set. This set should include the users that are allowed to both connect and access internal resources through the "less secure" connection. In this image you can see that the user set only includes a domain AD group called PPTP_MSCHAP_VPN.

Creating Access rules
The order of the rules here is very important. Rules are processed top down until an allow or deny is encountered. The basic sequence is as follows:

  1. Allow MSCHAP users
  2. Deny MSCHAP users
  3. Allow EAP users
  4. Deny EAP users

Here is a section of the allow rules for the MSCHAP users, followed by the Deny rule.

These are followed by a rule to allow the remaining users (those not authenticated by MS-CHAPv2 but with EAP).

You need to think about this a little bit. Users need to be able to authenticate using EAP; this will allow them access to the VPN, but because there is no user mapping they do not match the rules configured for the MSCHAP users. They will therefore skip past those and finally hit the VPN access rule shown above.
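To make the ordering and the identity-format point concrete, here is a small Python model of the four-rule sequence. This is an added example, not part of the original post and not TMG's own API; the group memberships, the destinations on the MSCHAP allow rule, and the use of "All Authenticated Users" on the EAP rules are assumptions.

```python
import re

# Constructed model of TMG's top-down, first-match rule processing.
# Identity format is the only signal: EAP logons show as user@domain.com,
# MS-CHAPv2 logons as domain\user, and with user mapping disabled TMG can
# only resolve the domain\user form to its AD groups.  Memberships are made up.
AD_GROUPS = {r"corp\alice": {"PPTP_MSCHAP_VPN", "Domain Users"}}
USER_SETS = {
    "MSCHAP VPN users": {"PPTP_MSCHAP_VPN"},   # the TMG user set from the post
    "All Authenticated Users": None,           # matches any authenticated logon
}
# (name, action, user set, destinations), in the order TMG evaluates them.
# Destinations are assumed; "*" means any host.
RULES = [
    ("Allow MSCHAP users", "allow", "MSCHAP VPN users",
     {"mail.corp.example", "intranet.corp.example"}),
    ("Deny MSCHAP users", "deny", "MSCHAP VPN users", {"*"}),
    ("Allow EAP users", "allow", "All Authenticated Users", {"*"}),
    ("Deny EAP users", "deny", "All Authenticated Users", {"*"}),
]
UPN = re.compile(r"^[^@\\]+@[^@\\]+$")   # user@domain.com form


def to_domain_form(identity):
    """user@domain.com -> domain\\user: what user mapping does to EAP logons."""
    user, _, domain = identity.partition("@")
    return f"{domain.split('.')[0]}\\{user}".lower()


def groups_for(identity, user_mapping=False):
    """AD groups TMG can resolve for this logon identity."""
    if UPN.match(identity):
        if not user_mapping:
            return set()      # UPN form: no group lookup, only 'authenticated'
        identity = to_domain_form(identity)
    return AD_GROUPS.get(identity.lower(), set())


def in_user_set(identity, set_name, user_mapping):
    required = USER_SETS[set_name]
    if required is None:
        return True
    return bool(required & groups_for(identity, user_mapping))


def evaluate(identity, destination, user_mapping=False):
    """Return (rule name, action) of the first rule that matches."""
    for name, action, user_set, dests in RULES:
        if in_user_set(identity, user_set, user_mapping) and \
                ("*" in dests or destination in dests):
            return name, action
    return "default", "deny"
```

The same account gets a different answer purely from the identity format, and switching `user_mapping` on shows why the post leaves it disabled: the EAP logon collapses into the MSCHAP rules.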

Testing the access rules
For this test I use a domain-joined laptop with the required EAP certificate. I configure two VPN connections for connecting to the same VPN. The difference between them is purely the authentication mechanism: one is set to use EAP (using a certificate) and the other to use MS-CHAPv2.

Connecting with the EAP VPN connection shows up as follows in the TMG logs:

Connecting with the MS-CHAPv2 VPN connection shows up as follows:

Using this method you can cater for the same user but give different levels of access based on the device type being used. This only covers the basic mechanics of making this work; your final VPN configuration with regards to rules and users will be very different.

For more on setting up and configuring TMG VPN and a variety of devices check out my series on this:
Complete TMG VPN deployment guide
