
Fix VPN Certificate Issue since SSL installed for OMA 1

Status
Not open for further replies.

1DMF

Programmer
Jan 18, 2005
8,795
GB
Hi,

We have had our server support company install and set up an SSL certificate for OMA / OWA, all seemed to work fine.

HOWEVER, now VPN will allow anyone to connect without going to CertSrv downloading a user certificate, or setting VPN to use the smartcard/user certificate.

You simply enter the domain/IP, user name and password and bingo, you're connected.

How do I fix what this company has broken?

Before no-one could connect without downloading a user certificate and you had to force the VPN connection to use the certificate.

By default CertSrv is blocked from ALL IPs so no-one can willy-nilly try to obtain a user certificate, and all worked well.

Now any Tom, Dick or Harry can connect insecurely without a user certificate, just a username and password.

I'm beginning to wish I'd told the boss he couldn't have email on his mobile phone, it's been more hassle than it's worth.

Any help sorting this mess out is appreciated.

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"
 
The basic problem is that the cert was always a server-side cert, intended to prove to the clients that the server was who it was. It was never intended to prove to the server that the clients were legit. That's what the username\password credentialing was for. You were using the difficulty of getting that cert as a security method, and now that cert provisioning has been simplified, you have lost one of your tools.

If you really care about security, you should use Remote Web Workplace, since using VPN is basically extending your LAN borders to include clients whose health you have absolutely no control over.

But if you want to get this working the way you want, do this:

1. Go into the Routing and Remote Access admin tool on the server.

2. Go into the Remote Access Policies section.

3. Get properties on the first policy on the list (Small Business Remote Policy).

4. Go to Edit Profile, and then the Authentication.

5. Click on the EAP Methods button and add an EAP type: SmartCard or Certificate.

6. Now choose the cert that you were using before, not the new public one.

This should allow you to have things be the way they were before.

Dave Shackelford
Shackelford Consulting
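Added example (not from this thread, and not Dave's or Microsoft's code): a small Go program that makes Dave's point concrete. It uses Go's standard crypto/tls as a stand-in for the VPN server's EAP-TLS check, builds a throwaway CA, a server certificate, a user certificate issued by that CA and a self-signed one the CA never issued (all constructed in memory; the names ca.example.test, vpn.example.test, alice and not-our-user are made up for the example), and then tries each kind of client against two server policies. With "server cert only" the server proves who it is but accepts any client, which is the state the OP found himself in; with "user cert required" only the CA-issued user certificate gets through, which is what the Smart Card or Certificate EAP type restores.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } }

// newCert issues a certificate for name, signed by parent or self-signed when parent
// is nil. eku is nil for the CA so that it can issue both server and user certificates.
func newCert(name string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62)) // random serial for a throwaway cert
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func tlsCert(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k, Leaf: c}
}

// pki is the constructed trust material: our CA pool, the server's certificate, a user
// certificate our CA issued, and a self-signed one it never issued.
type pki struct {
	ca                    *x509.CertPool
	server, user, foreign tls.Certificate
}

func buildPKI() pki {
	ca, caKey := newCert("ca.example.test", true, nil, nil, nil)
	srv, srvKey := newCert("vpn.example.test", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	usr, usrKey := newCert("alice", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	oth, othKey := newCert("not-our-user", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pki{ca: pool, server: tlsCert(srv, srvKey), user: tlsCert(usr, usrKey), foreign: tlsCert(oth, othKey)}
}

// handshake runs one TLS connection over loopback. The server enforces policy; the client
// presents clientCert, or no certificate at all when it is nil (the username/password-only
// case). It returns nil only when both sides completed the handshake.
func handshake(p pki, policy tls.ClientAuthType, clientCert *tls.Certificate) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{p.server}, ClientAuth: policy, ClientCAs: p.ca})
	must(err)
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
		srvDone <- err
	}()
	cfg := &tls.Config{RootCAs: p.ca, ServerName: "vpn.example.test"}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err // a TLS 1.2 server turns the client away inside the handshake itself
	}
	defer conn.Close()
	return <-srvDone // a TLS 1.3 server reports the failure after the client's Finished
}

// outcome records which kind of client got through under one server policy.
type outcome struct{ NoCert, IssuedCert, ForeignCert bool }

// evaluate: the server either only presents its own certificate (requireUserCert=false)
// or additionally demands a user certificate issued by our CA (requireUserCert=true).
func evaluate(requireUserCert bool) outcome {
	policy := tls.NoClientCert
	if requireUserCert {
		policy = tls.RequireAndVerifyClientCert
	}
	p := buildPKI()
	return outcome{
		NoCert:      handshake(p, policy, nil) == nil,
		IssuedCert:  handshake(p, policy, &p.user) == nil,
		ForeignCert: handshake(p, policy, &p.foreign) == nil,
	}
}
```

evaluate(false) comes back with every client accepted, including the one with no certificate at all: the server certificate only ever authenticated the server. evaluate(true) accepts the CA-issued user certificate and nothing else, which is also why disabling a user's account (or not issuing them a certificate in the first place) keeps them out under that policy. A Go client, like a Windows one, will not even offer a certificate whose issuer is not on the server's accepted-CA list, so the foreign certificate is turned away at the first step.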
 
Hello Dave,

What's "Remote Web Workplace" ?

Does that allow SSL connection to the server and secure data transmission between our SQL server and the MS access application running client side?

Also does it give access to our mapped network drives in a secure SSL environment?

I'm a little confused over your comment:
"It was never intended to prove to the server that the clients were legit. That's what the username\password credentialing was for."

I thought that was the whole point of certificate services in IIS on SBS and the ability to get a 'User' certificate specific to accounts that have Remote Access enabled, coupled with the server only allowing connection with a valid SSL 'User' certificate to connect, forcing SSL connection for VPN.

It also enabled me, if employees left, to disable their account / logon and it would stop the 'User' certificate from connecting to the server should they try as the certificate was specific to the 'User' who downloaded it.

The server allowing username and password for VPN leaves our server open to hacking programs, as well as no longer seeming to force the VPN connection to only allow SSL connections to it, which compromises the data transfer being made over the VPN connection.

Anyhow, I'm just off to lunch and will try what you suggest when I get back, hopefully it will resolve my issue even if I don't fully understand what is going on.

I'll give feedback as to the results.

Regards,
1DMF

 
Well unfortunately I have not been able to test your process as the server support company is still messing around trying to fix it themselves.

They have now even removed terminal services altogether and reinstalled them, but still nothing is working; in fact this morning I came in to find the following not working...

Outlook Web Access - Remote users and Head of Compliance on Paternity leave could not access their email
Members Area - none of our members could use the online system stopping them from placing business and using the required regulatory web apps which allow them to trade.
Main Website - Prospective customers would have had web errors while perusing our website.
Inhouse Database - Staff could not process current pipeline applications or do normal day to day processing.
VPN - Company accounts cannot be retrieved by our accountants for processing.
Failed Backup - Last night the backup failed, so none of our SQL DB's were backed up nor standard documents and files.
Server Report - I did not receive my server report this morning via email.

IIS and SQL server services were all stopped also?

I requested an update from the server support company and CC'd in the missus (who is also a client of theirs); rather than a response to my obvious concerns as to the state of our server and lack of functioning company systems, I was instead cross-questioned why I had copied in the wife on the email.

I can only assume they care more about saving face in front of another client rather than accepting responsibility for their incompetence or about fixing the problem.

They fail to realise that the missus provides me and my employer various support (free of charge I might add!) and was the one who helped me find out they had screwed our system and VPN in the first place.

Besides, who do they think they are, questioning who we as a company send emails to, receive support and assistance from, let alone think they can tell me when I can or can't email my wife! (OK, bad mistake not BCC'ing her in, it won't happen again), but that's because we are up front, open and honest, which obviously this company is not!

I also need to look out for her interests, I only have 1 SBS server and 8 employees being looked after by this company , she has 5 servers and @ 60 users in 2 different offices, I'm concerned for her!

Oh well, I've let the boss deal with them now, as I'm ready to fire their ass and complain to Microsoft, they are not fit to carry the MS certified accreditation!

I just wish I'd had a chance to try your suggestion, so I could have avoided company down time, backup failure, loss of members area, hostilities between us and the server support company , not to mention get a refund for the SSL certificate and installation costs.

If I wanted to screw it up this much, I'd have done it myself, hence the reason we hired a so called MS certified expert.

I guess these things are sent to try us, was I really this bad in a previous life?

 
Sorry things blew up that way. Let me know if there's a way I can help out.

When you put an SSL cert into use to protect a VPN, it doesn't necessarily mean that you have set up an SSL VPN. SBS doesn't offer native support for SSL VPNs, so if you have an SSL VPN, it's with some third-party software. Since you didn't mention any other software, I'd been assuming that you were using the native SBS PPTP or L2TP VPN capabilities.

Remote Web Workplace allows remote users to use a web browser on their home machines to access the desktops of their office workstations. So as long as the app in question is installed on their office workstations (and drives mapped) then they can do the same work from home. It's not a VPN, and there is no critical data loaded or accessed on the home computer, just a remote desktop to the office.

It's ideal because it's a better security model, and you don't have to worry about the protocol overhead of encrypted VPN to carry database traffic. Plus, their office workstation is usually already configured as the perfect environment for getting work tasks done.

But if your users all have laptops and move them between the office and home, then RWW isn't as useful, since they have no workstation in the office.

That being said, RWW allows access to ANY workstation in the office that has remote desktop enabled, so as long as there's a profile configured for the Compliance officer on a workstation in the office, that user could use that computer.

Hope that clarifies the options.

Dave Shackelford
Shackelford Consulting
 
Hey Dave, thanks for the reply.

To update current situation : it's all fixed!! finally!

Apparently they had to reinstall terminal services, certificate authority and RADIUS, create a new self-signed SBS cert for VPN users and now we are good to go.

We have a GoDaddy cert for OWA & OMA, and certificate services now correctly issues user SSL certificates for VPN access, and only SSL user certs will allow VPN connection to the server.

Is it usually this painful to secure an SBS server?

As for RWW, the downside I can see for this would be the fact users' workstations are not left switched on; we turn all machines off at night, which saves electric and cuts down on potential 'ways in' to the system.

Plus we have a policy of no data stored on C: drive, so no need for them to be switched on as they are not backed up.

I'd also be concerned about the security when userID and Password is supplied for desktop access / domain logon.

RDP sends userID and Password in plain text as I understand, I do not like people entering usernames and passwords into anything, including all web apps without SSL encryption.

Just because I'm paranoid, doesn't mean they aren't trying to hack me ;-)

 
Thanks for all your time, I'll check it out when I get 5, though as I said, if none of the client machines are left on, I don't think it will help. I don't like the idea of having 'Wake on LAN' enabled either.
