How to Cheat at Configuring ISA Server 2004

You can significantly enhance the security of your ISA firewall's VPN remote access client connections by using EAP user certificate authentication. User certificate authentication requires that the user possess a user certificate issued by a trusted certificate authority.
Both the ISA firewall and the remote access VPN client must have the appropriate certificates assigned to them. You must assign the ISA firewall a machine certificate that the firewall can use to identify itself. Users must be assigned user certificates from a certificate authority that the ISA firewall trusts. When both the remote access client machine presenting the user certificate and the ISA firewall contain a common CA certificate in their Trusted Root Certification Authorities certificate stores, the client and server trust the same certificate hierarchy.
The steps required to support user certificate authentication for remote access client VPN connections to the ISA firewall include:
Issuing a machine certificate to the ISA firewall
Configuring the ISA firewall software to support EAP authentication
Enabling User Mapping for EAP authenticated users
Configuring the Routing and Remote Access Service to support EAP authentication
Issuing a user certificate to the remote access VPN client machine
We have discussed the procedures for issuing a machine certificate to the ISA firewall in other chapters in this book and in the ISA Deployment Kits at www.isaserver.org, so we will not reiterate that procedure here. Instead, we'll start with configuring the ISA firewall software to support EAP authentication, and then...
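Before working through those steps, it helps to confirm on each side that the certificate prerequisites described above are actually in place: a machine certificate with its private key in the firewall's store, a user certificate in the dialing user's store, and a chain from each that ends in the same root in the Trusted Root Certification Authorities store. The script below is an added example for that check; it is not code from the book or from ISA Server, and it assumes a Windows host with PowerShell 3.0 or later and the .NET X509Chain class. The store paths and the Server Authentication and Client Authentication EKU OIDs are the standard Windows values, and revocation checking is turned off so the check runs offline.

```powershell
# Added example: confirm the certificate prerequisites for EAP user-certificate
# authentication on a Windows host. Not part of ISA Server; assumes PowerShell 3.0+
# and the .NET X509Chain class. Store paths and EKU OIDs are the standard ones.

function Test-EapCertificate {
    param(
        # Store to inspect: Cert:\LocalMachine\My for the firewall's machine
        # certificate, Cert:\CurrentUser\My for the remote user's certificate.
        [Parameter(Mandatory = $true)][string]$StorePath,
        # EKU the certificate must carry: 1.3.6.1.5.5.7.3.1 (Server Authentication)
        # on the firewall, 1.3.6.1.5.5.7.3.2 (Client Authentication) on the client.
        [Parameter(Mandatory = $true)][string]$RequiredEkuOid
    )

    # Thumbprints of every root the local machine trusts
    $trustedRoots = @((Get-ChildItem -Path Cert:\LocalMachine\Root).Thumbprint)

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Pull the EKU extension; skip certificates that do not carry the required usage
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        if ($ekus -notcontains $RequiredEkuOid) { continue }

        # Build the chain without revocation checking so the test runs offline;
        # switch RevocationMode to Online before relying on this in production
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainValid = $chain.Build($cert)

        # The last element of the built chain is the root the certificate chains to
        $root = $null
        if ($chain.ChainElements.Count -gt 0) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        }

        [PSCustomObject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey        # EAP needs the private key to prove possession
            ChainValid     = $chainValid
            RootSubject    = $root.Subject
            RootThumbprint = $root.Thumbprint
            RootTrusted    = $trustedRoots -contains $root.Thumbprint
            ChainErrors    = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
    }
}

# Run on the ISA firewall: expect at least one row with HasPrivateKey, ChainValid and RootTrusted all True
$firewallCerts = Test-EapCertificate -StorePath Cert:\LocalMachine\My -RequiredEkuOid '1.3.6.1.5.5.7.3.1'
$firewallCerts | Format-Table Subject, HasPrivateKey, ChainValid, RootTrusted, RootSubject, RootThumbprint -AutoSize

# Run on the VPN client, logged on as the user who will dial in
$userCerts = Test-EapCertificate -StorePath Cert:\CurrentUser\My -RequiredEkuOid '1.3.6.1.5.5.7.3.2'
$userCerts | Format-Table Subject, HasPrivateKey, ChainValid, RootTrusted, RootSubject, RootThumbprint -AutoSize

# The two sides trust the same hierarchy when the RootThumbprint printed on the firewall
# matches the RootThumbprint printed on the client; a row with ChainValid False shows the
# specific failure in ChainErrors (for example a missing intermediate or an expired CA).
```

A certificate that is present but has HasPrivateKey set to False is the usual cause of an EAP negotiation that fails even though the chain looks correct, since the side holding it cannot prove possession of the key during authentication; running the check as the actual dial-in user on the client side matters for the same reason, because Cert:\CurrentUser\My differs per user.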