Only systems that host client facing roles need the server auth certs because 
this only concerns client to site communication.

Other internal site traffic (between site systems and site servers) can be 
secured in other ways that do not involve certs.

J

From: [email protected] [mailto:[email protected]] On 
Behalf Of Brian McDonald
Sent: Tuesday, February 18, 2014 5:26 PM
To: [email protected]
Subject: RE: [mssms] Configuring site systems to use HTTPS

One last stupid question. :) Does this mean I will need to enroll the Primary 
Site system with the certs as well as my MP/DP/SUP in the DMZ?

Thanks,
Brian
________________________________
From: [email protected]
To: [email protected]
Subject: RE: [mssms] Configuring site systems to use HTTPS
Date: Tue, 18 Feb 2014 22:02:49 +0000
I won't say "best" but I will say that's generally what folks do to control the 
MP affinity and ensure that DMZ clients only talk to the MP in the DMZ and 
internal clients only talk to the internal MP.

J

From: [email protected] [mailto:[email protected]] On 
Behalf Of Brian McDonald
Sent: Tuesday, February 18, 2014 3:43 PM
To: [email protected]
Subject: RE: [mssms] Configuring site systems to use HTTPS

You're correct. I created certs based off the templates described below.

So, it sounds like the best course of action would be to configure my Primary 
Site (DP to use HTTP) and my DMZ Site System DP to use HTTPS, correct?

Thanks,

Brian
________________________________
From: [email protected]
To: [email protected]
Subject: RE: [mssms] Configuring site systems to use HTTPS
Date: Tue, 18 Feb 2014 21:12:01 +0000
A couple of semantic corrections first, yes these are minor but saying the 
wrong thing can have big implications:
- The list at the top looks more like cert templates, not certs. Certs 
are generated from these templates.
- You don't enroll certs, you enroll systems; enrollment is the 
process of a system getting a cert.

On to the questions:
- Yes, each site system with a client facing role like the DP, must 
have its own unique server auth cert (beware that the MP also requires a client 
auth cert so that it can self-check availability).
- Site systems, or more accurately their roles, can listen on either 
HTTP or HTTPS, not both. The Site itself can allow both, but the actual roles 
on a site system are restricted to one or the other. Generally, folks will only 
configure their non-internal serving site roles with HTTPS; that could vary 
though because of things like Mac support, internal security, etc.
J
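As an added example (not from the thread or from ConfigMgr itself), a PowerShell check to run on a site system before switching a role to HTTPS: it confirms the machine store holds a server authentication cert with a private key that matches the host FQDN, and for the MP also a client authentication cert, as J notes above. The FQDN-match rule, the `Cert:\LocalMachine\My` store location and the role names are assumptions for the example.

```powershell
# Added example: verify this site system holds the cert(s) its role needs.
# Rules follow the thread: every client-facing role needs a server-auth cert;
# the MP additionally needs a client-auth cert. Matching the cert DNS name to
# the host FQDN is an assumption made here, not something the thread states.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU

function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Find-UsableCert {
    param([string]$EkuOid, [string]$Fqdn)
    # Only unexpired certs with a private key and the requested EKU qualify;
    # server-auth certs must additionally carry the host FQDN as DNS name.
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        (Get-CertEkuOids -Cert $_) -contains $EkuOid -and
        ($EkuOid -ne $ServerAuthOid -or
         $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false) -ieq $Fqdn)
    }
}

function Test-SiteSystemCerts {
    param([ValidateSet('MP', 'DP', 'SUP')][string]$Role)
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $required = @{ $ServerAuthOid = 'server authentication' }
    if ($Role -eq 'MP') { $required[$ClientAuthOid] = 'client authentication' }
    $ok = $true
    foreach ($oid in $required.Keys) {
        $match = @(Find-UsableCert -EkuOid $oid -Fqdn $fqdn)
        if ($match.Count -gt 0) {
            Write-Host ("OK      {0} cert {1} (expires {2:d})" -f $required[$oid], $match[0].Thumbprint, $match[0].NotAfter)
        } else {
            Write-Host ("MISSING {0} cert for {1} role on {2}" -f $required[$oid], $Role, $fqdn)
            $ok = $false
        }
    }
    return $ok
}

Test-SiteSystemCerts -Role MP
```

Wildcard certificates are not matched by the FQDN rule; extend the comparison if your templates issue them.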

From: [email protected] [mailto:[email protected]] On 
Behalf Of Brian McDonald
Sent: Tuesday, February 18, 2014 2:37 PM
To: [email protected]
Subject: [mssms] Configuring site systems to use HTTPS

My company is in the process of implementing a PKI infrastructure in an effort to 
support IBCM. So far we have created the following certs:
- Workstation Authentication
- Workgroup
- Web Server
- Distribution Point

Currently working on enrolling the workstation authentication GPO. The question 
I have is should I enroll the Web Server cert on all my DPs (e.g. Primary and 
remote DP)?

My curiosity around this is determining whether I should configure my Primary 
site to use both HTTP/HTTPS communication as well as my DMZ Site System 
(DP/MP/SUP), or should I only have my DMZ Site System configured for HTTPS 
communications?

Thanks,
Brian