A few resources I found helpful in setting up our two-tier CA (besides the book from Brian Komar... would recommend that as well):

- Two-tier PKI (3 parts): http://www.derekseaman.com/2014/01/windows-server-2012-r2-two-tier-pki-ca-pt-1.html
- Two-tier PKI setup (2 parts): http://blogs.technet.com/b/yungchou/archive/2013/10/21/enterprise-pki-with-windows-server-2012-r2-active-directory-certificate-services-part-1-of-2.aspx

From: [email protected] [mailto:[email protected]] On Behalf Of Richard Stovall
Sent: Tuesday, October 14, 2014 6:51 PM
To: [email protected]
Subject: Re: [NTSysADM] Windows CA Server

You know why I want to do SSL inspection? So that my current IPS/AV-enabled UTM firewall works on 99+% of the traffic it sees (both inbound and outbound) instead of roughly 75% to 80%. We are replacing it soon with hardware that will be capable of handling the increased load.

I'm with you on the technology -vs- behavior issue, but our use case has very little to do with behavior and everything to do with defense.

On Tue, Oct 14, 2014 at 3:27 PM, Kennedy, Jim <[email protected]> wrote:

SSL Inspection is not simple. You are basically going to use your filter to pull off a man in the middle attack on your desktops. So every client will have to have a cert from that filter that trusts your filter. So the Windows boxes in your domain will be easy. But iPhones, Androids, Chromebooks and BYOD will have to download that cert and install it and trust it. Double check the Windows CA cert idea, many filters won't take them for SSL inspection... they will only work with their own self-generated cert.

Remind the powers that be that YouTube blocking is not a CIPA/E-rate requirement. So the blocking must be a behavior issue, the students are sucking up your bandwidth, or they are goofing off. Those are behavioral issues that are seldom solved by technology. And their attempt to solve it via technology is going to create a nightmare, for them. You too, but they will be more concerned about their nightmare.
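As an added illustration of Jim's point (example code written for this page, not from anyone on the thread): a PowerShell probe an admin can run on a Windows client to see whether a TLS connection is actually being intercepted by the filter, and whether that client trusts the filter's CA. The target host and the inspection CA thumbprint are placeholders.

```powershell
# Added example, not from the thread. Opens a TLS session the way a client would,
# then evaluates the presented certificate against THIS machine's trust stores, so the
# output shows (a) who really issued the cert (filter vs. public CA) and (b) whether the
# client would accept it. Thumbprint below is a placeholder; substitute your own.
param(
    [string]$TargetHost = 'www.youtube.com',
    [int]$Port = 443,
    [string]$InspectionCaThumbprint = 'REPLACE-WITH-INSPECTION-CA-THUMBPRINT'  # placeholder
)
$ErrorActionPreference = 'Stop'

# Accept any server cert during the handshake; trust is evaluated separately below, so a
# client that does NOT trust the filter's CA still gets a report instead of an exception.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }

$tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
try {
    $ssl = New-Object -TypeName System.Net.Security.SslStream `
                      -ArgumentList $tcp.GetStream(), $false, $acceptAll
    $ssl.AuthenticateAsClient($TargetHost)
    # Copy the leaf cert out before the socket is closed.
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally { $tcp.Close() }

# Build the chain against the local machine/user stores, exactly as a browser would.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # we are probing the trust path, not revocation
$clientTrusts = $chain.Build($leaf)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

[pscustomobject]@{
    Host         = $TargetHost
    LeafSubject  = $leaf.Subject
    LeafIssuer   = $leaf.Issuer          # a filter-issued cert names the inspection CA here
    ChainRoot    = $root.Subject         # top of whatever chain this client could build
    Intercepted  = ($root.Thumbprint -eq $InspectionCaThumbprint)
    ClientTrusts = $clientTrusts         # $false on BYOD devices that never installed the CA
    ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
}
```

Run it on a domain-joined PC and on an unmanaged device; a result of Intercepted=True with ClientTrusts=False is exactly the BYOD breakage Jim describes.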
From: [email protected] [mailto:[email protected]] On Behalf Of Matthew W. Ross
Sent: Tuesday, October 14, 2014 3:17 PM
To: [email protected]
Subject: Re: [NTSysADM] Windows CA Server

Short answer: We don't _need_ this. Not yet, anyways.

Slightly longer answer: The powers that be are asking for me to block YouTube for some students, allow YouTube for Schools for the rest, and unfiltered YouTube for staff. It's possible with our current filter, but to get the best results (including https:// access to YouTube, which is often the default) is to have SSL inspection. I'd like to have SSL inspection anyways, as many sites are going to SSL/TLS encryption anyways... some without the option for regular http access... The only other option is to configure a proxy instead of the current transparent proxy setup we have now. We have done that in the past, with mixed results.

The various responses I've received so far have halted my test deployment, as I'm now trying to fully understand the enormity of this. I'm a fan of keeping it simple, so we will wait and see what solution works best for us.

--Matt Ross
Ephrata School District

Brian Desmond <[email protected]>, 10/14/2014 9:00 AM:

I'd ask the question of why you need a CA for this?

Thanks,
Brian Desmond
[email protected]
w – 312.625.1438 | c – 312.731.3132

From: [email protected] [mailto:[email protected]] On Behalf Of Matthew W. Ross
Sent: Monday, October 13, 2014 5:58 PM
To: [email protected]
Subject: [NTSysADM] Windows CA Server

We have been happily getting by without doing SSL inspection on our content filter. Now, it seems that we may need to take that next step. I'm making a Windows CA server on our VMware cluster now.

Before I get too deep, any "gotchas" I should be looking for? Looking into this, it looks like I might be diving right into the deep end. Time for a lot of reading...

--Matt Ross
Ephrata School District

