Hi Jim,

Consider using an Enterprise CA, then you can use autoenrollment to assign computer certificates to your domain members so that they can use L2TP/IPSec. You can also use your CA to assign User Certificates if you want to further increase your security by using EAP User Certificate Authentication.
Also, you can use EAP User Certificate Authentication for your SSTP VPN server, if you're planning on upgrading your VPN server to Windows Server 2008.

As for securing your Certificate Server, if you're using Win2003, check out the Security Configuration Wizard for some good suggestions (and implement those suggestions for you too). If you're using Windows 2008 for your CA, then Server Manager's Role Installation Wizard will automatically deploy security best practices and there's no need to run the SCW.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: Jim Dandy [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 30, 2008 7:14 PM
> To: NT System Admin Issues
> Subject: L2TP & Certificate server
>
> From what I've read about Windows Server 2003, you have to have a certificate server to implement L2TP/IPSec. I don't expect to have many VPN clients. Is there a problem with buying certificates instead of running a certificate server? If I was to run my own certificate server, what best practices should I follow to keep it secure? I'm guessing it would NOT be a good idea to have the VPN server double as the certificate server (although that's what I'd like to do). I'm looking at implementing L2TP instead of PPTP because of the extra security it provides but it wouldn't do much good to have the extra security if my certificate server wasn't secure.
>
> Thanks for your help.
>
> Curt
