That's exactly where the FM comes into play; I've got to take recommended methods and Microsoft's examples and _attempt_ to put them into place in an infrastructure that looks nothing like a test environment.

The firewall is in place because our environment is fairly open. The only port to our Enterprise server that is open is for SQL, as it's our SQL Server that I'm using for the root CA. The thought was that we _should_ be able to implement certificate services without opening any more firewall ports. So it would appear I either need to ask the security team if I'm in trouble by opening another port, or ask for more money to gain another Enterprise server.

-----Original Message-----
From: Tim Evans [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 03, 2008 10:50 AM
To: NT System Admin Issues
Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

I agree. While I don't understand the reason for the firewall, you definitely need the enterprise server issuing the certs. As was previously suggested, you could set up a root CA behind the firewall (or an offline root CA) and put the subordinate CA on the other side of the firewall.

...Tim

From: Jon Harris [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 03, 2008 7:38 AM
To: NT System Admin Issues
Subject: Re: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

I think you may need to put an Enterprise server in your mix that is not behind the firewall.

Jon

On Wed, Dec 3, 2008 at 10:34 AM, Stephen Wimberly <[EMAIL PROTECTED]> wrote:

I have figured out how to get the auto-enroll working! YEAH!

Although, when it comes to SCCM the site server seems to require the same "client" certificate as the actual 'clients'. What I am finding is that the certificates I create (duplicate) are Windows Server Enterprise certificates; the domain controller on the other side of the firewall that is a subordinate CA authority is a Windows Server Standard, not Enterprise. Each time I attempt to manually enroll or auto-enroll one of the certificates I build through the Enterprise templates (which is the reason we are using Enterprise!) the client wants to get a reply from the Enterprise server. This is not going to happen over the firewall!!! I may just have to RTFM.

-----Original Message-----
From: Tim Evans [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 02, 2008 11:29 AM
To: NT System Admin Issues
Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

I'm glad to hear that you got it figured out.

...Tim

> -----Original Message-----
> From: Stephen Wimberly [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 01, 2008 10:47 AM
> To: NT System Admin Issues
> Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
>
> It's always the simple stuff...
>
> I had forgotten to open the Windows Firewall to certsrv.exe on the sub CA.
>
> I now have auto enrollment working like a charm!!!!
>
> -----Original Message-----
> From: Stephen Wimberly [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 01, 2008 8:57 AM
> To: NT System Admin Issues
> Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
>
> What I'm trying to do: We are attempting to use certificates for SCCM. In the future we would like to extend the certificate structure for IPSEC authentication and we are considering the use of certificates for file encryption.
>
> We are utilizing the Enterprise level Windows Server in order to take advantage of the Certificate Templates.
>
> The Enterprise Server is generating the root CA and the SCCM certificates outlined in the 'step by step' SCCM documentation and publishing those to AD.
>
> The problem comes in when the workstation attempts to "AutoEnroll" the certificates. Via network trace I can see that the workstation is requesting something from the Enterprise Server, which is behind a firewall. The firewall blocks the traffic and the Auto Enrollment fails.
>
> Since the firewall was the problem, I thought that MAYBE another CA on the same side of the firewall might be in order. So, back to my original question; do I need a CA Server on the same side of the firewall as the workstations? I only have two servers on the same network as the workstations, both are domain controllers. Or MAYBE the problem is elsewhere?
>
> The actual error I get is Event ID 13; "Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba). The RPC server is unavailable." When I attempt to gain the certificate manually I get the same error.
>
> I assume the RPC server is that of the root CA server, which is the Enterprise level server on the other side of the firewall. It's not going to reply. _SHOULD_ the workstation gain everything it needs from the Domain Controller rather than any CA Server???
>
> -----Original Message-----
> From: Tim Evans [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 27, 2008 1:43 PM
> To: NT System Admin Issues
> Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
>
> Yes, an intermediate CA is the same thing as a subordinate CA. I think subordinate CA is the correct terminology. Sorry about that.
>
> From your description, it's not clear to me what you are trying to do. Why do you have 2 CAs? From my experience, the reason why you have two is so that the root CA can be kept offline for added security. The root CA is used to generate the certificate for the subordinate CA, and isn't used again except for CRL updates and to renew the cert on the subordinate CA. The subordinate CA is the one that is used day to day in issuing certificates.
>
> From your description below, you say that you have an enterprise CA server publishing to AD. Is that your root CA? What does the subordinate CA do? You don't need Windows Enterprise to issue certificates - you only need it if you want to make changes to the templates of the certs that are issued.
>
> ...Tim
>
> > -----Original Message-----
> > From: Stephen Wimberly [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, November 27, 2008 3:34 AM
> > To: NT System Admin Issues
> > Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
> >
> > Is the 'intermediate CA' the same thing as a 'subordinate CA'? I installed the CA services on the DC as a subordinate CA server; maybe it needs to be an Enterprise CA server?
> >
> > Overview:
> > Windows Enterprise running Enterprise CA Server publishing to AD
> > Two Windows Standard running DC
> > ====== Firewall ========== (DCs replicate via IPSEC)
> > Two Windows Standard running DC; one running Enterprise subordinate CA server
> > Workstations.
> >
> > -----Original Message-----
> > From: Tim Evans [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, November 26, 2008 4:22 PM
> > To: NT System Admin Issues
> > Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
> >
> > Our root CA is offline. I only fire it up every couple of months to keep it patched and update the CRLs. You will need an intermediate CA online somewhere to issue certificates. The problem is that, if you want to use certificate templates and modify the defaults, you need Windows Enterprise for the intermediate CA that actually issues the certs. Our root CA is Standard, but the intermediate CA is Enterprise.
> >
> > ...Tim
> >
> > > -----Original Message-----
> > > From: Stephen Wimberly [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, November 26, 2008 1:06 PM
> > > To: NT System Admin Issues
> > > Subject: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
> > >
> > > The plan was to use our SQL Server (the only Enterprise level server we have) to issue the root CA, publish it to Active Directory and use GPO to push the computer certificate to the workstations.
> > >
> > > The plan _almost_ works....
> > >
> > > The workstation fails on auto enrollment because it is sending out a request directly to the SQL server (root CA server) to register the certificate. (I see this via WireShark.) The SQL server is behind a firewall and we really don't want to open any more ports.
> > >
> > > Is there a way (that I'm obviously missing) to push the certificates directly from AD (Server 2003 R2 STANDARD) so there is no required communication back to the root CA Server??? I'm wanting all the communication to come directly from the domain controller that is in the same network.
> > >
> > > Do I need to set up the DC as a subordinate CA?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
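The failure mode argued over in this thread (Event ID 13 with 0x800706ba, the workstation going to the CA instead of the DC, and a Standard-edition CA not being able to issue the duplicated templates) can be checked from any domain member. The script below is an added example written for this page, not something any of the participants posted. It reads the two containers under CN=Public Key Services in the Configuration partition that autoenrollment itself uses: Certificate Templates (every template and its schema version) and Enrollment Services (the CAs a client is allowed to enrol from, with the templates each publishes), then tests TCP 135 to each CA host, which is the first hop of the DCOM ICertRequest call. It assumes a domain-joined Windows host with PowerShell 2.0 or later; the function name, the timeout parameter and the output wording are mine, the container DNs and attribute names are the standard AD ones.

```powershell
# Added example (not from the thread): show which CA(s) a domain member will contact
# for certificate enrollment and whether the RPC path to each is open.
# Assumes a domain-joined Windows host with PowerShell 2.0 or later; the container
# DNs are the standard ones under the Configuration partition, nothing is hard-coded.

function Test-CAEnrollmentPath {
    param([int]$TimeoutMs = 3000)   # how long to wait on TCP 135 before calling it blocked

    $configNC = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    # Template definitions live in AD, keyed by name, with their schema version.
    # Schema 1 = the built-in v1 templates. Anything you "duplicate" in the MMC is v2
    # or later and, on Windows Server 2003, can only be issued by a CA running on
    # Enterprise or Datacenter edition (the point Tim makes in the thread).
    $templates = @{}
    foreach ($t in ([ADSI]"LDAP://CN=Certificate Templates,$pkiBase").Children) {
        $templates[[string]$t.cn] = [int]$t.'msPKI-Template-Schema-Version'[0]
    }

    # Enrollment Services is the list of CAs a client may enrol from. A DC is only in
    # here if it runs an enterprise CA itself; autoenrollment never asks "the DC" for
    # a certificate, it goes to one of these hosts over DCOM.
    foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pkiBase").Children) {
        $caName = [string]$ca.cn
        $caHost = [string]$ca.dNSHostName
        Write-Host "CA '$caName' on $caHost"

        foreach ($name in @($ca.certificateTemplates)) {
            if (-not $name) { continue }
            $ver = $templates[[string]$name]
            if ($ver -eq $null) { $verText = "not defined in AD" } else { $verText = "schema v$ver" }
            Write-Host ("    publishes {0} ({1})" -f $name, $verText)
        }

        # ICertRequest is DCOM: the client hits the endpoint mapper on TCP 135 first,
        # then a dynamic high port. A blocked 135 is the Event ID 13 / 0x800706ba
        # "RPC server is unavailable" seen in the thread. Connect asynchronously so a
        # silently dropping firewall does not stall the script for the full TCP timeout.
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $ar = $client.BeginConnect($caHost, 135, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($ar)
                Write-Host "    TCP 135 to $caHost is reachable"
            } else {
                Write-Host "    TCP 135 to $caHost timed out: enrollment against this CA will fail with 0x800706ba"
            }
        } catch {
            Write-Host "    TCP 135 to $caHost refused/unreachable: $($_.Exception.Message)"
        } finally {
            $client.Close()
        }
    }
}

Test-CAEnrollmentPath
```

Run it on one of the workstations that logs Event ID 13. If the only CA listed is the SQL box behind the firewall, that is the host the client will try, whatever the DC next to it does; if the subordinate CA on the DC is listed but publishes no v2 templates, that is the Standard-edition limit Tim describes. A reachable port 135 is necessary but not sufficient, because the CA's own service listens on a dynamic port: `certutil -config "<host>\<CA name>" -ping` exercises the full ICertRequest path, and `certutil -pulse` triggers autoenrollment on demand so the event can be reproduced without waiting for the policy refresh. On the CA side the fix Stephen found for the sub CA, a Windows Firewall exception for certsrv.exe, is what lets that dynamic port through; on Server 2003 the equivalent command is `netsh firewall add allowedprogram program=%SystemRoot%\system32\certsrv.exe name="Certificate Services" mode=ENABLE`.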
