Installing and Configuring a Windows Server 2003 Enterprise Certification Authority
Certification Authorities (CAs) issue certificates for a number of different purposes. In the context of your ISA Server firewall/VPN server, a CA can provide a certificate that allows:
- L2TP/IPSec VPN connections from VPN clients
VPN clients can establish L2TP/IPSec connections to the ISA Server firewall/VPN server. A machine certificate is required to create the IPSec encrypted tunnel.
- L2TP/IPSec VPN connections from VPN gateways (VPN routers)
Remote VPN gateways can call the ISA Server firewall/VPN server and establish a gateway to gateway link. VPN gateways act as VPN routers and allow packets to be routed between networks through a the VPN tunnel established between the VPN gateways.
- L2TP/IPSec VPN connections to VPN servers
The ISA Server firewall/VPN server may need to establish a VPN client connection to a VPN server. For example, some Internet Service Providers require machines to establish a VPN connection with their own VPN server to obtain a public address for the ISA Server firewall/VPN server’s external interface. In this case. the ISA Server firewall/VPN server is a VPN client to the ISP’s VPN server.
- Certificate-based user authentication using a certificate stored on the user machine
Users can obtain certificates and use those certificates to authenticate with the VPN server. The user certificate is stored on the user’s computer and a VPN connectoid (dial-up connection) can be configured to present this certificate during the PPP (in this case, EAP-TLS) user authentication process.
- Certificate-based user authentication using a certificate stored on a Smart Card
A user certificate can be stored on a Smart Card. The user certificate is stored on a Smart Card and the VPN connectoid is configured to present the Smart Card certificate during the PPP (in this case, EAP-TLS) user authentication process.
A Microsoft Certificate Server can take on one of four roles:
- Enterprise Root CA Enterprise Subordinate CA Stand-alone Root CA Stand-alone Subordinate CA
A Microsoft Enterprise CA has the following characteristics:
- The enterprise CA must be a member of a Windows 2000 or Windows Server 2003 Active Directory domain The enterprise Root CA certificate is automatically added to the Trusted Root Certification Authorities node for all users and computers in the domain User certificates can be issued that allow users to log on to the Active Directory domain using computer-stored certificates
or certificates installed on Smart Cards User certificates and the Certificate Revocation List (CRL) are stored in the Active Directory In contrast to stand-alone CAs, an enterprise CA issues certificates via certificate templates that can be added and customized by the CA administrator In contrast to the stand-alone CA, the enterprise CA confirms the credentials of the user requesting a certificate The subject name (the name of the user or computer) on the certificate can be entered manually or automatically
We recommend that you install an Enterprise CA if:
- You have an Active Directory domain, and/or You require automatic deployment of certificates to users and computers
The enterprise CA is the ideal solution for any network with a Windows 2000 or Windows Server 2003 domain. All domain members can be assigned certificates via Group Policy based certificate autoenrollment. You can limit the scope of autoenrollment by assigning permissions to the certificate template used for autoenrollment. Users and computers that are not domain members can use the Web enrollment site to obtain certificates.
If you want to support certificate enrollment via Web enrollment site, then you must install the Internet Information Services World Wide Web service before installing Microsoft Certificate Services.
In this ISA Server 2000 VPN Deployment Kit document we cover the following procedures:
- Installing the Internet Information Services 6.0 World Wide Web service (W3SVC) to support the enterprise CA Web enrollment site Installing the Windows Server 2003 Certificate Services on a domain controller. The CA is installed as an enterprise CA.
You can install an enterprise CA on any domain member. The machine does not need to be a domain controller.
Installing Microsoft Internet Information Services World Wide Web Service
Perform the following steps to install IIS 6.0 on the Windows Server 2003 member server or domain controller computer that will be the enterprise CA:
- Click Start. point to Control Panel and click Add or Remove Programs . Click the Add/Remove Windows Components button in the Add or Remove Programs window (figure 1).
Figure 1 (fig111)
- On the Windows Components window, click on the Application Server entry and click the Details button (figure 2).
Figure 2 (fig112)
- On the Application Server page, click on the Internet Information Services (IIS) entry and click the Details button (figure 3).