Hi,
Without granting access to my CA server to external PCs, how can I get
certificates to them and configure them for L2TP/IPsec?
Gavin
For non-domain member computers you must enroll certificates manually --
users must install off of a floppy. Certificate enrollment methods are
covered in fairly good detail in the WS03 Help -- see "Network access
authentication and certificates" in Windows Server 2003 IAS or VPN Help, or
on the web at
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_VPN_und15.asp.
Here's an excerpt from that topic:
Non-domain member certificate enrollment
Certificate enrollment for computers that are not domain members cannot be
done with auto-enrollment. When a computer is joined to a domain, a trust
is established that allows auto-enrollment to occur without administrator
intervention. When a computer is not joined to a domain, trust is not
established and a certificate is not issued. Trust must be established
using one of the following methods:
An administrator (who is, by definition, trusted) must request a computer
or user certificate using the CA Web enrollment tool.
An administrator must save a computer or user certificate to a floppy disk
and install it on the non-domain member computer. Or, when the computer is
not accessible to the administrator (for example, a home computer
connecting to an organization network with an L2TP/IPSec VPN connection), a
domain user whom the administrator trusts can install the certificate.
An administrator can distribute a user certificate on a smart card
(computer certificates are not distributed on smart cards).
Many network infrastructures contain VPN and IAS servers that are not
domain members. For example, a VPN server in a perimeter network might not
be a domain member for security purposes. In this case, a computer
certificate with the Server Authentication purpose contained in the EKU
extensions must be installed on the non-domain member VPN server before it
can successfully negotiate L2TP/IPSec-based VPN connections with clients.
Note that if the non-domain member VPN server is used as an end point for a
VPN connection with another VPN server, EKU extensions must contain both
the Server Authentication and Client Authentication purposes.
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
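A check for the EKU requirement the excerpt describes, added here as an example and not part of the original thread or the Help topic: after the manually enrolled certificate has been imported into the computer's Personal store, this PowerShell function reports whether it carries the Server Authentication purpose (and, for a server-to-server endpoint, Client Authentication as well), has its private key, and chains to a trusted CA on that machine. The function name, the -ServerToServer switch and the store path are assumptions for this example.

```powershell
# Added example (not from the original thread): verify that a certificate in the
# local computer's Personal store carries the EKU purposes the Help topic requires.
# Assumed: run in an elevated PowerShell session on the machine that received the
# manually enrolled certificate.
$ServerAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth: Server Authentication
$ClientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth: Client Authentication

function Test-VpnCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        # Set when the VPN server is itself an endpoint of a connection to another
        # VPN server; the excerpt says both purposes are then required.
        [switch] $ServerToServer
    )

    # Collect the OIDs listed in the certificate's Enhanced Key Usage extension.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }

    $required = @($ServerAuth)
    if ($ServerToServer) { $required += $ClientAuth }
    $missing = @($required | Where-Object { $eku -notcontains $_ })

    $chainOk   = $Cert.Verify()                      # chains to a CA trusted on this box
    $notExpired = $Cert.NotAfter -gt (Get-Date)

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey          # IPsec machine auth needs the key
        ChainValid    = $chainOk
        NotExpired    = $notExpired
        MissingEku    = $missing
        # Only a certificate passing every check is usable for L2TP/IPsec here.
        Suitable      = ($Cert.HasPrivateKey -and $chainOk -and $notExpired -and ($missing.Count -eq 0))
    }
}

# Evaluate every certificate in the machine Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-VpnCertificate -Cert $_ } |
    Format-List
```

A certificate that shows ChainValid as False usually means the issuing CA's certificate was not imported into the machine's Trusted Root store alongside the enrolled certificate.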