
Certificate Infrastructure

  • 25-03-2003 10:55am
    #1
    Closed Accounts Posts: 495 ✭✭


    Hi,

    I'm trying to understand how the MS certificate system works; it has me slightly baffled.

    I have set up a testlab with a couple of machines running in it:

    1) domain controller with:
    Active directory
    DNS

    2) IAS server

    3) VPN server
    RRAS

    On a separate subnet I have a client machine.

    If I try to make a VPN connection using PPTP to the testlab domain, all works well; I get authenticated no problem.

    If, however, I try to use L2TP, I am told (on the client) that no valid certificate has been found. So I installed a CA on the domain controller.


    Now here is my question: if using L2TP/IPSec, which will not connect unless I have a certificate on my client, how do I request a certificate from the domain CA, which will not let me connect as I have no certificate?


    Any help or resources welcome!


Comments

  • Closed Accounts Posts: 6,143 ✭✭✭spongebob


    Originally posted by Beëlzebooze

    Now here is my question: if using L2TP/IPSec, which will not connect unless I have a certificate on my client, how do I request a certificate from the domain CA, which will not let me connect as I have no certificate?

    Try port 80 initially to GET the cert; IIS must be running for the CA to work in W2K.

    Once you install the cert, the L2TP stuff should kick in with minimum fuss.

    M


  • Closed Accounts Posts: 495 ✭✭Beëlzebooze


    I understand, but how do I access my web server, which is behind the VPN server, if I cannot authenticate on the domain?

    The CA site on IIS will only allow authenticated users.

    In my mind this is a chicken-and-egg situation: need a cert to access the domain, need to access the domain to request a cert.


  • Closed Accounts Posts: 6,143 ✭✭✭spongebob


    Yah,

    'fraid so.

    Stick the system on the LAN, pick up the cert over port 80;

    VPN then works remotely.

    If they are 'out there' already then it is a major bother. You can NAT the cert server with port 80 open, pick up the cert on the public internet, then close the port on the firewall and disable the NAT on the firewall, can you?

    M


  • Closed Accounts Posts: 495 ✭✭Beëlzebooze


    OMG.

    I get the feeling you are not kidding...

    I suppose that would be a damn good reason to have router-to-router VPNs as opposed to (very) remote client-to-VPN connections, then.

    Thanks Muck, for putting my poor mind at rest; I was beginning to doubt myself.


  • Closed Accounts Posts: 495 ✭✭Beëlzebooze


    I suppose you could PPTP in to the VPN first and then pick up a cert, then just change the tunnelling protocol to L2TP/IPsec.


  • Closed Accounts Posts: 6,143 ✭✭✭spongebob


    Yes, sounds good. Will your firewall allow that temporarily to a domain controller across the public internet?


  • Closed Accounts Posts: 495 ✭✭Beëlzebooze


    I don't have a firewall in place, as this is a testlab; I have simulated the internetwork by just hooking up a client to the internet NIC on the VPN, which uses its own subnet.

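The bootstrap sequence this thread converges on (PPTP in first, enrol a machine certificate from the domain CA, then switch the same connection to L2TP/IPsec), as an added PowerShell example that is not from the thread or from Microsoft. It assumes a modern Windows client with the VpnClient cmdlets and certreq, an enterprise CA that issues the Computer template (template name "Machine"), and the placeholder server, CA and account names shown in the script.

```powershell
# Added example, not from the thread. Placeholder names: change to match your lab.
$VpnName  = 'TestLab'
$Server   = 'vpn.testlab.example'              # placeholder VPN (RRAS) server
$CaConfig = 'dc01.testlab.example\TestLab-CA'  # placeholder "CAhost\CAname" for certreq
$CaName   = 'TestLab-CA'                       # placeholder issuing CA common name
$Account  = 'TESTLAB\user'                     # placeholder domain account
$Inf = "$env:TEMP\machine.inf"; $Req = "$env:TEMP\machine.req"; $Cer = "$env:TEMP\machine.cer"

# IKE needs a certificate in the machine store, with its private key, still valid,
# issued by a CA the VPN server trusts. Failing this check is what the client
# reports as "no valid certificate has been found".
function Test-VpnMachineCert {
    $now = Get-Date
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt $now -and $_.Issuer -like "*CN=$CaName*"
    }
    return [bool]$certs
}

if (Test-VpnMachineCert) { Write-Host 'Machine certificate already present.'; exit 0 }

# Step 1: a temporary PPTP connection, which needs only a password, gets the
# client onto the domain network so the CA is reachable.
Add-VpnConnection -Name $VpnName -ServerAddress $Server -TunnelType Pptp -Force
rasdial $VpnName $Account (Read-Host "Password for $Account")
if ($LASTEXITCODE -ne 0) { throw 'PPTP bootstrap connection failed' }

# Step 2: enrol a machine certificate over the tunnel with certreq.
# The template name is an assumption; an enterprise CA only issues against templates.
@"
[NewRequest]
Subject = "CN=$env:COMPUTERNAME"
MachineKeySet = TRUE
KeyLength = 2048
Exportable = FALSE
[RequestAttributes]
CertificateTemplate = Machine
"@ | Set-Content -Path $Inf
certreq -new $Inf $Req
certreq -submit -config $CaConfig $Req $Cer
certreq -accept $Cer

# Step 3: drop the PPTP tunnel, switch the same connection to L2TP (with no
# -L2tpPsk the IPsec phase authenticates with the machine certificate) and reconnect.
rasdial $VpnName /disconnect
if (-not (Test-VpnMachineCert)) { throw 'Enrolment did not produce a usable certificate' }
Set-VpnConnection -Name $VpnName -TunnelType L2tp -Force
rasdial $VpnName $Account (Read-Host "Password for $Account")
# Once all clients are enrolled, disable PPTP on the RRAS server so the weaker
# bootstrap path is not left open permanently.
```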
