Installing and configuring the 2004 ISA Server Firewall - Chapter 2 Installing Certificate Services
Microsoft Certificate Services can be installed on the domain controller of the internal network and provide certificates to hosts in the internal network domain, as well as to hosts that are not members of that domain. We will use certificates in several scenarios to complete the following tasks:
• Allow the ISA Server 2004 firewall to provide a channel that supports the L2TP/IPSec VPN protocol for creating site-to-site VPN links.
• Allow the ISA Server 2004 firewall to provide a channel that supports the L2TP/IPSec VPN protocol, enabling a VPN client to connect from a remote location (site).
• Allow remote users to access the Outlook Web Access site over a strongly secured SSL-to-SSL bridged connection.
• Publish secure Exchange SMTP and POP3 services on the Internet, using certificates to enable SSL/TLS security.
SSL (Secure Sockets Layer) is a session layer protocol capable of encrypting data transmitted between client and server. SSL security is currently considered the standard that provides security for remote access to websites. In addition, certificates can be used to authenticate the participants in VPN connections, including VPN clients and VPN servers (this method is called mutual authentication).
In this section we will cover the following processes:
• Install Internet Information Services 6.0 to support the Certificate Authority's Web enrollment site (certificates are received from the CA server through the enrollment form on the CA's Web site)
• Install Microsoft Certificate Services in Enterprise CA mode
Install Internet Information Services 6.0
The Certificate Authority's Web enrollment site uses the Internet Information Services World Wide Web Publishing Service. Because we installed the IIS Web services in Chapter 1 when installing Exchange 2003, to support the Outlook Web Access site, there is no need to reinstall IIS. However, you should confirm that the WWW Publishing Service is enabled before proceeding to install the Enterprise CA.
Perform the following steps to confirm that the WWW Publishing Service is running on the domain controller:
1. Click Start and select Administrative Tools. Click Services.
2. In the Services console, click the Standard tab at the bottom. Scroll down the list and double-click the World Wide Web Publishing Service.
3. In the World Wide Web Publishing Service Properties dialog box, confirm that the Startup type is Automatic and that the service status is Started.
With the WWW Publishing Service running, the next step is to install the Enterprise CA software.
Install Certificate Services in Enterprise CA mode
Microsoft Certificate Services will be installed in this mode on the domain controller itself. Installing the CA in Enterprise mode (as opposed to Standalone mode) has several advantages, including:
• The root CA certificate is automatically placed in the Trusted Root Certification Authorities certificate store on all domain member machines. Domain member computers that need certificates to secure their transactions can then easily find a legitimate issuer, the CA server, in Trusted Root Certification Authorities on their own computer.
• Clients can also easily use the Certificates MMC snap-in (at Run, type mmc, choose File, Add/Remove Snap-in, Add, select Certificates) to request certificates from CA servers or from the CA's Web site.
• All computers in the domain can be assigned multiple certificates via the Active Directory autoenrollment feature.
Note that it is not necessary to install the CA in Enterprise mode. You can install the CA in Standalone mode, but in this lab we will not cover Standalone mode or how to obtain a certificate from a Standalone CA.
Perform the following steps to install the Enterprise CA on the domain controller EXCHANGE2003BE:
1. Click Start, Control Panel. Click Add or Remove Programs.
2. In Add or Remove Programs, click Add/Remove Windows Components.
3. On the Windows Components page, scroll down the list and check the Certificate Services checkbox. The Microsoft Certificate Services dialog box informs you that you may not change the machine name or the machine's domain membership while it is acting as a CA. The point is clear: you cannot change the computer name or this computer's domain membership after you install the CA service. Click Yes.
4. Click Next on the Windows Components page.
5. On the CA Type page, select the Enterprise root CA option and click Next.
6. In this text box, enter the NetBIOS name of the domain controller, EXCHANGE2003BE. Click Next.
7. If a CA was previously installed on this computer, you will be asked whether 'you wish to overwrite the existing key'. If you have deployed other CAs on the network, do not overwrite the current keys. If this is the first CA, it is acceptable to overwrite the existing key. In this example no CA was previously installed on the computer, so this dialog box does not appear.
8. On the Certificate Database Settings page, use the default storage locations in the Certificate database and Certificate database log text boxes. Click Next.
9. The Microsoft Certificate Services dialog box tells you that Internet Information Services must be restarted. Click Yes to stop the service. The service will be restarted automatically.
10. Click OK in the Insert Disk dialog box. In the Files Needed dialog box, enter the I386 folder path in the Copy file from text box and click OK.
11. Click Finish on the Completing the Windows Components Wizard page.
12. Close Add or Remove Programs.
At this point the Enterprise CA can issue certificates to other computers in the domain through autoenrollment, the Certificates MMC snap-in, or the Web enrollment site. In the ISA Server 2004 configuration guide we will issue a Web site certificate to the OWA Web site and also issue computer certificates to the ISA Server 2004 firewall computer and to the external VPN client and VPN gateway (VPN router) machines.
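As an added example (not part of the original guide), the PowerShell script below checks the outcome of the procedure on the CA host: that the WWW Publishing Service and Certificate Services are set to Automatic and running, and that the CA's self-signed root certificate is present in the local Trusted Root Certification Authorities store. It assumes Windows PowerShell 2.0 or later is installed on the server and that the CA common name is the EXCHANGE2003BE value entered during setup; the function names are hypothetical.

```powershell
# Added example: post-install checks for the Enterprise CA host.
# Assumption: the CA common name is the name entered during setup.
$CaName = 'EXCHANGE2003BE'

function Test-ServiceState {
    param([string]$Name)
    # Win32_Service exposes both the startup type (StartMode) and the current State.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        return New-Object PSObject -Property @{
            Service = $Name; Ok = $false; Detail = 'not installed'
        }
    }
    # "Automatic" in the Services console is reported as 'Auto' by WMI.
    $ok = ($svc.StartMode -eq 'Auto') -and ($svc.State -eq 'Running')
    New-Object PSObject -Property @{
        Service = $Name; Ok = $ok
        Detail  = "StartMode=$($svc.StartMode) State=$($svc.State)"
    }
}

function Get-CaRootFromStore {
    param([string]$CommonName)
    # A root CA certificate is self-signed: subject and issuer are identical.
    $pattern = '^CN=' + [regex]::Escape($CommonName) + '(,|$)'
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
        $_.Subject -match $pattern -and $_.Subject -eq $_.Issuer
    }
}

# W3SVC backs the Web enrollment site; CertSvc is the CA service itself.
'W3SVC', 'CertSvc' | ForEach-Object { Test-ServiceState -Name $_ } |
    Format-Table Service, Ok, Detail -AutoSize

$roots = @(Get-CaRootFromStore -CommonName $CaName)
if ($roots.Count -eq 0) {
    Write-Warning "No self-signed root for CN=$CaName found in LocalMachine\Root."
} else {
    $roots | Select-Object Subject, Thumbprint, NotAfter | Format-List
    # Flag a root that is close to expiry (90 days is an arbitrary threshold).
    $roots | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(90) } |
        ForEach-Object { Write-Warning "Root $($_.Thumbprint) expires $($_.NotAfter)" }
}
```

Running the root-store check on a domain member as well confirms that the Enterprise CA's root certificate has reached that machine's Trusted Root Certification Authorities store.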
Conclusion:
In this section we discussed the use of a CA (Certificate Authority) and how to install an Enterprise CA on the domain controller in the internal network. We will then use the Enterprise CA to issue computer certificates to VPN clients and servers, and also to provide a Web site certificate for the Exchange Server's Outlook Web Access Web site.
Released: Installing and configuring the 2004 ISA Server Firewall - Chapter 1
Ho Viet Ha - Owner
Network Information Security Vietnam, Inc.
http://nis.com.vn