Certificate Services

[Robert Field]

We are currently deploying a vpn solution for remote users. We have
deployed private DSL lines to several of our staff and we want to
ensure that only trusted computers can be used on the DSL connection.

Our plan is to deploy computer certificates to the computers using the
Enterpise CA model and then use this to authenticate the computer when
it connects using the DSL link.

My first question is

When deploying computer based certificates using GPO's is there anyway
of filtering out computers, I don't want all of our computers in the
domain having a certificate installed I only want it to apply to
laptops.

My Second question is

If we place an IAS Server out in our perimeter network will that
authenticate the computer certificate?


We are currently using Windows 2000 pro and Windows 2000 Active
Directory.

Any feedback would be much appreciated.

Regards

Rob

 

[Steven Umbach]

Using computer certificates will require l2tp which will not work with NAT
unless the NAT-T update has been applied so keep that in mind. You can use Group
Policy to control what computers receive computer certificates. One way would be
to create an OU and configure autoenrollment only for that OU [check that it is
not enabled at the domain level] where you would place the accounts for the
laptops. I really don't know the answer about ISA offhand but I believe the
answer would be no as your Remote Access server would be the one to authenticate
vpn computers, but a post in one of the ISA newsgroups would probably get an
answer. See the links below for more info. --- Steve

http://www.microsoft.com/WINDOWS2000/techinfo/planning/security/autocertsteps.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;818043

 

[Steven Umbach]

Using computer certificates will require l2tp which will not work with NAT
unless the NAT-T update has been applied so keep that in mind. You can use Group
Policy to control what computers receive computer certificates. One way would be
to create an OU and configure autoenrollment only for that OU [check that it is
not enabled at the domain level] where you would place the accounts for the
laptops. I really don't know the answer about ISA offhand but I believe the
answer would be no as your Remote Access server would be the one to authenticate
vpn computers, but a post in one of the ISA newsgroups would probably get an
answer. See the links below for more info. --- Steve

http://www.microsoft.com/WINDOWS2000/techinfo/planning/security/autocertsteps.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;818043

 

[Robert Field]

Thank you Steve, I was under the impression that Certificates could
only be applied at Domain Level but they do appear to work at OU level
as well which is great.

Using computer certificates will require l2tp which will not work with NAT
unless the NAT-T update has been applied so keep that in mind. You can use Group
Policy to control what computers receive computer certificates. One way would be
to create an OU and configure autoenrollment only for that OU [check that it is
not enabled at the domain level] where you would place the accounts for the
laptops. I really don't know the answer about ISA offhand but I believe the
answer would be no as your Remote Access server would be the one to authenticate
vpn computers, but a post in one of the ISA newsgroups would probably get an
answer. See the links below for more info. --- Steve

http://www.microsoft.com/WINDOWS2000/techinfo/planning/security/autocertsteps.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;818043

We are currently deploying a vpn solution for remote users. We have
deployed private DSL lines to several of our staff and we want to
ensure that only trusted computers can be used on the DSL connection.

Our plan is to deploy computer certificates to the computers using the
Enterpise CA model and then use this to authenticate the computer when
it connects using the DSL link.

My first question is

When deploying computer based certificates using GPO's is there anyway
of filtering out computers, I don't want all of our computers in the
domain having a certificate installed I only want it to apply to
laptops.

My Second question is

If we place an IAS Server out in our perimeter network will that
authenticate the computer certificate?


We are currently using Windows 2000 pro and Windows 2000 Active
Directory.

Any feedback would be much appreciated.

Regards

Rob