How to AutoEnroll to servers behind Firewall

msyed1
To have AD push machine certificates to laptops and desktops, I have used the AutoEnroll feature by joining an AD Global group containing the machine IDs of the target machines. This has worked fine, but what I need to figure out now is a little different:

We have several Windows 2003 servers that need a machine certificate (for server authentication).  I can use the same process as I have listed above, but the difference is that these servers are behind a special secure zone (firewalled for PCI purposes).  

How do I accomplish AutoEnrollment of certificates to servers that are behind a firewall? Would I have to have ports opened? Which ones, and where: on the target servers or on the Issuing CAs?
You can use internet enrollment, but you will have to install the IIS server role. Port 443 needs to be opened.
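Before opening anything, a practitioner usually wants to see which paths from the firewalled server to the issuing CA actually work. Group Policy autoenrollment talks to the CA over DCOM (TCP 135 to the endpoint mapper, then a dynamic RPC port), while port 443 is only needed for the IIS web enrollment pages or the newer CES/CEP web services. The following script is an added example for this thread, not something posted by the participants. It assumes PowerShell 4 or later (for Test-NetConnection) on a machine inside the same PCI zone; the CA hostname and CA name are placeholders, and the event provider name it queries exists on Windows Vista/2008 and later (Windows 2003 logs autoenrollment under the older "AutoEnrollment" source instead).

```powershell
# Added example (not from the thread): verify from a firewalled member server
# which paths to the issuing CA are reachable before relying on autoenrollment.
# Assumptions: PowerShell 4+ on a host inside the same network zone as the
# target servers; $CaHost and $CaName are placeholders for your issuing CA.
param(
    [string]$CaHost = "ca01.corp.example",   # placeholder, replace with your CA hostname
    [string]$CaName = "Corp-Issuing-CA"      # placeholder, replace with your CA common name
)

# Ports involved in certificate enrollment:
#   TCP 135  RPC endpoint mapper; DCOM autoenrollment starts here and is then
#            redirected to a dynamic RPC port (1025-5000 on 2003, 49152-65535 on 2008+),
#            so the firewall must allow that range (or a fixed port) to the CA as well.
#   TCP 443  HTTPS; only needed for IIS web enrollment or CES/CEP, not for DCOM autoenroll.
$ports = @(
    @{ Port = 135; Purpose = "RPC endpoint mapper (DCOM autoenrollment)" },
    @{ Port = 443; Purpose = "HTTPS (web enrollment / CES-CEP)" }
)

# TCP reachability for each port, reported as a small table.
$results = foreach ($p in $ports) {
    $tnc = Test-NetConnection -ComputerName $CaHost -Port $p.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $p.Port
        Purpose = $p.Purpose
        Open    = $tnc.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# End-to-end RPC check: certutil -ping asks the CA's request interface to answer.
# If TCP 135 is open but this fails, the dynamic RPC range is what the firewall blocks.
& certutil.exe -config "$CaHost\$CaName" -ping

# Trigger an autoenrollment pass now, then read the client's AutoEnrollment events
# (success, "no CA reachable", template permission errors) to see the outcome.
& certutil.exe -pulse
Get-WinEvent -FilterHashtable @{
    LogName      = "Application"
    ProviderName = "Microsoft-Windows-CertificateServicesClient-AutoEnrollment"
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Run it on (or from a jump host beside) one of the PCI-zone servers. If 135 is open but `certutil -ping` fails, the firewall rule is missing the dynamic RPC range to the CA; if you would rather not open that range, the usual alternatives are to pin the CA's RPC port or to enroll over HTTPS with the web enrollment or CES/CEP roles, which is where the port 443 rule applies.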

Author commented:
binary_1001010:

Can you please give me more details on what you mean by 'internet enrollment'?

IIS is already installed as a Role on the Issuing CA and the target servers already have IIS installed as well.  

Port 443 needs to be opened where? On the Issuing CA or on the target servers? (Sorry, I am not very knowledgeable about this.)

Thanks.


I had Windows 2003 Domain Controllers which had been set for autoenroll; the thing with them is that for AD to use the new certificate you would have to restart the AD service, which for Windows 2003 meant a reboot.

According to this
http://msdn.microsoft.com/en-us/library/bb643324.aspx#EFD
the machines need to be part of the domain to autoenroll.

I would check with your PCI auditor and see what the max time range is for the Certs and make it a manual process if you can get them to give the ok for 5 years.

Worked at a place where I had 50 3-year SSL certs that required manual renewals. I know your pain.

Mark
