To have AD push machine certificates to laptops and desktops, I have used the AutoEnroll feature by joining an AD Global group containing the machine IDs of the target machines. This has worked fine, but what I need to figure out now is a little different:
We have several Windows 2003 servers that need a machine certificate (for server authentication). I can use the same process as I have listed above, but the difference is that these servers are behind a special secure zone (firewalled for PCI purposes).
How do I accomplish AutoEnrollment of certificates to servers that are behind a firewall? Would I have to have ports opened? Which ones? And where: on the target servers or the Issuing CAs?