Installing and configuring the 2004 ISA Server Firewall - Chapter 2 Installing Certificate Services

Microsoft Certificate Services can be installed on the Domain controller of the internal Network and provide Certificates to Hosts on the Internal Network domain, as well as Hosts that are not members of the Internal Network domain. We will use Certificates in many different scenarios, tasks to complete:

Installing and configuring the 2004 ISA Server Firewall - Chapter 2 Installing Certificate Services Picture 1

• Allow the ISA Server 2004 Firewall to provide a channel to support L2TP / IPSec VPN protocol , create site-to-site VPN links .

• Allow the ISA Server 2004 Firewall to provide a channel to support L2TP / IPSec VPN protocol , enabling the VPN client to make a connection from a Remote Location (site)

• Allow remote users to access the Outlook Web Access site, a strong SSL-to- SSL bridged connections method.

• Publish secure Exchange SMTP and POP 3 services on Internet Certificates to enable SSL / TLS security . SSL (Secure Sockets Layer) protocol, is a session layer protocol (layer) capable of encrypting data transmitted between client and server.

SSL security is currently considered the standard that provides security for remote access to websites. Additionally, certificates can be used to authenticate participants to VPN connections, including VPN clients and VPN servers (this method is called mutual authentication).

In this section we will cover the following processes:

• Install Internet Information Services 6.0 to support the Certificate Authority's Web

Enrollment ( receive Certificates from the CA server through the registration form on CA'sWeb)

• Install Microsoft Certificate Services in Enterprise CA mode

Install Internet Information Services 6.0

Certificate Authority's Web enrollment site uses Internet Information Services World

Wide Publishing Service . Because we have installed IIS Web services, in Chapter 1, when installing Exchange 2003, it supports Outlook Web Access site, so there is no need to reinstall IIS service. However, you should confirm the WWW Publishing Service that has been Enabled, before proceeding to install Enterprise CA.

Follow these steps to confirm that the WWW Publishing Service is running on the domain controller:

1. Click Start to select Administrative Tools . Click Services

2. In the Services console, click Standard tab below. Scroll down the list and double-click the World Wide Web Publishing Service.

3. In the World Wide Web Publishing Server Properties dialog box, confirm the Startup type is Automatic , and the operation status of the service is Started .

Installing and configuring the 2004 ISA Server Firewall - Chapter 2 Installing Certificate Services Picture 2

Install Certificate Services in Enterprise CA mode

Microsoft Certificate Services will be installed in this mode on the domain controller itself. There are advantages when installing CA in Enterprise mode (as opposed to Standalone mode) including:

• The CA root certificate (root CA certificate) is automatically included in the Certificate storage area of Trusted Root Certification Authorities (certificate store) on all member machines of the Domain (domain member). Computer members of Domains when using transactions need Certificates to improve security, can easily find legal providers - CA servers, in Trusted Root Certification Authorities on their Computer.

• Clients also easily use the Certificates MMC snap-in (at RUN, type mmc , choose File, Add / Remove snap-in , Add , choose Certificates) , and easily use this snap-in to request certificates from CA Servers or from CA's Websites

• All computers in the domain can be assigned to multiple Certificates through the Active Directory autoenrollment feature

Note that it is not necessary to install CA in Enterprise mode. You can install CA in Standalone mode, but in this Lab we will not mention standalone mode or how to get a certificate from a Standalone CA

Perform the following steps to install the Enterprise CA on the Domain Controller EXCHANGE2003BE

1. Click Start , Control Panel . Click Add or Remove Programs .

2. In Add or Remove Programs , click Add / Remove Windows Components

3. On the Windows Components page, drag the list down and check the Certificate Services checkbox. Click Yes in the Microsoft Certificate Services dialog box, notice that the informing you may not change the name of the machine or the domain member's machine when it is acting as a CA '. This is very obvious. You cannot change Computer Name or change this Computer Domain membership, after you have installed CA service.Click Yes.

4. Click Next on the Windows Components page.

5. On the CA Type page, select Enterprise root CA option and click Next .

Installing and configuring the 2004 ISA Server Firewall - Chapter 2 Installing Certificate Services Picture 3

http://www.tacteam.net/isaserverorg/isabokit/9dnssupport/9dnssupport.htm

In this text box, you enter the NetBIOS name of the domain controller as EXCHANGE2003BE . Click

Next .

Installing and configuring the 2004 ISA Server Firewall - Chapter 2 Installing Certificate Services Picture 4

7. If this Computer previously installed a CA, you will be asked ' you wish to overwrite the existing key', overwriting existing keys . If you have deployed other CAs on the Network, you may not overwrite the current keys. And if this is the first CA, it is acceptable to overwrite the existing key . In this example we have not previously installed the CA on Computer so there is no dialog box shown above

8. In the Certificate Database Settings page, use the default storage location for Certificate Database and Certificate database log text boxes. Click Next .

9. Click Yes in Microsoft Certificate Services dialog box, you receive a message to restart the Internet

Information Services . Click Yes to stop service. Service will be restarted automatically.

10. Click OK in Insert Disk dialog box. In Files Needed dialog box, insert the I386 folder path in Copy file from text box and click OK.

11. Click Finish on the Completing the Windows Components Wizard page.

12. Close Add or Remove Programs.

At this point Enterprise CA can issue certificates to other Computers in the Domain through autoenrollment , Certificates mmc snap-in , or through the Web enrollment site. In this ISA Server 2004 configuration guide, we will allocate a Web site certificate to the OWA Web site and also allocate Computer certificates for ISA Server 2004 Firewall computer and for external VPNs.

client and VPN gateway (VPN router) machine.

Conclude:

In this section we discussed using a CA-Certificate Authority and how to install an Enterprise CA on the Domain controller in the internal Network . And next we will use the Enterprise CA to grant Computer Certificates to VPN clients and servers, and also provide a Web Server certificate site for Exchange Server's Outlook Web Access Web site.

Ho Viet Ha - Owner
Network Information Security Vietnam, Inc.
http://nis.com.vn