Issuing Certificates to a DMZ server

I'm in the process of setting up a PKI infrastructure for an SCCM 2012 environment. In order to manage travelling laptops over the internet, we installed a new Windows 2012 R2 server in the DMZ.  To communicate properly with the travelling SCCM clients, we need to install 2 certificates on this DMZ server.  This DMZ server is in a different forest/domain than the SCCM and CA server, with no trusts established between it and our production domain.  If it makes any difference, there is also no DNS forwarding, but I have added an entry to the hosts file on the DMZ server, and to the internal CA and SCCM servers (all Windows 2012 R2), so that they can resolve each other.

I've created the 2 certificate templates per the SCCM documentation on the internal CA server, but in the Security tab, there is no way for me to add the DMZ server for the "Read and Enroll" rights (since it's in another, untrusted forest). Since I can't enroll the certificates through the MMC console of the DMZ server, my next thought was that I could use the CA web enrollment method, and try to get certificates enrolled that way. However, when I type in http://MY_CA_SERVER/certsrv, Internet Explorer spins for about 10-15 seconds, and then I get "Page cannot be displayed." I added the webpage to the Trusted Sites in IE, but that did not help. Visiting the CA webpage from a domain-joined computer works fine; it's just not working from the DMZ server.

Does this sound like a communications/port issue?  Between my internal domain and this DMZ server, I've currently got ports 80, 135, 443, 445, 1433, 8530, and 8531 open.  Do I need anything additional for Certificate Authority communication?  If I'm not approaching this in the correct manner, I'm also open to other suggestions on how to install these 2 certificates properly.

Thanks in advance for any advice.

May 1st, 2014 4:48pm

> I've currently got ports 80, 135, 443, 445, 1433, 8530, and 8531 open.

Please close RPC ports in your perimeter firewall. Instead of using legacy web pages, I would consider setting up the new Certificate Enrollment Web Services (which first appeared in Windows Server 2008 R2): http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx

If it is not possible to install CEP/CES services, then you can use the following guide (although it requires some manual procedures): http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5

May 1st, 2014 7:40pm

> Am I on the right track here?

No. In order to use the SAN attribute in the web page, you have to enable SAN attributes on the CA server (which are disabled by default). Once you enable SAN attributes, your CA will become vulnerable to malicious certificate issuance. Any legitimate user who has permissions to enroll for certificates (any) will be able to pass any custom SAN value and impersonate another user. This is one of the reasons why we (and I always recommend to others) do not use web enrollment pages starting with Windows Server 2008 and Windows Vista.

> I AM trying to use the certificate web enrollment services.

Again, no. Web enrollment pages (which you are trying to use) and web enrollment services are different things. Please check the wiki article (from my previous post) for more details about the difference.

May 2nd, 2014 3:21pm
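As an added defensive check (not part of the thread), the following PowerShell audit script tests whether a CA has the setting the reply above warns about, i.e. whether it honours caller-supplied SAN values in request attributes. It assumes it is run as a local administrator on the CA host; the flag name EDITF_ATTRIBUTESUBJECTALTNAME2 and its bit value 0x40000 are the standard AD CS policy-module edit flag, which the thread does not name. The same value can be read from the command line with `certutil -getreg policy\EditFlags`.

```powershell
# Added audit script: reports whether the local AD CS CA accepts arbitrary
# SAN values supplied as request attributes (EDITF_ATTRIBUTESUBJECTALTNAME2).
# Assumption: run elevated on the CA server itself; the CA name is read from
# the "Active" value of the CertSvc configuration key.

function Test-CaSanAttributeFlag {
    $configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $configKey -ErrorAction Stop).Active
    if (-not $caName) { throw "No active CA found under $configKey" }

    # EditFlags lives under the default policy module of the active CA.
    $policyKey = Join-Path $configKey "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $editFlags = [int](Get-ItemProperty -Path $policyKey -ErrorAction Stop).EditFlags
    $sanFlag   = 0x40000   # EDITF_ATTRIBUTESUBJECTALTNAME2

    [pscustomobject]@{
        CAName            = $caName
        EditFlagsHex      = ('0x{0:X}' -f $editFlags)
        SanAttributeAllowed = [bool]($editFlags -band $sanFlag)
    }
}

$result = Test-CaSanAttributeFlag
if ($result.SanAttributeAllowed) {
    Write-Warning ("CA '{0}': EDITF_ATTRIBUTESUBJECTALTNAME2 is ENABLED (EditFlags={1})." -f $result.CAName, $result.EditFlagsHex)
    Write-Warning "Any enrollee can inject a SAN of their choosing into a request. Remediation (then restart CertSvc):"
    Write-Warning "  certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2"
} else {
    Write-Output ("CA '{0}': caller-supplied SAN attributes are disabled (EditFlags={1})." -f $result.CAName, $result.EditFlagsHex)
}
```

Disabling the flag only closes the request-attribute path; a template that already lets the enrollee supply the subject in the request still needs its own review.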

Hi,

Do you need further assistance on this issue by now?

If yes, please feel free to let us know.

Have a nice day!

Amy
May 7th, 2014 6:06am
