ipsec with computer certificates
Hello, I'm looking to run IPSec to secure file sharing traffic (TCP 139 and 445). For computers that are part of the domain I've been able to use IPSec with Kerberos authentication. For clients that are not part of the domain (Macs, non-supported workstations, home systems, etc.) it is my intention to use certificate-based authentication. My question is: 1. Does the computer name and certificate have to match? For example, if my computer NetBIOS name is "WS01" and the machine is pulling a dynamic IP that resolves to "dyn-043.building.my.domain.edu", what values should I use for the Subject or SAN/DNS in the request? If the next time I start my computer I pull a different dynamic IP, will the certificate still work? Thanks, Dasani
April 19th, 2011 2:55pm

For clients — yes. For servers — no. You should specify the exact name that the client will use to connect to the server. You can change your IP as long as DNS correctly resolves the server name to the IP.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
April 19th, 2011 3:15pm

Thanks for the response, but I'm not sure I understand. I don't believe the server names will ever change; they should remain static. It is the client workstations/devices that I'm worried about. In the example above, what would I set the "Subject" to in the certreq inf file when requesting the client's computer certificate? Thanks, Dasani
April 19th, 2011 5:35pm

For client computer certificates you need to specify the client computer FQDN (in a non-domain environment this equals the NetBIOS name).
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
April 20th, 2011 1:30am

Hi Customer, Do you use a SAN for your file server? If you want to use IPSec on a SAN, iSCSI HBAs only support IPSec preshared keys.
Installing and Configuring Microsoft iSCSI Initiator http://technet.microsoft.com/en-us/library/ee338480(WS.10).aspx
Regards, Rick Tan
April 20th, 2011 3:24am

So, say I have an AD domain set up and an enterprise root CA in place. I also have member servers that are part of the domain for file shares. If I wanted to use certificates to authenticate IPSec on a workstation that is a member of the domain, my subject would need to be "ws01.my.domain.com", and if the machine was not part of the domain (unsupported workstation or home system) the subject would be simply "ws01"? I guess I should ask if IPSec supports the use of user certificates instead of computer certificates... sounds like that may be much easier. Thanks, Dasani
April 21st, 2011 2:25pm

Hi Customer, You could set up a computer certificate autoenrollment group policy for your domain computers and install a computer certificate from the CA web enrollment pages for non-domain devices.
Configure the Workstation Authentication Certificate Template http://technet.microsoft.com/en-us/library/cc732966(WS.10).aspx
Configure Computer Certificate Autoenrollment http://technet.microsoft.com/en-us/library/cc732311(WS.10).aspx
HOW TO: Install a Certificate for Use with IP Security http://support.microsoft.com/kb/253498
Regards, Rick Tan
April 21st, 2011 11:26pm
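A certreq .inf request for the non-domain client case asked about above (Subject set to the NetBIOS name, no IP address in the SAN because the address is dynamic), as an added example that is not from any poster in this thread; the host name ws01, the domain suffix and the template name "Workstation" are assumed, and an enterprise CA will apply the template's own EKUs regardless of what the request lists.

```ini
; ws01-ipsec.inf  (constructed example)
; Create the request on the client:   certreq -new ws01-ipsec.inf ws01-ipsec.req
; Submit ws01-ipsec.req via CA web enrollment, then: certreq -accept ws01-ipsec.cer

[NewRequest]
; Non-domain client: NetBIOS name. For a domain member use the FQDN,
; e.g. Subject = "CN=ws01.my.domain.com"
Subject = "CN=ws01"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE              ; private key stays on this host only
MachineKeySet = TRUE            ; computer certificate, not a user certificate
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[Extensions]
; SAN lists the names the peer may see; deliberately no IP, since it changes
2.5.29.17 = "{text}"
_continue_ = "dns=ws01&"
_continue_ = "dns=ws01.my.domain.edu"

[EnhancedKeyUsageOID]
OID = 1.3.6.1.5.5.8.2.2         ; IP security IKE intermediate
OID = 1.3.6.1.5.5.7.3.2         ; Client Authentication

[RequestAttributes]
CertificateTemplate = Workstation   ; template name assumed
```

Because the IPSec peer validates the certificate chain and the name in the certificate rather than the source address, a new DHCP lease does not invalidate the certificate.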
