ipsec with computer certificates
Hello,
I'm looking to run IPSec to secure file sharing traffic (TCP 139 and 445). For computers that are part of the domain I've been able to use IPSec with Kerberos authentication. For clients that are not part of the domain (Macs, non-supported workstations, home systems, etc...) it is my intention to use certificate based authentication. My question is:
1. Does the computer name and certificate have to match? For example, if my computer NetBIOS name is "WS01" and the machine is pulling a dynamic IP that resolves to "dyn-043.building.my.domain.edu", what values should I use for the Subject or SAN/DNS in the request? If the next time I start my computer I pull a different dynamic IP, will the certificate still work?
Thanks,
Dasani
April 19th, 2011 2:55pm
For clients — yes. For servers — no. You should specify the exact name that the client will use to connect to the server. You can change your IP unless DNS correctly resolves the server name to an IP.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
April 19th, 2011 3:15pm
Thanks for the response, but I'm not sure I understand. I don't believe the server names will ever change; they should remain static. It is the clients' workstations/devices that I'm worried about. In the example above, what would I set the "Subject" to in the certreq inf file when requesting the client's computer certificate?
Thanks,
Dasani
April 19th, 2011 5:35pm
For client computer certificates you need to specify the client computer FQDN (in a non-domain environment this equals the NetBIOS name).
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
April 20th, 2011 1:30am
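As an added illustration of the advice above (not posted by anyone in this thread), the following PowerShell builds a certreq .inf for a non-domain client computer certificate, using the thread's example name "ws01" as the Subject CN and as a DNS subject alternative name, then generates the request in the local machine store. It assumes the request is submitted to the enterprise CA's web enrollment pages and the issued .cer is bound with certreq -accept; on a domain-joined workstation the Subject would carry the FQDN instead, per the reply above. File paths and the $ComputerName variable are the example's own choices.

```powershell
# Added example: request a computer certificate suitable for IPSec (IKE)
# authentication on a client that is not a domain member.
# Assumes the host is named "ws01" (the thread's example); adjust as needed.

$ComputerName = $env:COMPUTERNAME.ToLower()   # on a non-domain machine this is the NetBIOS name
$InfPath = Join-Path $env:TEMP "ipsec-$ComputerName.inf"
$ReqPath = Join-Path $env:TEMP "ipsec-$ComputerName.req"
$CerPath = Join-Path $env:TEMP "ipsec-$ComputerName.cer"

# certreq INF: '$' is escaped so PowerShell does not interpolate "$Windows NT$".
$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
; The Subject carries the host name, not the IP address, so a new DHCP
; lease does not invalidate the certificate.
Subject = "CN=$ComputerName"
KeyLength = 2048
; AT_KEYEXCHANGE
KeySpec = 1
; digitalSignature + keyEncipherment
KeyUsage = 0xA0
; IKE reads certificates from the computer (not user) store
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
; Client Authentication
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
; Subject Alternative Name with the same host name as a DNS entry
2.5.29.17 = "{text}"
_continue_ = "dns=$ComputerName&"
"@

Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# Generate the key pair in the machine store and write the PKCS#10 request.
certreq.exe -new $InfPath $ReqPath

# Submit $ReqPath through the CA's web enrollment pages (or certreq -submit),
# save the issued certificate to $CerPath, then bind it to the pending request
# so the private key is associated with it:
#   certreq.exe -accept $CerPath

# Check the outcome: a certificate in the machine store, with a private key,
# issued to CN=<host name>. The file servers must trust its issuing CA chain.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$ComputerName" -and $_.HasPrivateKey } |
    Format-List Subject, Issuer, NotAfter, Thumbprint
```

The same .inf works with `certreq -submit` against the CA directly when the client can reach it; the web enrollment route is what the thread later recommends for devices that cannot use autoenrollment.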
Hi Customer,
Do you use a SAN for your file server? If you want to use IPSec on a SAN, iSCSI HBAs only support IPSec preshared keys.
Installing and Configuring Microsoft iSCSI Initiator
http://technet.microsoft.com/en-us/library/ee338480(WS.10).aspx
Regards, Rick Tan
April 20th, 2011 3:24am
So, say I have an AD domain set up and an enterprise root CA in place. I also have member servers that are part of the domain for file shares. If I wanted to use certificates to authenticate IPSec on a workstation that is a member of the domain, my subject would need to be "ws01.my.domain.com", and if the machine was not part of the domain (unsupported workstation or home system) the subject would be simply "ws01"?
I guess I should ask if IPSec supports the use of user certificates instead of computer certificates.... sounds like that may be much easier.
Thanks,
Dasani
April 21st, 2011 2:25pm
Hi Customer,
You could set up a computer certificate autoenrollment group policy for your domain computers and install the computer certificate from the CA web pages for non-domain devices.
Configure the Workstation Authentication Certificate Template
http://technet.microsoft.com/en-us/library/cc732966(WS.10).aspx
Configure Computer Certificate Autoenrollment
http://technet.microsoft.com/en-us/library/cc732311(WS.10).aspx
HOW TO: Install a Certificate for Use with IP Security
http://support.microsoft.com/kb/253498
Regards, Rick Tan
April 21st, 2011 11:26pm