
Always On VPN – Configure Server Infrastructure – Certificate autoenrollment

Harmik Batth Tech's Blog

This section assumes that you have already built and deployed VMs for the RRAS and NPS servers. The NPS servers are domain-joined computers, while the RRAS servers are non-domain-joined computers.

In this section, you install and configure the server-side components necessary to support the VPN, including configuring PKI to distribute the certificates used by users, the VPN server, and the NPS server; configuring RRAS to support IKEv2 connections; and configuring the NPS server to perform authorization for the VPN connections.

You can configure Group Policy on the domain controller so that domain members automatically request user and computer certificates.

This allows VPN users to automatically request and retrieve user certificates that authenticate VPN connections. Likewise, this policy allows NPS servers to automatically request server authentication certificates. (You will manually enroll certificates on VPN servers.)

To enable certificate autoenrollment in Group Policy

  1. On a domain controller, open Group Policy Management.
  2. In the navigation pane, right-click the domain (e.g., harmikbatth.lab), and click Create a GPO in this domain, and Link it here.
  3. On the New GPO dialog box, type Autoenrollment Policy, and click OK.
  4. In the navigation pane, right-click Autoenrollment Policy, and click Edit.
  5. In the Group Policy Management Editor, complete the following steps to configure computer certificate autoenrollment:
    1. In the navigation pane, click Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
    2. In the details pane, right-click Certificate Services Client – Auto-Enrollment, and click Properties.
    3. On the Certificate Services Client – Auto-Enrollment Properties dialog box, in Configuration Model, click Enabled.
    4. Select Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates.
    5. Click OK.
  6. Complete the following steps to configure user certificate autoenrollment:
    1. In the navigation pane, click User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
    2. In the details pane, right-click Certificate Services Client – Auto-Enrollment, and click Properties.
    3. On the Certificate Services Client – Auto-Enrollment Properties dialog box, in Configuration Model, click Enabled.
    4. Select Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates.
    5. Click OK.
  7. Close the Group Policy Management Editor.
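The same GPO can be created and linked from PowerShell, which is also the easiest way to confirm on an NPS server or user workstation that the policy actually landed. This is an added example, not code from the original post; it assumes the GroupPolicy RSAT module, the harmikbatth.lab domain from the steps above, and that the Auto-Enrollment setting is stored under the AutoEnrollment registry key as the DWORD AEPolicy, with 7 being the value the console writes when Enabled and both options are selected (treat that value as an assumption and compare it against a GPO you configured through the GUI).

```powershell
# Added example: build the "Autoenrollment Policy" GPO with the GroupPolicy module
# instead of the Group Policy Management console, then verify it on a client.
Import-Module GroupPolicy

$gpoName  = 'Autoenrollment Policy'
$domainDN = 'DC=harmikbatth,DC=lab'          # domain from the post; adjust for yours

# Steps 2-3: create the GPO (if missing) and link it at the domain root.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName
    New-GPLink -Name $gpoName -Target $domainDN | Out-Null
}

# Steps 5-6: Certificate Services Client - Auto-Enrollment = Enabled, with
# "Renew expired certificates, update pending certificates, and remove revoked
# certificates" and "Update certificates that use certificate templates" selected.
# Assumption: the console stores this as AEPolicy = 7 under the key below;
# HKLM carries Computer Configuration, HKCU carries User Configuration.
$aeKeyPath = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$expected  = 7
foreach ($hive in 'HKLM', 'HKCU') {
    Set-GPRegistryValue -Name $gpoName -Key "$hive\$aeKeyPath" `
        -ValueName 'AEPolicy' -Type DWord -Value $expected | Out-Null
}

# Client-side check: run on an NPS server (computer policy) or a user's workstation
# (user policy) after "gpupdate /force". Reports the applied AEPolicy per hive and
# whether it matches the value the GPO sets.
function Test-AutoEnrollmentApplied {
    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "$hive`:\$aeKeyPath"
        $value = (Get-ItemProperty -Path $path -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        [pscustomobject]@{
            Hive     = $hive
            AEPolicy = $value
            Applied  = ($null -ne $value -and $value -eq $expected)
        }
    }
}

Test-AutoEnrollmentApplied | Format-Table -AutoSize

# Trigger an autoenrollment pass now rather than waiting for the next policy refresh,
# then list the certificates the machine store holds (subject, expiry, intended usage).
certutil -pulse | Out-Null
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, NotAfter, @{ n = 'EKU'; e = { $_.EnhancedKeyUsageList.FriendlyName -join ', ' } }
```

On an NPS server the final listing should show a Server Authentication certificate from your enterprise CA once the template has been published with autoenroll permissions; an empty list after a successful policy apply usually points at template permissions rather than at the GPO.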
