UAG and PKI

  • Question

  • I'm planning on implementing UAG DirectAccess for a handful of users as a proof of concept over the next few months. We currently have no PKI deployed. I want to deploy a multi-tier PKI for UAG and future enhancements, but the problem I have is that I have no time to plan this out properly as other projects are taking priority over the next few months, so I would like to do the following:

    - Set up a single-tier Enterprise root CA for the proof of concept

    - Set up UAG on a Windows 2008 R2 server

    - Configure DA and all requirements

    - Enroll only computers that are going to be involved in the POC

    We are then looking to roll out DA early next year; part of this will be to design the multi-tier PKI, decommission the single-tier CA and migrate the proof of concept users to the new PKI.

    Would this be possible/recommended?

    Cheers

    Richard


    Friday, August 26, 2011 8:46 PM

Answers

  • Usually, Richard, certificates are auto-enrolled to all domain computers. However, technically, you can manually enroll, as long as the right template is used, and that the certificate assigned to clients maps to the computer account properly. Please note that certificates are typically the most sensitive part of DA, and may take some effort to get going, so be careful and patient, read all available documentation and blogs, and prepare ample time for experimentation, piloting and possible support, if needed.
    Ben Ari
    Microsoft CSS UAG/IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Friday, August 26, 2011 10:21 PM
    Friday, August 26, 2011 10:21 PM
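    As an added example (not part of Ben's answer or any Microsoft tooling), here is a PowerShell check to run on a POC client once it has enrolled. It confirms that a machine certificate with the Client Authentication EKU and a private key is present, that it chains to the POC root CA, and that it carries the computer's own FQDN in the subject or SAN, which is what Ben means by the certificate mapping to the computer account. The root thumbprint is a placeholder you replace with the one from your CA; store paths and OIDs are the standard Windows ones.

```powershell
# Added example: verify a DirectAccess client's machine certificate after autoenrolment.
# Run in an elevated PowerShell on the client. Placeholder: the expected root thumbprint.

function Get-EkuOids($cert) {
    # Returns the OID strings from the Enhanced Key Usage extension (2.5.29.37), if any
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
}

function Get-SanDnsNames($cert) {
    # Windows formats the SAN extension (2.5.29.17) as "DNS Name=host.domain, DNS Name=..."
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if (-not $san) { return @() }
    [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-DaClientCertificate {
    param(
        # Placeholder: thumbprint of the POC enterprise root CA certificate
        [string]$ExpectedRootThumbprint = '0000000000000000000000000000000000000000'
    )
    $ip   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $fqdn = '{0}.{1}' -f $ip.HostName, $ip.DomainName
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication, required for IPsec machine auth

    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ((Get-EkuOids $_) -contains $clientAuthOid)
    }
    if (-not $candidates) { Write-Warning "No machine certificate with a private key and Client Authentication EKU in LocalMachine\My" }

    foreach ($cert in $candidates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; IPsec does its own CRL checking
        $built = $chain.Build($cert)
        $rootThumb = $null
        if ($chain.ChainElements.Count -gt 0) {
            $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
        }
        $dnsNames = @(Get-SanDnsNames $cert)
        $subjectMatches = $cert.Subject -match ('CN=' + [regex]::Escape($fqdn) + '(,|$)')

        New-Object PSObject -Property @{
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            NotAfter    = $cert.NotAfter
            ChainBuilds = $built
            RootMatches = ($rootThumb -eq $ExpectedRootThumbprint)
            NameMatches = (($dnsNames -contains $fqdn) -or $subjectMatches)
        }
    }
}

Test-DaClientCertificate | Format-List
```

    A certificate with ChainBuilds, RootMatches and NameMatches all True is one IPsec on the UAG server will accept for that computer; a False NameMatches usually means the wrong template (one without "Build from Active Directory information") was used, and a False RootMatches means the client enrolled from a different CA than the one the DA policy names.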
  • Hi Richard,

    That approach sounds fine for a POC. You can use autoenrolment for certs, but just limit the enrolment to POC clients with appropriate certificate template security.

    If you want to minimise impact to your production AD forest, you could also try this: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=9949

    Cheers

    JJ

    P.S. Happy to help if you need PKI/DA design and deployment consultancy in the UK ;)


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    • Marked as answer by R.A.F25 Sunday, August 28, 2011 1:58 PM
    Saturday, August 27, 2011 11:56 PM
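    An added example of the template security JJ describes (this is not code from JJ, Silversands or Microsoft). It assumes the template DAPOCComputer was duplicated from "Workstation Authentication" in the Certificate Templates console, and that an AD group DA-POC-Computers holds only the POC clients and the UAG server; both names are placeholders. It removes the Enroll/Autoenroll rights that Domain Computers inherit from the parent template, grants Read, Enroll and Autoenroll to the POC group only, and then publishes the template on the CA. The two extended-right GUIDs are the well-known Certificate-Enrollment and Certificate-AutoEnrollment control access rights.

```powershell
# Added example: restrict autoenrolment of a DirectAccess machine-cert template to one group.
# Requires the ActiveDirectory module (RSAT) and rights to edit the template object.
Import-Module ActiveDirectory

$TemplateName = 'DAPOCComputer'      # placeholder: template CN, duplicated from Workstation Authentication
$PocGroup     = 'DA-POC-Computers'   # placeholder: group containing only POC machines

# Control access right GUIDs that certificate template ACLs use
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

function Set-PocTemplateSecurity {
    param([string]$Template, [string]$Group)

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $acl = Get-Acl -Path "AD:\$dn"

    # Drop the Enroll/Autoenroll ACEs for Domain Computers that a copy of
    # Workstation Authentication carries; otherwise every domain member enrols.
    foreach ($ace in @($acl.Access)) {
        if ($ace.IdentityReference.Value -like '*\Domain Computers' -and
            (($EnrollRight, $AutoEnrollRight) -contains $ace.ObjectType)) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }

    # Read + Enroll + Autoenroll is the minimum a computer needs to autoenrol
    $sid   = (Get-ADGroup -Identity $Group).SID
    $read  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, 'GenericRead', 'Allow'
    $enrol = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, 'ExtendedRight', 'Allow', $EnrollRight
    $auto  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, 'ExtendedRight', 'Allow', $AutoEnrollRight
    foreach ($r in $read, $enrol, $auto) { $acl.AddAccessRule($r) }

    Set-Acl -Path "AD:\$dn" -AclObject $acl

    # Return the enrolment-related ACEs so the result can be checked before publishing
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { ($EnrollRight, $AutoEnrollRight) -contains $_.ObjectType } |
        Select-Object IdentityReference, ObjectType, AccessControlType
}

Set-PocTemplateSecurity -Template $TemplateName -Group $PocGroup | Format-Table -AutoSize

# Publish the template on the POC CA (run on the CA, or add -config "CAHost\CAName")
certutil -SetCATemplates "+$TemplateName"
certutil -CATemplates
```

    The ACL only decides who may enrol; clients still need the computer autoenrolment policy (Computer Configuration, Public Key Policies, Certificate Services Client - Auto-Enrollment) applied to them, and the change to the template ACL has to replicate before `certutil -pulse` on a POC client picks it up. Reviewing the output of the function is worth the few seconds: an ACE for Domain Computers that survived means the forest, not the POC, will enrol.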

All replies

  • Hi Richard,

    if you're planning to reuse the POC environment for production, then you have to migrate your DA IPsec rules as well. Keep in mind that the DA server and your clients have to share the same IPsec policies (they have to match) and also issuing CAs (must be the same). Therefore a migration of the CA at a later time may either become tricky, or you have to accept some DA outages until the DA server and all your clients have received the updated PKI settings via group policy.

    -Kai

    Sunday, August 28, 2011 1:11 PM
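    As an added example of the mismatch Kai describes (not Kai's code, nor anything shipped with UAG), here is a PowerShell check to run on a DA client or on the UAG server. It parses the connection security rules, and for every rule that authenticates with certificates it reports whether the CA named in the rule is a root the machine trusts and whether the machine holds a certificate chaining to that root. After a CA migration, a rule still naming the old root while clients hold certificates from the new one shows up as HaveLeaf False. The field names it parses (Rule Name, Auth1, Auth1CAName, Auth2, Auth2CAName) are the ones printed by `netsh advfirewall consec show rule name=all` on Windows 7 and 2008 R2; if your build prints them differently the script warns rather than guessing.

```powershell
# Added example: check that DA IPsec connection security rules name a trusted root CA
# and that this machine holds a certificate issued under that root.

function Get-ConsecRules {
    # Turn the "Key:   value" output of netsh into one hashtable per rule
    $rules = @(); $current = $null
    foreach ($line in (netsh advfirewall consec show rule name=all)) {
        if ($line -match '^Rule Name:\s+(.*)$') {
            if ($current) { $rules += $current }
            $current = @{ 'Rule Name' = $Matches[1].Trim() }
        } elseif ($current -and $line -match '^([A-Za-z0-9 ]+?):\s+(.*)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($current) { $rules += $current }
    $rules
}

function Normalize-Dn([string]$dn) {
    # "CN=POC Root CA, DC=corp, DC=example" and "CN=POC Root CA,DC=corp,DC=example" compare equal
    ($dn -replace '^"|"$', '' -replace '\s*,\s*', ',').ToLower()
}

function Test-DaIpsecCaBinding {
    $roots   = Get-ChildItem Cert:\LocalMachine\Root
    $myCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

    foreach ($rule in Get-ConsecRules) {
        foreach ($slot in 'Auth1', 'Auth2') {
            if ($rule[$slot] -notmatch 'Cert') { continue }     # e.g. ComputerCert; skip Kerberos/NTLM slots
            $caName = $rule["${slot}CAName"]
            if (-not $caName) {
                Write-Warning "$($rule['Rule Name']): $slot uses certificates but no ${slot}CAName field was parsed"
                continue
            }

            # The CA name in the rule is the root CA's subject DN; it must be in the trusted root store
            $root = $roots | Where-Object { (Normalize-Dn $_.Subject) -eq (Normalize-Dn $caName) } | Select-Object -First 1
            $leaf = $null
            if ($root) {
                # IPsec will offer a machine cert whose chain terminates at that root
                $leaf = $myCerts | Where-Object {
                    $c = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                    $c.ChainPolicy.RevocationMode = 'NoCheck'
                    [void]$c.Build($_)
                    ($c.ChainElements.Count -gt 0) -and
                    ($c.ChainElements[$c.ChainElements.Count - 1].Certificate.Thumbprint -eq $root.Thumbprint)
                } | Select-Object -First 1
            }

            New-Object PSObject -Property @{
                Rule        = $rule['Rule Name']
                AuthSlot    = $slot
                CAName      = $caName
                RootTrusted = [bool]$root
                HaveLeaf    = [bool]$leaf
            }
        }
    }
}

Test-DaIpsecCaBinding | Format-Table Rule, AuthSlot, RootTrusted, HaveLeaf, CAName -AutoSize
```

    Run it on a client and on the UAG server and compare: both sides must agree on the root in CAName, and each must have a leaf under it, or the tunnels stay down until the updated DA group policy and the new certificates have reached every machine, which is the window of downtime Kai is warning about.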
  • Thanks Ben

    I realise that even doing it the way I have suggested will still require careful planning and will take time; I just wanted to reassure myself that this plan will not have an adverse effect on my AD.

    Jason

    Thanks for the POC guide, it is something I have not seen before so I will read through it.

    Thanks for the offer. I obviously know you guys down there know what you are doing, having been reading ISA.org blogs and forums for quite some years. Do you discount for charities ;-)

    Kai, I will probably set up a new DA environment using an appliance-based UAG but will keep that in mind; there will be a small number of POC users so downtime would not be an issue.


    Cheers

    Richard

    Sunday, August 28, 2011 1:58 PM
  • Sorry, I shouldn't really hawk my wares on here, but yes, we work with quite a few charities ;)

    Shout if you get stuck...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Sunday, August 28, 2011 8:04 PM