Certified endpoint configuration missing

  • Question

  • Hi,

    According to: http://technet.microsoft.com/en-us/library/ee921423.aspx

    1. In the Forefront UAG Management console, select the trunk for which you enabled the Certified Endpoint feature.

    2. Under Application List, click Add.

      The Add Application Wizard is displayed.

    3. Select Built-in Services, then from the drop-down list, select Certified Endpoint Enrollment.

    4. Click Finish.

    However, we cannot see this Built-in Service. Why not?

    We do have an internal AD integrated subordinate PKI, that UAG already has connected to and obtained a SAN certificate from. We have also installed the PKI CTL from the internal PKI server. The PKI server also has the Web Enrollment installed.

    Thanks,

    Sk


    • Edited by D Wind Friday, November 18, 2011 1:10 AM
    Friday, November 18, 2011 1:05 AM

Answers

  • Hi Sk,

    You can use a remote CA, but if you want users to be able to self-request certificates using the "Certified Endpoint Enrollment", you need a local CA.

    You can see here: http://technet.microsoft.com/en-us/library/ee921442.aspx that it starts with:

    "If you are deploying certified endpoints using certificates issued from a local certification authority (CA), after the Certified Endpoint Enrollment application is added to the trunk, you must add the appropriate tools to the end-user pages. The available tools depend on whether you are using the default portal home page or your own custom page..."


    Ophir.

    • Marked as answer by D Wind Sunday, November 20, 2011 5:59 AM
    Saturday, November 19, 2011 8:29 AM
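The prerequisite behind this answer (the built-in enrollment service only appears when a CA is installed on the UAG server itself) can be verified from the UAG server before you go looking in the Add Application Wizard. The following PowerShell script is an added example and is not part of the original thread or of UAG; it assumes the standard AD CS role-service names from the ServerManager module (ADCS-Cert-Authority, ADCS-Web-Enrollment), the CertSvc service name, and the registry location where a CA host records its active CA name. The function name Test-LocalCertificationAuthority is ours.

```powershell
# Added example (not from the original thread or from UAG): run on the UAG server
# to check whether the prerequisite Ophir describes, a local CA, is actually present.
# Assumed names: AD CS feature names ADCS-Cert-Authority / ADCS-Web-Enrollment,
# service name CertSvc, and the CertSvc\Configuration registry key with its "Active" value.
Import-Module ServerManager

function Test-LocalCertificationAuthority {
    $result = New-Object PSObject -Property @{
        CaRoleInstalled        = $false
        WebEnrollmentInstalled = $false
        CertSvcRunning         = $false
        ActiveCaName           = $null
    }

    # 1. Is the Certification Authority role service installed on this box?
    #    A CA on another server (the "remote CA" case) will not show up here.
    $features = Get-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment
    foreach ($f in $features) {
        if ($f.Name -eq 'ADCS-Cert-Authority')  { $result.CaRoleInstalled        = [bool]$f.Installed }
        if ($f.Name -eq 'ADCS-Web-Enrollment')  { $result.WebEnrollmentInstalled = [bool]$f.Installed }
    }

    # 2. Is the CA service present and running?
    $svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { $result.CertSvcRunning = $true }

    # 3. Which CA is configured locally? A CA host stores its active CA name here.
    $cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (Test-Path $cfgKey) {
        $result.ActiveCaName = (Get-ItemProperty -Path $cfgKey -ErrorAction SilentlyContinue).Active
    }

    return $result
}

$check = Test-LocalCertificationAuthority
$check | Format-List CaRoleInstalled, WebEnrollmentInstalled, CertSvcRunning, ActiveCaName

if ($check.CaRoleInstalled -and $check.CertSvcRunning) {
    Write-Host "Local CA '$($check.ActiveCaName)' found: Certified Endpoint Enrollment should be offered under Built-in Services."
} else {
    Write-Host "No local CA on this UAG server: Certified Endpoint Enrollment will not be listed; issue endpoint certificates from your remote CA instead."
}
```

Run it in an elevated PowerShell session on the UAG server. The trade-off to weigh before enabling a local CA is that it places a certification authority on the Internet-facing edge server; where only a handful of machines need certified-endpoint certificates, issuing them from the internal CA is the smaller attack surface.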

All replies

  • Hi Sk,

    The option to use the built-in "Certified Endpoint Enrollment" is available only if you have a CA installed on the UAG itself (local CA).

    After you enable the local CA, the configuration will identify it and you will have this application available.

    The application is based on the existing CA infrastructure, so you cannot use this option if a CA is not installed locally on the UAG.

    Ophir.

    Friday, November 18, 2011 8:45 AM
  • Interesting... Why then do Microsoft have the TechNet article directly above the one mentioned above, talking about how to set up a remote CA to provide privileged clients with certificates?

    http://technet.microsoft.com/en-us/library/ee921424.aspx

    Saturday, November 19, 2011 6:54 AM
  • OK, I understand thank you.

    Our requirement is somewhat different. We would like to be able to manually issue machine certificates to the few machines that will be seen as 'privileged/certified endpoints', thus getting the privileged session settings.


    So that answers the question in this post. Perhaps you could also take a look at my other related post?

    http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/722e1631-4aff-45ea-b674-722ed8932b01

    thanks

    • Edited by D Wind Sunday, November 20, 2011 5:58 AM
    Sunday, November 20, 2011 5:57 AM