OCSP in DMZ

  • Question

  • I would like to know how I should install IIS. Figure 1 shows the external address uw.com; how could I attach the OCSP server in the domain uw.loc to it? When installing OCSP, IIS is installed on the server automatically. Unfortunately, nowhere in the description did I find what I need to do for such a variant. I cannot put the uw.loc domain on the internet.

    Thursday, April 24, 2014 4:45 PM

Answers

  • You have one of two choices (none of which you diagrammed).

    1) You will place the OCSP server itself in the DMZ and create firewall rules to allow:

         - Domain membership in the uw.loc domain (to allow enrollment of the OCSP certificates from the internal CA)

         - Internal access to the OCSP server using TCP 80 (HTTP)

         - External access from the internet to TCP 80 (HTTP)

    2) You will place the OCSP server on the internal network, and place a load balancer in the DMZ (or publish using a product like ISA):

          - Need to publish TCP 80 from the Internet to the load balancer

          - Need to publish TCP 80 from the internal network to the load balancer

    You cannot put IIS on one server and publish the application for OCSP as you show in your diagram.

    Brian

    • Edited by Brian Komar [MVP] Sunday, April 27, 2014 10:20 PM
    • Marked as answer by Jarkman Monday, April 28, 2014 8:09 AM
    Sunday, April 27, 2014 10:16 PM
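    Whichever of the two layouts is chosen, the thing to verify afterwards is the same: TCP 80 to the published responder name works from both the internal network and the Internet, an IIS site answers on the /ocsp path, and the Windows revocation client can actually fetch status for a certificate issued by the internal CA. The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes a hypothetical published name ocsp.uw.com and a test certificate at C:\temp\test.cer whose AIA extension points at http://ocsp.uw.com/ocsp. Run it once from an internal client and once from an external host.

```powershell
# Added example (not from the thread): check that a published Online Responder is
# reachable on TCP 80 and answers revocation checks. Host name and certificate
# path are assumptions; adjust them to the names used in your deployment.
param(
    [string]$OcspHost = 'ocsp.uw.com',          # hypothetical published responder name
    [string]$CertPath = 'C:\temp\test.cer'      # certificate issued by the internal CA
)

# 0. Only meaningful on the responder itself when it sits in the DMZ (option 1):
#    a healthy secure channel is what lets it enroll its OCSP signing certificate.
if ((Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
    "Secure channel to domain OK: $(Test-ComputerSecureChannel)"
}

# 1. Plain TCP reachability on port 80 (the firewall / publishing rule in the answer).
$tcp = Test-NetConnection -ComputerName $OcspHost -Port 80
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP 80 to $OcspHost is blocked from this network segment"
    return
}

# 2. HTTP layer: an IIS site must answer on /ocsp. A bare GET carries no OCSP
#    request, so any HTTP status code (even an error code) proves the request
#    reached a web server; only a connection failure means the publishing is wrong.
try {
    $resp = Invoke-WebRequest -Uri "http://$OcspHost/ocsp" -UseBasicParsing -TimeoutSec 10
    "HTTP $($resp.StatusCode) from http://$OcspHost/ocsp"
} catch {
    if ($_.Exception.Response) {
        "HTTP $([int]$_.Exception.Response.StatusCode) from http://$OcspHost/ocsp (server reached)"
    } else {
        Write-Warning "No HTTP answer from http://$OcspHost/ocsp: $($_.Exception.Message)"
    }
}

# 3. End to end: let the Windows revocation client follow the AIA URL of a real
#    certificate. certutil reports each OCSP retrieval as Verified or Failed;
#    a Failed line means clients on this segment cannot reach the responder.
if (Test-Path $CertPath) {
    certutil -verify -urlfetch $CertPath 2>&1 |
        Select-String -Pattern 'OCSP' |
        ForEach-Object { $_.Line.Trim() }
} else {
    Write-Warning "Test certificate $CertPath not found; skipping urlfetch check"
}
```

    Step 3 is the one that matters for option 2: the load balancer may answer on port 80 while the URL baked into issued certificates still points at an internal name, and certutil will show exactly that mismatch.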

All replies

  • Sorry, can you try rephrasing your question? I'm not sure if you are asking how to put OCSP in the DMZ or something else.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Friday, April 25, 2014 5:19 AM
  • I am asking about placing OCSP in the DMZ, in accordance with one of the variants provided by Microsoft. What do I need to do to implement the scheme shown in the figure?
    Friday, April 25, 2014 7:47 AM
  • Do you have a plan?
    Sunday, April 27, 2014 9:09 PM
  • Thank you very much Brian for your answer
    Monday, April 28, 2014 8:09 AM