Certificate in ISA 2006 for L2TP/IPSec from a Windows 2008 CA

Certificate in ISA 2006 for L2TP/IPSec from a Windows 2... - 16.Jul.2008 10:21:16 PM   
Stevenrlong

 

Posts: 41
Joined: 26.Oct.2002
From: San Francisco
Status: offline
I'm having a problem getting L2TP/IPSec to work using a certificate from my Windows 2008 CA.
It works just fine using a pre-shared key, but it looks like a change with the 2008 Server CA web enrollment keeps me from installing the certificate as a computer certificate. I've tried installing a cert from the MMC console, as my ISA is a domain member, but it still won't work.
Any clues as to what I'm doing wrong?
 
Thanks,
Steve
Post #: 1
RE: Certificate in ISA 2006 for L2TP/IPSec from a Windo... - 17.Jul.2008 8:51:14 AM   
tshinder

 

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Yes, Win2008 really horked their Web enrollment site. It's essentially useless now.

Disable the RPC filter and create a rule that allows all traffic inbound and outbound to and from the online Enterprise CA. Then use the Certificates MMC to obtain the certificate.

Then enable the RPC filter and delete that rule.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Stevenrlong)
Post #: 2
RE: Certificate in ISA 2006 for L2TP/IPSec from a Windo... - 17.Jul.2008 10:04:19 AM   
Jason Jones

 

Posts: 1796
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
You can also disable the 'RPC strict compliance' option on the newly created rule which will have the same effect as disabling the RPC filter, but is a little less brutal!

_____________________________

Jason Jones
Silversands Ltd
http://www.silversands.co.uk
View My Blog: http://blog.msfirewall.org.uk/

Get Our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to tshinder)
Post #: 3
RE: Certificate in ISA 2006 for L2TP/IPSec from a Windo... - 18.Jul.2008 10:11:30 AM   
tshinder

 

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jason,

I've read that guidance, but I've never seen it work. I've always had to disable the RPC filter, as changing the Strict RPC Compliance setting never made a difference to me. Maybe that will change with SP1 -- I should give it a try.

Thanks!
Tom

(in reply to Jason Jones)
Post #: 4
RE: Certificate in ISA 2006 for L2TP/IPSec from a Windo... - 18.Jul.2008 5:50:35 PM   
Jason Jones

 

Posts: 1796
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Really?

I don't think I have *ever* even disabled the RPC filter.

My usual process is:
  • Create a new temp rule from localhost to the issuing CA (bi-directional) and allow all protocols.
  • Place the rule at the top of the rulebase
  • Untick "strict RPC compliance"
  • Run MMC and request cert
  • Once cert installed, delete the new rule


We now run Windows 2003 CAs internally, so I had no choice but to do it this way...

Cheers

JJ

P.S. Noticed your sig change - the Prowess job official now then?

< Message edited by Jason Jones -- 18.Jul.2008 5:52:02 PM >


(in reply to tshinder)
Post #: 5
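The "request cert" step in both Tom's and Jason's procedures above is where the original poster's problem shows up: web enrollment drops the certificate into the user store instead of the computer store. This added check (not code from the thread or from ISA itself) lists the certificates issued by your CA in both stores and flags whether a usable computer certificate exists; `$IssuerFilter` is an assumed placeholder for a string that appears in your CA's Issuer name.

```powershell
# Added check, not from the thread: after requesting the certificate, confirm it
# landed in the COMPUTER store (Cert:\LocalMachine\My) rather than the user store,
# has a private key, and chains to a trusted root. L2TP/IPsec needs all three.
$IssuerFilter = 'CN=EXAMPLE-ISSUING-CA'   # assumed placeholder, substitute your CA name

function Get-EkuNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    # Friendly names of the Enhanced Key Usage OIDs, or 'any' when the
    # certificate carries no EKU extension at all.
    $ext = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ext -eq $null) { return 'any' }
    $names = @()
    foreach ($oid in $ext.EnhancedKeyUsages) { $names += "$($oid.FriendlyName) ($($oid.Value))" }
    return [string]::Join('; ', $names)
}

function Get-CandidateCerts([string]$storeLocation) {
    # Certificates from the given store issued by our CA, with the properties
    # that decide whether IPsec can use them.
    $props = @(
        @{n='Store';   e={$storeLocation}},
        'Subject', 'NotAfter', 'HasPrivateKey',
        @{n='ChainOk'; e={$_.Verify()}},
        @{n='EKU';     e={Get-EkuNames $_}}
    )
    Get-ChildItem "Cert:\$storeLocation\My" |
        Where-Object { $_.Issuer -like "*$IssuerFilter*" } |
        Select-Object $props
}

$machine = @(Get-CandidateCerts 'LocalMachine')
$user    = @(Get-CandidateCerts 'CurrentUser')

$machine + $user | Format-Table -AutoSize

$usable = @($machine | Where-Object { $_.HasPrivateKey -and $_.ChainOk })
if ($machine.Count -eq 0 -and $user.Count -gt 0) {
    Write-Warning 'Certificate was enrolled into the user store, not the computer store.'
    Write-Warning 'Re-request it from the Certificates (Local Computer) MMC snap-in.'
} elseif ($usable.Count -eq 0) {
    Write-Warning 'No computer certificate from the CA has both a private key and a valid chain.'
} else {
    Write-Host "Usable computer certificate(s) present: $($usable.Count)"
}
```

Run it on the ISA server itself after enrollment; a certificate that shows up only under CurrentUser is the symptom described in the first post.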
RE: Certificate in ISA 2006 for L2TP/IPSec from a Windo... - 19.Jul.2008 7:48:45 AM   
justmee

 

Posts: 497
Joined: 14.May2007
Status: offline
Interesting Jason.
However, personally I have found your method not working many times. The solution was to disable the RPC filter.
There is Stefaan's approach, I have not tried it:
http://blogs.isaserver.org/pouseele/2007/10/12/certificate-enrollment-requires-a-custom-protocol/
Cheers!
J

(in reply to Jason Jones)
Post #: 6
RE: Certificate in ISA 2006 for L2TP/IPSec from a Windo... - 19.Jul.2008 11:55:32 AM   
tshinder

 

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: Jason Jones

Really?

I don't think I have *ever* even disabled the RPC filter.

My usual process is:
  • Create a new temp rule from localhost to the issuing CA (bi-directional) and allow all protocols.
  • Place the rule at the top of the rulebase
  • Untick "strict RPC compliance"
  • Run MMC and request cert
  • Once cert installed, delete the new rule



We now run Windows 2003 CAs internally, so I had no choice but to do it this way...

Cheers

JJ

P.S. Noticed your sig change - the Prowess job official now then?


Hi Jason,

Interesting. I've tried that method before, but it's never worked for me. I've always had to disable the RPC filter, create the rule, and often had to restart the firewall before I could request the certificate. Maybe it's the US version of the product? :)

Yep, that's the new job. Officially starts Aug 11th :)

Thanks!
Tom

(in reply to Jason Jones)
Post #: 7
RE: Certificate in ISA 2006 for L2TP/IPSec from a Windo... - 19.Jul.2008 11:57:16 AM   
tshinder

 

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Stefaan's solution is nice because it holds to the principle of least privilege.

Thanks!
Tom

(in reply to justmee)
Post #: 8
RE: Certificate in ISA 2006 for L2TP/IPSec from a Windo... - 19.Jul.2008 7:15:45 PM   
Jason Jones

 

Posts: 1796
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Weird, maybe it started working with the changes in RPC with SP1 or SP2?

I know I have definitely never disabled the RPC filter, so somehow it must work for me.

I do like Stefaan's option though...

Cheers

JJ

P.S. Congrats on the new job!

< Message edited by Jason Jones -- 19.Jul.2008 7:24:53 PM >


(in reply to tshinder)
Post #: 9
RE: Certificate in ISA 2006 for L2TP/IPSec from a Windo... - 20.Jul.2008 10:32:12 AM   
tshinder

 

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jason,

Thanks!

I don't doubt your experience at all regarding the RPC filter. I'm thinking that my experiences with it might be the strange one.

Tom

(in reply to Jason Jones)
Post #: 10