Certificate in ISA 2006 for L2TP/IPSec from a Windows 2008 CA (Full Version)






Stevenrlong -> Certificate in ISA 2006 for L2TP/IPSec from a Windows 2008 CA (16.Jul.2008 10:21:16 PM)

I'm having a problem getting L2TP/IPSec to work using a certificate from my Windows 2008 CA.
It works just fine using a pre-shared key, but it looks like a change with the 2008 Server CA web enrollment keeps me from installing the certificate as a computer certificate. I've tried installing a cert from the MMC console, as my ISA is a domain member, but it still won't work.
Any clues as to what I'm doing wrong?
 
Thanks
Steve




tshinder -> RE: Certificate in ISA 2006 for L2TP/IPSec from a Windows 2008 CA (17.Jul.2008 8:51:14 AM)

Yes, Win2008 really horked their Web enrollment site. It's essentially useless now [:'(]

Disable the RPC filter and create a rule that allows all traffic inbound and outbound to and from the online Enterprise CA. Then use the Certificates MMC to obtain the certificate.

Then enable the RPC filter and delete that rule.

HTH,
Tom




Jason Jones -> RE: Certificate in ISA 2006 for L2TP/IPSec from a Windows 2008 CA (17.Jul.2008 10:04:19 AM)

You can also disable the 'RPC strict compliance' option on the newly created rule which will have the same effect as disabling the RPC filter, but is a little less brutal! [8D]




tshinder -> RE: Certificate in ISA 2006 for L2TP/IPSec from a Windows 2008 CA (18.Jul.2008 10:11:30 AM)

Hi Jason,

I've read that guidance, but I've never seen it work. I've always had to disable the RPC filter, as changing the Strict RPC Compliance setting never made a difference to me. Maybe that will change with SP1 -- I should give it a try.

Thanks!
Tom




Jason Jones -> RE: Certificate in ISA 2006 for L2TP/IPSec from a Windows 2008 CA (18.Jul.2008 5:50:35 PM)

Really?

I don't think I have *ever* even disabled the RPC filter [:)]

My usual process is:
  • Create a new temp rule from localhost to issuing CA (bi-directional) and allow all protocols.
  • Place the rule at the top of the rulebase
  • Untick "strict RPC compliance"
  • Run MMC and request cert
  • Once cert installed, delete the new rule


We now run Windows 2003 CAs internally, so I had no choice but to do it this way...

Cheers

JJ

P.S. Noticed your sig change - the Prowess job official now then? [;)]
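
The procedure above (Tom's temporary allow-all rule to the CA, and Jason's version with strict RPC compliance unticked) leaves one step to the Certificates MMC: requesting the certificate. As an added example that is not from this thread or from either poster, the following PowerShell script does that step with certreq.exe and then checks the result for exactly the problem the original question describes, i.e. the certificate landing in the user store instead of the computer store. It assumes PowerShell is installed on the ISA host, that the temporary rule is already in place, and that the CA config string, template name and subject shown are placeholders for your own values.

```powershell
# Added example (not from the thread). Requests a computer certificate from the
# enterprise CA with certreq.exe instead of the Certificates MMC, then verifies it.
# Assumes: PowerShell on the ISA host; the temporary allow-all rule to the CA is in
# place. Hypothetical values: CA config string, template name, subject.

$CaConfig = 'CA01.corp.example\Corp-Issuing-CA'   # assumed "host\CA name"; certutil -dump lists yours
$Template = 'Machine'                              # internal name of the built-in "Computer" template
$Subject  = 'CN=isa01.corp.example'                # assumed FQDN of the ISA server
$Work     = Join-Path $env:TEMP 'isa-ipsec-cert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Request file. MachineKeySet = TRUE is what makes this a *computer* certificate:
#    the key pair and the issued cert go to LocalMachine, not CurrentUser.
$inf = @"
[NewRequest]
Subject = "$Subject"
MachineKeySet = TRUE
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@
$inf | Set-Content -Path "$Work\request.inf" -Encoding ASCII

# 2. Build, submit and install. -submit talks to the CA over DCOM/RPC, which is
#    why the temporary rule (or a relaxed RPC filter) is needed on ISA.
certreq.exe -new    "$Work\request.inf" "$Work\request.req"
certreq.exe -submit -config $CaConfig "$Work\request.req" "$Work\issued.cer"
certreq.exe -accept "$Work\issued.cer"

# 3. Verify: the cert must be in the computer store with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    # The failure mode from the original post: cert installed as a user certificate.
    $userCopy = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq $Subject }
    if ($userCopy) {
        throw "Certificate for $Subject is in CurrentUser\My, not LocalMachine\My - re-request with MachineKeySet = TRUE"
    }
    throw "No computer certificate with a private key found for $Subject"
}

# Report the EKUs so they can be compared with what the template is expected to issue
# (the built-in Computer template issues Client Authentication and Server Authentication).
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuNames = @()
if ($eku) { $ekuNames = $eku.EnhancedKeyUsages | ForEach-Object { "$($_.FriendlyName) ($($_.Value))" } }

"Thumbprint : $($cert.Thumbprint)"
"Issuer     : $($cert.Issuer)"
"Expires    : $($cert.NotAfter)"
"EKU        : $(if ($ekuNames) { $ekuNames -join ', ' } else { '<none: any purpose>' })"

# 4. Chain check: the issuing CA must chain to a root in LocalMachine\Root,
#    otherwise IKE will reject the certificate even though it is installed.
certutil.exe -verify "$Work\issued.cer"
```

Run it in an elevated prompt on the ISA server while the temporary rule exists, then delete the rule as the posts above describe. If step 2 hangs or fails with an RPC error, the rule or the RPC filter setting is the first thing to check, since certreq.exe uses the same DCOM path to the CA as the Certificates MMC.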




justmee -> RE: Certificate in ISA 2006 for L2TP/IPSec from a Windows 2008 CA (19.Jul.2008 7:48:45 AM)

Interesting Jason.
However, personally I have found your method not to work many times. The solution was to disable the RPC filter. [:D]
There is Stefaan's approach; I have not tried it:
http://blogs.isaserver.org/pouseele/2007/10/12/certificate-enrollment-requires-a-custom-protocol/
Cheers!
J




tshinder -> RE: Certificate in ISA 2006 for L2TP/IPSec from a Windows 2008 CA (19.Jul.2008 11:55:32 AM)

quote:

ORIGINAL: Jason Jones

Really?

I don't think I have *ever* even disabled the RPC filter [:)]

My usual process is:
  • Create a new temp rule from localhost to issuing CA (bi-directional) and allow all protocols.
  • Place the rule at the top of the rulebase
  • Untick "strict RPC compliance"
  • Run MMC and request cert
  • Once cert installed, delete the new rule



We now run Windows 2003 CAs internally, so I had no choice but to do it this way...

Cheers

JJ

P.S. Noticed your sig change - the Prowess job official now then? [;)]


Hi Jason,

Interesting. I've tried that method before, but it's never worked for me. I've always had to disable the RPC filter, create the rule, and often had to restart the firewall before I could request the certificate. Maybe it's the US version of the product? :)

Yep, that's the new job. Officially starts Aug 11th :)

Thanks!
Tom




tshinder -> RE: Certificate in ISA 2006 for L2TP/IPSec from a Windows 2008 CA (19.Jul.2008 11:57:16 AM)

Stefaan's solution is nice because it holds to the principle of least privilege.

Thanks!
Tom




Jason Jones -> RE: Certificate in ISA 2006 for L2TP/IPSec from a Windows 2008 CA (19.Jul.2008 7:15:45 PM)

Weird, maybe it started working with the changes in RPC with SP1 or SP2????

I know I have definitely never disabled the RPC filter, so somehow it must work for me [8|]

I do like Stefaan's option though...

Cheers

JJ

P.S. Congrats on the new job! [;)]




tshinder -> RE: Certificate in ISA 2006 for L2TP/IPSec from a Windows 2008 CA (20.Jul.2008 10:32:12 AM)

Hi Jason,

Thanks!

I don't doubt your experience at all regarding the RPC filter. I'm thinking that my experiences with it might be the strange one.

Tom




Jason Jones -> RE: Certificate in ISA 2006 for L2TP/IPSec from a Windows 2008 CA (6.Sep.2008 7:17:06 PM)

Tested my procedure again last week, and it definitely works, not sure what you amateurs are doing wrong though! [8D][8D][:D]

Cheers

JJ




justmee -> RE: Certificate in ISA 2006 for L2TP/IPSec from a Windows 2008 CA (7.Sep.2008 7:26:51 AM)

Hi Jason,
Yes, it works absolutely gorgeously. [:)] I've used it a couple of times since you posted and encountered no problems. ISA 2006 SP1.
What can I say, you're da' man![;)]
J




Jason Jones -> RE: Certificate in ISA 2006 for L2TP/IPSec from a Windows 2008 CA (7.Sep.2008 5:27:25 PM)

Glad it works! [;)]



