Branch office demand-dial connection
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To use certificates for a two-way initiated, mutually authenticated, demand-dial configuration between two routers in the same organization (in this example, a branch office router and a corporate office router), you must perform the following:
Configure the calling and answering routers for demand-dial routing.
Install a computer certificate on the corporate office router.
Configure the domain for Web-based certificate enrollment.
Create user accounts and export certificates.
Import the dial-out user certificate on the corporate office router.
Configure the corporate office router to support certificate-based authentication as a calling router and as an answering router.
Import the dial-in certificate on the branch office router.
Configure the branch office router to support certificate-based authentication as a calling router.
Connect to the corporate office and join the organization domain.
Configuring the calling and answering routers for demand-dial routing
Configure the calling and answering routers as described in Deploying demand-dial routing (for dial-up demand-dial routing) or in Router-to-router VPN Deployment (for VPN demand-dial routing).
Installing a computer certificate on the corporate office router
In order to configure EAP-TLS on the corporate office router, you must install a computer certificate (also known as a machine certificate). In order to install a computer certificate, a certification authority must be present to issue certificates. Once the certification authority is configured, you can install a certificate in three different ways:
By configuring the automatic enrollment, or autoenrollment, of computer certificates to computers in a Windows Server 2003 domain.
By using the Certificates snap-in to obtain a computer certificate.
By using your browser to connect to the CA Web enrollment pages to install a certificate on the local computer or to a floppy disk for installation on another computer, such as non-domain member computers that cannot obtain a certificate through autoenrollment.
Depending on the certificate policies in your organization, you need to use only one of these methods.
For more information, see Network access authentication and certificates.
To configure a certification authority and install the computer certificate, perform the following steps:
Install the Certificate Services component as an enterprise root certification authority. This step is only necessary if you do not already have an enterprise root certification authority (CA).
If necessary, promote the computer that will be a CA to a domain controller (DC).
Install the Certificate Services component as an enterprise root CA. For more information, see Install an enterprise root certification authority.
Configure the CA to issue certificates with exportable keys. For more information, see To establish the certificate types that an enterprise certification authority can issue.
Do one of the following:
To auto-enroll computer certificates, configure the domain. For more information, see Configure automatic certificate allocation from an enterprise CA.
To create a computer certificate for the calling or answering router that is a member of the domain for which autoenrollment has been configured (as well as for other computers that are members of the domain), restart the computer or type gpupdate /Target:Computer /Force at the command prompt.
To manually enroll computer certificates, use the Certificates snap-in or the CA Web enrollment pages to install the CA root certificate. For more information, see Manage certificates for a computer and Request a certificate.
In order for the CA to issue certificates for the calling router, you must configure the domain for Web-based enrollment. For more information, see Set up certification authority Web enrollment support.
Creating user accounts and exporting certificates
To create dial-in and dial-out user accounts and export certificates, do the following:
Log on as a domain administrator.
Create a user account that the corporate office router will use when it dials the branch office router (the dial-out account). For more information, see Create a new user account.
Obtain a certificate that has exportable keys for the dial-out account from the certification authority through Web-based enrollment. This certificate might be called router (offline request), or it might have another name. For more information, see Install a router (offline request) certificate.
Export the certificate for the dial-out account to a .cer file. For more information, see Export a certificate. Within the Certificates snap-in Export wizard, do not export the private key.
Map the newly created certificate (the .cer file) to the dial-out user account. For more information, see Map a certificate to a user account.
Export the certificate of the dial-out account to a .pfx file. For more information, see Export a certificate. Within the Certificates snap-in Export wizard, export the private key, select Delete the private key if the export is successful, and select Include all certificates in the certification path if possible.
Create a user account that the branch office router will use when it dials the corporate office router (the dial-in account). For more information, see Create a new user account.
Obtain a certificate that has exportable keys for the dial-in account from the certification authority through Web-based enrollment. This certificate might be called router (offline request), or it might have another name. For more information, see Install a router (offline request) certificate.
Export the certificate for the dial-in account to a .cer file. For more information, see Export a certificate. Within the Certificates snap-in Export wizard, do not export the private key.
Map the newly created certificate (the .cer file) to the dial-in user account. For more information, see Map a certificate to a user account.
Export the certificate of the dial-in account to a .pfx file. For more information, see Export a certificate. Within the Certificates snap-in Export wizard, export the private key and select Delete the private key if the export is successful. Save this file to a floppy disk to send to the network administrator at the branch office.
Send the floppy disk that contains the dial-in account user certificate file to the network administrator at the branch office.
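The two export steps above (a public-only .cer for mapping to the user account, then a .pfx with the private key and the certification path) can also be scripted. The following PowerShell is an added example and not part of the original page; it assumes the router user certificate was enrolled into the Current User Personal (My) store of the account that ran Web enrollment and that the CA issued it with an exportable key. The subject string and output paths are placeholders.

```powershell
# Added example, not from the original page. Exports one router user certificate
# the two ways the Export wizard steps call for: a DER .cer without the private
# key (for mapping to the dial-in/dial-out user account) and a .pfx that carries
# the private key plus every certificate in the chain. Assumed: certificate in
# CurrentUser\My, issued with an exportable key. Subject and paths are placeholders.
param(
    [string]$SubjectMatch = 'CN=DialInRouter',     # placeholder: subject of the account's certificate
    [string]$CerPath      = 'C:\certs\dialin.cer',  # placeholder output path (public certificate only)
    [string]$PfxPath      = 'C:\certs\dialin.pfx'   # placeholder output path (private key + chain)
)

$x509 = 'System.Security.Cryptography.X509Certificates'

# Locate the certificate in the Current User Personal store.
$store = New-Object -TypeName "$x509.X509Store" -ArgumentList 'My', 'CurrentUser'
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.Subject -like "*$SubjectMatch*" } | Select-Object -First 1
$store.Close()
if (-not $cert) { throw "No certificate matching '$SubjectMatch' in CurrentUser\My" }

# The .pfx export only works if the CA template allowed an exportable private key.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; enroll it again' }
$csp = $cert.PrivateKey
if ($csp -and -not $csp.CspKeyContainerInfo.Exportable) {
    throw 'Private key is not exportable; the CA must issue certificates with exportable keys'
}

# 1. Public certificate only (DER .cer). Nothing secret leaves the machine in this file.
$cerBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($CerPath, $cerBytes)

# 2. Private key plus certification path (.pfx). Build the chain without a
#    revocation check (the check happens at connection time, not at export time)
#    and add the issuing and root certificates behind the leaf.
$chain = New-Object -TypeName "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($cert)
$bundle = New-Object -TypeName "$x509.X509Certificate2Collection"
[void]$bundle.Add($cert)                                  # leaf, with its private key
for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {   # issuers, public only
    [void]$bundle.Add($chain.ChainElements[$i].Certificate)
}

# Protect the .pfx with a password typed without echo; the plain string is
# needed only for the Export call and is dropped right after.
$secure = Read-Host -AsSecureString 'Password to protect the .pfx'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$pfxBytes = $bundle.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $plain)
$plain = $null
[System.IO.File]::WriteAllBytes($PfxPath, $pfxBytes)

# Sanity check: the .cer must carry no private key and must be the same certificate.
$check = New-Object -TypeName "$x509.X509Certificate2" -ArgumentList $CerPath
if ($check.HasPrivateKey -or $check.Thumbprint -ne $cert.Thumbprint) {
    throw 'The exported .cer does not match expectations'
}
Write-Host ("Wrote {0} (public) and {1} ({2} certificates, private key included)" -f $CerPath, $PfxPath, $bundle.Count)
```

Unlike the wizard's Delete the private key if the export is successful option, this script leaves the key in the store; remove it separately once the .pfx has been imported on the router.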
Importing the dial-out certificate on the corporate office router
On the corporate office router, import the user certificate for the dial-out account. For more information, see Import a certificate.
Configuring the corporate office router to support certificate-based authentication
To configure the corporate office router for certificate-based authentication as an answering router, see Configure the answering router for certificate-based EAP.
To configure the corporate office router for certificate-based authentication as a calling router, see Configure the calling router for certificate-based EAP.
Importing the certificate on the branch office router
When the floppy disk that contains the certificate file from the corporate office arrives at the branch office, import the user certificate for the dial-in account on the branch office router. For more information, see Import a certificate.
Configuring the branch office router to support certificate-based authentication
To configure the branch office router for certificate-based authentication as a calling router, see Configure the calling router for certificate-based EAP.
Connecting to the corporate office and joining the organization domain
To connect to the corporate office and join the organization domain, do the following:
From the branch office, connect to the corporate office by right-clicking the demand-dial interface, and then clicking Connect.
Once connected, the branch office router joins the domain through the Computer Name tab (in the properties of My Computer).
After joining the domain, restart the branch office router.
After restarting the branch office router, connect to the corporate office router again.
Once connected, the branch office router receives domain policy and a computer certificate (if auto-enrollment of computer certificates is configured). If auto-enrollment of computer certificates is not configured, obtain a computer certificate through the Certificates snap-in. For more information, see Manage certificates for a computer and Request a certificate.
Once a computer certificate is obtained, configure the branch office router for certificate-based authentication as an answering router. For more information, see Configure the answering router for certificate-based EAP.
At this point, you can install a domain controller in the branch office by using the demand-dial connection to the corporate office. For more information on installing a domain controller, see Checklist: Installing a domain controller.
Notes
The ability of the branch office router to join the domain and the installation of a domain controller depends on DNS name resolution. Ensure that both the router and the domain controller computer are configured with the proper DNS server IP addresses.
By default, an answering router checks the certificate revocation list when authenticating the calling router. Because the root CA computer is always reachable by the corporate office router, the certificate revocation list can always be checked. However, the root CA computer is not reachable by the branch office router until after the connection is made. If the root CA computer cannot be reached, then Active Directory is checked. In this case, the branch office router accesses its local domain controller for the revocation list. If the certificate revocation list is not published in Active Directory, then the branch office router acting as the answering router rejects the connection attempt. To prevent this problem, do one of the following:
Publish the certificate revocation list in Active Directory. For more information, see Schedule the publication of the certificate revocation list or Manually publish the certificate revocation list.
On the branch office router, set the following registry value to 1:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\EAP\13\IgnoreRevocationOffline
Caution
- Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
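The revocation note above can be checked and acted on from a script on the branch office router. The following PowerShell is an added example, not part of the original page: it approximates the answering router's revocation check with the CryptoAPI chain engine against the calling router's exported .cer, reports the current IgnoreRevocationOffline value at the registry path given in the note, and sets it only when -Apply is passed. The .cer path is a placeholder; the registry path and value name are taken from the note.

```powershell
# Added example, not from the original page. On a branch office router that acts
# as the answering router: test whether the calling router's certificate can be
# revocation-checked from here, show the IgnoreRevocationOffline value, and set
# it to 1 only on request. Assumed: registry path and value name as in the note
# above (EAP type 13 is EAP-TLS); the .cer path is a placeholder.
param(
    [string]$CallerCerPath = 'C:\certs\dialout.cer',   # placeholder: the corporate router's dial-out .cer
    [switch]$Apply
)

$x509    = 'System.Security.Cryptography.X509Certificates'
$keyPath = 'HKLM:\System\CurrentControlSet\Services\RasMan\PPP\EAP\13'
$name    = 'IgnoreRevocationOffline'

function Test-RevocationReachable([string]$CerPath) {
    # Build the chain with online revocation checking for the whole chain; this
    # consults the CRL distribution points (HTTP or LDAP/Active Directory) the
    # way the answering router does when it validates the calling router.
    $cert  = New-Object -TypeName "$x509.X509Certificate2" -ArgumentList $CerPath
    $chain = New-Object -TypeName "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    [void]$chain.Build($cert)
    $offline = $chain.ChainStatus | Where-Object { $_.Status -match 'OfflineRevocation|RevocationStatusUnknown' }
    return (-not $offline)
}

function Get-IgnoreRevocationOffline {
    # Returns $null when the value (or the key) is absent, i.e. revocation is required.
    if (-not (Test-Path $keyPath)) { return $null }
    $props = Get-ItemProperty -Path $keyPath
    if ($props.PSObject.Properties[$name]) { return [int]$props.$name }
    return $null
}

function Set-IgnoreRevocationOffline([int]$Value) {
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    Set-ItemProperty -Path $keyPath -Name $name -Value $Value -Type DWord
}

$reachable = Test-RevocationReachable $CallerCerPath
$current   = Get-IgnoreRevocationOffline
Write-Host ("Revocation check possible for {0}: {1}" -f $CallerCerPath, $reachable)
if ($current -eq $null) { Write-Host "$name is not set (revocation required)" }
else                    { Write-Host "$name is $current" }

if ($Apply) {
    # Only the fallback: with this set, a calling router whose certificate was
    # revoked is still accepted whenever the CRL cannot be fetched.
    Set-IgnoreRevocationOffline 1
    Write-Host "$name set to 1"
} elseif (-not $reachable) {
    Write-Host 'CRL not reachable: publish it in Active Directory, or rerun with -Apply to set the registry value'
}
```

Publishing the CRL in Active Directory keeps revocation checking effective for the branch office router, so run with -Apply only where that is not possible and the availability of the demand-dial link outweighs missing a revoked calling-router certificate while the CRL is unreachable.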