I found this article (link) on how to set up VPN access to TMG 2010. It's clearly written and easy to follow; however, there are some pre-requisites for this. As I am fairly new to Windows server technology, those pre-requisites didn't ring a bell in my head. I'd really appreciate it if someone could elaborate a bit more on those pre-requisites, hopefully with some detailed step-by-step guidance. And here is my server setup: I have two Windows 2008 R2 servers, one with TMG 2010 installed as an edge firewall, the other installed as DC and DNS.

The steps that I didn't have any clue about are 3 and 5:

  • Pre-requisite 3: Enterprise Root CA: where and how to install this?
  • Pre-requisite 5: Computer certificate installed on the TMG server: where to get the certificate and how to install it?
  • I suppose I need to install a certificate on my client PC which will access TMG through VPN, so how to get that certificate?
Tong Wang

1 Answer

Have a look here for some guidance. It's called "Active Directory Certificate Services" (ADCS).

Reviewers: I would post the full details of the link, but it's quite large.

The Basic steps:

  1. Log on to TEST_PKI1 as a domain administrator.

  2. Click Start, point to Administrative Tools, and then click Server Manager.

  3. In the Roles Summary section, click Add roles.

  4. On the Select Server Roles page, select the Active Directory Certificate Services check box. Click Next two times.

  5. On the Select Role Services page, select the Certification Authority check box, and then click Next.

  6. On the Specify Setup Type page, click Enterprise, and then click Next.

  7. On the Specify CA Type page, click Root CA, and then click Next.

  8. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional configuration settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.

  9. In the Common name for this CA box, type the common name of the CA, RootCA1, and then click Next.

  10. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and then click Next.

  11. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.

  12. After verifying the information on the Confirm Installation Options page, click Install.

  13. Review the information on the confirmation screen to verify that the installation was successful.

MichelZ
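The wizard steps above as a PowerShell script, added here as an example and not part of MichelZ's answer. It assumes Windows Server 2012 or later (the ADCSDeployment cmdlets it uses do not exist on the 2008 R2 servers in the question, where the Server Manager wizard is the route); the explicit RSA-2048/SHA-256 key settings and the $CaName variable are this example's own choices, not the wizard defaults.

```powershell
# Added example (not from the original answer): the Server Manager wizard
# steps 4-13 as a script. Assumes Windows Server 2012 or later (ADCSDeployment
# module). Run in an elevated PowerShell session as a domain administrator on
# the domain-joined server that will become the Enterprise Root CA.
$CaName = 'RootCA1'   # common name from step 9

# Step 4/5: add the AD CS role with the Certification Authority role service.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Steps 6-10: Enterprise Root CA. Step 8 is made explicit instead of accepting
# the wizard defaults: RSA 2048 with SHA-256 is this example's assumption,
# chosen because SHA-1-signed CA certificates are rejected by current clients.
# Five years matches the default root validity period of step 10.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# Step 13 equivalent: confirm the CA service answers, and that the new root
# certificate is in the local Trusted Root store. Domain members such as the
# TMG server and the VPN clients receive this root via Group Policy, so if it
# is missing here the certificates issued later will not chain for them.
certutil -ping
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$CaName*" }
if (-not $root) {
    throw "Root certificate for $CaName not found in the Trusted Root store"
}
$root | Format-List Subject, Thumbprint, NotAfter, SignatureAlgorithm
```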
  • Thanks. So, which server should I add the AD CS role to? The DC/DNS server or the TMG server? If I am not mistaken, I'll generate a certificate from AD CS, then deploy this certificate on the TMG server as well as the VPN client, correct? – Tong Wang Jun 18 '12 at 14:44
  • Ideally, you would set up a Certificate Authority hierarchy on separate servers. In your situation, you'll probably use the DC/DNS server. I highly recommend, however, getting professional help with setting all this up (and setting it up securely); it's not an easy task. Yes, you would generate certs from AD CS for TMG and the clients. – MichelZ Jun 18 '12 at 14:48
  • I remember the PKI encryption includes both a public key and a private key. So do I create a pair of certificates and put one on the TMG server and the other on the VPN client? Or does that work differently? – Tong Wang Jun 18 '12 at 15:41