Certificate Autoenrollment
Next, configure the root CA so that computer certificates are issued automatically through Group Policy, using a GPO named Cert Auto Enrollment Group Policy Object. These certificates will be used to secure the IPsec tunnels that DirectAccess establishes.

To configure computer certificate autoenrollment, complete the following steps:
1. On the domain controller DC1, launch Server Manager.
2. Expand Features, Group Policy Management, Forest: companyabc.com, Domains, and select companyabc.com.
3. In the console tree, right-click the domain companyabc.com and select Create a GPO in the Domain and Link It Here.
4. Enter the name Cert Auto Enrollment Group Policy Object and then click OK.
5. Right-click the Cert Auto Enrollment Group Policy Object and select Edit.
6. In the console tree of the Group Policy Management Editor, open Computer Configuration, Policies, Windows Settings, Security Settings, and select Public Key Policies.
7. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.
8. In the Automatic Certificate Request Wizard, click Next.
9. On the Certificate Template page, click Computer (shown in Figure 4), click Next, and then click Finish.
10. Close the Group Policy Management Editor and Group Policy Management Console.
Now, each computer that is a member of the domain will be enrolled automatically with a computer certificate.
IP-HTTPS Certificate

Next, obtain an additional certificate for DA1 with a customized subject name and subject alternative name for IP-HTTPS connectivity. This certificate is in addition to the computer certificate that DA1 obtained through the autoenrollment configured earlier.

To obtain the additional certificate for the DirectAccess server DA1, execute the following steps:
1. On the DirectAccess server DA1, click Start, type mmc, and then press Enter.
2. Click File and select Add/Remove Snap-Ins.
3. Select Certificates, click the Add button, select Computer Account, click Next, select Local Computer, click Finish, and then click OK.
4. In the console tree of the Certificates snap-in, expand Local Computer, Personal, and select Certificates.
5. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
6. Click Next twice.
7. On the Request Certificates page, click Web Server 2008, and then click the link More Information Is Required to Enroll for This Certificate.
8. On the Subject tab of the Certificate Properties dialog box, in the Subject Name section, for Type, select Common Name.
9. In the Value field, type da1.companyabc.com, and then click the Add button.
10. In the Alternative Name section, for Type, select DNS.
11. In the Value field, type da1.companyabc.com, and then click the Add button.
12. Click OK, click Enroll, and then click Finish.
13. In the details pane of the Certificates snap-in, verify that a new certificate with the name da1.contoso.com was enrolled with Intended Purposes of Server Authentication.
14. Right-click the certificate and select Properties.
15. In the Friendly Name field, type IP-HTTPS and click OK.
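The two certificate procedures above (autoenrollment of the computer certificate and the manual IP-HTTPS request) are easy to get subtly wrong, so it is worth confirming the result on DA1 before running the DirectAccess Setup Wizard. The following PowerShell script is an added check, not part of the book's steps; it assumes the names used on this page (da1.companyabc.com, friendly name IP-HTTPS) and that the autoenrolled certificate came from the built-in Computer template, whose internal template name is Machine.

```powershell
# Added verification script (not from the book). Run in an elevated
# PowerShell session on DA1 after completing both certificate procedures.
$Fqdn        = 'da1.companyabc.com'        # server name used on this page
$ServerAuth  = '1.3.6.1.5.5.7.3.1'         # EKU: Server Authentication
$SanOid      = '2.5.29.17'                 # Subject Alternative Name
$TemplateOid = '1.3.6.1.4.1.311.20.2'      # Certificate Template Name (V1 templates)

$store = Get-ChildItem -Path Cert:\LocalMachine\My

# 1. Autoenrolled computer certificate: issued from the Computer template
#    (internal name "Machine"), has a private key, and chains to a trusted root.
$computerCert = $store | Where-Object {
    ($_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid } |
        ForEach-Object { $_.Format($false) }) -match '^Machine'
}
if (-not $computerCert) {
    Write-Warning "No autoenrolled Computer certificate found. Run 'gpupdate /force' and 'certutil -pulse', then re-check."
} else {
    foreach ($c in $computerCert) {
        "Computer cert $($c.Thumbprint): private key=$($c.HasPrivateKey), chain OK=$($c.Verify()), expires $($c.NotAfter)"
    }
}

# 2. IP-HTTPS certificate: CN and DNS SAN match the FQDN, EKU includes
#    Server Authentication, friendly name is IP-HTTPS, chain and validity OK.
$ipHttps = $store | Where-Object { $_.FriendlyName -eq 'IP-HTTPS' }
if (-not $ipHttps) {
    Write-Warning "No certificate with friendly name 'IP-HTTPS' found; repeat step 15 (or the whole request)."
    return
}
foreach ($c in $ipHttps) {
    $sanExt = $c.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $checks = [ordered]@{
        'Subject CN matches FQDN'    = $c.Subject -match "CN=$([regex]::Escape($Fqdn))(,|$)"
        'SAN contains DNS FQDN'      = $san -match "DNS Name=$([regex]::Escape($Fqdn))"
        'EKU Server Authentication'  = @($c.EnhancedKeyUsageList.ObjectId) -contains $ServerAuth
        'Has private key'            = $c.HasPrivateKey
        'Chain builds to trusted CA' = $c.Verify()
        'Not expired'                = $c.NotAfter -gt (Get-Date)
    }
    "IP-HTTPS cert $($c.Thumbprint):"
    $checks.GetEnumerator() | ForEach-Object {
        "  [{0}] {1}" -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
    }
}
```

A FAIL on the SAN or CN line means remote clients will not be able to validate the IP-HTTPS listener, and a FAIL on the chain line usually means the root CA certificate has not reached DA1 via Group Policy yet.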
Installing the DirectAccess Feature on DA1

Before you can run the DirectAccess Setup Wizard, you must install the DirectAccess feature on DA1. To install the DirectAccess feature, execute the following steps:
1. On the DirectAccess server DA1, launch Server Manager.
2. Right-click Features and select Add Features.
3. On the Select Features page, select DirectAccess Management Console.
4. At the pop-up, click Add Required Features. This adds the Group Policy Management feature.
5. Click Next.
6. Click Install.
7. Click Close to finish.
The DirectAccess feature has been installed, but it still needs to be configured.