Radius Server - Where to place IAS and Cert Svces?

Joan

2005-03-29, 6:20 pm

We want to set up IAS for VPN and wireless authentication. We are also
thinking of setting up an Enterprise Root CA using W2K3 Certificate Services
instead of 3rd party certificate. But we are limited as to where we can
place IAS and Certificate Services -- our options are two DCs (child domain
in empty root that also has two DCs) and two member servers. Should or can
either IAS or Certificate Services be on a DC -- I've read conflicting info
even in MS docs.

One member server will be running WSUS and an antivirus/antispam/antispyware
gateway, and temporarily VPN services, so it will be Internet-exposed with
incoming-generated traffic. I would not place the CA there, but what about IAS?

We're not a large company and VPN is only for employees. Also, our public
web site is elsewhere.

Thanks,
Joan



James McIllece [MS]

2005-03-30, 5:58 pm

Hi Joan --

Placing IAS on a DC is actually recommended, so that would be a good
choice.

I am not a PKI/Certificate Services expert but I was under the impression
that a root Enterprise CA should be taken offline immediately after
configuration for security purposes. Before you deploy an Enterprise Root
CA, you should read the deployment guides, Help, and other whitepapers for
that technology. All of the documentation you need for PKI can be found at
http://www.microsoft.com/windowsser...i/default.mspx.

Also, note that if you place IAS on a DC in a child domain, you need to
register it in Active Directory in the parent domain to provide IAS with
the ability to authorize and authenticate users in the parent domain. For
more information, see the IAS Help topic "To enable the IAS server to read
user accounts in Active Directory" on the box or on the Web at
http://www.microsoft.com/resources/.../2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ias_add_activedir.asp.

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
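
As an added example (not from the thread or from Microsoft), a PowerShell check for the registration step James describes: an IAS server in a child domain must be a member of the parent domain's "RAS and IAS Servers" group before it can read user accounts there. Server and domain names are placeholders, and the `netsh ras add registeredserver` call is the Windows Server 2003-era registration command.

```powershell
# Added example, not part of the thread. Checks whether an IAS server in a
# child domain is registered in the parent domain (member of the parent's
# "RAS and IAS Servers" group) and registers it if it is not.
# Assumes the ActiveDirectory module (RSAT) and rights to read/modify the group.
# All names below are placeholders.
param(
    [string]$IasServer    = 'CHILD-DC1',          # IAS host in the child domain
    [string]$ParentDomain = 'corp.example',       # parent domain (DNS name)
    [string]$ParentDc     = 'DC1.corp.example'    # a DC of the parent domain
)
Import-Module ActiveDirectory

# Read the member DNs directly: the computer account lives in another domain,
# so matching on the distinguished name avoids cross-domain lookup problems.
$group = Get-ADGroup -Identity 'RAS and IAS Servers' -Server $ParentDc -Properties member
$registered = @($group.member | Where-Object { $_ -like "CN=$IasServer,*" })

if ($registered.Count -gt 0) {
    Write-Output "$IasServer is registered in $ParentDomain ($($registered[0]))"
} else {
    Write-Output "$IasServer is NOT registered in $ParentDomain; registering now"
    # The 2003-era registration command: adds the server's computer account
    # to the "RAS and IAS Servers" group of the named domain.
    netsh ras add registeredserver "domain=$ParentDomain" "server=$IasServer"
}
```

Run it from an account with rights in the parent domain; IAS must be restarted before a new group membership takes effect.
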

dc3dog

2005-03-31, 3:00 am

I think I've read some of the same MS documentation that you have on
Securing Wireless LANs. Another of the documents in that series makes
reference to the doc I think you are referring to. It states something to this
effect...

Although it is described in some other MS documentation, it is HIGHLY NOT
recommended to install Cert Server on a DC.

Reference the following MS docs:
"Choosing a Strategy for Wireless LAN Security", "Securing Wireless LANs
with PEAP and Passwords", "Best Practices for Implementing a Microsoft
Windows Server 2003 Public Key Infrastructure", "Managing the Public Key
Infrastructure".

Thomas K

2005-03-31, 3:00 am

Hey,

First, shouldn't we be discussing the question "IAS on a GC ?" instead of
"IAS on a DC?" ??

I see the tradeoff this way for IAS on a GC:
+ advantage: faster authentication process because no network latency
is involved between IAS & GC
+ drawback 1: security: one more server running on a critical service;
if IAS is compromised, AD might be compromised
+ drawback 2: GC has to have room for increased CPU/RAM/NET demand

As far as the certificate service is concerned, I cannot think of a good
reason to host it on a DC. Indeed, the CA won't need to talk to AD most of
the time (except at bootstrapping time when certificates are issued & when
the CRL is published).

What do you think?

/T

Joan

2005-04-04, 5:57 pm

Hi James,

Thanks. I guess I'll place IAS on a DC. (btw, dc3dog correctly id'd the doc
that said highly recommended not to place on a DC.) Our two DCs are also GCs
so Thomas K's Q on that is moot for us. I did read many of the CA and PKI
docs including Best Practices, and never having done CA or PKI it can get
somewhat confusing. Because we do not have an extra server to take offline,
and because of all the MS warnings about managing your own Cert Svces
infrastructure (security concerns, etc.), we've decided to use 3rd party. I'm
about to investigate our options with that.

Joan

Copyright 2003 - 2008 webservertalk.com