Business partner demand-dial connection

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Business partner demand-dial connection

To use certificates for a two-way initiated, mutually authenticated, demand-dial configuration between two business partners (in this example, Company A and Company B), you must perform the following:

  • Configure the calling and answering routers for demand-dial routing.

  • Install computer certificates on the calling router and answering router computers.

  • Configure the domain for Web-based certificate enrollment.

  • At Company A, create a user account for the Company B router and export a certificate for the user account.

  • At Company B, create a user account for the Company A router and export a certificate for the user account.

  • At Company A, import the certificate from Company B.

  • Configure the Company A router to support certificate-based authentication as a calling router and as an answering router.

  • At Company B, import the certificate from Company A.

  • Configure the Company B router to support certificate-based authentication as a calling router and as an answering router.

Configuring the calling and answering routers for demand-dial routing

Configure the Routing and Remote Access calling and answering routers as described in Deploying demand-dial routing for dial-in demand-dial routing or Router-to-router VPN Deployment for VPN demand-dial routing.

Installing computer certificates on the calling router and answering router computers

To use EAP-TLS, a computer certificate (also known as a machine certificate) must be installed on the authenticating server and the remote access client. In order to install a computer certificate, a certification authority must be present to issue certificates. Once the certification authority is configured, you can install a certificate in three different ways:

  • By configuring the automatic enrollment, or autoenrollment, of computer certificates to computers in a Windows Server 2003 domain.

  • By using the Certificates snap-in to obtain a computer certificate.

  • By using your browser to connect to the CA Web enrollment pages to install a certificate on the local computer or to a floppy disk for installation on another computer, such as non-domain member computers that cannot obtain a certificate through autoenrollment.

Based on the certificate policies in your organization, you only need to perform one of these allocations.

For more information, see Network access authentication and certificates.

To configure a certification authority and install the computer certificate, perform the following steps:

  1. Install the Certificate Services component as an enterprise root certification authority (CA). This step is only necessary if you do not already have an enterprise root CA.

    1. If necessary, promote the computer that will be a CA to a domain controller (DC).

    2. Install the Certificate Services component as an enterprise root CA. For more information, see Install an enterprise root certification authority.

  2. Configure the CA to issue certificates that permit exportable keys. To do so, you must clone and rename the router (offline request) template, choose to make the keys exportable, and add the new template to the templates the CA can use to issue certificates. For more information, see To establish the certificate types that an enterprise certification authority can issue.

  3. Do one of the following:

    • To auto-enroll computer certificates, configure the domain. For more information, see Configure automatic certificate allocation from an enterprise CA.

      To create a computer certificate for the calling or answering router that is a member of the domain for which auto-enrollment is configured (as well as other computers that are members of the domain), restart the computer or type gpupdate /Target:Computer /Force from the command prompt.

    • To manually enroll computer certificates, use the Certificates snap-in or the CA Web enrollment pages to install the CA root certificate. For more information, see Manage certificates for a computer and Request a certificate.

In order for the CA to issue certificates for the calling router, you must configure the domain for Web-based enrollment. For more information, see Set up certification authority Web enrollment support.

Creating a user account and exporting its certificate for the Company B router

To create a dial-in user account for the Company B router and export the user certificate of the user account, do the following:

  1. Log on as a domain administrator.

  2. Create a user account that the Company B router will use when it dials the Company A router. For more information, see Create a new user account.

  3. Obtain a certificate that has an exportable key from the certification authority through Web-based enrollment. This certificate might be called router (offline request), or have another name. For more information, see Install a router (offline request) certificate.

  4. Export the exportable key certificate to a .cer file. For more information, see Export a certificate. Within the Certificates snap-in Export wizard, do not export the private key.

  5. Map the newly created certificate (the .cer file) to the user account that was created for the Company B router. For more information, see Map a certificate to a user account.

  6. Export the certificate to a .pfx file. For more information, see Export a certificate. Within the Certificates snap-in Export wizard, export the private key, select the Delete the private key if the import is successful check box, and click Include all certificates in the certification path if possible. Save this file to a floppy disk to send to the network administrator at Company B.

  7. Send the floppy disk that contains the Company B dial-in account user certificate file to the network administrator at Company B.

Creating a user account and exporting its certificate for the Company A router

To create a dial-in user account for the Company A router and export the user certificate of the user account, do the following:

  1. Log on as a domain administrator.

  2. Create a user account that the Company A router will use when it dials the Company B router. For more information, see Create a new user account.

  3. Obtain a certificate that has exportable keys from the certification authority through Web-based enrollment. This certificate might be called router (offline request), or it might have another name. For more information, see Install a router (offline request) certificate.

  4. Export the certificate to a .cer file. For more information, see Export a certificate. Within the Certificates snap-in Export wizard, do not export the private key.

  5. Map the newly created certificate (the .cer file) to the user account created for the Company A router. For more information, see Map a certificate to a user account.

  6. Export the certificate to a .pfx file. For more information, see Export a certificate. Within the Certificates snap-in Export wizard, export the private key, select the Delete the private key if the import is successful check box, and click Include all certificates in the certification path if possible. Save this file to a floppy disk to send to the network administrator at Company A.

  7. Send the floppy disk that contains the Company A dial-in account user certificate file to the network administrator at Company A.

Importing the certificates from Company B

Upon receipt at Company A of the floppy disk that contains the certificate file from Company B, on the Company A router, import the user certificate. For more information, see Import a certificate.

Configuring the Company A router to support certificate-based authentication

To configure the Company A router for certificate-based authentication as an answering router, see Configure the answering router for certificate-based EAP.

To configure the Company A router for certificate-based authentication as a calling router, see Configure the calling router for certificate-based EAP.

Importing the certificates from Company A

Upon receipt at Company B of the floppy disk that contains the certificate files from Company A, on the Company B router, import the user certificate. For more information, see Import a certificate.

Configuring the Company B router to support certificate-based authentication

To configure the Company B router for certificate-based authentication as an answering router, see Configure the answering router for certificate-based EAP.

To configure the Company B router for certificate-based authentication as a calling router, see Configure the calling router for certificate-based EAP.