Branch Office Demand-Dial Connection

Published: April 30, 2010

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

To use certificates for a two-way initiated, mutually authenticated, demand-dial configuration between two routers in the same organization (in this example, a branch office router and a corporate office router), you must perform the following:

  • Configure the calling and answering routers for demand-dial routing.

  • Install a computer certificate on the corporate office router.

  • Configure the domain for Web-based certificate enrollment.

  • Create user accounts and export certificates.

  • Import the dial-out user certificate on the corporate office router.

  • Configure the corporate office router to support certificate-based authentication as a calling router and as an answering router.

  • Import the dial-in certificate on the branch office router.

  • Configure the branch office router to support certificate-based authentication as a calling router.

  • Connect to the corporate office and join the organization domain.

For information about creating and deploying certificates, see Core Network Companion Guide: Deploying Server Certificates and Core Network Companion Guide: Deploying Computer and User Certificates.

Configure the calling and answering routers as described in previous tasks under Deploying VPN Site-to-Site Access.

To configure EAP-TLS on the corporate office router, you must install a computer certificate (also known as a machine certificate). To install a computer certificate, a certification authority must be present to issue certificates. Once the certification authority is configured, you can install a certificate in three different ways:

  • By configuring the automatic enrollment, or autoenrollment, of computer certificates to computers in a Windows Server 2003 domain.

  • By using the Certificates snap-in to obtain a computer certificate.

  • By using your browser to connect to the CA Web enrollment pages to install a certificate on the local computer or to a floppy disk for installation on another computer, such as non-domain member computers that cannot obtain a certificate through autoenrollment.

Based on the certificate policies in your organization, you only need to perform one of these allocations.

To configure a certification authority and install the computer certificate, perform the following steps:

  1. Install the Certificate Services component as an enterprise root certification authority. This step is only necessary if you do not already have an enterprise root certification authority (CA).

    1. If necessary, promote the computer that will be a CA to a domain controller (DC).

    2. Install the Certificate Services component as an enterprise root CA.

  2. Configure the CA to issue certificates with exportable keys.

  3. Do one of the following:

    • To auto-enroll computer certificates, configure the domain.

      To create a computer certificate for the calling or answering router that is a member of the domain for which autoenrollment has been configured (as well as other computers that are members of the domain), restart the computer or type gpupdate /Target:Computer/Force from the command prompt.

    • To manually enroll computer certificates, use the Certificates snap-in or the CA Web enrollment pages to install the CA root certificate.

In order for the CA to issue certificates for the calling router, you must configure the domain for Web-based enrollment.

To create dial-in and dial-out user accounts and export certificates, do the following:

  1. Log on as a domain administrator.

  2. Create a user account that the corporate office router will use when it dials the branch office router (the dial-out account). For more information, see Configure Router User Accounts.

  3. Obtain a certificate that has exportable keys for the dial-out account from the certification authority through Web-based enrollment. This certificate might be called router (offline request), or it might have another name.

  4. Export the certificate for the dial-out account to a .cer file. Within the Certificates snap-in Export wizard, do not export the private key.

  5. Map the newly created certificate (the .cer file) to the dial-out user account.

  6. Export the certificate of the dial-out account to a .pfx file. Within the Certificates snap-in Export wizard, export the private key and click Delete the private key if the import is successful and select the option to Include all certificates in the certification path if possible.

  7. Create a user account that the branch office router will use when it dials the corporate office router (the dial-in account). For more information, see Configure Router User Accounts.

  8. Obtain a certificate that has exportable keys for the dial-in account from the certification authority through Web-based enrollment. This certificate might be called router (offline request), or it might have another name.

  9. Export the certificate for the dial-in account to a .cer file. Within the Certificates snap-in Export wizard, do not export the private key.

  10. Map the newly created certificate (the .cer file) to the dial-in user account.

  11. Export the certificate of the dial-in account to a .pfx file. Within the Certificates snap-in Export wizard, export the private key and click Delete the private key if the import is successful. Save this file to a floppy disk to send to the network administrator at the branch office.

  12. Send the floppy disk that contains the dial-in account user certificate file to the network administrator at the branch office.

On the corporate office router, import the user certificate for the dial-out account.

To configure the corporate office router for certificate-based authentication as an answering router, see Configure the Answering Router for Certificate-based EAP.

To configure the corporate office router for certificate-based authentication as a calling router, see Configure the Calling Router for Certificate-based EAP.

Upon receipt at the branch office of the floppy disk that contains the certificate file from the corporate office, import the user certificate for the dial-in account.

To configure the branch office router for certificate-based authentication as a calling router, see Configure the Calling Router for Certificate-based EAP.

To connect to the corporate office and join the organization domain, do the following:

  1. From the branch office, connect to the corporate office by right-clicking the demand-dial interface, and then clicking Connect.

  2. Once connected, the branch office router joins the domain through the Computer Name tab (in the properties of My Computer).

  3. After joining the domain, restart the branch office router.

  4. After restarting the branch office router, connect to the corporate office router again.

  5. Once connected, the branch office router receives domain policy and a computer certificate (if auto-enrollment of computer certificates is configured). If auto-enrollment of computer certificates is not configured, obtain a computer certificate through the Certificates snap-in.

  6. Once a computer certificate is obtained, configure the branch office router for certificate-based authentication as an answering router. For more information, see Configure the Answering Router for Certificate-based EAP.

At this point, you can install a domain controller in the branch office by using the demand-dial connection to the corporate office.

Notes

  • The ability of the branch office router to join the domain and the installation of a domain controller depends on DNS name resolution. Ensure that both the router and the domain controller computer are configured with the proper DNS server IP addresses.

  • By default, an answering router checks the certificate revocation list when authenticating the calling router. Because the root CA computer is always reachable by the corporate office router, the certificate revocation list can always be checked. However, the root CA computer is not reachable by the branch office router until after the connection is made. If the root CA computer cannot be reached, then Active Directory is checked. In this case, the branch office router accesses its local domain controller for the revocation list. If the certificate revocation list is not published in Active Directory, then the branch office router acting as the answering router rejects the connection attempt. To prevent this problem, do one of the following:

    • Publish the certificate revocation list in Active Directory.

    • On the branch office router, set the following registry value to 1:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\EAP\13\IgnoreRevocationOffline


      CautionCaution
      Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Community Additions

ADD
Show: