How to set up certificate authentication for VPN access to TMG 2010

Tags: active-directory, certificate, microsoft-ftmg-2010, vpn, windows-server-2008

I found this article (link) on how to set up VPN access to TMG 2010. It's clearly written and easy to follow; however, there are some pre-requisites for this. As I am fairly new to Windows server technology, those pre-requisites didn't ring a bell in my head. I'd really appreciate it if someone could elaborate a bit more on those pre-requisites, hopefully with some detailed step-by-step guidance. Here is my server setup: I have two Windows 2008 R2 servers, one with TMG 2010 installed as an edge firewall, the other installed as a DC and DNS server.

The steps I don't have any clue about are 3 and 5:

  • Pre-requisite 3: Enterprise Root CA: where and how to install this?
  • Pre-requisite 5: Computer certificate installed in TMG server: Where to get the certificate and how to install it?
  • I suppose I need to install a certificate on my client PC which will access TMG through VPN, so how to get that certificate?

Best Answer

Have a look here for some guidance. It's called "Active Directory Certificate Services" (ADCS).

Reviewers: I would post the full details of the link, but it's quite large.

The basic steps:

  1. Log on to TEST_PKI1 as a domain administrator.

  2. Click Start, point to Administrative Tools, and then click Server Manager.

  3. In the Roles Summary section, click Add roles.

  4. On the Select Server Roles page, select the Active Directory Certificate Services check box. Click Next two times.

  5. On the Select Role Services page, select the Certification Authority check box, and then click Next.

  6. On the Specify Setup Type page, click Enterprise, and then click Next.

  7. On the Specify CA Type page, click Root CA, and then click Next.

  8. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional configuration settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.

  9. In the Common name for this CA box, type the common name of the CA, RootCA1, and then click Next.

  10. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and then click Next.

  11. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.

  12. After verifying the information on the Confirm Installation Options page, click Install.

  13. Review the information on the confirmation screen to verify that the installation was successful.
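The same Enterprise Root CA setup as PowerShell, added here as an example and not part of the answer above. It assumes the ADCSDeployment module, which ships with Windows Server 2012 and later; on the asker's Windows Server 2008 R2 the Server Manager wizard described in the answer is the supported route. The key length and hash algorithm are this example's choices, not the wizard defaults.

```powershell
# Added example (not the answer's own steps): Server Manager steps 4-13
# expressed as PowerShell. Run in an elevated session on the domain-joined
# server that will become the Enterprise Root CA (TEST_PKI1 in the answer),
# as a member of Enterprise Admins, because an Enterprise CA publishes
# itself into Active Directory. Requires Windows Server 2012 or later.

Import-Module ServerManager
Import-Module ADCSDeployment

# Steps 4-5: add the Certification Authority role service and its MMC tools.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Steps 6-10: Enterprise Root CA with common name RootCA1.
# Key/hash values are this example's assumptions, chosen as a sensible floor
# for a CA that will issue machine certificates for L2TP/IPsec VPN clients.
# 5 years matches the wizard's default root CA validity period.
$caParams = @{
    CAType              = 'EnterpriseRootCa'
    CACommonName        = 'RootCA1'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5
    # Step 11: leaving out DatabaseDirectory/LogDirectory keeps the defaults.
    Force               = $true
}
Install-AdcsCertificationAuthority @caParams

# Step 13 equivalent: confirm the CA service is running and answering.
Get-Service CertSvc | Select-Object Status, Name, DisplayName
certutil -ping          # "... is alive!" means the enrollment interface is up
certutil -cainfo name   # prints the CA name; expect RootCA1

# Pre-requisite 5 (computer certificate on the TMG server): with the CA up,
# a domain-joined machine can request a certificate from the built-in
# "Computer" template in the Certificates MMC (Local Computer > Personal >
# All Tasks > Request New Certificate). The VPN client PC needs one too.
```

If the wizard had already been run, Install-AdcsCertificationAuthority fails rather than reconfiguring the existing CA, so check `certutil -cainfo name` first on a server that may already host a CA.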