Posted by Mr555 on August 29, 2006, 8:18 pm
Hello S. Pidgorny
I agree with your comment; I thought I could specify any DC.
I have tried your suggestions previously; it won't work. The CRL will
automatically update only if I put 192.168.1.1 under the LDAP Server: setting.
So you don't think there are any settings that may bind to our old DC "corp"
server? I need to specify our new 2003 DC.
This is how I specify it on our VPN NetScreen 50 under certificate options > CRL
settings:
CRL Settings
URL Address:
ldap:///CN=company1,CN=Paul,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain1,DC=co,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint
LDAP Server: 192.168.1.1
Refresh Frequency: Daily
"S. Pidgorny <MVP>" wrote:
> You should be able to use any domain controller and point the LDAP url
> accordingly, like:
>
>
> ldap://192.168.1.2/CN=company1,CN=Paul,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain1,DC=co,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
>
> > Hello
> >
> > Thank you so much for your input to my questions. I am new to certificate
> > server; I thought just enabling the certificate services would be OK. At the
> > moment our VPN is operational. The only problem (a serious problem) we are
> > having is that it will only retrieve a new CRL from the certificate server
> > if I specify the old LDAP server IP address, which is 192.168.1.1 "corp server,
> > Windows 2000". We are going to demote the corp server soon. I got the feeling
> > that some configuration has been done on the corp server; possibly I have to
> > enable it on the Paul server, 192.168.1.2, Windows 2003. I am not sure what it
> > is, so hopefully you will be able to help me with this.
> > We are using a NetScreen 50 as our VPN server. Under certificate options on
> > our NetScreen VPN server there is a place where you have to specify the URL path;
> > the NetScreen documentation says I must copy it from the published
> > CRL locations "
> > URL=ldap:///CN=company1,CN=Paul,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain1,DC=co,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint"
> > to that location, then I have specified the LDAP IP address 192.168.1.1 to
> > work around it.
> >
> > Thank you
> >
> > Mr555
> >
> >
> >
> > "S. Pidgorny <MVP>" wrote:
> >
> >> Which VPN server do you use and how do you configure it for CRL lookup
> >> (if applicable)?
> >> What CDPs are defined in the VPN client certificate properties?
> >> Not less important - what CDPs are defined in the VPN server certificate?
> >>
> >> --
> >> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> >> -= F1 is the key =-
> >>
> >> > 3 months ago we migrated to Windows 2003 Server.
> >> >
> >> > We have moved the entire FSMO role from our old Windows 2000 server "Corp"
> >> > to our new Windows 2003 server "Paul". Paul is now the forest root of our
> >> > network.
> >> > The IP address of Paul is 192.168.1.2
> >> >
> >> > A few weeks ago our Windows 2000 certificate server "Spoon" died; we decided
> >> > to rebuild the certificate server on Windows 2003. The new certificate server
> >> > is now called "Mugen" and is configured as a stand-alone root CA member server.
> >> > The purpose of this certificate server is to authenticate VPN connections
> >> > to our network, and it operates together with our NetScreen VPN / firewall.
> >> >
> >> > 15 days ago, our VPN / firewall failed to retrieve the CRL from the
> >> > certificate server. Therefore VPN connections stopped working.
> >> >
> >> > Under extensive investigation, I have discovered we can only make our
> >> > VPN/firewall automatically obtain the CRL from the certificate server "Mugen"
> >> > if we specify the old LDAP server IP address "corp.", which is 192.168.1.1.
> >> >
> >> > If I enter the IP address of Paul, 192.168.1.2, in the VPN/firewall
> >> > certificate settings, the automatic CRL retrieval will fail.
> >> >
> >> > I have checked with the firewall support team. They said NetScreen does
> >> > support Windows 2003 Server. They suspect I have not configured our
> >> > certificate server correctly to work under the "Paul" LDAP server.
> >> >
> >> > Questions:
> >> >
> >> > Is there any configuration or security policy I need to configure to allow
> >> > communication between the LDAP server "Paul" and the certificate server
> >> > "Mugen"?
> >> >
> >> > I need to specify "Paul" as the LDAP server in the VPN setup instead of the
> >> > corp server. Please help.
> >> >
> >> > Thank you
> >> >
> >> > Mr555
> >> >
> >> >
> >> >
> >>
> >>
> >>
>
>
>
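The thread turns on one detail of the CDP URL quoted above: it is written as `ldap:///...` with an empty host, which under RFC 4516 means "the client decides which LDAP server to ask", so on the NetScreen the separate LDAP Server field is what picks the domain controller. The DN also sits under CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration, i.e. in the forest's configuration partition, which every DC in the forest replicates, which is why the reply says any DC should be able to serve it. The following Python is an added example, not code from the poster, the MVP or NetScreen: it parses an LDAP URL into its RFC 4516 parts, checks whether the DN lives in the configuration partition, and rewrites the URL to name an explicit server the way the reply suggests. The sample URL is the one quoted in the thread; the function names and the IPv6 handling are my own assumptions.

```python
"""Parse, check and rewrite LDAP CRL distribution point (CDP) URLs.

Added example for the thread above (not the poster's or NetScreen's code).
PAGE_CDP_URL is copied from the post; all function names are assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# CDP URL as published by the CA in the thread (copied from the post).
PAGE_CDP_URL = (
    "ldap:///CN=company1,CN=Paul,CN=CDP,CN=Public%20Key%20Services,"
    "CN=Services,CN=Configuration,DC=domain1,DC=co,DC=nz"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint"
)


@dataclass
class LdapUrl:
    scheme: str
    host: str                 # "" => client must use its own configured LDAP server
    port: int | None
    dn: str                   # percent-decoded distinguished name
    attributes: list[str]
    scope: str                # base | one | sub (RFC 4516 default: base)
    filter: str               # RFC 4516 default: (objectClass=*)
    extensions: list[str] = field(default_factory=list)


def _split_hostport(hostport: str) -> tuple[str, int | None]:
    """Split "host", "host:port" or "[v6]:port" into (host, port)."""
    if hostport.startswith("["):                       # IPv6 literal
        end = hostport.index("]")
        host, rest = hostport[: end + 1], hostport[end + 1:]
        return host, (int(rest[1:]) if rest.startswith(":") else None)
    host, sep, port = hostport.rpartition(":")
    return (host, int(port)) if sep else (hostport, None)


def parse_ldap_url(url: str) -> LdapUrl:
    """Parse an RFC 4516 URL: scheme://[host[:port]]/dn?attrs?scope?filter?exts."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    hostport, _, tail = rest.partition("/")
    host, port = _split_hostport(hostport)
    parts = tail.split("?")
    parts += [""] * (5 - len(parts))                  # pad absent components
    dn, attrs, scope, filt, exts = parts[:5]
    scope = unquote(scope).lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"bad scope {scope!r}")
    return LdapUrl(
        scheme=scheme.lower(),
        host=host,
        port=port,
        dn=unquote(dn),
        attributes=[unquote(a) for a in attrs.split(",") if a],
        scope=scope,
        filter=unquote(filt) or "(objectClass=*)",
        extensions=[unquote(e) for e in exts.split(",") if e],
    )


def with_host(url: str, host: str, port: int | None = None) -> str:
    """Return the same URL but pointed at an explicit LDAP server."""
    scheme, _, rest = url.partition("://")
    _, _, tail = rest.partition("/")
    hostport = host if port is None else f"{host}:{port}"
    return f"{scheme}://{hostport}/{tail}"


def rdns(dn: str) -> list[str]:
    """Split a DN into RDNs, ignoring backslash-escaped commas."""
    return [r.strip() for r in re.split(r"(?<!\\),", dn)]


def in_configuration_partition(dn: str) -> bool:
    """True if the object lives under CN=Configuration,DC=..., the forest-wide
    partition that every domain controller in the forest holds a replica of."""
    parts = [r.lower() for r in rdns(dn)]
    if "cn=configuration" not in parts:
        return False
    i = parts.index("cn=configuration")
    return i > 0 and all(p.startswith("dc=") for p in parts[i + 1:])


def is_ad_cdp(dn: str) -> bool:
    """True if DN is under CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration."""
    parts = [r.lower() for r in rdns(dn)]
    expected = ["cn=cdp", "cn=public key services", "cn=services", "cn=configuration"]
    if "cn=cdp" not in parts:
        return False
    i = parts.index("cn=cdp")
    return parts[i:i + 4] == expected and in_configuration_partition(dn)


if __name__ == "__main__":
    u = parse_ldap_url(PAGE_CDP_URL)
    print("host:", repr(u.host), "(empty => device's LDAP Server setting is used)")
    print("attribute:", u.attributes, "scope:", u.scope, "filter:", u.filter)
    print("CDP in configuration partition:", is_ad_cdp(u.dn))
    print("explicit DC form:", with_host(PAGE_CDP_URL, "192.168.1.2"))
```

Run with no arguments to see the page's URL broken into its parts; `with_host` produces exactly the explicit-server form given in the reply. Because the parser only needs the standard library it can be used on any CDP string pulled from a certificate before it is pasted into a device, which is a cheap way to confirm the DN really is in the configuration partition and to spot a URL that silently depends on whichever LDAP server the device has been told to use.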