What Type of CA is the better ?
Park Duck Chang
Guest





Posted: Mon Oct 10, 2005 8:51 am    Post subject: What Type of CA is the better ?

Hi, all experts.
I wonder what type of CA is the best choice.
As far as I know, both Enterprise Root CA and Stand-alone CA are available for LCS 2005.
Our AD domain doesn't have a CA server at all; there is no PKI infrastructure.
So I think that if our AD domain is going to have a PKI infrastructure, then my better choice is an Enterprise Root CA.
But if there is no requirement for PKI except LCS, then a Stand-alone CA is the better choice.
Am I wrong? Somebody tell me which is better.

Bob Christian
Guest





Posted: Tue Oct 11, 2005 8:51 pm    Post subject: Re: What Type of CA is the better ?

Park -
Another option is to obtain an external cert from one of the external
vendors, such as Geotrust or VeriSign.
An external certificate helps clear up the issues ensuring that your clients
trust certificate chains.
Regarding a certificate server, I have always liked installing the
certificate server as an Enterprise Root CA on Windows 2003 Enterprise
Edition server.

Microsoft has an excellent guide on configuring certificates:
Live Communications Server 2005 Document: Configuring Certificates
http://www.microsoft.com/downloads/details.aspx?FamilyId=779DEDAA-2687-4452-901E-719CE6EC4E5A&displaylang=en

--
Bob Christian II
http://bobchristian.blogspot.com - Blog

Park Duck Chang
Guest





Posted: Wed Oct 12, 2005 8:51 am    Post subject: Re: What Type of CA is the better ?

Thanks, Bob!
But my client doesn't want to pay for an external certificate.
In the end, I installed a Stand-alone CA on Windows Server 2003 EE because of some political problem.

I will implement Access Proxy for remote users. If I run into further technical issues, I will ask for your help again.

Anyway, thanks for your kindness.

Bob Christian
Guest





Posted: Wed Oct 12, 2005 4:51 pm    Post subject: Re: What Type of CA is the better ?

Your main issue will be that you will experience some issues with the
certificate chain and getting the clients to trust it. Expectations are that
you already have the MTLS configured for routing between the home server and
Access Proxy.

Once the clients trust the certificate and certificate chain, they should be
able to log into the Access Proxy via TLS without a problem.

--
Bob Christian II
http://bobchristian.blogspot.com - Blog

Park Duck Chang
Guest





Posted: Thu Oct 13, 2005 12:51 pm    Post subject: Re: What Type of CA is the better ?

Thanks, Bob.

We will create a setup module for Office Communicator 2005 deployment. This setup module will contain a batch file that has the "certmgr.exe" command.

I have already tested this setup module successfully.

Your advice is so helpful to me. Thanks.

Bob Christian
Guest





Posted: Thu Oct 13, 2005 4:51 pm    Post subject: Re: What Type of CA is the better ?

Excellent! If you have directions, could you please post those for the
folks that may find this message searching the net or searching Google
Groups?

Thanks!!!

Bob

--
Bob Christian II
MVP - LCS
http://bobchristian.blogspot.com - Blog

Park Duck Chang
Guest





Posted: Fri Oct 14, 2005 8:51 am    Post subject: Re: What Type of CA is the better ?

Sure, but it's just my TEST, and I'm Korean (-_- !)

Below is the method for installing the certificate chain on clients that I have tried.

1. Create a *.p7b file for the CA certificate chain.
This is possible from the CA site (http://CAServer/Certsrv/); you can easily access it locally on the CA server.

Access the CA site and click the hyperlink (menu) "download CA Certificate, Certificate Chain, CRL".
On the next page, click the hyperlink (menu) "download Certificate Chain"; the File Save dialog box will then open.
Save the *.p7b file.

2. Create a batch file with "Certmgr.exe".
Because you have the certificate chain file, you can create a deployment batch file with the following command.

"certmgr.exe -add -all "c:\MyCACertChain.p7b" -s -r localMachine Root"

3. Deploy the batch file with some setup module.

4. If the client installs the batch file, the client trusts all certificates from your CA.

Check the Certificate snap-in on the clients.

The Certificate snap-in (Current Account and Computer Account) has your CA at the Trusted Root Certificate Authorities node.

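A pre-deployment check for the procedure in the post above, as an added PowerShell example that is not part of the original posts: it reads the .p7b file, confirms that every certificate in it is a currently valid CA certificate, compares the root's SHA-256 fingerprint with a value read on the CA server, and only then adds the root to the machine's Trusted Root store. It goes beyond the certmgr command in the thread by placing any intermediate certificates in the Intermediate store instead of Root; the file path, the fingerprint placeholder and the function names are assumptions.

```powershell
# Added example, not code from the thread. $ChainPath and $ExpectedRootSha256
# are assumptions: supply your own file and the fingerprint read on the CA server,
# obtained over a channel other than the one that delivered the .p7b file.
param(
    [string]$ChainPath = 'C:\MyCACertChain.p7b',
    [string]$ExpectedRootSha256 = '<PLACEHOLDER: SHA-256 fingerprint of your root CA>',
    [switch]$Install    # without -Install the script only verifies and reports
)
$ErrorActionPreference = 'Stop'

function Get-Sha256Fingerprint($Cert) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { $hash = $sha.ComputeHash($Cert.RawData) } finally { $sha.Dispose() }
    return ([System.BitConverter]::ToString($hash) -replace '-', '')
}

function Test-IsSelfIssued($Cert) {
    # On a root certificate the subject and issuer names are byte-identical.
    $subject = [System.BitConverter]::ToString($Cert.SubjectName.RawData)
    $issuer  = [System.BitConverter]::ToString($Cert.IssuerName.RawData)
    return ($subject -eq $issuer)
}

function Test-IsCaCertificate($Cert) {
    # Basic Constraints (OID 2.5.29.19) must be present with CA = TRUE.
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.19') {
            $bc = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension($ext, $ext.Critical)
            return $bc.CertificateAuthority
        }
    }
    return $false
}

function Add-ToMachineStore($StoreName, $Cert) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')    # requires an elevated session
    try {
        $store.Add($Cert)
        # Confirm the certificate is present instead of assuming success.
        $found = $store.Certificates.Find('FindByThumbprint', $Cert.Thumbprint, $false)
        if ($found.Count -eq 0) { throw "Install failed for $($Cert.Subject)" }
    } finally { $store.Close() }
}

# Read every certificate contained in the PKCS #7 (.p7b) file.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import($ChainPath)
if ($chain.Count -eq 0) { throw "No certificates found in $ChainPath" }

# A CA chain file should hold CA certificates only, all inside their validity period.
$now = Get-Date
foreach ($c in $chain) {
    if (-not (Test-IsCaCertificate $c)) { throw "Not a CA certificate: $($c.Subject)" }
    if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) {
        throw "Outside its validity period: $($c.Subject)"
    }
}

$roots         = @($chain | Where-Object { Test-IsSelfIssued $_ })
$intermediates = @($chain | Where-Object { -not (Test-IsSelfIssued $_) })
if ($roots.Count -ne 1) { throw "Expected exactly one root, found $($roots.Count)" }
$root = $roots[0]

# Pin the root: the unedited placeholder never yields 64 hex digits, so it fails closed.
$expected = ($ExpectedRootSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$actual   = Get-Sha256Fingerprint $root
if ($expected.Length -ne 64 -or $expected -ne $actual) {
    throw "Root fingerprint mismatch; the file contains $actual ($($root.Subject))"
}

if ($Install) {
    Add-ToMachineStore 'Root' $root                                  # Trusted Root store
    foreach ($c in $intermediates) { Add-ToMachineStore 'CA' $c }    # Intermediate store
    "Installed root $actual ($($root.Subject))"
} else {
    "Chain verified, root $actual; re-run with -Install to add it to the machine stores"
}
```

Running it without -Install on a test client first shows which certificates the chain file would make trusted machine-wide.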
Jacques
Guest





Posted: Tue Nov 08, 2005 5:51 pm    Post subject: Re: What Type of CA is the better ?

Hi,
I've read this message with great interest. I have a Windows 2003 server and I have to find the file certmgr.exe, but this file does not seem to exist on the server. Did the file name and options change with Windows 2003?
Thank you
Jacques

Park Duck Chang
Guest





Posted: Wed Nov 09, 2005 9:51 am    Post subject: Re: What Type of CA is the better ?

If you have installed VS.NET 2003, you can find certmgr.exe at C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Bin

You can just copy certmgr.exe from another computer with VS.NET 2003 and include certmgr.exe in your setup file.
Then it will work well on the client computer (Windows XP or Windows 2003).

Thanks for encouraging me...-_-


--
To Be System Architect

Jacques
Guest





Posted: Wed Nov 09, 2005 9:51 pm    Post subject: Re: What Type of CA is the better ?

Thank you
Jacques

All times are GMT