Branch office demand-dial connection

To use certificates for a two-way initiated, mutually authenticated, demand-dial configuration between two routers in the same organization (in this example, a branch office router and a corporate office router), you must perform the following:

Configuring the calling and answering routers for demand-dial routing

Configure the Windows 2000 calling and answering routers as described in Deploying demand-dial routing for dial-up demand-dial routing or Deploying router-to-router VPNs for VPN demand-dial routing.

Installing a computer certificate on the corporate office router

In order to configure EAP-TLS on the corporate office router, you must install a computer certificate (also known as a machine certificate). In order to install a computer certificate, a certificate authority must be present to issue certificates. Once the certificate authority is configured, you can install the certificate in one of two ways: through auto-enrollment, or manually through Certificate Manager (both are covered in the steps below).

Based on the certificate policies in your organization, you need to perform only one of these two enrollment methods.

To configure a certificate authority and install the computer certificate, perform the following steps:

  1. Install the Windows 2000 Certificate Services component as an enterprise root certificate authority. This step is only necessary if you do not already have an enterprise root certificate authority (CA).
    1. If necessary, promote the computer that will be a CA to a domain controller (DC). For more information, see To install a domain controller
    2. Install the Windows 2000 Certificate Services component as an enterprise root CA. For more information, see To install an enterprise root certification authority
  2. Configure the CA to issue router (offline request) certificates. For more information, see To establish the certificate types that an enterprise certification authority can issue
  3. To auto-enroll machine certificates, configure the Windows 2000 domain. For more information, see To configure automatic certificate allocation from an enterprise CA
  4. To create a computer certificate for the calling or answering router that is a member of the domain for which auto-enrollment has been configured (as well as other computers that are members of the domain), restart the computer or type secedit /refreshpolicy machine_policy from a Windows 2000 command prompt.
  5. To manually enroll machine certificates, use Certificate Manager to install the CA root certificate. For more information, see To manage certificates for a computer and To request a certificate

Configuring the domain for Web-based certificate enrollment

In order for the CA to issue certificates for the calling router, you must configure the Windows 2000 domain for Web-based enrollment. For more information, see To set up certification authority Web enrollment support

Creating user accounts and exporting certificates

To create dial-in and dial-out user accounts and export certificates, do the following:

  1. Log on as a domain administrator.
  2. Create a user account that the corporate office router will use when it dials the branch office router (the dial-out account). For more information, see To add a user account
  3. Obtain a router (offline request) certificate for the dial-out account from the certificate authority through Web-based enrollment. For more information, see To install a router (offline request) certificate
  4. Export the router (offline request) certificate for the dial-out account to a .cer file. For more information, see To export a certificate. Within the Certificate Manager Export wizard, do not export the private key.
  5. Map the newly created router (offline request) certificate (the .cer file) to the dial-out user account. For more information, see To map a certificate to a user account
  6. Export the router (offline request) certificate of the dial-out account to a .pfx file. For more information, see To export a certificate. Within the Certificate Manager Export wizard, export the private key, click Delete the private key if the import is successful, and select the option to Include all certificates in the certification path if possible.
  7. Create a user account that the branch office router will use when it dials the corporate office router (the dial-in account). For more information, see To add a user account
  8. Obtain a router (offline request) certificate for the dial-in account from the certificate authority through Web-based enrollment. For more information, see To install a router (offline request) certificate
  9. Export the router (offline request) certificate for the dial-in account to a .cer file. For more information, see To export a certificate. Within the Certificate Manager Export wizard, do not export the private key.
  10. Map the newly created router (offline request) certificate (the .cer file) to the dial-in user account. For more information, see To map a certificate to a user account
  11. Export the router (offline request) certificate of the dial-in account to a .pfx file. For more information, see To export a certificate. Within the Certificate Manager Export wizard, export the private key and click Delete the private key if the import is successful. Save this file to a floppy disk to send to the network administrator at the branch office.
  12. Send the floppy disk that contains the dial-in account user certificate file to the network administrator at the branch office.
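A check for the exports made in steps 4, 6, 9 and 11, added here and not part of the Windows 2000 documentation: it confirms that the .cer file carries no private key, that the .pfx file carries the private key (and, where that option was chosen, the CA chain) for the same certificate, and that the certificate is unexpired and has the Client Authentication EKU that EAP-TLS requires of a client certificate. The file paths are placeholders, and the script assumes a .NET-based PowerShell on the administrator's workstation rather than the Windows 2000 router itself.

```powershell
# Added check, not part of the Windows 2000 documentation: confirm that the
# .cer and .pfx exports from the procedure above have the expected contents.
# The paths are placeholders; point them at the files you exported.
param(
    [string]$CerPath = 'C:\certs\dialin-router.cer',   # placeholder path
    [string]$PfxPath = 'C:\certs\dialin-router.pfx'    # placeholder path
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU needed by EAP-TLS

# 1. The .cer export is the public certificate only: it must not hold a key.
$cer = New-Object -TypeName "$x509.X509Certificate2"
$cer.Import($CerPath)
if ($cer.HasPrivateKey) { throw "$CerPath unexpectedly contains a private key" }

# 2. The .pfx export must hold the private key; load it with its password,
#    converting the SecureString only for the duration of the import.
$secure = Read-Host -AsSecureString -Prompt "Password for $PfxPath"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$bundle = New-Object -TypeName "$x509.X509Certificate2Collection"
$flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$bundle.Import($PfxPath, $plain, $flags)
$plain  = $null

$leaf = $bundle | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $leaf) { throw "$PfxPath holds no private key; re-export and choose to export the private key" }
if ($leaf.Thumbprint -ne $cer.Thumbprint) { throw 'The .cer and .pfx files are different certificates' }

# 3. "Include all certificates in the certification path" places the CA chain in the .pfx.
if ($bundle.Count -lt 2) { Write-Warning "$PfxPath does not include the CA chain" }

# 4. The certificate must still be valid and carry the Client Authentication EKU.
if ($leaf.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($leaf.NotAfter)" }
$eku = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
if (-not $hasClientAuth) { throw 'Certificate lacks the Client Authentication EKU' }

"OK: $($leaf.Subject) (thumbprint $($leaf.Thumbprint)) exported as expected"
```

Run it on the administrator's workstation before the .pfx file leaves the corporate office; a failure on any check means the export should be redone rather than sent.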

Importing the dial-out certificate on the corporate office router

On the corporate office router, import the user certificate for the dial-out account. For more information, see To import a certificate

Configuring the corporate office router to support certificate-based authentication

To configure the corporate office router for certificate-based authentication as an answering router, see To configure the answering router for certificate-based EAP

To configure the corporate office router for certificate-based authentication as a calling router, see To configure the calling router for certificate-based EAP

Importing the certificate on the branch office router

Upon receipt at the branch office of the floppy disk that contains the certificate file from the corporate office, import the user certificate for the dial-in account. For more information, see To import a certificate

Configuring the branch office router to support certificate-based authentication

To configure the branch office router for certificate-based authentication as a calling router, see To configure the calling router for certificate-based EAP

Connecting to the corporate office and joining the organization domain

To connect to the corporate office and join the organization domain, do the following:

  1. From the branch office, connect to the corporate office by right-clicking the demand-dial interface, and then clicking Connect.
  2. Once connected, the branch office router joins the domain through the Network Identification tab (in the properties of My Computer).
  3. After joining the domain, restart the branch office router.
  4. After restarting the branch office router, connect to the corporate office router again.
  5. Once connected, the branch office router receives domain policy and a machine certificate (if auto-enrollment of machine certificates is configured). If auto-enrollment of machine certificates is not configured, obtain a machine certificate through Certificate Manager. For more information, see To manage certificates for a computer and To request a certificate
  6. Once a machine certificate is obtained, configure the branch office router for certificate-based authentication as an answering router. For more information, see To configure the answering router for certificate-based EAP

At this point, you can install a domain controller in the branch office by using the demand-dial connection to the corporate office. For more information on installing a Windows 2000 domain controller, see Checklist: Installing a domain controller
