PKI - Best practices for High Availability or Balancing of CRL and NDES services

Question

PKI - Best practices for High Availability or Balancing of CRL and NDES services

49885604 235

Hi all,
In order to configure the Certification Authority services in High Availability or Balancing I need to know:

-What is recommended for the CRL in terms of HA or Balancing configurations? Could I add a further CRL server used for certificate revocation? (for example: i could create a new DNS record and new CDP record for all IssuingCA)

-What is recommended for NDES in terms of HA or Balancing configurations? It seems that only one Issuing CA can be targeted for the NDES service. Is it correct?

Can you help me with Microsoft Best Practices dedicated to these specific topics?

Kind regards,

Alessio.

1 answer

Your answer

Answer 1

Thameur-BOURBITA 36,506 Moderator

Hi @49885604

-What is recommended for the CRL in terms of HA or Balancing configurations? Could I add a further CRL server used for certificate revocation? (for example: i could create a new DNS record and new CDP record for all IssuingCA)

It's recommended to publish crl on a web server http. This server should be high available. Regarding the DNS record , I recommend to create a alias in order to simplyfy server migration when you need to upgrade OS for example.

You can alse use multiple web server to ensure the high availabilityL.

You can refer t the follow link to get more details about CRL best practice:

PKI Best Practices

-What is recommended for NDES in terms of HA or Balancing configurations? It seems that only one Issuing CA can be targeted for the NDES service. Is it correct?

Can you help me with Microsoft Best Practices dedicated to these specific topics?

I invite you to read the following link :

NDES Security Best Practices

Please don't forget to accept helpful answer

Thameur-BOURBITA 36,506 Reputation points Moderator

2023-12-16T12:41:12.3166667+00:00

Hi @49885604

Just checking if there is any progress.

Please don't forget to accept helpful answer
49885604 235 Reputation points

2023-12-19T08:00:07.49+00:00

Hi Thameur-BOURBITA, thanks for your reply but I didn't find anything regarding the NDES service in HA or in Balancing in this article: NDES Security Best Practices

Can you help me again?

Alessio
Thameur-BOURBITA 36,506 Reputation points Moderator

2023-12-19T09:52:09.29+00:00

Hi @49885604 •

Unfortunately ,there is not an option out of the box to support clustering or load balancing of the NDES.

You can install many servers NDES and configure network load balancing, but it cannot ensure the high availabilty because when the active node which generates the one time passphrase is down , the devices will fail enrollment because the second node havent't the passphrase.

To get more details I invite your to read the following link:

Network Device Enrollment Services (NDES) Frequently Asked Questions (FAQ): - TechNet Articles - United States (English) - TechNet Wiki

Please don't forget to accept helpful answer and close the thread
49885604 235 Reputation points

2023-12-20T08:53:13.12+00:00

Hi Thameur-BOURBITA,

thanks for your reply, for the last explanation and article, I'll check it and I'll send you my idea of NDES in HA.

Kind regards,

Alessio.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Thameur-BOURBITA 36,506 Reputation points Moderator

2023-12-26T09:54:34.52+00:00

Hi @49885604

Just checking if there is any progress!

Please don't forget to accept helpful answer and close this thread
49885604 235 Reputation points

2023-12-28T09:53:07.06+00:00

Hi @Thameur-BOURBITA ,
Regarding my idea of HA\Balancing, I attached the diagram of what I'd like to implement.

The OCSP Array would have two IssuingCA Servers available for certificate revocation, through the DNS record the MDM platform could point to both NDES servers and each of them can point the related IssuingCA. So I would have two distinct channels.

In case I lost an NDES node I would have the other channel available for certificate enrollment, the problem would be if I lost an IssuingCA in my infrastructure, because the NDES server is not able to point two IssuingCAs at the same time (Considering your article I don't think we can use another DNS record to allow NDES server to point two IssuingCA servers).

What do you think about it?

SolutionNDES_HA-Balancing.png

Share via

PKI - Best practices for High Availability or Balancing of CRL and NDES services

1 answer

Your answer