Always On RAS+VPN, use certificate that is already deployed

Lenny 1 Reputation point

Hello everyone,

I need your help, because when it comes to certificates... I'm losing my mind.

Well, here is the context:

I need to deploy the Always On VPN solution, using a RAS server in a DMZ and an NPS server in the classic LAN.

The connection works successfully while using user + password, so the main configuration / network etc. is OK.

But I need to only accept connections via certificate, AND to use a certificate that is already deployed on all computers of the domain.

Going through the different docs about Always On VPN, they're always creating new certificates, but in my case I need to use a certificate that is already deployed.

So:

I have a certificate on a domain-joined computer. How can I use it and tell my NPS server that THIS certificate is the one needed to establish the connection? Is it even possible to not create a new certificate?

Thanks a lot for your help guys !


1 answer

  1. Limitless Technology 39,436 Reputation points

    Hi @LennyBendahmane-6418

    If you're using domain CA, NPS, and auto-enrollment, then I'm assuming your clients are domain members. You could set the Network Policy condition to require a domain group (Domain Users/Computers or a custom "Trusted Users/Devices" AD group).

    Technically, a domain member could still connect via a foreign cert from a trusted CA, but it will protect against an outsider with a foreign cert.

    Here's a guide to managing NPS certificates:

    --If the reply is helpful, please Upvote and Accept as answer--

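As an added example (not part of the question or the answer above), the following PowerShell inventories the certificates already present in a domain-joined client's machine store and reports which of them meet the two properties an EAP-TLS client certificate must have: an explicit Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) and a chain that builds to a root the client trusts (the NPS server must trust the same root). Running this on one of the clients answers the "which deployed certificate can I use" part of the question before any NPS policy is touched. The store path, the EKU OID and the template-information OIDs are standard Windows values; everything else, including the output column names, is this example's own choice.

```powershell
# Added example: list existing machine certificates that are usable for EAP-TLS.
# Assumptions: run in an elevated PowerShell on a domain-joined client; the
# certificates of interest were auto-enrolled into the local machine's Personal store.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'                        # Client Authentication EKU
$templateOids  = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')  # template info (v2) / template name (v1)

function Get-EapTlsCandidateCertificate {
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_

        # Read the EKU extension; a cert without an explicit Client Authentication
        # purpose is reported as not usable so the admin does not pick it by mistake.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus = @()
        if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        $hasClientAuth = $ekus -contains $clientAuthOid

        # Identify which AD CS template issued the cert, if the extension is present.
        $template = $cert.Extensions |
            Where-Object { $templateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) } |
            Select-Object -First 1

        # Build the chain with the machine's current trust settings; this is the
        # same trust decision NPS has to make, so a chain that fails here will
        # fail on the server side as well.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainBuilds = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Template      = $template
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEKU = $hasClientAuth
            ChainBuilds   = $chainBuilds
            ChainStatus   = $chainStatus
        }
    }
}

# Only certificates that satisfy all three requirements are worth pointing the
# VPN profile at; the rest are shown separately so the gaps are visible.
$all = Get-EapTlsCandidateCertificate
Write-Host "Usable for EAP-TLS:"
$all | Where-Object { $_.ClientAuthEKU -and $_.HasPrivateKey -and $_.ChainBuilds } |
    Format-Table Subject, Issuer, Template, NotAfter, Thumbprint -AutoSize
Write-Host "Not usable (missing EKU, key, or trust chain):"
$all | Where-Object { -not ($_.ClientAuthEKU -and $_.HasPrivateKey -and $_.ChainBuilds) } |
    Format-Table Subject, Template, ClientAuthEKU, HasPrivateKey, ChainStatus -AutoSize
```

The Template column is the useful link back to the answer's advice: once you know which template the already-deployed certificate came from, the NPS network policy can keep using a Windows Groups condition for the "who may connect" decision while the EAP-TLS constraint takes care of "must present a certificate from our CA", with no new enrollment required.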