Business Partner Demand-Dial Connection
Updated: April 30, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
To use certificates for a two-way initiated, mutually authenticated, demand-dial configuration between two business partners (in this example, Company A and Company B), you must perform the following:
Configure the calling and answering routers for demand-dial routing.
Install computer certificates on the calling router and answering router computers.
Configure the domain for Web-based certificate enrollment.
At Company A, create a user account for the Company B router and export a certificate for the user account.
At Company B, create a user account for the Company A router and export a certificate for the user account.
At Company A, import the certificate from Company B.
Configure the Company A router to support certificate-based authentication as a calling router and as an answering router.
At Company B, import the certificate from Company A.
Configure the Company B router to support certificate-based authentication as a calling router and as an answering router.
For information about creating and deploying certificates, see Core Network Companion Guide: Deploying Server Certificates and Core Network Companion Guide: Deploying Computer and User Certificates.
Configuring the calling and answering routers for demand-dial routing
Configure the Routing and Remote Access calling and answering routers as described in previous tasks under Deploying VPN Site-to-Site Access.
Installing computer certificates on the calling router and answering router computers
To use EAP-TLS, a computer certificate (also known as a machine certificate) must be installed on the authenticating server and the remote access client. In order to install a computer certificate, a certification authority (CA) must be present to issue certificates. After the certification authority is configured, you can install a certificate in three different ways:
By configuring the automatic enrollment, or autoenrollment, of computer certificates to computers in a Windows Server 2003 domain.
By using the Certificates snap-in to obtain a computer certificate.
By using your browser to connect to the CA Web enrollment pages to install a certificate on the local computer or to a floppy disk for installation on another computer, such as non-domain member computers that cannot obtain a certificate through autoenrollment.
Based on the certificate policies in your organization, you need to use only one of these enrollment methods.
To configure a certification authority and install the computer certificate, perform the following steps:
Install the Certificate Services component as an enterprise root CA. This step is necessary only if you do not already have an enterprise root CA.
If necessary, promote the computer that will be a CA to a domain controller (DC).
Install the Certificate Services component as an enterprise root CA.
Configure the CA to issue certificates that permit exportable keys. To do so, you must clone and rename the router (offline request) template, choose to make the keys exportable, and add the new template to the templates the CA can use to issue certificates.
Do one of the following:
To auto-enroll computer certificates, configure the domain.
To create a computer certificate for the calling or answering router that is a member of the domain for which auto-enrollment is configured (as well as other computers that are members of the domain), restart the computer or type gpupdate /Target:Computer /Force from the command prompt.
To manually enroll computer certificates, use the Certificates snap-in or the CA Web enrollment pages to install the CA root certificate.
In order for the CA to issue certificates for the calling router, you must configure the domain for Web-based enrollment.
Creating a user account and exporting its certificate for the Company B router
To create a dial-in user account for the Company B router and export the user certificate of the user account, do the following:
Log on as a domain administrator.
Create a user account that the Company B router will use when it dials the Company A router. For more information, see Configure Router User Accounts.
Obtain a certificate that has an exportable key from the certification authority through Web-based enrollment. This certificate might be called router (offline request), or have another name.
Export the certificate to a .cer file. Within the Certificates snap-in Export wizard, do not export the private key.
Map the newly created certificate (the .cer file) to the user account that was created for the Company B router.
Export the certificate to a .pfx file. Within the Certificates snap-in Export wizard, export the private key, select the Delete the private key if the import is successful check box, and click Include all certificates in the certification path if possible. Save this file to a floppy disk to send to the network administrator at Company B.
Send the floppy disk that contains the Company B dial-in account user certificate file to the network administrator at Company B.
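The export and mapping steps above, scripted as an added example (this is not code from the original article or from Windows; it drives the same .NET X509 classes the Certificates snap-in uses, on Windows PowerShell 2.0 as shipped with Windows Server 2008 R2). The subject CN, the dial-in account DN, the output path and the file names are assumptions. It writes the .cer without the private key, writes the .pfx with the key and the issuing chain, verifies both files before the disk leaves the building, appends the certificate mapping to the account's altSecurityIdentities attribute in the form the Name Mappings dialog writes, and finally removes the local copy of the certificate. The mirror-image procedure for the Company A router account at Company B is the same script with the other names.

```powershell
# Added example, not from the original article. Export the router certificate enrolled for the
# partner's dial-in account as .cer (public only) and .pfx (key + chain), verify, map, clean up.
param(
    [string]$SubjectCN = 'CompanyB-Router',                                          # assumed CN of the enrolled certificate
    [string]$UserDN    = 'CN=RouterCompanyB,OU=PartnerRouters,DC=companya,DC=local',  # assumed dial-in account
    [string]$OutDir    = 'A:\'                                                       # floppy, as the article describes
)
$ErrorActionPreference = 'Stop'

# 1. Locate the enrolled certificate, with its private key, in the current user's store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.Subject -like "CN=$SubjectCN*" -and $_.HasPrivateKey } | Select-Object -First 1
$store.Close()
if (-not $cert) { throw "No certificate with a private key found for CN=$SubjectCN" }

# 2. .cer: DER-encoded certificate only. The private key never leaves the machine in this file.
$cerPath = Join-Path $OutDir "$SubjectCN.cer"
[IO.File]::WriteAllBytes($cerPath, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# 3. .pfx: private key plus the issuing chain ("Include all certificates in the certification path").
#    Export fails with "Key not valid for use in specified state" when the template did not allow exportable keys.
$secure   = Read-Host -AsSecureString 'Password to protect the .pfx'
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'      # we only want the chain elements, not an online CRL fetch
$null = $chain.Build($cert)
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
foreach ($element in $chain.ChainElements) { $null = $bundle.Add($element.Certificate) }
$pfxPath = Join-Path $OutDir "$SubjectCN.pfx"
[IO.File]::WriteAllBytes($pfxPath, $bundle.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password))

# 4. Verify the files: the .cer must carry no key, the .pfx exactly one key, and it must be ours.
$cerCheck = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if ($cerCheck.HasPrivateKey) { throw '.cer unexpectedly carries a private key' }
$pfxCheck = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$pfxCheck.Import($pfxPath, $password, 'DefaultKeySet')   # DefaultKeySet: key is not persisted by this check
$withKey = @($pfxCheck | Where-Object { $_.HasPrivateKey })
if ($withKey.Count -ne 1 -or $withKey[0].Thumbprint -ne $cert.Thumbprint) { throw '.pfx does not contain the router key' }
"$pfxPath : $($pfxCheck.Count) certificate(s), key thumbprint $($cert.Thumbprint)"

# 5. Map the certificate to the dial-in account. The Name Mappings dialog in Active Directory Users and
#    Computers writes altSecurityIdentities as X509:<I>issuer<S>subject with both DNs root-component first
#    and no space after the commas; compare with an existing mapping in your forest before relying on it.
$dnFlags = [System.Security.Cryptography.X509Certificates.X500DistinguishedNameFlags]::None
$issuer  = $cert.IssuerName.Decode($dnFlags)  -replace ',\s+', ','
$subject = $cert.SubjectName.Decode($dnFlags) -replace ',\s+', ','
$mapping = "X509:<I>$issuer<S>$subject"
$user = [ADSI]"LDAP://$UserDN"
$user.PutEx(3, 'altSecurityIdentities', @($mapping))     # 3 = ADS_PROPERTY_APPEND, keeps existing mappings
$user.SetInfo()
"Mapped $mapping to $UserDN"

# 6. Equivalent of "Delete the private key if the import is successful": drop the local copy now that the
#    .pfx has been verified, so that only the partner's router ends up holding this key.
$store.Open('ReadWrite')
$store.Remove($cert)
$store.Close()
```

Removing the certificate from the store is what the script can verify; the wizard's checkbox also deletes the key container, so a cautious operator follows up with certutil -delkey on the container name shown by certutil -user -store My. The .pfx password travels separately from the floppy, by a channel the partner administrator can authenticate.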
Creating a user account and exporting its certificate for the Company A router
To create a dial-in user account for the Company A router and export the user certificate of the user account, do the following:
Log on as a domain administrator.
Create a user account that the Company A router will use when it dials the Company B router. For more information, see Configure Router User Accounts.
Obtain a certificate that has exportable keys from the certification authority through Web-based enrollment. This certificate might be called router (offline request), or it might have another name.
Export the certificate to a .cer file. Within the Certificates snap-in Export wizard, do not export the private key.
Map the newly created certificate (the .cer file) to the user account created for the Company A router.
Export the certificate to a .pfx file. Within the Certificates snap-in Export wizard, export the private key, select the Delete the private key if the import is successful check box, and click Include all certificates in the certification path if possible. Save this file to a floppy disk to send to the network administrator at Company A.
Send the floppy disk that contains the Company A dial-in account user certificate file to the network administrator at Company A.
Importing the certificates from Company B
When the floppy disk that contains the certificate file from Company B arrives at Company A, import the user certificate on the Company A router.
Configuring the Company A router to support certificate-based authentication
To configure the Company A router for certificate-based authentication as an answering router, see Configure the Answering Router for Certificate-based EAP.
To configure the Company A router for certificate-based authentication as a calling router, see Configure the Calling Router for Certificate-based EAP.
Importing the certificates from Company A
When the floppy disk that contains the certificate files from Company A arrives at Company B, import the user certificate on the Company B router.
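The import step, for both the Company A and the Company B side, as an added example (not code from the original article or from Windows; Windows PowerShell 2.0 with the .NET X509 classes, as on Windows Server 2008 R2). The file name, the thumbprint placeholder and the target store are assumptions. Beyond what the article states, it checks the received certificate against a thumbprint that the partner administrator confirmed through a second channel, because a floppy in the mail proves nothing about who produced it, installs only the certificate that carries the private key, and then reports whether the partner's CA chain is trusted on this router, which EAP-TLS requires.

```powershell
# Added example, not from the original article. Import the partner's router certificate from the
# received .pfx after binding it to a thumbprint exchanged out of band.
param(
    [string]$PfxPath            = 'A:\CompanyA-Router.pfx',                                # assumed file name on the floppy
    [string]$ExpectedThumbprint = '<thumbprint confirmed with the partner by phone or signed mail>',
    [string]$StoreLocation      = 'CurrentUser'                                            # profile of the account the connection dials under
)
$ErrorActionPreference = 'Stop'

$secure   = Read-Host -AsSecureString 'Password for the .pfx'
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Load every certificate in the file. PersistKeySet keeps the private key after import; a
# LocalMachine store needs the key in the machine key set rather than the user profile.
$flagType = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$flags = $flagType::PersistKeySet
if ($StoreLocation -eq 'LocalMachine') { $flags = $flags -bor $flagType::MachineKeySet }
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($PfxPath, $password, $flags)

$leaf = @($bundle | Where-Object { $_.HasPrivateKey })
if ($leaf.Count -ne 1) { throw "Expected exactly one certificate with a private key, found $($leaf.Count)" }
$leaf = $leaf[0]

# Bind the import to a value obtained through a channel other than the disk itself.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
if ($leaf.Thumbprint -ne $expected) { throw "Thumbprint $($leaf.Thumbprint) does not match the expected value $expected" }
if ($leaf.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($leaf.NotAfter)" }

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $StoreLocation)
$store.Open('ReadWrite')
$store.Add($leaf)
$store.Close()
"Imported $($leaf.Subject) ($($leaf.Thumbprint)) into $StoreLocation\My"

# The other certificates in the file are the partner's CA chain. EAP-TLS succeeds only if that CA is
# trusted here; report the state, but leave installing a partner root as a deliberate, separate step.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($leaf)) {
    'Chain builds to a trusted root.'
} else {
    'Chain does NOT build to a trusted root:'
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation)" }
    $bundle | Where-Object { -not $_.HasPrivateKey } | ForEach-Object { "  shipped in the .pfx: $($_.Subject)" }
}
```

Run it in the profile of the account that Routing and Remote Access uses to dial, or with -StoreLocation LocalMachine from an elevated prompt when the connection is configured to use the machine's store; the thumbprint check is the part of the import that the wizard does not do for you.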
Configuring the Company B router to support certificate-based authentication
To configure the Company B router for certificate-based authentication as an answering router, see Configure the Answering Router for Certificate-based EAP.
To configure the Company B router for certificate-based authentication as a calling router, see Configure the Calling Router for Certificate-based EAP.