Hi, I’ve been trying to configure a secure VPN for our workers to access the domain network from outside our headquarters using their laptops.
So at the office we have a DSL router, and we can forward any port to the server if needed. At present we just have port 1723 forwarded to the DC, as needed for the VPN connection.
On the DC server, running W2K3 Server R2, we have installed Active Directory, IIS, IAS and Certificate Services. I’m trying to deploy L2TP connections as I read that it’s the safest implementation by using user or computer certificates. It seems that with SP2 of Windows XP Pro, it’s possible to make L2TP connections from behind a DSL router (it uses NAT to share the public IP address).
I’ve disabled all PPTP connections in Routing and remote access manager, so the clients must use L2TP to access the VPN.
OK, so I’ve installed Certificate Services on the server and am using it as the only CA in the domain (Root CA), and in the Certificate Authority manager there are some certificate templates listed, including “computer certificate”, which I think is the one I need. The problem is that when I access http://server/certsrv from a VPN client, I don’t have the option to download a “computer certificate”, only “user certificates”. And when I try to access the VPN, it returns an error message saying that I don’t have a proper computer certificate installed. So I need some way to enroll a computer certificate to my Windows XP clients. I’ve tried using the request certificate option in the MMC, but it says that I don’t have a trusted CA.
Can anyone give me some tips to solve this mess??

There are so many things that need to be addressed here.
#1. If you're truly worried about security as demonstrated by your decision to use L2TP, why are you using your DC as an IAS, and VPN endpoint? On top of all that, it's also your domain's CA! Yikes! Seriously, if security is that important to you, if there's ANY port opened directly to your CA or DC from the net, you need to rethink your design.
#2. Did you set up your CA as a stand-alone or enterprise CA?
#3. Does your router support NAT-T?
#4. Since you are obviously not using a commercial cert for this application, do all your clients have your CA's cert installed yet? Since it says you don't have a trusted CA yet, I'm guessing no.
You're gonna need to address all of these before you can move forward.
"Enough, enough bowing down to disillusion!
Hats off & applause to rogues & evolution!
The ripple effect is too good not to mention.
If you’re not affected, you’re not paying attention!"

Hi, thanks for your reply..
#1 This is a test lab... In three weeks 3 new servers are gonna arrive at our company, and I need to be prepared to implement an L2TP system, where each service will be on a different machine.
#2 I set the Enterprise CA
#3 Yes the router has NAT-T support.
#4 Finally I managed to install certs on the clients, but the authentication process fails.. I read something about having to install a cert on the server as well.. can you help me with this..
Thanks..

"#4 Finally I managed to install certs on the clients, but the authentication process fails.. I read something about having to install a cert on the server as well.. can you help me with this.."
Reread what I wrote. I highly suspect you have not installed the cert on the client machines to trust this CA as an issuing CA root. Either that, or you haven't installed the proper cert on the server itself.

OK, I've been searching for information about installing the certificates, but nothing is clear, so I need help over here please.
All the stuff I read is about autoenrollment in the group policy of AD, which doesn't seem to work, or web enrollment, where there is no way to get the option of downloading a computer cert from the certsrv page.. I need to know how to make the CA a trusted one on a WinXP machine and on the server as well, and then how to request and what to request on each machine..
Thanks..
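The two things the replies above point at (the client must trust the CA's root certificate, and the client needs a certificate in the Local Computer store rather than a user certificate from /certsrv) can both be done from the command line with certreq and certutil. This is an added example, not code from anyone in the thread; the CA name "dc1.corp.local\Corp Root CA", the host name, the file names and the availability of certutil on the XP client (it may need the Windows Server 2003 Administration Tools Pack) are assumptions.

```batch
@echo off
REM Added example, not from the thread. Assumptions: the enterprise CA is
REM "dc1.corp.local\Corp Root CA" and this client is xp-laptop1.corp.local.
REM Run from an administrator command prompt on the XP client.

REM 1. Trust the CA. Export its certificate on the CA (certutil -ca.cert
REM    ca-root.cer, or "Download a CA certificate" on /certsrv), copy it here
REM    as ca-root.cer, and add it to the machine's Trusted Root store.
certutil -addstore Root ca-root.cer

REM 2. Write a request .inf for the Computer template (internal name
REM    "Machine"). MachineKeySet=TRUE puts the key and certificate in the
REM    Local Computer store, which is what L2TP/IPsec looks for.
> computer.inf (
  echo [NewRequest]
  echo Subject = "CN=xp-laptop1.corp.local"
  echo MachineKeySet = TRUE
  echo KeyLength = 2048
  echo Exportable = FALSE
  echo KeySpec = 1
  echo KeyUsage = 0xa0
  echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
  echo RequestType = PKCS10
  echo [RequestAttributes]
  echo CertificateTemplate = Machine
)

REM 3. Generate the request, submit it to the enterprise CA (a domain-joined
REM    computer is auto-issued if Domain Computers may enroll the template),
REM    then install the issued certificate next to its pending request.
certreq -new computer.inf computer.req
certreq -submit -config "dc1.corp.local\Corp Root CA" computer.req computer.cer
certreq -accept computer.cer

REM 4. Check: the certificate sits in the machine "My" store and chains to a
REM    trusted root. "A certificate chain processed, but terminated in a root
REM    certificate which is not trusted" means step 1 did not take.
certutil -store My
certutil -verify computer.cer
```

The VPN server needs its own certificate in its Local Computer store as well, which is what the earlier reply means by installing the proper cert on the server itself; the same .inf with the server's name does that.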
