Setting up Secure Communications between Servers on Port 636

[surfangel]

Hi all

I need to setup SSL secure comunications between a Windows Management Server in our Standard Subnet and a windows server in a DMZ.

Only Port 636 is enabled between these two servers. I am basically running an LDAP lookup within a VBscript from the Management server to a Secure Domain controller in the DMZ.

How do I go about setting up a Secure Certificate between these two servers. Do I need to use IIS or some other method?

Sorry if this seems to be a dumb question but I do not have much experience in this area.

Cheers

 

[ITPangaeaArchitect]

Do you have a CA? You'll need that first.

Basically, all you need to do is set up a CA, enroll the DCs for domain controller certs (will autoenroll by default if using an enterprise CA with default policy settings)
install the certs
configure the LDAP signing security option to secure only

that should do the trick

From what I recall, if a DC has a cert and knows it can use 636, it will always use it. That does not mean a client binding to AD will use 636 however (if you set the policy, it should though).

I'm a bit tired, so may be scratching at my head a bit right now.

A VBScript call for the ADSDSOObject will behave differently than native Windows though.

If all you are doing is VBScript, then all you need is the certificate on the DC you will be connecting to, then change your LDAP query to reflect the servername and the port (LDAP://server.domain.com:636/OU=whatever,DC=domain,DC=com)


-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+