Where to place CA, on DMZ ISA or in AD.


alan.atkins
I have a server set up with ISA 2004 (with plans to upgrade to ISA 2006 soon). It is not on a perimeter yet, but I plan to add a second zone in DNS AD to house servers that need external connections (i.e. ISA, webserver, and Exchange). My question is, in this scenario where would I need to place a certificate authority? Should I install it on the ISA server so that it can assign and authenticate on the edge as well as to the AD requesting for internal certificates (ISA server is multi-homed for internal connections)? Or, would it be best to just let my DC run CA services so that it is polled from the ISA on external or VPN connections? In this scenario however, wouldn't my webserver and VPN need to traverse to my private network to get certificates assigned? I am pretty confused on the whole CA setup in my environment as my company does not have the budget to follow all best practices, such as domain and child and a separate server for every stinking setup available for 2003 servers (as I am sure Microsoft loves this for the fact that they can sell more server O/S's, other than just the practical and performance considerations). I would appreciate any help or information that can be given to me on this matter.