You can streamline the process of deploying computer certificates and 802.11 settings using Group Policy, making the deployment process for L2TP VPNs and 802.1X wireless authentication much simpler. The only steps left to perform manually are obtaining user certificates and creating L2TP VPN connections. To automate the enrollment of user certificates, you need a Windows Server 2003 Enterprise Edition Certificate Authority, which is solidly outside of the reach of small businesses.
Use the following sections to create a new Group Policy Object (GPO) and configure it to automate computer certificate enrollment and 802.11 wireless settings deployment.
You can easily obtain a user certificate using the Microsoft Certificate Services Web site (http://sbssrv/CertSrv, where the Windows Small Business Server computer’s name is sbssrv). You can automate the creation of L2TP VPN connections using the Connection Manager Administration Kit (CMAK).
It’s a best practice to create a new Group Policy Object (GPO) any time you want to apply settings via Group Policy. This makes it easy to undo changes; simply disable the GPO.
Complete the following steps to create a new GPO and link it to the appropriate domain or organizational unit (OU):
1. From the Start menu, choose the Administrative Tools folder and then open the Group Policy Management console.
2. In the console tree, navigate to Domains, then to example.local (or whatever the domain is named), and then to Group Policy Objects.
3. Right-click Group Policy Objects (Figure 15-31). Choose New from the shortcut menu, type a name for the GPO, and then click OK.
Figure 15-31: The Group Policy Objects container and the Group Policy Management console.
4. Link the new GPO by dragging it from the Group Policy Objects container to the appropriate OU or container:
   - Use the Computers OU in the MyBusiness OU to link the GPO to all client and server computer accounts created with the Set Up Client Wizard and Set Up Server Wizard.
   - Use the SBSComputers OU in the MyBusiness\Computers OU to link the GPO to all client computer accounts created with the Set Up Client Wizard.
   - Use the SBSServers OU in the MyBusiness\Computers OU to link the GPO to all server computer accounts created with the Set Up Server Wizard.
There’s no harm in deploying computer certificates and 802.11 settings to desktop computers.
Use the Group Policy Results and Group Policy Modeling tools to ensure that your GPO is being applied properly. For more information, see Chapter 10, “Shares, Permissions, and Group Policy.”
After creating a new GPO for your settings, use the following steps to enable client computers to automatically obtain computer certificates and install the Windows Small Business Server computer’s certificate in the Trusted Root Certification Authorities certificate store.
1. Right-click the GPO you created in the Group Policy Management Console and choose Edit from the shortcut menu. This opens the Group Policy Object Editor.
2. Navigate to Computer Configuration, Windows Settings, Security Settings, and finally Public Key Policies (Figure 15-32).
3. Right-click Automatic Certificate Request Settings, choose New from the shortcut menu, and then choose Automatic Certificate Request. When the Automatic Certificate Request Setup Wizard appears, click Next.
4. On the Certificate Template page, select Computer, click Next, and then click Finish.
5. Right-click Trusted Root Certification Authorities and choose Import from the shortcut menu. When the Certificate Import Wizard appears, click Next.
Figure 15-32: The Group Policy Object Editor displaying the Public Key Policies container.
6. On the File To Import page, click Browse, select the certificate file for the Windows Small Business Server Certificate Authority, and then click Open. (The certificate should be located in the root directory of the C:\ drive.) Click Next.
7. On the Certificate Store page, click Next to place certificates in the Trusted Root Certification Authorities certificate store. Review the settings and then click Finish. If the import was successful, a message will appear.
8. In the Group Policy Object Editor, verify that the certificate appears in the Trusted Root Certification Authorities container.
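The check in the Group Policy Object Editor confirms only that the policy contains the certificate. The following script is an added example, not part of the original text, that confirms the result on a client computer: the CA certificate is in the computer's trusted root store and an autoenrolled computer certificate is present and usable. It assumes Windows PowerShell is installed on the client and that the computer certificate is issued directly by the CA whose certificate file you imported; the file path is a placeholder.

```powershell
# Added example (not from the original text): run on a client after Group Policy refreshes.
# Assumption: -CaCertPath is the CA certificate file imported into the GPO; the default is a placeholder.
param([string]$CaCertPath = 'C:\<ca-certificate-file>.cer')

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication enhanced key usage

function Test-ClientAuthEku($Cert) {
    # True when the certificate's Enhanced Key Usage extension lists Client Authentication.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ClientAuthOid) { return $true }
            }
        }
    }
    return $false
}

$ca  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
$now = Get-Date

# Check 1: the CA certificate is in the computer's Trusted Root Certification Authorities store.
$rootOk = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $ca.Thumbprint }).Count -gt 0

# Check 2: a computer certificate issued by that CA is in the computer's Personal store,
# has its private key, is inside its validity period, and allows client authentication.
$machineCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -eq $ca.Subject -and $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    (Test-ClientAuthEku $_)
})

"CA root trusted by this computer : $rootOk"
"Usable computer certificates     : $($machineCerts.Count)"
$machineCerts | Select-Object Subject, NotAfter, Thumbprint | Format-List

if (-not $rootOk -or $machineCerts.Count -eq 0) {
    "FAIL: policy not applied yet, or autoenrollment did not complete."
    exit 1
}
"PASS"
```

A FAIL on the first check with a PASS in the Group Policy Object Editor usually means the GPO is not linked to the OU that holds the computer account, which the Group Policy Results tool will show.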
After creating a new GPO for your settings, complete the following steps to create a new wireless network policy that automates the deployment of 802.11 network settings to clients:
1. In the Group Policy Management Console, right-click the GPO you created and choose Edit from the shortcut menu. This opens the Group Policy Object Editor.
2. Navigate to Computer Configuration, Windows Settings, Security Settings, and finally Wireless Network (IEEE 802.11) Policies.
3. Right-click Wireless Network (IEEE 802.11) Policies and choose Create Wireless Network Policy from the shortcut menu. When the Wireless Network Policy Wizard appears, click Next.
4. On the Wireless Network Policy Name page, type a name and description for the policy, click Next, and then click Finish. The policy Properties dialog box appears.
5. Click the Preferred Networks tab and then click Add. The New Preferred Setting Properties dialog box (Figure 15-33) appears.
Figure 15-33: The New Preferred Settings Properties dialog box.
6. Type the SSID of your wireless network in the Network Name box.
7. Click the IEEE 802.1X tab and choose the EAP type used on the network (Smart Card Or Other Certificate, or Protected EAP) from the EAP Type box. Configure other settings as necessary and then click OK. Add other networks to which clients should automatically connect, and then click OK.