Will do. One possible reason could be that I built my ISA servers as Stand Alone, that is to say they are NOT member servers to the Internal AD network, so it has no DC to get any security policies from. Of course, I am only speculating at this point. Thanks, Tom, for your always valued expertise.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, September 18, 2003 3:50 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: L2TP Tunnels with Certificates

http://www.ISAserver.org

Hi Glenn,

I know that you're not the only one, because I've set up a lot of them and never had to do this :-) Let us know what you find out about this.

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
Sent: Thursday, September 18, 2003 2:47 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: L2TP Tunnels with Certificates

Yep, as far as my Cert Server living on the DMZ: when the Certificate Web Code is installed under IIS when you install Certificate services, you can do 2 things: remove anonymous logins, which will force a login authentication just to open the web based certificate issue sequence, and adjust the Certificate server to NOT auto issue. This way you as the administrator must view the Cert request and make the decision to issue or not issue this Certificate. It really does not pose much of a security risk. The Certification server was installed as a Stand Alone CA.
Again, I need to read further into Secedit and why I need to run it every time the ISA server is rebooted. It is not like it loses track of the Certificate, so I am a bit puzzled. For the time being I plan on writing a script to run this secedit utility, then bounce both the IPSEC Policy Agent Service and the RRAS Service. When I get more information on this topic I will post it. I am sure I am not the only one running an IPSEC Tunnel with Certificates.