Hi Glenn,

I have to say that none of this makes much sense to me, as I've never had to do any secedit stuff. Also, I've never put a certificate server in my DMZ, which is even stranger! I've never had to restart the policy agent either to get L2TP/IPSec working. It's all left-field sort of stuff going on here!

Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
Sent: Thursday, September 18, 2003 2:10 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: L2TP Tunnels with Certificates

http://www.ISAserver.org

Tom,

I am equally as puzzled, but I can tell you this is the case, at least with my setup. Here it is:

I have 2 ISA servers with the Internet between them. I have built the ISA servers as stand-alone servers, and built a Windows 2003 server with IIS and Certificate Services that resides on my DMZ. This is the cert server that all my ISA servers get the cert from. After all is configured, I then need to run the secedit utility before the L2TP tunnel will connect. Even after I bounce the IPSEC Policy Agent and RRAS services, I need to re-run the secedit utility again so the tunnels can connect ???

This comes from Microsoft. I need to read more about secedit, but I am stumped as to why I need to run this every time the IPSEC Policy Agent and RRAS services are bounced. I would think running this once would be enough?

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, September 18, 2003 3:01 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: L2TP Tunnels with Certificates

Hi Glenn,

I'm curious why you would need to run secedit for L2TP/IPSec gateway-to-gateway links. Once the certificates are installed, that's it.

I can see it if you want to force machines to get a certificate immediately if you have configured AD for autoenrollment for machine certificates, but that only needs to be done once. The demand-dial interface on the calling router should just fire up as soon as someone triggers it.

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
Sent: Thursday, September 18, 2003 1:55 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: L2TP Tunnels with Certificates

Hi Tom,

Thank you for responding. Yes, you are correct on the calling and persistent part, but what I am trying to figure out is why I have to run the secedit command each and every time the RRAS and IPSEC Policy Agent services are bounced. I have to run this command, "secedit /refreshpolicy machine_policy /enforce", on the downstream ISA server.

I discovered this secedit utility dealing with Microsoft support when I first started to dabble in L2TP tunnels with certificates. You can set everything right when building the L2TP tunnels, complete with certificates, but it will not connect unless you run the above secedit command I provided in this email ... any clues?

Thank you Tom
G.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: gmaks@xxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')