I want to be able to use Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service for Internet-based domain members to enroll and renew their certificates. I have a couple of questions on the design.
I have been reviewing all the documents I can find on design for Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service. One design option that seems to be missing from the options in the documents I have looked at is having both servers reside on the internal network, then using a reverse proxy to redirect Internet clients via HTTPS to the servers. I am just curious if anyone knows of a reason this configuration will NOT work?
Secondly, the authentication options include Windows Integrated Authentication, Client Certificate Authentication, and Username and Password. If my clients are domain members and the users are logged in with cached domain credentials, will Windows Integrated Authentication work if the internet-based client connects via reverse proxy to the enrollment server? The documents sound like this wouldn't work as the client does not have a direct connection to the internal network to truly authenticate to a domain controller, but I want to be sure I'm understanding it correctly.
Thanks for any assistance you can provide!
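For reference, here is how an Internet-connected domain member would be pointed at a CEP endpoint that uses one of the non-Kerberos authentication types mentioned above (Username and Password) and then enroll through it over HTTPS. This is an added example, not code from the original post; the hostname, template name and credentials are placeholders, and the URL path follows the default naming the Username/Password CEP instance uses on a server.

```powershell
# Added example (not from the original post). Assumed values: the published hostname
# pki.example.com (fronted by the reverse proxy) and the template name InternetWorkstation.
# Default CEP path for the Username/Password instance; Kerberos and Certificate instances
# use ADPolicyProvider_CEP_Kerberos and ADPolicyProvider_CEP_Certificate respectively.
$cepUrl = 'https://pki.example.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP'

# Domain account that is allowed to enroll for the template.
$cred = Get-Credential -Message 'Domain account permitted to enroll'

# Register the policy server in the machine context. -RequireStrongValidation makes the
# client insist on a trusted TLS chain for the endpoint, which matters when the service
# is reached across the Internet instead of from the internal network.
Add-CertificateEnrollmentPolicyServer -Url $cepUrl -Context Machine `
    -Credential $cred -RequireStrongValidation -AutoEnrollmentEnabled

# Show what the client has configured; this is a quick way to confirm the endpoint and
# its authentication type were recorded as intended before attempting enrollment.
Get-CertificateEnrollmentPolicyServer -Scope ConfiguredOnly -Context Machine

# Request a certificate from a template published through that policy server. CES is
# discovered from the policy the CEP endpoint returns, so only the CEP URL is supplied.
$result = Get-Certificate -Template 'InternetWorkstation' -Url $cepUrl `
    -Credential $cred -CertStoreLocation Cert:\LocalMachine\My

# Status reports Issued, Pending (CA manager approval required) or Denied.
$result.Status
$result.Certificate | Format-List Subject, Issuer, NotAfter, Thumbprint
```

Running the same sequence against the Kerberos CEP URL from a client that can only reach the reverse proxy is a direct way to test the Windows Integrated Authentication question in the post, since the enrollment error returned by Get-Certificate will show whether the client could obtain a ticket for the service.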