When CES/CEP are needed for enrollment from the DMZ/Internet, are the CES/CEP roles typically installed on non-domain-joined Windows Server 2012/R2 servers in the DMZ? If so, are there any documents outlining the port requirements inbound and outbound between the DMZ and Internal (AD and CA)? An alternative seems to be to use a reverse proxy to the CES/CEP server that's internal and domain joined. Depending on the situation this may not be allowed or feasible. I have outlined below the only firewall and port information I can find, which was for 2008 R2. Before I get started down the path of testing this design, I just want to make sure I understand the requirements for such a scenario of placing the CES/CEP roles in the DMZ on a non-domain-joined Windows Server 2012/R2 server. Comparing and contrasting the DMZ non-domain-joined and the internal domain-joined server would be a plus.
I have already reviewed:
http://technet.microsoft.com/en-us/library/hh831822.aspx
http://blogs.technet.com/b/askds/archive/2010/02/01/certificate-enrollment-web-services.aspx
https://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
https://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx
Network Connectivity Requirements
Network connectivity requirements are a key part of deployment planning, particularly for scenarios where the Certificate Enrollment Web Policy Service and Certificate Enrollment Web Service will be hosted in a perimeter network. All client connectivity to both services occurs within an HTTPS session, so only HTTPS traffic is required between the client and the web services. The Certificate Enrollment Policy Web Service communicates with AD DS, using standard Lightweight Directory Access Protocol (LDAP) and secure LDAP (LDAPS) ports (TCP 389 and 636 respectively). The Certificate Enrollment Web Service communicates with the CA using DCOM. By default, DCOM uses random ephemeral ports. However, this behavior is configurable and the CA can be configured to reserve a specific range of ports to simplify firewall configuration. See Microsoft Knowledge Base article 154596: How to configure RPC dynamic port allocation to work with firewalls for more information.
Firewall Requirements
If the Certificate Enrollment Policy Web Service is installed in a network location in which there is a firewall between it and a writeable domain controller, the following traffic types must be allowed through the firewall:
• Kerberos ports: 464, 440
• LDAP ports: 389, 636
In order to make network traffic across the firewall manageable, configure the CA to use a restricted set of ports. On the firewall, create a rule allowing TCP traffic on the port numbers selected, from the network or host on which the Certificate Enrollment Web Service runs to the CA. For additional information about configuring a firewall with a Microsoft CA, see the blog post Certificate Enrollment Requires a Custom Protocol.
Thanks
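As an added example (not part of the question or the quoted Microsoft text), the PowerShell below shows the two pieces the quoted requirements describe: restricting the CA's DCOM/RPC dynamic ports to a fixed range via the KB 154596 registry values, and a connectivity check run from the DMZ CES/CEP host against the DC and CA on the ports the requirements list. The range 5000-5100, the hostnames, TCP 88 (Kerberos KDC) and TCP 135 (RPC endpoint mapper) are assumptions and are marked as such in the code.

```powershell
# Part 1: on the CA, restrict RPC/DCOM to a fixed port range (KB 154596) so the
# DMZ-to-internal firewall can allow that range instead of all ephemeral ports.
# The range 5000-5100 is an illustrative assumption, not a Microsoft default.
function Set-RpcRestrictedPortRange {
    param([int]$Start = 5000, [int]$End = 5100)
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Ports is REG_MULTI_SZ; one "start-end" entry is accepted
    New-ItemProperty -Path $key -Name 'Ports' -PropertyType MultiString -Value @("$Start-$End") -Force | Out-Null
    New-ItemProperty -Path $key -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $key -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null
    # The new range is used only after the CA host is restarted.
}

# Part 2: from the non-domain-joined CES/CEP host in the DMZ, verify the paths
# the quoted requirements call for. Returns one object per check.
function Test-CesCepConnectivity {
    param(
        [Parameter(Mandatory)][string]$DomainController,       # assumed hostname/IP
        [Parameter(Mandatory)][string]$CertificationAuthority, # assumed hostname/IP
        [int]$RpcRangeStart = 5000, [int]$RpcRangeEnd = 5100    # must match Part 1
    )
    $checks = @(
        # CEP -> DC: ports exactly as listed in the quoted firewall requirements
        @{ Role='CEP'; Target=$DomainController; Port=389; Purpose='LDAP' },
        @{ Role='CEP'; Target=$DomainController; Port=636; Purpose='LDAPS' },
        @{ Role='CEP'; Target=$DomainController; Port=464; Purpose='Kerberos (as listed)' },
        @{ Role='CEP'; Target=$DomainController; Port=440; Purpose='Kerberos (as listed)' },
        # Assumption: standard Kerberos KDC port, not in the quoted list
        @{ Role='CEP'; Target=$DomainController; Port=88;  Purpose='Kerberos KDC (assumed)' },
        # CES -> CA: endpoint mapper (assumed, standard DCOM) and the restricted range ends
        @{ Role='CES'; Target=$CertificationAuthority; Port=135; Purpose='RPC endpoint mapper (assumed)' },
        @{ Role='CES'; Target=$CertificationAuthority; Port=$RpcRangeStart; Purpose='DCOM range start' },
        @{ Role='CES'; Target=$CertificationAuthority; Port=$RpcRangeEnd;   Purpose='DCOM range end' }
    )
    foreach ($c in $checks) {
        $r = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Role=$c.Role; Target=$c.Target; Port=$c.Port
                           Purpose=$c.Purpose; Open=$r.TcpTestSucceeded }
    }
}
```

A closed result on a range port is inconclusive on its own, because the CA's RPC server binds only some ports inside the range; treat 135 plus an actual enrollment attempt as the end-to-end confirmation.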