Hi,
I followed this guide:
http://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx
I'm looking for an implementation with a DMZ and I've a few questions.
In my example for my lab, I'll use the company name "MONODE".
My scenario is the following:
- the PKI architecture must support 5000+ users who work both at the office and at home; they'll access content from the office at home through an SSL VPN or a SharePoint portal (or other apps using certificates delivered by the internal CA)
- the company internal Active Directory domain is: monode.local
- the company owns an Internet domain called monode.com
I came up with the following hierarchy for an implementation with DMZ after reading this page (http://blogs.technet.com/b/configmgrteam/archive/2009/05/01/how-to-publish-the-crl-on-a-separate-web-server.aspx):
But I'm really wondering what is the best approach to publish the CRL to the DMZ. Here I would make an outbound rule (SMB) in the internal firewall to be able to auto-publish the CRL from "CA02 server" to the web server in the DMZ. Is this a good approach?
- Would it be better to set up the OCSP responder (SRV1) directly in the DMZ?
- In the lab, it says that "the alias 'PKI' can resolve to a load balancer which distributes requests to any number of web servers that contain the CA certificates and CRLs"; does that mean you should set up multiple OCSP Responders or Web servers where you publish the CRL and use NLB or a hardware load balancer to handle the load?
I'm a bit confused with the load-balancing for the OCSP/web servers and the best approach to take in my situation with a DMZ, so any help on this would be great!
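Whichever placement is chosen, the failure mode to watch for is a DMZ web server serving a stale or different CRL than the one the CA issued, since clients outside then fail revocation checking. The following is an added example (not from the original post or the linked guide) that pushes the CRL over the SMB rule described above and then verifies what the "PKI" alias actually serves; the CRL file name, the DMZ share and the public CDP URL are assumptions for the MONODE lab.

```powershell
# Added example: publish the issuing CA's CRL to the DMZ web server and verify it.
# All names below are assumptions for the lab, not values from the original post.
$LocalCrl  = 'C:\Windows\System32\CertSrv\CertEnroll\MONODE Issuing CA.crl'  # assumed CRL file on CA02
$DmzShare  = '\\dmz-web01\CertEnroll$'                                       # assumed hidden share on the DMZ web server
$PublicUrl = 'http://pki.monode.com/CertEnroll/MONODE%20Issuing%20CA.crl'   # assumed CDP URL behind the PKI alias

# 1. Copy the CRL to the DMZ web server over SMB (the outbound rule the post proposes).
Copy-Item -Path $LocalCrl -Destination $DmzShare -Force

# 2. Download the CRL the way an external client would, through the PKI alias.
$tmp = Join-Path $env:TEMP 'published.crl'
Invoke-WebRequest -Uri $PublicUrl -OutFile $tmp -UseBasicParsing

# 3. The served file must be byte-for-byte the CA's copy.
$localHash  = (Get-FileHash -Algorithm SHA256 -Path $LocalCrl).Hash
$remoteHash = (Get-FileHash -Algorithm SHA256 -Path $tmp).Hash
if ($localHash -ne $remoteHash) {
    throw "Published CRL differs from the CA's copy ($remoteHash vs $localHash)"
}

# 4. The served CRL must not be past its NextUpdate; certutil -dump prints that field.
$dump = certutil -dump $tmp
$match = $dump | Select-String -Pattern 'NextUpdate:\s*(.+)$' | Select-Object -First 1
if (-not $match) { throw 'Could not read NextUpdate from the downloaded CRL' }
$nextUpdate = [datetime]::Parse($match.Matches[0].Groups[1].Value.Trim())
if ($nextUpdate -lt (Get-Date)) {
    throw "Published CRL expired at $nextUpdate; clients will fail revocation checking"
}
"CRL published and verified; next update due $nextUpdate"
```

Run it from CA02 after each CRL publication (or on a schedule shorter than the CRL validity) so an expired or mismatched CRL in the DMZ is caught before clients start failing revocation checks.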