Setting up the gateway for Microsoft NDES
The Blue Cedar Connect Gateway supports obtaining client certificates through the Microsoft Network Device Enrollment Service (NDES). The purpose of NDES is to serve as a SCEP Registration Authority (RA) that talks to a Microsoft Certificate Authority (CA) to obtain the client certificates. The following figure shows the flow of communication between the app, the gateway, NDES service, and the Microsoft CA:
To use NDES with the gateway, you must configure both the gateway and the NDES service (running on a Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016) to communicate with each other.
Note: Firewall ports must be open to allow traffic between the gateway and NDES.
If there is an additional firewall located between the gateway and NDES that is private-facing (that is, facing the corporate backend), then you must open additional firewall ports to permit the necessary data traffic to flow freely between the gateway and NDES.
In this case, the gateway is located between two firewalls (a public-facing firewall out to the Internet and a private-facing firewall that protects the corporate backend). If you do not open up the additional ports on the private-facing firewall, then certificate enrollment and authentication fail because the required data cannot pass from the gateway to the corporate backend and vice versa.
For details about configuring the additional firewall ports, see Configure the firewall ports for the Gateway and Active Directory.
Setting up NDES for the gateway
The gateway supports the following password modes for NDES. See the Microsoft product documentation for details.
Single password mode
Enter the password on NDES. The password establishes the trust between the gateway and NDES.
NDES one-time rotating mode
Connect to an NDES URL to get a random password for one-time use.
No password mode
Blue Cedar does not recommend this mode because it is not secure: NDES then accepts enrollment requests without a challenge password. However, the gateway does support this mode.
Configuring the gateway for NDES
Follow these steps to configure the gateway for NDES:

1. Configure the gateway to use NDES with this command:

```bash
% set aaa auth-group default certificate-enrollment scep-server-type ms-ndes-20xx
% commit
```

- For scep-server-type, use the attribute that specifies the SCEP server type; replace 20xx with the Windows Server version of your NDES host. The gateway supports these SCEP server types:
- ms-ndes-2008
- ms-ndes-2012
- ms-ndes-2016
- entrust
- generic
- For details, see Configuring certificate enrollment for the gateway.

2. Configure the gateway to use your chosen password mode:

```bash
% set aaa auth-group default certificate-enrollment challenge-password-type password-mode
% commit
```

Valid values for password-mode are:
- single-password
- ndes-one-time-rotating

3. Configure the challenge password, depending on the mode you chose in step 2.

- For single password mode: configure the challenge-password field on the gateway with the same password that was configured for NDES.
- Note: Point a browser at http://IP-address/certsrv/mscep_admin to get the passphrase.
- Use this template to set the challenge-password on the gateway:

```bash
% set aaa auth-group default certificate-enrollment request-template challenge-password <string>
```

For more information about configuring the challenge-password attribute, see Pre-configuration tasks for implementing certificate enrollment.

- For one-time rotating password mode: configure the gateway to use the challenge-url to retrieve a rotating challenge password on each enrollment. The challenge-url belongs to the ndes-one-time-challenge block (as in the configuration examples further down), not to the request-template:

```bash
% set aaa auth-group default certificate-enrollment ndes-one-time-challenge challenge-url http://IP-address/certsrv/mscep_admin
```

Also set service-account and service-account-password in the same ndes-one-time-challenge block; the gateway uses them to log in to the challenge-url (the one-time password example below shows both attributes).

4. Configure the SCEP URL with this template, using the address of the NDES service in the scep-url. The host part of this URL should match one of these fields:

- The CommonName (CN) of the Subject of the NDES certificate.
- One of the SAN (Subject Alternative Name) fields contained in the NDES certificate.

This example shows an NDES certificate:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            19:07:b3:75:6b:a0:a0:b8:40:a1:7c:67:73:45:69:7d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=local, DC=bluecedar, DC=ch7, CN=ch7-SAMPLE-CA
        Validity
            Not Before: May 28 17:06:41 2019 GMT
            Not After : May 28 17:16:41 2024 GMT
        Subject: DC=local, DC=bluecedar, DC=ch7, CN=ch7-SAMPLE-NDES
```

These commands set the SCEP URL and the one-time challenge URL in the gateway configuration:

```bash
% set aaa auth-group default certificate-enrollment scep-url http://ch7-SAMPLE-NDES/certsrv/mscep/mscep.dll
% set aaa auth-group default certificate-enrollment ndes-one-time-challenge challenge-url http://ch7-SAMPLE-NDES/certsrv/mscep_admin/
```

Note: The value of the scep-url attribute terminates with mscep.dll. This differs from other SCEP URLs, which typically terminate with pkiclient.exe. The challenge-url request carries the service-account credentials, so restrict which hosts can reach NDES (see the firewall notes above) and prefer HTTPS on the NDES site where your deployment supports it.
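The host-name rule in step 4 is easy to get wrong when the scep-url uses an IP address or a short name. The following script, an added example that is not Blue Cedar or Microsoft code, reads the Subject CN and the SAN entries out of an `openssl x509 -noout -text` dump and checks a candidate scep-url against them, plus the mscep.dll suffix. The certificate text is a constructed sample modelled on the NDES certificate above, with a SAN extension added (one DNS name and one IP address) so that both kinds of match can be exercised; the NDES certificate on the page has no SAN shown.

```python
"""Check a gateway scep-url against the NDES certificate: the URL host must
match the certificate's Subject CN or one of its SAN entries, and for NDES the
path must end in mscep.dll rather than pkiclient.exe.

Added example; this is not Blue Cedar or Microsoft code. SAMPLE_CERT_TEXT is a
constructed sample in `openssl x509 -noout -text` format, modelled on the NDES
certificate shown on the page, with a SAN extension added so the check has both
a DNS name and an IP address to compare against."""
import re
from urllib.parse import urlsplit

SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: DC=local, DC=bluecedar, DC=ch7, CN=ch7-SAMPLE-CA
        Subject: DC=local, DC=bluecedar, DC=ch7, CN=ch7-SAMPLE-NDES
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ch7-sample-ndes.ch7.bluecedar.local, IP Address:192.168.50.81
"""


def cert_names(cert_text):
    """Return (subject_cn, [san names]) from an openssl -text dump.

    Only DNS: and IP Address: SAN entries are kept; other SAN types cannot be
    the host part of a URL."""
    cn = None
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", cert_text, re.M)
    if m:
        cn = m.group(1).strip()
    sans = []
    m = re.search(r"Subject Alternative Name:\s*(.+)", cert_text)
    if m:
        for entry in m.group(1).split(","):
            kind, _, value = entry.strip().partition(":")
            if kind in ("DNS", "IP Address"):
                sans.append(value.strip())
    return cn, sans


def name_matches(pattern, host):
    """Case-insensitive match; '*' is allowed only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == pattern[2:]
    return False


def check_scep_url(url, cert_text):
    """Return a list of problems; an empty list means the URL fits the certificate."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return ["scep-url is not an http(s) URL with a host part"]
    problems = []
    cn, sans = cert_names(cert_text)
    names = ([cn] if cn else []) + sans
    if not any(name_matches(n, host) for n in names):
        problems.append(f"host {host!r} matches neither CN {cn!r} nor SAN {sans}")
    if not parts.path.lower().endswith("/mscep.dll"):
        problems.append("NDES scep-url must end with mscep.dll (not pkiclient.exe)")
    return problems


if __name__ == "__main__":
    for candidate in ("http://ch7-SAMPLE-NDES/certsrv/mscep/mscep.dll",
                      "http://192.168.50.45/certsrv/mscep/mscep.dll"):
        print(candidate, check_scep_url(candidate, SAMPLE_CERT_TEXT) or "OK")
```

Run it against the real NDES certificate with `openssl s_client -connect ndes-host:443 </dev/null | openssl x509 -noout -text` piped into a file, or against the certificate exported from the NDES server's certificate store. A URL that uses the server's IP address only passes if the certificate carries that address as an IP Address SAN.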
When you are finished configuring the gateway for NDES, the certificate enrollment part of the configuration looks similar to one of these examples:
Single password mode:

```
% show aaa auth-group default certificate-enrollment
certificate-enrollment {
    scep-url http://192.168.50.45/certsrv/mscep/mscep.dll;
    scep-server-type ms-ndes-2008;
    scep-cert-hash-type sha1;
    enabled true;
    email-pin true;
    challenge-password-type single-password;
    ra-name msSportsCA;
    request-template {
        challenge-password D08F0ED6868508F779B1D8AA16EFA0;
        key-type rsa2048;
    }
}
```
One-time password mode:

```
% show aaa auth-group default certificate-enrollment
certificate-enrollment {
    enabled true;
    scep-cert-hash-type sha1;
    email-pin false;
    challenge-password-type ndes-one-time-rotating;
    scep-server-type ms-ndes-2012;
    request-template {
        use-fedkey-in-common-name false;
        country-code US;
        key-type rsa2048;
        locality Marlborough;
        state Massachusetts;
    }
    ra-name msSportsCA;
    scep-url http://192.168.50.81/certsrv/mscep/mscep.dll;
    ndes-one-time-challenge {
        challenge-url http://192.168.50.81/certsrv/mscep_admin/;
        service-account scepsvc;
        service-account-password scep123;
    }
}
```
Value | Description |
---|---|
192.168.50.xx | IP address of the SCEP server (the NDES host). |
enabled boolean | true: Easy certificate enrollment is enabled on the gateway. false: Easy certificate enrollment is disabled. |
scep-server-type ms-ndes-20xx | Specifies the NDES type of SCEP server (ms-ndes-2008, ms-ndes-2012 or ms-ndes-2016). |
challenge-password-type type | NDES password mode. Values: single-password, ndes-one-time-rotating. |
service-account | Username for the SCEP service account. This user should have rights to log in to the challenge-url. |
service-account-password | Password for the service account. It appears in clear text in the show output, so restrict who can read the gateway configuration. |
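The two examples above differ in which attributes must be present, and a typo in an address is easy to miss in a long show output. The following script, an added example that is not Blue Cedar code, parses the brace-structured certificate-enrollment block and applies the consistency rules this page states in prose: enabled must be true, scep-server-type must be an ms-ndes value, scep-url must end in mscep.dll, single-password mode needs request-template challenge-password, and ndes-one-time-rotating mode needs challenge-url, service-account and service-account-password under ndes-one-time-challenge. It knows only the attribute names that appear on this page. Both configurations in the block are constructed from the examples above; the rotating one deliberately carries a mistyped challenge-url address (192.168.502.81) so that the check has something to catch.

```python
"""Lint the certificate-enrollment block of a gateway `show` output for an
NDES setup, applying the consistency rules the page states in prose.

Added example, not Blue Cedar code; it knows only the attribute names that
appear in the sample configurations on this page. Both samples are constructed;
SAMPLE_ROTATING deliberately has a malformed challenge-url address."""
import ipaddress
from urllib.parse import urlsplit

SAMPLE_SINGLE = """\
certificate-enrollment {
    scep-url http://192.168.50.45/certsrv/mscep/mscep.dll;
    scep-server-type ms-ndes-2008;
    enabled true;
    challenge-password-type single-password;
    request-template {
        challenge-password D08F0ED6868508F779B1D8AA16EFA0;
        key-type rsa2048;
    }
}
"""

SAMPLE_ROTATING = """\
certificate-enrollment {
    enabled true;
    challenge-password-type ndes-one-time-rotating;
    scep-server-type ms-ndes-2012;
    scep-url http://192.168.50.81/certsrv/mscep/mscep.dll;
    ndes-one-time-challenge {
        challenge-url http://192.168.502.81/certsrv/mscep_admin/;
        service-account scepsvc;
        service-account-password scep123;
    }
}
"""


def parse_config(text):
    """Turn `key value;` and `key { ... }` lines into nested dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%"):  # skip blanks and the CLI prompt line
            continue
        if line.endswith("{"):
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":
            cur = stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            cur[key] = value.strip()
    return root


def bad_host(url):
    """Problem string if the URL has no host or its host is a malformed IPv4 literal."""
    host = urlsplit(url).hostname
    if not host:
        return f"{url!r} has no host"
    if host.replace(".", "").isdigit():  # looks like a dotted-quad literal
        try:
            ipaddress.ip_address(host)
        except ValueError:
            return f"{host!r} is not a valid IP address"
    return None


def lint_enrollment(text):
    """Return the list of problems found; empty means the block is consistent."""
    ce = parse_config(text).get("certificate-enrollment", {})
    problems = []
    if ce.get("enabled") != "true":
        problems.append("enabled is not true")
    if not ce.get("scep-server-type", "").startswith("ms-ndes-"):
        problems.append("scep-server-type is not an ms-ndes-* value")
    url = ce.get("scep-url", "")
    if not url.lower().endswith("/mscep.dll"):
        problems.append("scep-url must end with mscep.dll for NDES")
    else:
        p = bad_host(url)
        if p:
            problems.append("scep-url: " + p)
    mode = ce.get("challenge-password-type")
    if mode == "single-password":
        if not ce.get("request-template", {}).get("challenge-password"):
            problems.append("single-password mode needs request-template challenge-password")
    elif mode == "ndes-one-time-rotating":
        otc = ce.get("ndes-one-time-challenge", {})
        for key in ("challenge-url", "service-account", "service-account-password"):
            if not otc.get(key):
                problems.append(f"ndes-one-time-rotating mode needs ndes-one-time-challenge {key}")
        if otc.get("challenge-url"):
            p = bad_host(otc["challenge-url"])
            if p:
                problems.append("challenge-url: " + p)
    else:
        problems.append(f"unknown challenge-password-type {mode!r}")
    return problems


if __name__ == "__main__":
    for name, sample in (("single", SAMPLE_SINGLE), ("rotating", SAMPLE_ROTATING)):
        print(name, lint_enrollment(sample) or "OK")
```

To use it on a live gateway, paste the output of `% show aaa auth-group default certificate-enrollment` into a file and call `lint_enrollment` on its contents; the leading prompt line is skipped by the parser.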