Skip to main content
Skip table of contents

Setting up the gateway for Microsoft NDES

The Blue Cedar Connect Gateway supports obtaining client certificates through the Microsoft Network Device Enrollment Service (NDES). The purpose of NDES is to serve as a SCEP Registration Authority (RA) that talks to a Microsoft Certificate Authority (CA) to obtain the client certificates. The following figure shows the flow of communication between the app, the gateway, NDES service, and the Microsoft CA:

To use NDES with the gateway, you must configure both the gateway and the NDES service (running on a Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016) to communicate with each other. 

Note: Firewall ports must be open to allow traffic between the gateway and NDES.

If there is an additional firewall located between the gateway and NDES that is private-facing (that is, facing the corporate backend), then you must open additional firewall ports to permit the necessary data traffic to flow freely between the gateway and NDES.

In this case, the gateway is located between two firewalls (a public-facing firewall out to the Internet and a private-facing firewall that protects the corporate backend). If you do not open up the additional ports on the private-facing firewall, then certificate enrollment and authentication fail because the required data cannot pass from the gateway to the corporate backend and vice versa.

For details about configuring the additional firewall ports, see Configure the firewall ports for the Gateway and Active Directory.

Setting up NDES for the gateway

The gateway supports the following password modes for NDES. See the Microsoft product documentation for details.

  • Single password mode 

    Enter the password on NDES. The password establishes the trust between the gateway and NDES.

  • NDES one-time rotating mode

    Connect to an NDES URL to get a random password for one-time use. 

  • No password mode 

    Blue Cedar does not recommended this mode because it is not secure. However, the gateway does support this mode.

Configuring the gateway for NDES

Follow these steps to configure the gateway for NDES:

Configure the gateway to use NDES with this command:

  • BASH
    % set aaa auth-group default certificate-enrollment scep-server-type ms-ndes-20xx
    % commit
  • For scep-server-type, use the attribute that specifies the SCEP server type. the gateway supports these SCEP server types:
  • ms-ndes-2008 
  • ms-ndes-2012
  • ms-ndes-2016
  • entrust
  • generic

Configure the gateway to use your chosen password mode:

  • BASH
    % set aaa auth-group default certificate-enrollment challenge-password-type password-mode
    % commit

    Valid values for password-mode are: 

  • single-password 
  • ndes-one-time-rotating

Configure the challenge password, depending on the type you chose in step 2. 

  • For single password mode: Configure the challenge password field on the gateway with the same password that was configured for NDES.
  • Note: Point a browser at http://IP-address/certsrv/mscep_admin to get the passphrase.
  • Use this template to set the challenge-password on the gateway:
  • BASH
    % set aaa auth-group default certificate-enrollment request-template 
    challenge-password <string>

    For more information about configuring the challenge-password attribute, see Pre-configuration tasks for implementing certificate enrollment.

  • For one-time rotating password mode: Configure the gateway to use the challenge-url to retrieve a rotating challenge password on each enrollment:

    % set aaa auth-group default certificate-enrollment request-template 
    challenge-url http://IP-address/certsrv/mscep_admin

Configure the SCEP URL with this template, using the address of the NDES service in the scep-url. This URL should match one of these fields:

  • The CommonName (CN) of the Subject of the NDES certificate.
  • One of the SAN (Subject Alternative Name) fields contained in the NDES certificate.
  • This example shows an NDES certificate:

       Data: Version: 3 (0x2)        
             Serial Number:            
       Signature Algorithm: sha1WithRSAEncryption        
           Issuer: DC=local, DC=bluecedar, DC=ch7, CN=ch7-SAMPLE-CA        
               Not Before: May 28 17:06:41 2019 GMT            
               Not After : May 28 17:16:41 2024 GMT        
           Subject: DC=local, DC=bluecedar, DC=ch7, CN=ch7-SAMPLE-NDES

    These commands set the SCEP URL in the Gateway configuration:

    % set aaa auth-group default certificate-enrollment scep-url http://ch7-SAMPLE-NDES/certsrv/mscep/mscep.dll
    % set aaa auth-group default certificate-enrollment ndes-one-time-challenge challenge-url http://ch7-SAMPLE-NDES/certsrv/mscep_admin/

Note: The value of the scep-url attribute terminates with mscep.dll. This differs from other SCEP URLs, which typically terminate with pkiclient.exe.

When you are finished configuring the gateway for NDES, the certificate enrollment part of the configuration looks similar to one of these examples: 

Single password mode:

% show aaa auth-group default certificate-enrollment
certificate-enrollment {
  scep-url   ;
  scep-server-type     ms-ndes-2008;
  scep-cert-hash-type  sha1;
  enabled              true;
  email-pin            true;
  challenge-password-type single-password;
  ra-name              msSportsCA;
  request-template {
    challenge-password D08F0ED6868508F779B1D8AA16EFA0;
    key-type           rsa2048;

One-time password mode:

% show aaa auth-group default certificate-enrollment
certificate-enrollment {
 enabled                  true;
  scep-cert-hash-type     sha1;
  email-pin               false;
  challenge-password-type ndes-one-time-rotating;
  scep-server-type        ms-ndes-2012;
  request-template {
    use-fedkey-in-common-name false;
    country-code              US;
    key-type                  rsa2048;
    locality                  Marlborough;
    state                     Massachusetts;
  ra-name                 msSportsCA;
  scep-url      ;
  ndes-one-time-challenge {
    challenge-url            http://192.168.502.81/certsrv/mscep_admin/;
    service-account          scepsvc;
    service-account-password scep123;

192.168.50.xxIP address of the SCEP server.
enabled boolean

true: Easy certificate enrollment is enabled on the gateway.

false: Easy certificate enrollment is disabled.

scep-server-type ms-ndes-20xxSpecifies the NDES type of SCEP server
challenge-password-type type

NDES password mode. Values:

  • single-password
  • ndes-one-time-rotating
service-accountUsername for the SCEP service account. This user should have rights to login to the challenge-url.
service-account-passwordPassword for the service account.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.