Hi John,

We have successfully installed ENC and tested it on machines behind firewalls. Once ENC was configured on the domain manager and the staging server (the staging server is in our DMZ and acts as the ENC gateway), we ran the following on the domain manager. Note: this should be done after the ENC policy has been applied to all servers that will act as managers or gateways for ENC.

To make our certificates:

Open a command prompt and browse to an empty folder you create somewhere on the system, such as C:\ENC-CERTS.

Run the following command to create a server ROOT certificate upon which all other certificates will be based:

    cacertutil create -o:root.p12 -op:<root password> -od:root.der -s:CN=encroot,O=<organisation> -d:<validity>

An example would be:

    cacertutil create -o:root.p12 -op:root_pass -od:root.der -s:CN=encroot,O=i365 -d:730

This will generate the files ROOT.DER and ROOT.P12 in this folder. ROOT.P12 holds the root's private key, protected by the password you gave with -op:, so keep it (and that password) on the domain manager only; ROOT.DER holds just the public certificate and is the file that gets copied to other machines.

Now generate the Manager's client certificate for the ENC Server/Manager via the following, run from a command prompt browsed to the same C:\ENC-CERTS folder:

    cacertutil create -o:<name>.p12 -od:<name>.der -i:root.p12 -ip:<root password> -s:cn=<FQDN>,dc=<domain>,dc=com -xsan:<FQDN> -as -ac -ae -op:<client password>

An example would be:

    cacertutil create -o:ClientOne.p12 -od:ClientOne.der -i:root.p12 -ip:root_pass -s:cn=pucjo01vm-r12.pucjo01ad.com,dc=i365,dc=com -xsan:pucjo01vm-r12.pucjo01ad.com -as -ac -ae -op:ClientOne_pass

This will create the files ClientOne.DER and ClientOne.P12 on the ENC Server/Manager in the same folder as the root certificates.

Now run the following command to import the certificates for use on this machine:

    encutilcmd certi -r root.der -i <name>.p12 -p <client password>

An example would be:

    encutilcmd certi -r root.der -i ClientOne.p12 -p ClientOne_pass

*If you require the use of Internet proxy server settings, you can use a command like the following example:

*NOTE: This may not be needed; test without it first. ENC will capture the logged-in user and try to authenticate to the proxy as that user. If this doesn't work, then the command below will be helpful. Bear in mind that the proxy password is passed in clear text on the command line, so it will be visible in your command history and to anyone who can list running processes while it executes.

    encutilcmd client -proxy_host <proxy host> -proxy_http -proxy_port <port> -user <user> -password <password>

An example would be:

    encutilcmd client -proxy_host naproxy.ca.com -proxy_http -proxy_port 80 -user pucjo01@ca.com -password n0tmyre@Lpwd

This should result in:

    http proxy : Current user name is pucjo01@ca.com.
    http proxy : Current host is 'naproxy.ca.com'.
    http proxy : Current port is '80'.
    INFO: Command completed successfully.

Now we can enable the ENC component of CAF via the following command:

    encutilcmd client -state enabled -server <gateway FQDN>

An example would be:

    encutilcmd client -state enabled -server pucjo01vm-r12.pucjo01ad.com

followed by:

    encutilcmd updateconfig

Now run:

    caf start encclient

Run the following command to ensure that the certificates are installed:

    encutilcmd certv -l

A successful return will look like the following:

    INFO: Current process user is a member of local administrators group.
    INFO: Created and validated client side TLS context OK.
    URI: x509cert://[TLS-SCHANNEL]/CN=pucjo01vm-r12.pucjo01ad.com,DC=i365,DC=com
    INFO: Created and validated server side TLS context OK.
    URI: x509cert://[TLS-SCHANNEL]/CN=pucjo01vm-r12.pucjo01ad.com,DC=i365,DC=com
    INFO: Using PUCJO01VM-R12.PUCJO01AD.COM as target FQDN
    Loopback Data Source: Client
    Target: PUCJO01VM-R12.PUCJO01AD.COM
    I am: x509cert://[TLS-SCHANNEL]/CN=pucjo01vm-r12.pucjo01ad.com,DC=i365,DC=com
    Peer is: x509cert://[TLS-SCHANNEL]/CN=pucjo01vm-r12.pucjo01ad.com,DC=i365,DC=com
    Loopback Data Source: Server
    I am: x509cert://[TLS-SCHANNEL]/CN=pucjo01vm-r12.pucjo01ad.com,DC=i365,DC=com
    Peer is: x509cert://[TLS-SCHANNEL]/CN=pucjo01vm-r12.pucjo01ad.com,DC=i365,DC=com

Wait a few moments and now run 'ENCCLIENT STATUS'. You should see something like this if it is working:

    C:\>encclient status
    Retrieving status information from ENC Client...
    Connected to Gateway Server PUCJO01VM-R12.PUCJO01AD.COM with connection type 'socket'
    ENC IP Address of this machine is 172.27.5.7
    Name resolution statistics:
      Found: 6658 (0 from cache)
      Not Found: 2788
      Ignored: 3927
    Listening on:
      Virtual Port 4728
      Virtual Port 7163
    There are no active router connections
    There are no active data channels

NOTE: To see more details you can run 'ENCCLIENT STATUS -DETAIL', but this will hang if run while ENC is disconnected!
To generate certificates for any other machines that will report into this ENC Gateway/Domain Manager, first generate a certificate for each box as follows (use the same command prompt we have, browsed to C:\ENC-CERTS or equivalent):

    cacertutil create -o:<name>.p12 -od:<name>.der -i:root.p12 -ip:<root password> -s:cn=<FQDN>,dc=<domain>,dc=com -xsan:<FQDN> -as -ac -ae -op:<client password>

An example would be:

    cacertutil create -o:clienttwo.p12 -od:clienttwo.der -i:root.p12 -ip:root_pass -s:cn=pucjo01w-pucjo01ad.com,dc=i365,dc=com -xsan:pucjo01w-pucjo01ad.com -as -ac -ae -op:clienttwo_pass

Each client must have a different certificate name. Don't generate files like 'client.p12' or 'client.der' for multiple machines; it will cause their registrations to overwrite each other! In this case the command creates files called 'clienttwo.p12' and 'clienttwo.der'. Be sure to record the client password you picked; it is needed on the client to import the .p12.

Once these steps have been completed, the following should be run on the client machine.

Take a copy of 'clienttwo.p12' and 'root.der' (not clienttwo.der!) and place them in a folder on the target machine. Open a command prompt on the target machine, browse to the folder you've made containing these two files and run the following:

    encutilcmd certi -r root.der -i <name>.p12 -p <client password>

An example would be:

    encutilcmd certi -r root.der -i clienttwo.p12 -p clienttwo_pass

Run:

    encutilcmd client -state enabled -server <gateway FQDN>

Run:

    encutilcmd updateconfig

Now run:

    caf start encclient

Wait a while, then run 'encclient status' and observe.

** Now you should be able to block all ports in and out of the ENC Gateway/Domain Manager except port 443 (or the custom port you've chosen) and still be able to communicate with these agents.
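As an added example (this is my own script, not part of the original e-mail and not CA's tooling), the following PowerShell automates the per-client steps above on the domain manager: it issues one certificate per client with the same cacertutil syntax shown in the e-mail, refuses to reuse a file name (the overwrite problem the e-mail warns about), checks each .p12 before it leaves the box (private key present, issued by encroot, DNS name matches the client), stages only the two files a client needs, and gives you the exact encutilcmd certi line to run on the client. The certificate directory, root password, dc= value, gateway name and the client list are assumptions taken from the e-mail's examples; cacertutil is assumed to be on PATH and its .p12 output is assumed to be standard PKCS#12 that .NET can open.

```powershell
# Added example, not from the original e-mail or from CA: batch-issue ENC client
# certificates, verify them, stage <name>.p12 + root.der per client, and check
# the gateway port once the firewall is locked down.
# Assumptions (mine): cacertutil.exe is on PATH; its .p12 is standard PKCS#12;
# the defaults below mirror the e-mail's examples and the client list is made up.
param(
    [string]   $CertDir  = 'C:\ENC-CERTS',
    [string]   $RootPass = 'root_pass',                  # the -op: password used when root.p12 was created
    [string]   $Domain   = 'i365',                       # dc= value from the e-mail's examples
    [string]   $Gateway  = 'pucjo01vm-r12.pucjo01ad.com',
    [string[]] $Clients  = @('pucjo01w-pucjo01ad.com')   # constructed list: one FQDN per client
)

function New-ClientPassword {
    # Cryptographically random and alphanumeric only, so it is safe inside -op:<password>
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ([Convert]::ToBase64String($bytes) -replace '[^A-Za-z0-9]', '')
}

function New-EncClientCert {
    param([string]$Fqdn, [string]$Password)
    # File names come from the host part so every client gets its own <name>.p12/<name>.der;
    # the e-mail warns that reusing a name makes registrations overwrite each other.
    $name = $Fqdn.Split('.')[0]
    $p12Name = "$name.p12"; $derName = "$name.der"
    if (Test-Path $p12Name) { throw "$p12Name already exists; refusing to overwrite another client's certificate" }
    # Same cacertutil syntax as the e-mail, run from inside $CertDir like the e-mail does
    & cacertutil create "-o:$p12Name" "-od:$derName" "-i:root.p12" "-ip:$RootPass" `
        "-s:cn=$Fqdn,dc=$Domain,dc=com" "-xsan:$Fqdn" -as -ac -ae "-op:$Password"
    if ($LASTEXITCODE -ne 0) { throw "cacertutil failed for $Fqdn (exit code $LASTEXITCODE)" }
    return (Join-Path $CertDir $p12Name)   # full path: .NET below does not use the PowerShell location
}

function Test-EncClientCert {
    param([string]$P12Path, [string]$Password, [string]$Fqdn)
    # Open the PKCS#12 and confirm: private key present, DNS name is this host,
    # issuer is the encroot certificate created in the first step of the e-mail.
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $P12Path, $Password
    $dns    = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $issuer = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)
    return ($cert.HasPrivateKey -and ($dns -ieq $Fqdn) -and ($issuer -ieq 'encroot'))
}

function Copy-EncClientBundle {
    param([string]$P12Path)
    # Stage exactly what the e-mail says to copy: <name>.p12 and root.der, never <name>.der
    $dest = Join-Path $CertDir ('stage\' + [IO.Path]::GetFileNameWithoutExtension($P12Path))
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item $P12Path -Destination $dest
    Copy-Item (Join-Path $CertDir 'root.der') -Destination $dest
    return $dest
}

function Test-EncGatewayPort {
    param([string]$Gateway, [int]$Port = 443)
    # Run from a client after the gateway firewall is tightened: only 443 (or your custom port) should succeed
    return (Test-NetConnection -ComputerName $Gateway -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
}

Push-Location $CertDir
try {
    $issued = foreach ($fqdn in $Clients) {
        $pass = New-ClientPassword
        $p12  = New-EncClientCert -Fqdn $fqdn -Password $pass
        if (-not (Test-EncClientCert -P12Path $p12 -Password $pass -Fqdn $fqdn)) {
            throw "$p12 failed verification; do not deploy it"
        }
        $bundle = Copy-EncClientBundle -P12Path $p12
        # The password is returned to the operator for the vault; nothing here writes it to disk
        [pscustomobject]@{
            Fqdn          = $fqdn
            Bundle        = $bundle
            Password      = $pass
            ClientCommand = "encutilcmd certi -r root.der -i $(Split-Path $p12 -Leaf) -p $pass"
        }
    }
} finally { Pop-Location }
$issued | Format-List
```

Copy each staged folder to its client and run the ClientCommand shown, then continue with the encutilcmd client -state enabled, encutilcmd updateconfig and caf start encclient steps above. After you have closed the gateway's firewall down to 443, Test-EncGatewayPort -Gateway $Gateway -Port 443 run from a client should return True, and the same call against a port that used to be open should return False while encclient status still reports the gateway connection.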