In this entry I review the configuration steps for validating that Mutual Transport Layer Security (MTLS) is enabled for traffic between an LCS 2005 SP1 Standard Edition Server and any Office Communicator 2005 clients interacting with this server within the corporate enterprise. I include installation of a Windows 2003 R2 Enterprise Certification Authority to issue a certificate from the Enhanced Key Usage (EKU) Server Authentication certificate template to the LCS2k5 SP1 Server. Then I configure the LCS2k5 SP1 Server to offer this certificate to Office Communicator 2005 clients when they connect. Additionally, I show how to manually configure the Office Communicator 2005 clients to use MTLS over TCP instead of plain TCP.

There are several practices offered here that should be used only in a testing scenario. Those practices include:

- Installation of an Enterprise Root Certification Authority (ER-CA) on an Active Directory Domain Controller
- Installation of a single Certification Authority (CA)
- Not reviewing backup and restore procedures for the key management components of the Certification Authority
- Not reviewing use of the Security Configuration Wizard (SCW) along with Group Policy Objects to further reduce Public Key Infrastructure (PKI) attack vectors

Here is the network environment detail (the specific installation steps are here):

- LCS2k5 SP1 Standard Edition
- MSDE database
- No Federation
- No Archiving
- No Access Proxy
- Single forest
- Single domain
- Enterprise client IM, text only
- TCP transport, client to server and server to client (I change this to MTLS over TCP)
- Client configuration: manually configured
- No IPSec, client to server
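To make the validation step concrete, here is an added PowerShell check (my example, not code from the original post or from Microsoft) that connects to the LCS server on the SIP/TLS port, confirms the certificate it offers carries the Server Authentication EKU, chains to a trusted root, and names the server, and then reads the Communicator 2005 transport policy on the client. The server FQDN is a placeholder, port 5061 is the standard SIP-over-TLS port, and the policy key and value names (ServerAddressInternal, Transport with 1 = TCP and 2 = TLS) are an assumption to verify against your own Communicator ADM template.

```powershell
# Added example, not part of the original post: a read-only check that an LCS 2005
# server answers MTLS on the SIP/TLS port and presents a certificate carrying the
# Server Authentication EKU, plus a look at the Communicator 2005 transport policy.
# The server FQDN is a placeholder; the policy key/value names are an assumption.
param(
    [string]$Server = "lcs01.corp.example",   # placeholder FQDN of the LCS2k5 SP1 server
    [int]$Port      = 5061                    # SIP over TLS; 5060 is the plain-TCP SIP port
)

$ServerAuthOid = "1.3.6.1.5.5.7.3.1"          # Enhanced Key Usage: Server Authentication

function Test-LcsServerCertificate {
    param([string]$Server, [int]$Port)

    $tcp = New-Object -TypeName System.Net.Sockets.TcpClient
    $tcp.Connect($Server, $Port)
    # Accept the certificate at handshake time so it can be inspected below;
    # the actual trust decision is made by X509Chain.Build() further down.
    $ssl = New-Object -TypeName System.Net.Security.SslStream -ArgumentList @(
        $tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList $ssl.RemoteCertificate

        # Look for the EKU extension and the Server Authentication OID inside it
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })

        # Build the chain against the local trust store (the enterprise root CA from this post)
        $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)

        # The DNS name the certificate asserts must match the FQDN clients connect to
        $dnsName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        [pscustomobject]@{
            Server        = $Server
            Protocol      = $ssl.SslProtocol
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NameMatches   = ($dnsName -eq $Server)
            ServerAuthEku = [bool]$hasServerAuth
            ChainValid    = $chainOk
            NotAfter      = $cert.NotAfter
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

function Get-CommunicatorTransportPolicy {
    # Assumed policy location and value names from the Communicator 2005 ADM template
    # (ServerAddressInternal; Transport: 1 = TCP, 2 = TLS). Verify against your template.
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\Communicator"
    if (-not (Test-Path $key)) { return $null }   # no policy applied on this client
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ServerAddressInternal = $p.ServerAddressInternal
        Transport             = $p.Transport
        UsesTls               = ($p.Transport -eq 2)
    }
}

# Server side: every field should read $true for a correctly issued certificate
Test-LcsServerCertificate -Server $Server -Port $Port | Format-List
# Client side: UsesTls should be $true once the client is switched from TCP to MTLS
Get-CommunicatorTransportPolicy | Format-List
```

Run the server check from a domain-joined workstation that trusts the new enterprise root; a ChainValid of $false with the other fields $true usually means the root CA certificate has not yet reached that machine's trusted store via Group Policy. A missing policy key on the client is the "manually configured" state the post describes, so the client-side check is only meaningful once the transport setting has been applied.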
Lynn Lunik
Independent Security Consultant, Windows(R) Platform
IT Pro Secure Corporation and exchangesummit.net
http://itprosecure.com and http://www.exchangesummit.net
blog <at> itprosecure.com