If someone wants to take advantage of the enterprise certificate authority, but wants the best security, can the certificate authority be placed on the internal network (thereby requiring the ISA server to be a member of the internal domain)?
Microsoft recommends deploying a standalone certificate authority to protect the root certificate authority from being compromised. Standalone certificate authorities can be taken offline (when they are not being used to generate certificates), which helps to protect the validity of your root certificate authority. The workload of deploying user certificates can be done by subordinates while the root certificate authority is offline. Subordinate certificate authorities can be member servers of the domain and can be used for automating the deployment of certificates.
How can ISA help? ISA can prevent any external users from accessing the certificate authority. And depending on how you configure ISA, it can even help you protect your certificate authority from internal users as well.
I hope this helps. Please respond with a comment to this answer if I'm way off base here.