In the previous part of this series we created the required certificate templates and some prerequisite configuration in terms of the NDES service account and a group for the NDES server to be a member of. In this part it’s time to get our hands dirty and install NDES on a domain member server.

Blog series overview

External and internal name resolution

Like described in the overview post of this series, we’re going to leverage Azure AD Application Proxy as a reverse proxy for publishing the NDES URL externally. Generally I recommend to create a CNAME for internal name resolution for services like this for the simple reason that it’d make management easier over time whenever there’d be any kind of need to re-point the internal name used for the Azure AD Application Proxy app. So I strongly suggest that you create a CNAME record e.g. ndes.domain.local in your internal DNS infrastructure pointing to the FQDN of the soon to be NDES server, e.g. NDES01.domain.local.

What Azure AD Application Proxy will do for us is to proxy any request coming to an external URL, e.g. ndes-tenantname.msappproxy.net to an internal URL, e.g. ndes.domain.local. When mobile devices retrieve a SCEP Certificate profile that contains the external URL for the NDES and this needs to be reversed into the internal URL.

At this point you may be thinking, why are we publishing the NDES URL now? The answer is pretty simple. We require to know about the exact external URL when we install NDES later on in this part of the series using the provided PowerShell script. The script will perform a validation check against one of the enrolled certificates available locally in the computer account certificate store (don’t worry, we’ll cover how to enroll these certificates a bit down).

Azure AD Application proxy configuration

Azure AD Application Proxy is a Azure AD Premium licensing feature and provides an alternative to having to maintain a virtual private network or demilitarized zone on-premises to enable remote end-user access to web applications. In this part of the series, we’re not going to cover the installation of the Azure AD Application Proxy agent. You simply just download it from the Azure portal and run the setup wizard and it will automatically connect to your tenant after you’ve successfully signed in during the wizard.

  • Sign in to the Azure portal (portal.azure.com).
  • Locate the Azure Active Directory blade and click on Application proxy.

  • On the top menu, click Configure an app.

  • Name the app something like Intune NDES for instance. Notice that the name of the app is automatically populated as a suggestion for part of the external URL. Enter the internal CNAME of the NDES server that you created earlier. You could also enter the FQDN of the NDES server instead. Some of the information in the picture below has been redacted to protect my tenant name, you should instead se your own tenant name in those places.

  • Change the Pre Authentication to Passthrough and remember to specify a Connector Group. If you’ve not created any custom connector groups, select Default. Finally click on the Add button in the top menu.

  • Verify that you see the following popup in the top right corner, that validates that the app has been successfully created.

You now have Azure AD Application Proxy configured and once NDES is installed later, you should be able to verify the externally published NDES URL by visiting for instance:

  • https://intunendes-tenantname.msappproxy.net/certsrv/mscep/mscep.dll

NOTE – Replace intunendes with the name that you chose and tenantname with your own tenant name in the above URL when verifying access to the NDES URL

Certificate details for NDES server

Before we go ahead and install the NDES server role on the domain member server, let’s talk more about the two certificates mentioned earlier in this part of the series. As you have probably noticed, we configure the Azure AD Application Proxy app with an internal HTTPS URL. In order for that to work, we need to enroll a certificate used for HTTPS binding in IIS. Below are the two different certificates that needs to be enrolled on the NDES server.

NDES SSL Certificate
  • Friendly Name: NDES SSL Certificate
  • Extended Key Usage: Server Authentication
  • Subject Name:
    • Common name – External FQDN of NDES server (e.g. intunendes-tenantname.msappproxy.net)
  • Subject Alternative Name:
    • DNS – External FQDN of NDES server (e.g. intunendes-tenantname.msappproxy.net)
    • DNS – Internal FQDN of NDES server (e.g. ndes01.domain.local)
NDES Client Certificate
  • Friendly Name: NDES Client Certificate
  • Extended Key Usage: Client Authentication
  • Subject Name:
    • Common name – Internal FQDN of NDES server (e.g. ndes01.domain.local)
  • Subject Alternative Name:
    • DNS – External FQDN of NDES server (e.g. intunendes-tenantname.msappproxy.net)
      • This is only required when deploying certificates for Android mobile devices
    • DNS – Internal FQDN of NDES server (e.g. ndes01.domain.local)

Issue certificates for NDES server

Enough talking about the certificate details, let’s get them enrolled on the NDES server.

Issue NDES SSL Certificate
  • Open a mmc.exe console and add the Certificates add-in for the local computer.
  • Expand the Certificates node and the Personal certificate store.
  • Rigtht-click on Certificates and select All Tasks > Request New Certificate.
  • Click Next and Next again in the wizard that appears.
  • Select the NDES Server certificate template and click the More information is required link.

  • Skip ahead to the General tab and give the certificate a friendly name, e.g. NDES SSL Certificate.

  • Go back to the Subject tab and select Common name in the Subject name drop down menu. In the Value field, type in the external FQDN of the NDES server. This would be the intunendes-tenantname.msappproxy.net example used in this post. Click Add. In the Alternative name section, select DNS as the type and add the external FQDN of the NDES server including the internal FQDN of the NDES server.

  • Click OK.
  • Click Enroll.

  • Click Finish once the certificate has been enrolled.

Issue NDES Client Certificate
  • Open a mmc.exe console and add the Certificates add-in for the local computer.
  • Expand the Certificates node and the Personal certificate store.
  • Rigtht-click on Certificates and select All Tasks > Request New Certificate.
  • Click Next and Next again in the wizard that appears.
  • Select the NDES Server certificate template and click the More information is required link.

  • Skip ahead to the General tab and give the certificate a friendly name, e.g. NDES Client Certificate.

  • Go back to the Subject tab and select Common name in the Subject name drop down menu. In the Value field, type in the internal FQDN of the NDES server. This would be the NDES01.domain.local example used in this post. Click Add. In the Alternative name section, select DNS as the type and add the external FQDN of the NDES server including the internal FQDN of the NDES server.

  • Click OK.
  • Click Enroll.

  • Click Finish.

Install and configure NDES server role

At this stage the NDES domain member server has been prepared and is ready to have the NDES server role installed. In my previous post regarding this topic I showed how to manually make all the required changes prior to installing the NDES server role and the required post installation tasks. Instead of doing that all over, and in order to speed things up and have it all documented at the same time, I’ve created a PowerShell script that takes care of it all. You can download the script from our GitHub repo at the following URL:

https://github.com/SCConfigMgr/Intune/blob/master/Certificates/Install-MSIntuneNDESServer.ps1

Prior to running this script, you need to be able to provide an Enterprise Admin credential and you also need to be a local administrator on the NDES server. Additionally, you also need to be able to input the NDES service account credentials.

Running the script is fairly simple, you only have to provide the following input parameters:

  • CertificateAuthorityName
    • This needs to be a combination of the <Certificate Authority FQDN>\<Certificate Authority name>
    • Example input: CA01.domain.local\DOMAIN-CA01-CA
  • NDESTemplateName
    • This would be the template name (not display name) created earlier in part two of this series
    • Example input: NDESIntune
  • NDESExternalFQDN
    • This would be the URL published externally using Azure AD Application Proxy
    • Example input: intunendes-tenantname.msappproxy.net
  • RegistrationAuthorityName
    • This would be the name of the Registration Authority
    • Example input: Name
  • RegistrationAuthorityCompany
    • This would be the company name of the Registration Authority
    • Example input: CompanyName
  • RegistrationAuthorityDepartment
    • This would be the department of the Registration Authority
    • Example input: Department
  • RegistrationAuthorityCity
    • This would be the city of the Registration Authority
    • Example input: City

I’d also suggest that you pass the Verbose parameter to get the output shown in the picture below. Here’s an example of how to use the script:

.\Install-MSIntuneNDESServer.ps1 -CertificateAuthorityConfig "CA01.domain.local\DOMAIN-CA01-CA" -NDESTemplateName "NDESIntune" -NDESExternalFQDN "intunendes-tenantname.msappproxy.net" -RegistrationAuthorityName "Name" -RegistrationAuthorityCompany "CompanyName" -RegistrationAuthorityDepartment "Department" -RegistrationAuthorityCity "City" -Verbose

Right after the script has executed it will prompt for the Enterprise Admin credential followed with a prompt for the NDES service account credentials.

Once the installation has completed, it’s important that you restart the server. Once the server has restarted, verify that you can access the following URLs:

  • https://NDES01.domain.local/certsrv/mscep/mscep.dll
  • https://intunendes-tenantname.msappproxy.net/certsrv/mscep/mscep.dll

At this point it’s expected that you’re able to browse the mentioned URL’s above. Later when the Intune Certificate Connector will be installed it will take care of securing the URL’s rendering them giving you an expected 403 error message.

In the next part of this blog series we’ll go over the steps of installing the Intune Certificate Connector and make sure it connects with Microsoft Intune.

(2782)

Nickolaj Andersen

Principal Consultant and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Currently working for TrueSec as a Principal Consultant. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences and user groups.

There are no comments.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.