SCS cert question



lammbo
2007-11-14, 16:45
My company bought another company. They (thankfully) have CheckPoint firewalls so I will be taking over management of their firewalls within a few months. In the meantime, the rest of the IT staff at my company is planning on migrating the Windows domain this weekend. This other company has their SCS running on a Windows server that is also their Domain Controller, print server, file server, DNS, etc. (groan).

They have no additional hardware available for me to split off SCS right now, so that is not an option or I would setup a SPLAT box for SCS and move the IP and DB.

So, if the IP and NetBIOS name remain the same, should I be OK on the certs generated by SCS? The FQDN will change when they disjoin from the previous domain and join ours; is the FQDN used when SCS generates its certs, or am I going to have an issue with this?

Thanks in advance guys!

Barry J. Stiefel
2007-11-14, 17:59
My understanding is that a root CA starts off by self-signing its own certificate, and it's tied to the FQDN. If you change the FQDN on your SCS, I think you're in for a world of hurt.
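As an added illustration (not from the thread, and not Check Point's own tooling), the script below builds a throwaway self-signed CA with a constructed name, reads back the subject actually stored in the certificate, and runs OpenSSL's hostname check against both the old FQDN and a planned new one. The host names and the working directory are assumptions. It shows the general point behind the answer above: a certificate keeps whatever name it was issued with, so the check to run before any rename is to read the subject out of the existing CA certificate instead of guessing.

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point: a throwaway self-signed CA
# with a constructed CN, used to show that the name inside the certificate does not
# follow a later host rename. Requires the openssl CLI.
set -e

OLD_FQDN="scs.oldcorp.example"   # constructed: name the CA was issued with
NEW_FQDN="scs.newcorp.example"   # constructed: name the host would get after rejoining a domain
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA certificate whose subject CN is $1 (throwaway, unencrypted key).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Print the subject actually stored in certificate file $1, e.g. "CN=scs.oldcorp.example".
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Exit 0 only if certificate $1 passes OpenSSL's hostname check for name $2.
# The CA cert is used as its own trust anchor, so only the name binding is being tested.
name_matches() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

make_ca "$OLD_FQDN"
echo "subject stored in certificate: $(cert_subject "$WORK/ca.pem")"
for name in "$OLD_FQDN" "$NEW_FQDN"; do
  if name_matches "$WORK/ca.pem" "$name"; then
    echo "$name: matches the certificate"
  else
    echo "$name: does NOT match the certificate"
  fi
done
```

Run it as-is to see the old name pass and the new name fail; point `cert_subject` at a real CA certificate (exported in PEM form) to see which name a production CA is bound to before deciding whether a rename is safe.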

lammbo
2007-11-15, 09:25
Well, that sucks... Thanks for the answer though Barry!

So as I see it, I have 2 options:
(We have a DC for my company's domain in-place at that site now, so this server in question does not need to remain a DC)

1) Leave that DC as-is and set up a domain trust in Windows until I assume management of their firewalls with my SCS, at which point this won't matter. Then that server can be demoted at a later date, I can remove SCS, and then it can be joined to my domain as a member server.


2) Upgrade_export the DB from SCS.
a) Move DHCP, DNS, etc. to the DC we already have there. Demote this server so it's not a DC. Change the IP and hostname on this server. Join my domain as member server.

b) Build another SCS (high end workstation is all I have available). Use the same IP and FQDN on the new server. Perform upgrade_import on this new box. SIC and CERTS should all be valid and life goes on running on a high-end workstation for a month or two.


If anyone has better advice, I have until about noon today (EST) to decide. I welcome any advice that has better alternatives.