Microsoft Intune introduced High Available (HA) support for SCEP/PFX Connector


Since December 2017, Microsoft Intune supports multiple active SCEP/PFX connectors per tenant in order to provide high availability for certificate handling.

Initially, the Microsoft Intune SCEP/PFX connector didn’t support high availability. The SCEP/PFX connector could only be installed as a single instance, with no option for multiple active connectors.

Microsoft Intune SCEP/PFX connector supports multiple active connectors per tenant.

Note: by default, the connectors listed in the Microsoft Intune portal cannot be identified or linked to the on-premises servers on which the SCEP/PFX connectors are installed. To overcome this, my advice is to rename the first connector after installation and repeat this for each additional connector you install.

Multiple active SCEP/PFX connectors

Customers who use the on-premises SCEP/PFX connector to deliver certificates to devices can now configure multiple connectors in a single tenant. Each connector pulls certificate tasks (e.g. requests, renewals or revocations) from Intune. If one connector goes offline, the other connector continues to process these certificate requests.

Microsoft Intune SCEP/PFX connector High Availability.

Microsoft Intune SCEP/PFX connector active failover PFX Connector 1.

Microsoft Intune SCEP/PFX connector active failover PFX Connector 2.

As the SCEP/PFX connector is a key component in a certificate deployment infrastructure, high availability support is a must for large enterprises. End users who hold a valid certificate are not directly affected in case of a failure, as they’re still able to access corporate resources. However, once a device is retired/wiped, we must be sure that the certificate revocation is performed.

Microsoft Intune SCEP/PFX connector High Availability – Certificate Authority failover.

Although Microsoft Intune supports multiple active SCEP/PFX connectors, only one Certificate Authority (CA) can be configured per Microsoft Intune PKCS profile. From a load-balancing and/or high-availability perspective, defining multiple PKCS profiles can be considered in order to bring multiple CAs into scope.

Microsoft Intune PKCS profile

Sources

  • Part 1 – Deploying Microsoft Intune PFX connector in an Enterprise world…common practices

https://ronnydejong.com/2017/02/20/part-1-deploying-microsoft-intune-pfx-connector-in-an-enterprise-worldcommon-practices/

  • Part 2 – Deploying Microsoft Intune Connector in an Enterprise world: troubleshooting

https://ronnydejong.com/2017/05/02/part-2-deploying-microsoft-intune-connector-in-an-enterprise-world-troubleshooting/

  • What’s new in Microsoft Intune

https://docs.microsoft.com/en-us/intune/whats-new#week-of-december-11-2017

  • How to configure certificates in Microsoft Intune (new Intune Azure portal)

https://docs.microsoft.com/en-us/intune-azure/configure-devices/how-to-configure-certificates

  • Configure your Microsoft Intune certificate infrastructure for PKCS (PFX)

https://docs.microsoft.com/en-us/intune-azure/configure-devices/configure-certificate-infrastructure-for-pfx

  • Configure certificate infrastructure for SCEP in Microsoft Intune

https://docs.microsoft.com/en-us/intune-azure/configure-devices/configure-certificate-infrastructure-for-scep

3 thoughts on “Microsoft Intune introduced High Available (HA) support for SCEP/PFX Connector”

  1. Nice, looks like the Azure Application Proxy component is used for more and more workloads. I suspect the SCEP connector also uses some AADAP technology.

    • Seems familiar and they have in common you’re opening an outbound connection without the need of opening ports for external publishing. The connector framework looks similar to Azure AD (Health) Connect, Proxy and Exchange Connector, AIP connector, etc. Actually you can publish NDES via AADAP.
