Microsoft Intune introduced High Available (HA) support for SCEP/PFX Connector
Since December 2017 Microsoft Intune introduced support for multiple active SCEP/PFX connectors per tenant in order to provide high availability for certificate handling.
Initially the Microsoft Intune SCEP/PFX connector didn’t provide support for high availability. The SCEP/PFX connector could be installed as an single instance with no option for multiple active connectors.
Notes: by default the connectors listed in the Microsoft Intune portal cannot be identified/linked to the on-premise servers where the SCEP/PFX connectors are installed on. My advice is to rename the first connector after installation and repeat this for each additional connector installed, to overcome this.
Multiple active SCEP/PFX connectors
Customers who use the on-premise SCEP/PFX connector to deliver certificates to devices, can now configure multiple connectors in a single tenant. Each connector pulls certificate tasks (e.g. requests, renewal or revocation) from Intune. If one connector goes offline, the other connector continue to process these certificate requests.
Microsoft Intune SCEP/PFX connector active failover PFX Connector 1.
As the SCEP/PFX connector is a key component in a certificate deployment infrastructure high availability support is a must for large enterprises. End-users which contains a valid certificate are not directly effected in case of a failure, as they’re still able to access corporate resources. Once a device is retired/wiped we must be sure that the certificate revocation is performed.
Although Microsoft Intune provides support for multiple active SCEP/PFX connectors, there can be only one Certificate Authority (CA) configured per Microsoft Intune PCKS profile. Defining multiple PCKS profiles can be considered to have multiple CA’s in scope. This from a loadbalancing and/or high available perspective.
- Part 1 – Deploying Microsoft Intune PFX connector in an Enterprise world…common practices
- Part 2 – Deploying Microsoft Intune Connector in an Enterprise world: troubleshooting
- What’s new in Microsoft Intune
- How to configure certificates in Microsoft Intune (new Intune Azure portal)
- Configure your Microsoft Intune certificate infrastructure for PKCS (PFX)
- Configure certificate infrastructure for SCEP in Microsoft Intune
Nice, looks like the azure application proxy component is used for more and more workloads. I suspect the scep connector also uses some aadap technology.
Seems familiar and they have in common you’re opening an outbound connection without the need of opening ports for external publishing. The connector framework looks similar to Azure AD (Health) Connect, Proxy and Exchange Connector, AIP connector, etc. Actually you can publish NDES via AADAP.
Thank You for sharing this!