Private Endpoints

Last updated 27 days ago

When installing SCEPman 2.8 or newer, the Storage Account and Key Vault will be connected to a VNET through Private Endpoints. Access to the data of these two Azure Resources is only possible through this VNET, unless you define exceptions.

This VNET is located in the same resource group as the other SCEPman components. The SCEPman and SCEPman Certificate Master App Services are connected to the VNET and, on a network level, have access to the Storage Account and the Key Vault.

After installation, no exceptions are configured, so no other entity can access the Key Vault certificates and keys or the Table Storage of the Storage Account. If access from outside the VNET is required, for example when generating a Subordinate CA or when querying the Storage Account, you need to add exceptions under the Networking blade of the respective Azure Resource.

Access to the management interface of the Key Vault and Storage Account is unaffected, i.e. you don't need to add your admin machines to the exception list to perform functions such as changing the SKU of your Storage Account or inspecting the access logs of your Key Vault. Of course, you can use Conditional Access to restrict access to the Azure Portal.

The SCEPman and SCEPman Certificate Master App Services do not have Private Endpoints, even if you install SCEPman 2.8 or newer. They can still be accessed from the Internet without networking restrictions. We recommend not restricting access to SCEPman on a networking level, as SCEPman is usually part of the infrastructure used to establish network connections and should therefore be available even if you are not yet connected.

If needed, Conditional Access can be employed to limit access to SCEPman Certificate Master with various restrictions, including networking conditions. SCEPman itself usually does not use Conditional Access, as its two endpoints, SCEP and OCSP, do not use Entra authentication. However, you might use Conditional Access to restrict access to SCEPman's REST API.

Adding Private Endpoints to Existing SCEPman Installations

If you have installed SCEPman 2.7 or older, your Key Vault and Storage Account won't automatically have Private Endpoints, even if you update to SCEPman 2.8 or newer. You have to add them manually after a conscious decision. Please follow this guide to do so:

  • Create Virtual Network:

    • In the SCEPman resource group, create a virtual network using default settings or as required by your organisation.

    • Create a new subnet in the new Virtual Network with default settings and set "Subnet Delegation" to Microsoft.Web/serverFarms.

  • Create Key Vault Private Endpoint:

    • Navigate to your SCEPman's Resource Group > Key Vault > Settings > Networking > Private endpoint connections, and create a private endpoint.

    • Select resource type: Microsoft.KeyVault/vaults

    • Select your Key Vault under Resource and vault as Target sub-resource.

    • Choose the virtual network and the default subnet (not the delegated subnet created in the first step).

    • Enable "Integrate with private DNS zone" to automatically create and connect the Private DNS zone.

  • Create Storage Account Private Endpoint:

    • Navigate to Storage Account > Security + Networking > Networking > Private endpoint connections and create a private endpoint.

    • Under Resource, set Target sub-resource to table.

    • Choose your virtual network and the default subnet.

    • Enable "Integrate with private DNS zone" to automatically create and connect the Private DNS zone.

  • Integrate SCEPman App Service:

    • Navigate to SCEPman App Service > Networking and add a virtual network integration to the Outbound traffic configuration by clicking on "Not configured".

    • Select the virtual network and the delegated subnet created in the first step.

    • Uncheck the option "Outbound internet traffic" and apply.

  • Integrate Certificate Master App Service:

    • When adding the virtual network integration to the second App Service, you can select the existing connection from the list; you don't have to create a new connection.

    • If enabled, uncheck the option "Outbound internet traffic" and apply.

Now verify that the private endpoints for both the Key Vault and Storage Account are approved.

Once confirmed, you can disable public access for both the Key Vault and the Storage Account.
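The portal steps above can also be expressed as infrastructure code. The following Terraform configuration is an added example, not SCEPman's own Terraform deployment: it reads the existing Key Vault, Storage Account and the two App Services, then creates the VNET with a default subnet and a subnet delegated to Microsoft.Web/serverFarms, one Private Endpoint and one Private DNS zone each for the Key Vault (sub-resource vault) and the Storage Account (sub-resource table), and joins both App Services to the delegated subnet. All resource names, the address space and the assumption that SCEPman runs on a Windows App Service are placeholders to adjust to your deployment.

```hcl
# Added example (not SCEPman's code): the Private Endpoint guide as Terraform.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.100" }
  }
}

provider "azurerm" {
  features {}
}

locals {
  rg          = "rg-scepman"             # assumed resource group of the SCEPman components
  location    = "westeurope"             # assumed region
  key_vault   = "kv-scepman-example"     # assumed existing Key Vault name
  storage     = "stscepmanexample"       # assumed existing Storage Account name
  scepman_app = "app-scepman-example"    # assumed existing SCEPman App Service name
  certmaster  = "app-scepman-cm-example" # assumed existing Certificate Master App Service name
}

# The data-plane resources and App Services already exist: read them, do not recreate them.
data "azurerm_key_vault" "kv" {
  name                = local.key_vault
  resource_group_name = local.rg
}

data "azurerm_storage_account" "st" {
  name                = local.storage
  resource_group_name = local.rg
}

# Assumes Windows App Services; use data "azurerm_linux_web_app" otherwise.
data "azurerm_windows_web_app" "apps" {
  for_each            = toset([local.scepman_app, local.certmaster])
  name                = each.value
  resource_group_name = local.rg
}

# Step 1: VNET with a default subnet for the Private Endpoints and a subnet
# delegated to Microsoft.Web/serverFarms for the App Service VNET integration.
resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-scepman"
  location            = local.location
  resource_group_name = local.rg
  address_space       = ["10.20.0.0/16"] # constructed address space
}

resource "azurerm_subnet" "endpoints" {
  name                 = "default"
  resource_group_name  = local.rg
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.20.0.0/24"]
}

resource "azurerm_subnet" "appsvc" {
  name                 = "snet-appservice"
  resource_group_name  = local.rg
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.20.1.0/24"]

  delegation {
    name = "appservice"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

# Steps 2 and 3: one Private Endpoint and one Private DNS zone per data service.
# "vault" and "table" are the target sub-resources named in the guide.
locals {
  endpoints = {
    keyvault = { id = data.azurerm_key_vault.kv.id, sub = "vault", zone = "privatelink.vaultcore.azure.net" }
    storage  = { id = data.azurerm_storage_account.st.id, sub = "table", zone = "privatelink.table.core.windows.net" }
  }
}

resource "azurerm_private_dns_zone" "zone" {
  for_each            = local.endpoints
  name                = each.value.zone
  resource_group_name = local.rg
}

# The zone only resolves inside the VNET once it is linked to it.
resource "azurerm_private_dns_zone_virtual_network_link" "link" {
  for_each              = local.endpoints
  name                  = "link-${each.key}"
  resource_group_name   = local.rg
  private_dns_zone_name = azurerm_private_dns_zone.zone[each.key].name
  virtual_network_id    = azurerm_virtual_network.vnet.id
}

resource "azurerm_private_endpoint" "pe" {
  for_each            = local.endpoints
  name                = "pe-${each.key}"
  location            = local.location
  resource_group_name = local.rg
  subnet_id           = azurerm_subnet.endpoints.id # default subnet, not the delegated one

  private_service_connection {
    name                           = "psc-${each.key}"
    private_connection_resource_id = each.value.id
    subresource_names              = [each.value.sub]
    is_manual_connection           = false # auto-approved when the caller may manage the target
  }

  # Equivalent of "Integrate with private DNS zone" in the portal.
  private_dns_zone_group {
    name                 = "default"
    private_dns_zone_ids = [azurerm_private_dns_zone.zone[each.key].id]
  }
}

# Steps 4 and 5: both App Services share the same delegated subnet.
resource "azurerm_app_service_virtual_network_swift_connection" "apps" {
  for_each       = data.azurerm_windows_web_app.apps
  app_service_id = each.value.id
  subnet_id      = azurerm_subnet.appsvc.id
}
```

Two points from the guide are deliberately left to the portal or to the resources' own definitions: the "Outbound internet traffic" checkbox is the App Service's vnet_route_all_enabled site setting (off by default, which is what the guide asks for), and disabling public access afterwards is a property of the Key Vault and Storage Account themselves (for example az keyvault update --public-network-access Disabled and az storage account update --public-network-access Disabled), as are any exceptions you later add under their Networking blades. Because is_manual_connection is false, the Private Endpoint connections are created in the Approved state, which is what the verification step below checks for.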

For testing, you can create a new client certificate in Certificate Master, see Client Certificate.

Azure Resources Used for Private Endpoints

Type                    Description

Virtual Network         The SCEPman App Services, the Key Vault, and the Storage Account connect over this VNET.

Private Endpoint (×2)   One for the Key Vault and one for the Storage Account. It makes them accessible over the VNET.

Private DNS zone (×2)   One for the Key Vault and one for the Storage Account. They both have an internal IP address in the VNET, for which they have a name in their respective Private DNS zone.

Network Interface (×2)  One for the Key Vault and one for the Storage Account. It connects the Private Endpoint to the VNET.