Hi I am setting ADCS 2008 R2 services and would like to use web enrollment for some of certificate templates. From a technical architecture point of view, I would like to know whether it is advised to keep the web enrollment server in the same network or a different network. For example, the CA and HSM are in a private LAN and protected by a firewall. Would be advisable to place the web enrollment server outside the firewall ie., DMZ or within the same LAN as the CAs are? Also, can any body provide me a reference where the best practices are explained more towards the technical architecture of a Windows Certificate Services. Regards Sanurajan.

Hi, Thanks for your post. For more detailed information about Certificate Enrollment Web Services infrastructure, please refer to the following document published by Microsoft. Hope it helps. Certificate Enrollment Web Services Whitepaper http://download.microsoft.com/download/C/2/2/C229E624-36E4-4AD8-9D86-F564ED539A16/Windows%20Server%202008%20R2%20Certificate%20Enrollment%20Web%20Services.doc Best Regards, AidenAiden Cao TechNet Community Support