How to Publish the CRL on a Separate Web Server

Carol Bailey (MSFT, Moderator), Sunday, May 03, 2009 3:01 PM

One of the most commonly seen problems when deploying Internet-based client management is access to the CRL (certificate revocation list). Although this is PKI design rather than part of Configuration Manager, failure to access the CRL when needed will result in failed Internet-based client management connections.

By default, the Internet-based site systems need to check the CRL for the CA that issued the client certificates (this is a setting inherited by IIS). Additionally, if CRL checking is enabled on the Configuration Manager clients, when they are on the Internet they will still need to check the CRL for the CA that issued the server certificates. This gets a bit tricky with IBCM, because computers on the Internet or in the DMZ cannot access a CRL in the intranet, unless you are using something like ISA publishing. Turning off CRL checking to get around the problem is not recommended for security reasons.

If you are having problems with this requirement, see the following blog post for our tips on publishing the CRL on a separate Web server in the DMZ (another forest either with or without a trust relationship to the intranet). Even if the DMZ environment does not apply to you, you might find these procedures useful if you need to publish additional CRL distribution points (CDPs) in the intranet for high availability and to reduce WAN traffic:

http://blogs.technet.com/configmgrteam/archive/2009/05/01/how-to-publish-the-crl-on-a-separate-web-server.aspx
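The post describes two CRL lookups that must succeed from outside the intranet: the Internet-based site system checks the CRL of the CA that issued the client certificates, and an Internet client (with CRL checking on) checks the CRL of the CA that issued the server certificate. The script below is an added example, not code from the original post or the linked blog: run it on the machine whose vantage point you want to test, pointing it at the certificate that machine will be asked to validate. It reads the CDP extension (OID 2.5.29.31) out of the certificate, tries to download each HTTP CDP URL, prints the CRL's ThisUpdate/NextUpdate so you can see whether the published copy is stale, and finally lets CryptoAPI do the authoritative check with `certutil -verify -urlfetch`. The certificate path, the temporary file name and the assumption that the CDP is an HTTP URL (an LDAP CDP is unreachable from the Internet or a workgroup DMZ host) are mine, not the post's.

```powershell
# Added example (not from the original post or the linked blog).
# Run on the host whose CRL access you want to verify:
#   - on the Internet-based management point, pass a client certificate;
#   - on an Internet client, pass the site system's server certificate.
# Assumes the certificate was exported to a DER or Base64 .cer file and that
# at least one CDP entry is an HTTP URL reachable from this vantage point.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.31 is the CRL Distribution Points extension.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning 'Certificate carries no CDP extension; revocation checking cannot succeed for it.'
    return
}

# Format($true) renders the extension as text; collect every URL= entry it lists.
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    if ($url -notmatch '^https?://') {
        # ldap:// CDPs need Active Directory; Internet clients and workgroup DMZ hosts skip them.
        Write-Warning "Non-HTTP CDP $url is not reachable from the Internet or a workgroup DMZ host."
        continue
    }

    $tmp = Join-Path $env:TEMP 'cdp-test.crl'   # temporary file name is an assumption
    try {
        $response = Invoke-WebRequest -Uri $url -UseBasicParsing -OutFile $tmp -PassThru -ErrorAction Stop
        Write-Host ('{0} -> HTTP {1}, {2} bytes' -f $url, $response.StatusCode, (Get-Item $tmp).Length)

        # certutil -dump prints ThisUpdate/NextUpdate for a CRL file. A CRL whose NextUpdate has
        # passed is treated as unavailable, which fails the connection just like an unreachable CDP.
        certutil -dump $tmp |
            Select-String 'ThisUpdate|NextUpdate' |
            ForEach-Object { '  ' + $_.Line.Trim() }
    }
    catch {
        Write-Warning "Could not fetch $url : $($_.Exception.Message)"
    }
    finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# Authoritative check: build the chain the way IIS and the client will, fetching CRLs over the network.
certutil -verify -urlfetch $CertPath
```

Run it as `.\Test-Cdp.ps1 -CertPath .\client.cer` from the DMZ site system and `.\Test-Cdp.ps1 -CertPath .\mp-server.cer` from an Internet client. Clear the local CryptoAPI URL cache first (`certutil -urlcache * delete`) so a CRL cached while the machine was still on the intranet does not mask a CDP that is unreachable from outside. If the download succeeds but `certutil -verify -urlfetch` still reports a revocation failure, compare the NextUpdate printed above with the current time and with the publication schedule on the separate Web server described in the linked blog post.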