AIA access for internet-based clients in native mode

  • Monday, October 05, 2009 7:51 PM  Josh_S
    I have an environment where some clients will be primarily internet-based but the issuing CA will be on the intranet.  When clients connect from the Internet and they are configured for CRL checking, they will not be able to access the CRL from the CA.  They will also not be able to access the AIA for certificate chaining.  I read this article describing how to publish the CRL on a separate web server outside of the forest:

    http://blogs.technet.com/configmgrteam/archive/2009/05/01/how-to-publish-the-crl-on-a-separate-web-server.aspx

    My question is, what about the AIA?  Does it need to be available to these internet-based systems as well?  Or will the CRL suffice? 

    Thanks!
    • Moved by Torsten [MVP], Tuesday, October 06, 2009 7:06 AM: Moved to IBCM subforum (From: Configuration Manager Setup/Deployment)

Answers

  • Tuesday, October 06, 2009 1:57 PM  Carol Bailey  MSFT, Moderator
     Answer
    "primarily internet-based" - this is probably the key here.  If these clients have already connected to native mode site systems on the intranet and then move to the Internet, then they will have already downloaded the intermediate CA certificates that they need for chaining.  If not (and for CA certificate renewal purposes when clients are on the Internet), then yes, you could apply the same logic/design to AIA locations (as an alternative, you could export and install them onto clients).  If you need more information, you can post questions about AIA extensions to the Windows security forum: http://forums.technet.microsoft.com/en-US/winserversecurity/threads/


    - Carol


    This posting is provided “AS IS” with no warranties and confers no rights
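The following PowerShell script is an added example for the answer above; it is not part of the original thread and not Microsoft's or the ConfigMgr team's code. Run on a client while it is on the Internet, it checks the three things Carol's answer turns on: whether the issuing CA certificate is already cached in the machine's Intermediate Certification Authorities store, which AIA and CDP URLs the client certificate actually carries and whether each one answers from outside, and whether a full chain build with online revocation checking succeeds. The subject `CN=client01.contoso.com` and the store location `Cert:\LocalMachine\My` are assumptions; replace them with the native mode client certificate in your environment.

```powershell
# Added example, not from the original post. Checks whether a native mode client
# certificate can chain and be revocation-checked from the Internet.
# Assumptions: the client certificate lives in Cert:\LocalMachine\My and has the
# hypothetical subject below; HTTP URLs are probed with a plain GET.
param(
    [string]$Subject = 'CN=client01.contoso.com'   # hypothetical subject, change to yours
)

# Pull every "URL=" entry out of the AIA (1.3.6.1.5.5.7.1.1) and CDP (2.5.29.31)
# extensions. AsnEncodedData.Format($true) renders the extension the same way
# certutil does, one URL= per line, so a regex is enough.
function Get-CertificateUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($oid in '1.3.6.1.5.5.7.1.1', '2.5.29.31') {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if (-not $ext) { continue }
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            [pscustomobject]@{ Extension = $ext.Oid.FriendlyName; Url = $m.Groups[1].Value }
        }
    }
}

# Probe one URL. LDAP URLs are listed but never reachable from the Internet,
# so only HTTP locations count towards the client being able to chain.
function Test-PkiUrl {
    param([string]$Url)
    if ($Url -notmatch '^https?://') {
        return [pscustomobject]@{ Url = $Url; Reachable = $false; Note = 'non-HTTP location, unusable from the Internet' }
    }
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Url = $Url; Reachable = ($r.StatusCode -eq 200); Note = "HTTP $($r.StatusCode)" }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Note = $_.Exception.Message }
    }
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }

# 1. Is the issuing CA certificate already cached? This is the "already
#    downloaded the intermediate CA certificates" case from the answer.
$issuerCached = Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -eq $cert.Issuer }
"Issuing CA '$($cert.Issuer)' cached in LocalMachine\CA: $([bool]$issuerCached)"

# 2. List every AIA/CDP URL in the client certificate and whether it answers from here.
Get-CertificateUrls -Cert $cert | ForEach-Object {
    $t = Test-PkiUrl -Url $_.Url
    [pscustomobject]@{ Extension = $_.Extension; Url = $_.Url; Reachable = $t.Reachable; Note = $t.Note }
} | Format-Table -AutoSize

# 3. The test the client itself performs: build the chain with online revocation
#    checking for every certificate in it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
"Chain builds with online revocation checking: $($chain.Build($cert))"
$chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
```

If the issuing CA is not cached and its AIA URL is not reachable, the client has no way to complete the chain from the Internet; either publish the issuing CA certificate at an externally reachable AIA location in the same way the linked article does for the CRL, or take the answer's alternative and pre-install it on the client, for example with `certutil -addstore CA IssuingCA.cer` after exporting the CA certificate on the intranet. Note that a cached intermediate only helps until the CA certificate is renewed, which is why the answer calls out renewal separately.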

All Replies

  • Tuesday, October 06, 2009 7:06 AM  Torsten [MVP]  MVP
    Moving this thread to the native mode subforum ...