UAG - CRL not resolving from client RRS feed

  • Question

  • Hi,

    I have a UAG Server with 2 NICs, one in the LAN and one in the DMZ. The DMZ has real IP addresses and the WAN NIC on the UAG has 2 consecutive public IP addresses.

    NLS is hosted on one server and the CRL is published to another server on the LAN eg http://crl.domain.com/CRLD.

    The internal domain name is the same as the external domain name eg domain.com. The CRL can be contacted from the LAN. We set up an A record on public DNS for crl.domain.com and a Trunk on the UAG to forward any requests coming from the WAN to the IIS server hosting the CRL on the LAN. If I browse to crl.domain.com from a PC away from the domain I see the CRL.

    UAG is not working. I can ping the IP-HTTPS gateway IPv6 address that shows up on the client but that is about it. The error connection tool tells me that the client cannot reach the DNS server but nothing else.

    I have noticed that I cannot resolve the name crl.domain.com from the Windows client when it is not connected to the domain, eg at home, but can from other devices that are not on the domain. I thought this was happening as it was sending DNS requests to the uncontactable DNS server but I also added in an entry in the hosts file and it still ignored it. When I ping crl.domain.com it cannot resolve the IP even though it shows me the entry when I do ipconfig /displaydns !!

    Any ideas

    Tuesday, August 17, 2010 4:34 PM

All replies

  • If you have the same domain internally and externally, you will need to add the CRL FQDN to your NRPT exemption list as discussed here: http://technet.microsoft.com/en-us/library/ee690445.aspx

    Alternatively (and recommended) buy an IP-HTTPS cert from a public CA and then you don't have to worry about publishing the CRL at all!

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by kins Tuesday, August 17, 2010 7:47 PM
    Tuesday, August 17, 2010 5:33 PM
    Moderator
  • Thanks..that now works.

    Both crl and DA DNS resolve to the same first real IP on the WAN NIC of the DA server.

    I can browse to https://da.domain.com:443/IPHTTPS and get HTTP 403 error: This website requires you to log in

    I can browse to the CRL - https://crl.domain.com/crld

    I was still having problems connecting and for those of you that may find this useful I found this thread http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/a679f007-4daa-4cfb-88bb-21f958c3d383 and turned on the Windows Firewall on the TMG server......hey presto I can access my LAN.

    thanks

    Tuesday, August 17, 2010 7:47 PM
  • The best thing to do is to make sure that there is a CRL entry that is reachable by external clients. You can include that entry on your certificates, create the name in your public DNS, and the client will use its local DNS configuration instead of the NRPT. However, if you must use the same domain name for external clients, go with Jason's recommendation and include it as an exemption in the NRPT.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Thursday, August 19, 2010 2:40 PM
    Moderator
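The two answers above (Jason's NRPT exemption and Tom's "use a name outside the internal suffix") both come down to which DNS server the DirectAccess client sends the CRL lookup to. The following is an added illustration, not code from the thread or from UAG: a small model of the Windows Name Resolution Policy Table (NRPT) decision, with longest-match on the namespace and a rule without DNS servers treated as an exemption that falls back to the interface's normal DNS. The addresses (documentation ranges), the `app.domain.com` and `crl.example.net` names, and the `nls.domain.com` NLS name are placeholders, not the poster's values.

```python
"""Model of the NRPT lookup decision behind the CRL-reachability problem.

Constructed example (not the thread's or UAG's code). Semantics modelled:
  * a namespace starting with "." is a suffix rule (".domain.com" matches
    app.domain.com, crl.domain.com, ...);
  * a namespace without a leading dot matches only that FQDN;
  * the longest matching namespace wins;
  * a matching rule with no DNS servers is an exemption: the client resolves
    the name with the interface's normal DNS instead of the DA DNS server.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class NrptRule:
    namespace: str
    # Empty tuple = exemption (no NRPT server, fall back to interface DNS).
    dns_servers: Tuple[str, ...] = ()


def _norm(name: str) -> str:
    """Case-fold and drop a trailing dot so 'CRL.domain.com.' compares equal."""
    return name.strip().rstrip(".").lower()


def match_rule(name: str, rules: Iterable[NrptRule]) -> Optional[NrptRule]:
    """Return the longest-match NRPT rule for `name`, or None if none matches."""
    n = _norm(name)
    best = None
    for rule in rules:
        ns = _norm(rule.namespace)
        if ns.startswith("."):
            hit = n.endswith(ns)          # suffix rule
        else:
            hit = n == ns                 # exact-FQDN rule
        if hit and (best is None or len(ns) > len(_norm(best.namespace))):
            best = rule
    return best


def resolve_target(name: str, rules: Iterable[NrptRule],
                   interface_dns: Tuple[str, ...]):
    """Decide which DNS servers the client queries for `name`.

    ("nrpt", servers)       -> an NRPT rule with servers applies
    ("interface", servers)  -> no NRPT match, or the match is an exemption
    """
    rule = match_rule(name, rules)
    if rule is None or not rule.dns_servers:
        return ("interface", tuple(interface_dns))
    return ("nrpt", tuple(rule.dns_servers))


# Placeholder addresses from documentation ranges, not the poster's values.
DA_DNS = ("2001:db8:da::1",)   # DA DNS (DNS64) on the UAG box: reachable only once the tunnel is up
HOME_DNS = ("192.0.2.53",)     # whatever the home router / ISP hands the client

# What the poster started with: every name under the internal suffix goes to DA DNS,
# including crl.domain.com, which the client needs *before* the IP-HTTPS tunnel exists.
BROKEN_RULES = (NrptRule(".domain.com", DA_DNS),)

# Jason's fix: an exemption for the CRL FQDN (UAG exempts the NLS name the same way).
FIXED_RULES = BROKEN_RULES + (
    NrptRule("crl.domain.com"),   # exemption: no servers listed
    NrptRule("nls.domain.com"),   # placeholder NLS name, exempted by default
)


def demo():
    """Print and return the decision for each name under both tables."""
    results = {}
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        for name in ("crl.domain.com", "app.domain.com", "crl.example.net"):
            results[(label, name)] = resolve_target(name, rules, HOME_DNS)
            print(f"{label:6} {name:16} -> {results[(label, name)]}")
    return results


if __name__ == "__main__":
    demo()
```

Under `BROKEN_RULES` the CRL lookup is sent to the DA DNS server, which the client cannot reach until the tunnel is up, so the IP-HTTPS certificate revocation check can never complete; that is the deadlock the poster hit. With the exemption, `crl.domain.com` goes to the home DNS (and from there to the public A record) while `app.domain.com` still goes through DA DNS. Tom's alternative is the `crl.example.net` case: a name outside the internal suffix matches no rule at all and uses interface DNS without any exemption.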