How to secure CRL Distribution Point for Direct Access

  • Question

  • Hi,

    I am implementing Direct Access and am using a Server 2008 Ent PKI. I want to publish the CRL for Internet based clients but want to secure access to it.

    I will be creating an A record on public DNS for crl.domain.com and this will direct clients to my firewall. I could then port NAT in port 80 to the IIS server hosting the CRL DP on the LAN. The CRL would be visible and you can open the .crl file and see info. A DMZ setup would do either and we have one but you still see the same content.

    This doesn't look secure to me. You can also browse back up to the root page and see the IIS 7 page. When you click on it, it just brings you to the Microsoft website.

    1. How do I go about securing this, or is there anything to worry about by having the CRL publicly available? Surely the clients have to see what we can see by browsing to the site?

    Friday, July 16, 2010 10:54 AM

Answers

  • Hey Ran,

    I was testing this afternoon and came to the same conclusion ;)

    I will work on the ruleset to try and match my ISA article...this sounds like a good UAG blog post project in light of the increasing need for external CRL access...

    Where do you stand on licensing as this is an anonymous service? Should this be added to the support boundaries document for TMG supported publishing too?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Monday, July 26, 2010 10:51 PM
    Tuesday, July 20, 2010 12:30 AM
    Moderator
  • Hi Jason,

    I have a blog post for this ready. I just need to validate - which I can do today as I'm working on v3 of the Test Lab Guide and TLGs extensions.

    I'll blog on the new Test Lab Guide initiative on Monday - it's going to be BIG and GREAT!

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    • Marked as answer by Erez Benari Monday, July 26, 2010 10:51 PM
    Tuesday, July 20, 2010 12:47 PM
    Moderator

All replies

  • Hi Kins

    Make sure the firewall enables only read only access to the CRL and that the firewall enforces access only to the specific published folder. A TMG firewall does this easily.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Friday, July 16, 2010 12:37 PM
    Moderator
  • This should help: http://blog.msfirewall.org.uk/2008/06/publishing-certificate-revocation-lists.html and this: http://blog.msfirewall.org.uk/2008/06/publishing-certificate-revocation-lists_13.html

    Alternatively, use a public CA to issue the DA IP-HTTPS certificate and then you don't need to worry about it ;)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, July 16, 2010 12:59 PM
    Moderator
  • Can I use the same TMG firewall that is used for UAG to publish the site?
    Friday, July 16, 2010 3:37 PM
  • No - but you can publish your CRL using UAG.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Monday, July 19, 2010 12:42 PM
    Moderator
  • No - but you can publish your CRL using UAG.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team


    Is that supported then Tom?

    Got any details? ;)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, July 19, 2010 1:09 PM
    Moderator
  • Hi Jason,

    Just create a trunk that publishes one single web application, as described here: http://blogs.technet.com/b/edgeaccessblog/archive/2010/01/15/what-happened-to-basic-and-webmail-trunks.aspx. The application this trunk publishes is the CDP. Remove authentication from this trunk, disable endpoint components installation and activation, and, for extra bonus points, modify the default URL ruleset which allows /.* so that it will only allow one specific URL - the one that downloads the CRL ;-)

    Regards,

    -Ran

    Monday, July 19, 2010 6:22 PM
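    The worry in the question is readability of the .crl file, but a CRL is a CA-signed object that is meant to be fetched anonymously; what the advice from Tom and Ran actually limits is everything else the published server would otherwise expose (the IIS root page, folder listings, write methods). The following is an added illustration, not code from this thread, UAG or TMG: a minimal default-deny request filter that models Ran's hardened URL ruleset, where the default /.* rule is replaced by one rule that permits only the CRL download, together with Tom's read-only requirement. PUBLIC_HOST is the name from the question; CRL_PATH is an assumed file name.

```python
"""Added example (not from the thread, UAG or TMG): an allow-list request
filter for a published CRL Distribution Point. Everything that is not a
read of exactly one CRL file on the published host name is refused."""
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

PUBLIC_HOST = "crl.domain.com"            # public A record named in the question
CRL_PATH = "/CertEnroll/Contoso-CA.crl"   # assumption: the one published CRL file
READ_ONLY_METHODS = frozenset({"GET", "HEAD"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def canonical_path(target: str) -> str:
    """Decode percent-encoding and collapse '.'/'..' segments, so that
    /CertEnroll/%2e%2e/iisstart.htm is compared as /iisstart.htm rather than
    as a string that merely starts with the published folder."""
    path = unquote(urlsplit(target).path) or "/"
    collapsed = posixpath.normpath(path)
    # normpath drops a trailing slash; keep it so that a folder request
    # (/CertEnroll/) can never compare equal to the file path.
    if path.endswith("/") and collapsed != "/":
        collapsed += "/"
    return collapsed


def filter_request(method: str, target: str, host: str) -> Decision:
    """Default deny: only a read of exactly CRL_PATH on PUBLIC_HOST passes."""
    if host.split(":", 1)[0].lower() != PUBLIC_HOST:
        return Decision(False, "Host header is not the published name")
    if method.upper() not in READ_ONLY_METHODS:
        return Decision(False, "CDP is published read-only (GET/HEAD only)")
    path = canonical_path(target)
    if path.lower() != CRL_PATH.lower():      # IIS paths are case-insensitive
        return Decision(False, f"{path} is not the published CRL")
    return Decision(True, "CRL download permitted")


if __name__ == "__main__":
    # Constructed sample requests: the legitimate download plus the probes
    # the question worries about (root page, folder listing, traversal, write).
    for req in [("GET", "/CertEnroll/Contoso-CA.crl", "crl.domain.com"),
                ("GET", "/", "crl.domain.com"),
                ("GET", "/CertEnroll/", "crl.domain.com"),
                ("GET", "/CertEnroll/%2e%2e/iisstart.htm", "crl.domain.com"),
                ("PUT", "/CertEnroll/Contoso-CA.crl", "crl.domain.com")]:
        print(req, filter_request(*req))
```

The exact-match comparison is the whole point: an allow rule written as a prefix (/CertEnroll/.*) would still let a client list the folder or reach a sibling file, while matching one canonicalised path lets nothing through that the CA did not intend to publish. The same principle applies on the IIS side, where directory browsing and the default document on the CDP site should stay off so that a misconfigured proxy rule does not turn into the behaviour the question describes.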
  • Hi Jason,

    I have a blog post for this ready. I just need to validate - which I can do today as I'm working on v3 of the Test Lab Guide and TLGs extensions.

    I'll blog on the new Test Lab Guide initiative on Monday - it's going to be BIG and GREAT!

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Cool, you always beat me to it :-P

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, July 20, 2010 3:02 PM
    Moderator
  • Ha! You beat me to it more than I beat you! :)

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Wednesday, July 21, 2010 6:48 PM
    Moderator
  • hi folx,

    is there a step-by-step guide on how to publish the crl via uag? the blog-article above is too general 4 my skill-lvl.

    ;-)


    gruss, jens mander aka karsten hentrup - www.aixperts.de - www.forefront-tmg.de - www.hentrup.net |<-|
    Monday, August 2, 2010 9:07 AM
  • Hi Jens,

    I'll work on that today and try to get it up by the end of the day.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Monday, August 2, 2010 2:57 PM
    Moderator
  • hi tom,

    great news - i am very excited (f5 on my rss 4 the edge man)!

    ;-)


    gruss, jens mander aka karsten hentrup - www.aixperts.de - www.forefront-tmg.de - www.hentrup.net |<-|
    Monday, August 2, 2010 4:59 PM
  • :)

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, August 3, 2010 11:28 AM
    Moderator
  • ah - there it is:

    http://blogs.technet.com/b/tomshinder/archive/2010/08/03/how-to-configure-uag-to-publish-your-private-certificate-revocation-list.aspx

    thx tom!
    afk in my lab.

    ;-)


    gruss, jens mander aka karsten hentrup - www.aixperts.de - www.forefront-tmg.de - www.hentrup.net |<-|
    Tuesday, August 3, 2010 1:05 PM
  • Hi Jen,

    I was going to post the URL but you found it already! :)

    I'll post it again, just for fun

    http://blogs.technet.com/b/tomshinder/archive/2010/08/03/how-to-configure-uag-to-publish-your-private-certificate-revocation-list.aspx

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, August 3, 2010 2:16 PM
    Moderator
  • hi tom,

    sry that i was 2 quick! like i said f5 on my rss. ;-)

    thx 4 the article - i was surprised that i didn't make many errors in my tests (but some essentials on the other hand)!

    *ggg*


    gruss, jens mander aka karsten hentrup - www.aixperts.de - www.forefront-tmg.de - www.hentrup.net |<-|
    Tuesday, August 3, 2010 2:33 PM
  • hi!

    spent a few weeks on holiday - so i didn't reply.

    crl-publish works fine, but i first had some problems with the internal website which hosts the crl. removing my host-header on the internal website fixed the problem!


    gruss, jens mander aka karsten hentrup - www.aixperts.de - www.forefront-tmg.de - www.hentrup.net |<-|
    Wednesday, September 1, 2010 12:17 PM
  • Hi Jens,

    Great! Good to hear you got it working and thanks for the follow up!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Wednesday, September 1, 2010 3:16 PM
    Moderator
  • hi tom,

    i worked a bit more on my "host-header-problem" and found out that binding the public fqdn to the internal website also fixes my problem.

    is this best practice? or is it recommended to remove the internal host-headers of my webserver?


    gruss, jens mander aka karsten hentrup - www.aixperts.de - www.forefront-tmg.de - www.hentrup.net |<-|
    Thursday, September 2, 2010 6:55 AM
  • Removing the internal host headers would help in obfuscating your internal namespace.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Friday, September 3, 2010 1:29 PM
    Moderator
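    To make the host-header exchange above concrete, here is an added model, not code from the thread or from Microsoft, of how a web server that hosts several sites on one IP and port chooses the site from the request's Host header. It reproduces Jens's symptom (a CRL site bound only to an internal name does not answer the public FQDN, which from his second finding is what UAG forwards) and both of his fixes, and shows why Tom's suggestion leaves the internal name out of the picture entirely. The selection order is a simplified version of IIS binding precedence (exact host header first, then a binding without host header); all addresses and internal names are constructed, and only crl.domain.com comes from the question.

```python
"""Added example (not from the thread or Microsoft): simplified model of IIS
site selection by host header, used to replay Jens's CRL publishing problem."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Binding:
    ip: str
    port: int
    host: str = ""   # "" = no host header: answers any name on this ip:port


@dataclass(frozen=True)
class Site:
    name: str
    bindings: tuple


def select_site(sites: Iterable[Site], ip: str, port: int,
                host_header: str) -> Optional[Site]:
    """Exact host-header binding wins; a binding with no host header is the
    fallback; if neither exists no site answers and the server errors out."""
    host = host_header.split(":", 1)[0].lower()
    fallback = None
    for site in sites:
        for b in site.bindings:
            if (b.ip, b.port) != (ip, port):
                continue
            if b.host and b.host.lower() == host:
                return site
            if not b.host and fallback is None:
                fallback = site
    return fallback


LAN_IP, PORT = "10.0.0.5", 80              # constructed internal address
PUBLIC_FQDN = "crl.domain.com"             # from the question
INTERNAL_NAME = "crl.corp.local"           # constructed internal host header
# A second site on the same IP:port, as in Jens's one-IP, many-sites test box.
OTHER_SITE = Site("Intranet", (Binding(LAN_IP, PORT, "intranet.corp.local"),))


def answering_site(crl_bindings: Iterable[Binding],
                   host_header: str = PUBLIC_FQDN) -> Optional[str]:
    """Name of the site that answers a request carrying host_header."""
    sites = [Site("CRL", tuple(crl_bindings)), OTHER_SITE]
    site = select_site(sites, LAN_IP, PORT, host_header)
    return site.name if site else None


def symptom() -> Optional[str]:
    # Internal host header only: the forwarded public name matches nothing.
    return answering_site([Binding(LAN_IP, PORT, INTERNAL_NAME)])


def fix_add_public_binding() -> Optional[str]:
    # Jens's second finding: bind the public FQDN to the internal site as well.
    return answering_site([Binding(LAN_IP, PORT, INTERNAL_NAME),
                           Binding(LAN_IP, PORT, PUBLIC_FQDN)])


def fix_remove_host_header() -> Optional[str]:
    # Jens's first finding and Tom's advice: no host header, so the CRL site
    # is the catch-all and no internal name has to exist on the published path.
    return answering_site([Binding(LAN_IP, PORT)])


if __name__ == "__main__":
    print("internal host header only ->", symptom())
    print("public FQDN bound as well ->", fix_add_public_binding())
    print("host header removed       ->", fix_remove_host_header())
```

The trade-off the two fixes represent is visible in the model: adding the public FQDN binding keeps the internal name alive on the server, while the catch-all binding means the published site never has to know or reveal a corp.local name, which is the obfuscation point Tom makes. The catch-all site still has to coexist with host-header-bound neighbours, which the model handles because an exact match is always preferred over the fallback.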
  • thx. in my case it's a test scenario, where my websites are hosted on a dc with one ip but multiple sites. so i won't remove 'em but will advise my customers not to use internal host-headers!

    *ggg*


    gruss, jens mander aka karsten hentrup - www.aixperts.de - www.forefront-tmg.de - www.hentrup.net |<-|
    Friday, September 3, 2010 3:08 PM