Does UAG require ability to perform live CRL checking

  • Question

  • I have to deploy UAG in an environment where the networks are severely restricted and no internet access is allowed for servers residing in a DMZ. My question is this: does UAG require the ability to perform live CRL checking of certificates used on published applications? For example, if Exchange is hosted using a third-party certificate from Verisign, does the UAG need to be able to perform a CRL check to the Verisign CRL-D server on http?

    Thanks in advance!

    Steve Angell - IAM Practice Director

    Wednesday, April 10, 2013 3:11 PM

All replies

  • Hi Amig@. Yes, UAG checks the validity of the certificate and the status of the revocation. If it is not able to do so, it will present an error message when the user accesses the published application. Fortunately, the behavior can be modified using some registry keys (well, the certificate checks are a safe practice but in some cases...)

    Go to HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL and you will find two keys named ValidateRwsCert and ValidateRwsCertCRL. The first one checks the validity of the certificate and the second one the revocation status. You can independently assign 0 or 1 to them, with 0 meaning the checks are not performed.

    Hope it helps

    // Raúl - I love this game

    Thursday, April 11, 2013 9:43 AM
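
An audit of the two registry values named in the reply above, as an added example that is not part of the original thread or of UAG itself. It reads the values and flags any check that has been switched off, so a DMZ exception of this kind stays visible. The function name `Get-UagBackendCertCheck` is hypothetical, and treating a missing value as "not set" is an assumption, since the thread gives no default.

```powershell
# Added example (not from the thread): report the state of the two UAG
# certificate checks. Run in an elevated session on the UAG server.
# Per the reply, 0 means the check is not performed. A missing value is
# reported as "not set" (assumption: the thread does not state a default).

$KeyPath = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL'
$Checks  = @{
    ValidateRwsCert    = 'certificate validity'
    ValidateRwsCertCRL = 'revocation status (CRL)'
}

function Get-UagBackendCertCheck {   # hypothetical helper name
    param([string]$Path = $KeyPath)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Registry key not found: $Path"
    }

    foreach ($name in 'ValidateRwsCert', 'ValidateRwsCertCRL') {
        $item = Get-ItemProperty -LiteralPath $Path -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $data  = $null
            $state = 'not set'
        } else {
            $data  = $item.$name
            $state = if ([int]$data -eq 0) { 'DISABLED' } else { 'enabled' }
        }
        New-Object PSObject -Property @{
            Value  = $name
            Data   = $data
            Checks = $Checks[$name]
            State  = $state
        } | Select-Object Value, Data, Checks, State
    }
}

$report = Get-UagBackendCertCheck
$report | Format-Table -AutoSize

# Surface disabled checks so the exception is recorded and reviewed.
$report | Where-Object { $_.State -eq 'DISABLED' } | ForEach-Object {
    Write-Warning ("{0} = 0: UAG does not perform the {1} check." -f $_.Value, $_.Checks)
}
```

With `ValidateRwsCertCRL` at 0, a revoked certificate on a published application is no longer rejected by UAG, so the report is worth keeping alongside the change record for the restricted network.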