UAG IPSec certificate renewal using autoenrollment

Answers

  • Hi.  There must have been something wrong with the CA (SubCASvr) I was trying to renew my certificate with.  It is a subordinate CA configured to issue IPSec certificates.

    As a workaround, I configured one of our other CAs (PrimCASvr) to issue IPSec certificates.
    I started the certificate renewal process and pointed the enrolment to PrimCASvr.
    The renewal succeeded.

    This confirms that the TMG rules work, allowing RPC / DCOM traffic to PrimCASvr.
    But for some reason, renewals pointing to SubCASvr wouldn't work.

    At least now I have more time to figure it out.

    Thanks for your help.

    Wednesday, February 1, 2012 11:29 PM

All replies

  • Where did you clear the flag for "enforce strict..."? On the access rule you created?

    Where are your CAs - on DCs or on separate servers?

    What I usually do is to create a custom access rule allowing all traffic to [computer set] CA servers and then disable Strict RPC compliance on that rule.

    Hth, Anders Janson Enfo Zipper
    Wednesday, February 1, 2012 9:26 AM
  • It sounds like something still isn't right with the rule. As Anders mentioned, make sure to include all of your CA servers (intermediates also) in the Computer Set that you configure as the destination of this rule. Also make sure that after you add the rule and adjust the System Policy for the RPC compliance checkbox, you "Apply" the settings inside TMG.

    Here is another walkthrough, though it's probably the same information as the others: http://www.ivonetworks.com/news/2010/10/adding-the-%e2%80%9ccomputer%e2%80%9d-certificate-to-your-uag-directaccess-appliance-%e2%80%93-%e2%80%9cthe-rpc-server-is-unavailable%e2%80%9d/

    Wednesday, February 1, 2012 1:46 PM
  • Hello Anders and Jordan, thank you for your replies.

    I have cleared "Enforce strict RPC compliance" on my custom access rule (Right-click rule > Configure RPC Protocol). 
    The rule allows all outbound traffic from Local Host to a computer set containing all the IP addresses of the CAs and an Intermediate CA.
    The rule is 1st in the Firewall Policy, top of the list of rules. 

    I have also edited the TMG System Policy > Authentication Services > Active Directory and cleared "Enforce strict RPC compliance."

    These configuration changes have been applied / saved in TMG on the DirectAccess server. 

    The CAs are on DCs and are accessible from the DirectAccess server on the Internal interface, same subnet.

    I'd really like to get autoenrolment going.  But I may have to perform an offline request because the IPSec cert expires in 2 days. 
    If you have any links to walkthroughs of a manual offline request for an IPSec cert, that would be great.  I have no experience with cert requests using command line.

    Wednesday, February 1, 2012 10:30 PM
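    The two things asked for in the post above, a way to confirm that each CA is actually reachable over RPC/DCOM from the DirectAccess server and a manual (offline) request for the IPSec certificate from the command line, as an added example that is not part of this thread. The CA config strings PrimCASvr\PrimCA and SubCASvr\SubCA, the FQDN uag01.corp.example and the working folder are placeholders; the certutil/certreq commands and the IPSECIntermediateOffline template name (the internal name of the built-in "IPSec (Offline request)" template) are standard Windows CA tooling.

```powershell
# Added example, not from the thread. Placeholders: PrimCASvr\PrimCA and SubCASvr\SubCA are
# "host\CA common name" config strings; uag01.corp.example is the DirectAccess server FQDN.
# Run in an elevated PowerShell on the UAG/DirectAccess server.

$caConfigs = @('PrimCASvr\PrimCA', 'SubCASvr\SubCA')

function Test-TcpPort {
    # Plain TCP connect with a timeout; works on PowerShell 2.0 / Windows Server 2008 R2,
    # which has no Test-NetConnection.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Reachability: RPC endpoint mapper (TCP/135) first, then the ICertRequest DCOM interface
#    itself. A CA that fails certutil -ping while 135 is open points at RPC/DCOM filtering
#    (e.g. strict RPC compliance on the TMG rule) or at the CA service, not at basic connectivity.
foreach ($cfg in $caConfigs) {
    $caHost = $cfg.Split('\')[0]
    $open = Test-TcpPort -ComputerName $caHost -Port 135
    Write-Host ("{0}: TCP/135 open = {1}" -f $caHost, $open)
    certutil -ping -config $cfg
}

# 2. Manual (offline) request for an IPSec certificate, for when autoenrollment cannot be fixed
#    before the current certificate expires. Single-quoted here-string so PowerShell does not
#    expand the $Windows NT$ signature.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
; An offline template takes the subject from the request, so it must be supplied here
Subject = "CN=uag01.corp.example"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; IP security IKE intermediate
OID = 1.3.6.1.5.5.8.2.2

[RequestAttributes]
; Internal name of the built-in "IPSec (Offline request)" template
CertificateTemplate = IPSECIntermediateOffline
'@

$work = 'C:\Temp\ipsec-request'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Content -Path "$work\ipsec.inf" -Value $inf -Encoding ASCII

certreq -new "$work\ipsec.inf" "$work\ipsec.req"
certreq -submit -config 'PrimCASvr\PrimCA' "$work\ipsec.req" "$work\ipsec.cer"
# If the CA holds the request as pending, issue it on the CA and then retrieve it by request id:
#   certreq -retrieve -config 'PrimCASvr\PrimCA' <RequestId> "$work\ipsec.cer"
certreq -accept "$work\ipsec.cer"

# 3. Confirm the new certificate is in the computer store with the IKE intermediate EKU
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq '1.3.6.1.5.5.8.2.2' }
} | Format-Table Subject, NotAfter, Thumbprint -AutoSize
```

    Run step 1 on its own first: if PrimCASvr answers certutil -ping and SubCASvr does not while both have TCP/135 open, the TMG rule and System Policy are not the problem and the remaining difference is on the SubCASvr side (CA service, DCOM permissions on the CA, or the template not being issued there). The offline request in step 2 only needs the submitting CA to be reachable, so it is a safe stopgap until autoenrollment against the intended CA is working again.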