UAG/DA: Computer Certificate 1 Year Expiration vs. Being Abroad for More Than 1 Year

  • Question

  • Hello,

    I work as an IT specialist and my task was to implement an MS UAG server for testing purposes. I managed to install it and it is working great. Along the way I experienced many issues and lots of troubleshooting has been done, so I may say that I have some experience by now.

    But one question is still bothering me. Every computer (member of the "DA Clients" group) needs a Computer certificate, that's a fact. So these computers need to be restarted in the corp. environment at least once, to get their Computer Certificate, before they are able to successfully connect to the UAG server as DA clients.
    Because this certificate is based on the default template, it expires in 1 year. Here's the catch! If there is a user who will be abroad for more than one year, let's say without an alternative VPN connection, left only with DA access... will his Computer certificate be able to renew itself using the DA connection or not?

    Thank you very much for your time and opinion about this!

    Tuesday, October 19, 2010 9:24 AM

Answers

  • Hi Amig@. If the computer certificates are issued by an external certification authority and then manually imported into the computers then there is no chance to automatically renew the certificates. If you are running Microsoft Certificate Services with a CA integrated in Active Directory and the certificates are issued via an auto-enrollment GPO set then I think that the certificates should seamlessly renew without user intervention. Just adjust the Renewal Period in the certificate template to leave time enough for the requests to happen in a reasonable period before the certificate expires.

    Hope it helps


    // Raúl - I love this game
    Tuesday, October 19, 2010 9:37 AM
  • Hi Damjan,

    The user will be able to renew the certificate over DirectAccess, so that shouldn't be a problem.

    However, there is an area where you might run into problems, and that has to do with the strict RPC settings on the TMG firewall that is on the UAG server. If you have problems renewing the certificate, you will need to do some configuration on the TMG firewall.

    This article can help you out:

    http://blogs.technet.com/b/edgeaccessblog/archive/2010/04/22/deep-dive-into-uag-directaccess-certificate-enrollment.aspx

    In the future (with UAG SP1) this won't be a problem because the configuration will be enabled by default.

    HTH,

    Tom 


    MS ISDUA/UAG DA Anywhere Access Team. Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Tuesday, October 19, 2010 3:39 PM
    Moderator

All replies

  • Silly me, I forgot to mention that the CA is internal, based on Microsoft CA and Active Directory, and yes, computer certificates were/are auto-enrolled via a GPO set. The default Computer template (v 5.1) cannot be modified. The renewal period is already set to 6 weeks by default.

    I am researching possibilities for creating a custom cert. template for the Computer Certificate and its auto-enrollment, but that wouldn't be necessary if the "default" configuration will work.

    • Edited by Damjan Grimšič Tuesday, October 19, 2010 9:52 AM Computer template version was incorrect
    Tuesday, October 19, 2010 9:48 AM
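    A check worth running on a DA client before a long trip, following Raúl's point about the Renewal Period and Damjan's 6-week figure: list the machine certificates, report how far each is from expiry relative to the renewal window, and if one is already inside it, pulse autoenrollment and read the client's own autoenrollment events. This is an added example, not code from any poster; the template OIDs and the event provider name are standard Windows values, and the 42-day window is an assumption taken from the thread.

```powershell
# Added example (not from the thread). Assumes a Windows DA client whose machine
# certificate came from the default "Computer" template with the 6-week renewal
# period Damjan mentions; adjust $RenewalWindowDays if your template differs.
function Get-DaClientCertStatus {
    param(
        [int]$RenewalWindowDays = 42   # 6 weeks, as stated in the thread
    )
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_
            # The issuing template is recorded in the "Certificate Template Name"
            # (1.3.6.1.4.1.311.20.2) or "Certificate Template Information"
            # (1.3.6.1.4.1.311.21.7) extension; a v1 template like "Computer" uses the former.
            $template = $cert.Extensions |
                Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
                ForEach-Object { $_.Format($false).Trim() } |
                Select-Object -First 1
            $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
            $state = if ($daysLeft -lt 0) { 'EXPIRED' }
                     elseif ($daysLeft -le $RenewalWindowDays) { 'RENEWAL WINDOW' }
                     else { 'OK' }
            [pscustomobject]@{
                Subject  = $cert.Subject
                Template = $template
                NotAfter = $cert.NotAfter
                DaysLeft = $daysLeft
                State    = $state
            }
        }
}

# Usage: report, then if anything is expired or inside the window, pulse
# autoenrollment now rather than waiting for the next scheduled pass, and read
# the autoenrollment client's event source to see whether the renewal succeeded.
$status = Get-DaClientCertStatus
$status | Format-Table -AutoSize
if ($status.State -contains 'RENEWAL WINDOW' -or $status.State -contains 'EXPIRED') {
    certutil -pulse | Out-Null
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        StartTime    = (Get-Date).AddMinutes(-10)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-List
}
```

    The renewal itself still depends on the client reaching the enterprise CA over the DA tunnel, which is exactly where the RPC/TMG configuration Tom points to comes in; a certificate that is already expired cannot authenticate the tunnel, so the useful time to run this is while the machine is still in the renewal window.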
  • Yes! Thank you both.

    Thomas, I've done that procedure for the RPC setting already, because in one scenario I had the UAG server installed before I managed to enroll the necessary server certificate(s). I was lucky that time, because I remembered that blog in a second, because I went through many blogs before I started practical work on implementing UAG. And yet, when troubleshooting and testing, the procedure was a must-do, because I needed to enroll certificates many more times.

    Wednesday, October 20, 2010 6:32 AM
  • Hi Damjan,

    Very good! Let us know if you run into any issues with certificate renewal.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team. Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Wednesday, October 20, 2010 11:14 AM
    Moderator
  • Hi Thomas,

    I am running into an issue and would like to get your advice. We have UAG and last week the GoDaddy certificate expired. Now can you please provide me the steps to make a request and renew it.

    Saturday, March 30, 2013 11:55 AM
  • Hi Damjan

    I have a couple of cases too where laptops have been too long outside of the company. The certificates expired months ago. The solution in most cases has been using a backup VPN and enrolling a new certificate.

    I haven't tested it yet but I think the Certificate Enrollment Web Service might be a solution (if the CA is the enterprise version), since it allows certificate enrollment for domain and non-domain computers outside the domain. The UAG portal could act as a reverse proxy for this.

    Just an idea at the moment but I'm going to test it.

    -teemu


    br -teemu

    Tuesday, April 2, 2013 8:43 PM