19 August 2010

Requesting a certificate from a local CA on TMG or UAG

It is almost inevitable that you will get to the point where you need to install local CA certificates to your TMG or UAG server.

Normally the process is pretty straight forward. 
  • Open MMC
  • Add the Certificates Snap In
  • Select Computer Account
  • Expand Certificates to  - Personal - Certificates
  • From the conext menu of Certificates select Request New Certificate


The certificate templete I use requres me to manually configure the following two fields

common name
user principal name

Your request will fail since the RPC request will be dropped.

To allow the request to go through you might have tried to careat a allow all rule to the internal CA but this will also fail. The reason is there is a system policy firewall rule that is applied first that would block the request.

Opem the TMG management consloe and edit the system policy



Under Auntintication services - Active Directory you need to Uncheck Enforce Strict RPC compliance.

I also added a user defined protocol:
TCP Outbound :1131

And allowed it from localhost to the Certificate Issue server.

I found what was being blocked by checking the logging.  I set the filter for source netwro = localhost and destination network = internal  Then i checked for dropped requests when I requested a certificate.



If you realy, really get stuck and find yourself in a pinch and you really, really need to get a cert on there ASAP the quick and dirty way is to stop the Microsoft Forefront TMG Firewall service.  Just disable your external network first.

1 comment:

argentina said...

good tutorial.
thank you for sharing 0_~

Post a Comment