Passing Certificate Enrolment Traffic through TMG 2010

An issue I faced recently when deploying TMG 2010 and Microsoft Certificate Services was how to allow traffic from one network to another for certificate enrolment. I noticed errors on servers not in the same subnet as the issuing CA indicating they could not pick up a certificate via auto-enrolment.

Turning on logging on TMG 2010, I noticed the below logs from a domain controller to the issuing CA.

image

image

TMG has a rule that allows RPC traffic from the client server to the issuing CA and Root CA, with Enable Strict RPC Compliance turned off.

So what's happening? Basically, the domain controller initiates traffic on RPC port 135 and the CA communicates back, telling the server to talk on port 49246. Because this traffic is encrypted, TMG cannot read or understand it, so it drops the traffic.

What can be done?

One way to resolve this issue is to configure the issuing CA and Root CA to listen on a static port instead of a dynamic range and configure a custom protocol in TMG to allow the traffic.

Step 1.

Log into the issuing CA and run dcomcnfg.exe; this will open the Component Services MMC.

image

Step 2.

Expand Component Services, Computers, My Computer, and then select DCOM Config on the left.

image

Step 3.

Right-click CertSrv Request and select Properties. In the dialog box, select the Endpoint tab and select Add. Select the Use static endpoint radio button and, in the box to the right, enter the port you wish the client servers to use to talk to the CA server. To check what the server is listening on you can run from a command shell the below.

image

I used 789. Once you have closed the dialog boxes by selecting OK where appropriate, you then need to restart the CA services.

image 

Step 4.

Now that the CA is listening on a static port, or should I say telling the client server to use a static port, you now need to amend your firewall rules to allow it. You will need to add a new custom protocol for TCP 789, or whatever you used.

image

image

 

Checking the server event log, I can see it has worked.

image

 

And the TMG 2010 event logs show the same.

image
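To confirm the path without waiting for the next auto-enrolment cycle, the script below can be run from a client server behind TMG. It is an added example, not part of the original post: the host name, the CA name and the Test-TcpPort helper are placeholders introduced here, and 789 is the static endpoint chosen in Step 3.

```powershell
# Added example: run from a client server on the far side of TMG.
param(
    [string]$CAHost = 'issuing-ca.example.local',  # placeholder hostname
    [string]$CAName = 'Example Issuing CA',        # placeholder CA common name
    [int]$StaticPort = 789                          # static endpoint set in Step 3
)

# Helper written for this example: TCP connect with a timeout (works on PowerShell 2.0).
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false              # timed out: dropped in transit or host down
        }
        $client.EndConnect($async)     # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Windows Server 2008 and later assign dynamic RPC ports from 49152-65535.
if ($StaticPort -ge 49152) {
    Write-Warning "Port $StaticPort is in the default dynamic RPC range and may collide with another RPC service."
}

# The endpoint mapper (135) and the static CertSrv Request port must both pass.
$results = foreach ($port in 135, $StaticPort) {
    New-Object PSObject -Property @{
        Target = $CAHost; Port = $port
        Reachable = Test-TcpPort -ComputerName $CAHost -Port $port
    }
}
$results | Format-Table Target, Port, Reachable -AutoSize

if ($results | Where-Object { -not $_.Reachable }) {
    Write-Warning 'A port is blocked: check the TMG access rule and the custom protocol.'
} else {
    # End-to-end check of the CA's request interface over DCOM.
    certutil -config "$CAHost\$CAName" -ping
    if ($LASTEXITCODE -ne 0) { Write-Warning 'certutil -ping failed; see output above.' }
}
```

If 135 is reachable but the static port is not, the TMG rule is missing the custom protocol; if both are reachable but certutil fails, check that the CA services were restarted after Step 3.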
