Forefront TMG 2010 - computer certificate enrollment issue


If your Forefront TMG 2010 is a member of an AD domain and automatic enrollment of the computer certificate for TMG 2010 fails as shown below:

[Image: tmg-cert-enr-issue-1.png]

do the following:

 - disable "Enforce strict RPC compliance" in the System Policy Editor

[Image: tmg-cert-enr-issue-2.png]

Because in my infrastructure the CA servers ARE NOT domain controllers, this alone is not a sufficient solution.

DCOM uses random ports: after the RPC exchange with the DC, TMG contacts the CA server on tcp/59655 for certificate enrollment (see below; that traffic is blocked).

[Image: tmg-cert-enr-issue-3.png]

To fix this, create a rule that allows traffic initiated from Local Host (Forefront TMG) to the CA servers on high ports (1024-65535).

[Image: tmg-cert-enr-issue-4.png]

After this change I could obtain the certificate.

[Image: tmg-cert-enr-issue-5.png]

A good option is also to use a fixed port range for DCOM on the CA servers, e.g. 6500-6590, so that the TMG rule can be limited to that range instead of 1024-65535.
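The following is an added PowerShell example, not part of the original post, showing how the DCOM/RPC dynamic port range on a CA server can be pinned to 6500-6590 through the documented HKLM\SOFTWARE\Microsoft\Rpc\Internet key. The function names are my own; it assumes it is run elevated on the CA server, and the RPC runtime only picks the new range up after a reboot.

```powershell
# Added example: pin the RPC/DCOM dynamic port range on a CA server so the
# TMG access rule can be narrowed from 1024-65535 to e.g. 6500-6590.
# Registry key and value names are the documented RPC port-restriction settings;
# the function names are my own. Run elevated on the CA server and reboot after.

$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-RpcDynamicPortRange {
    param(
        [Parameter(Mandatory)][ValidateRange(1024, 65535)][int]$Start,
        [Parameter(Mandatory)][ValidateRange(1024, 65535)][int]$End
    )
    if ($End -lt $Start) { throw "End port must not be lower than start port." }
    # DCOM needs several ports per concurrent client; warn if the range is tiny.
    $count = $End - $Start + 1
    if ($count -lt 20) {
        Write-Warning "Range of $count ports may be too small for a busy CA."
    }
    if (-not (Test-Path $RpcInternetKey)) {
        New-Item -Path $RpcInternetKey -Force | Out-Null
    }
    # Ports is REG_MULTI_SZ; each entry is a single port or a "low-high" range.
    New-ItemProperty -Path $RpcInternetKey -Name 'Ports' -PropertyType MultiString `
        -Value @("$Start-$End") -Force | Out-Null
    # "Y" means the listed ports are the ones RPC may hand out dynamically.
    New-ItemProperty -Path $RpcInternetKey -Name 'PortsInternetAvailable' `
        -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $RpcInternetKey -Name 'UseInternetPorts' `
        -PropertyType String -Value 'Y' -Force | Out-Null
}

function Get-RpcDynamicPortRange {
    # Read back what is configured so the TMG rule can be matched against it.
    if (-not (Test-Path $RpcInternetKey)) { return $null }
    Get-ItemProperty -Path $RpcInternetKey |
        Select-Object Ports, PortsInternetAvailable, UseInternetPorts
}

Set-RpcDynamicPortRange -Start 6500 -End 6590
Get-RpcDynamicPortRange
Write-Host "Reboot the CA server, then narrow the TMG rule to tcp/6500-6590."
```

After the reboot, only the listed range is handed out for DCOM, so the earlier 1024-65535 rule can be replaced by one covering just 6500-6590.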


dzbanek 2013-01-07
