Automatic Certificate Enrollment Fails on the ISA Firewall
You’ve done the footwork ahead of time and created your PKI, complete with an Enterprise CA. You know that one of the major advantages to using an enterprise CA is that the CA certificates are automatically placed in each domain member’s machine certificate store. This includes the ISA firewall’s machine certificate store.
However, when you check the ISA firewall’s machine certificate store you don’t have the CA’s certificate in the Trusted Root Certification Authorities machine certificate store. What’s up with that? The problem is that the autoenrollment mechanism uses DCOM and by default the ISA firewall’s System Policy Rules block DCOM traffic from the ISA firewall to the default Internal Network (where the enterprise CA is most likely located). What to do?
You have two options:
- Configure System Policy to allow DCOM traffic
- Disable the RPC Filter and allow all traffic to and from the Enterprise CA and then re-enable the RPC filter and remove the allow rule
The first option is the officially supported method. However, I find that it does not always work. If you find the first option doesn’t work for you, try the second method. Remember to re-enable the RPC filter after you obtain the CA certificate if you use the second option.
For the first option, here are the steps:
1. In the ISA firewall console, click Firewall Policy:
- For ISA Server 2004 Enterprise Edition, for array-level firewall policy, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand the array name, and click Firewall Policy.
- For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand the server name, and then click Firewall Policy.
2. On the Tasks tab, click Edit System Policy.
3. From the Configuration Groups list, click Active Directory.
4. On the General tab, clear the Enforce strict RPC compliance check box.
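To confirm whether the blocked-DCOM symptom is still present after editing System Policy, here is a check script to run on the ISA firewall itself. It is an added example, not part of the original post; the CA host name and CA common name are placeholders you must replace, and it assumes PowerShell is installed on the firewall.

```powershell
# Added example, not from the original post. Run on the ISA firewall.
# $caHost and $caName are assumed placeholders; substitute your enterprise CA's
# host name and the CA name shown in the Certification Authority snap-in.
$caHost = 'ca01.corp.example'        # assumed: enterprise CA on the Internal Network
$caName = 'Corp Enterprise Root CA'   # assumed: CA common name

# 1. Can the firewall reach the RPC endpoint mapper (TCP 135) on the CA?
#    DCOM-based autoenrollment starts with this connection, so a System Policy
#    that blocks DCOM from Localhost to Internal shows up here first.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($caHost, 135)
    Write-Host "TCP 135 to $caHost is reachable (endpoint mapper)"
} catch {
    Write-Host "TCP 135 to $caHost is blocked: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}

# 2. Has the CA certificate reached the machine's Trusted Root store yet?
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$caName*" }
if ($root) {
    $root | Format-Table Subject, NotAfter, Thumbprint -AutoSize
} else {
    Write-Host "CA certificate '$caName' is not present in LocalMachine\Root"
}

# 3. Recent autoenrollment failures. On Windows Server 2003 the autoenrollment
#    client logs to the Application log under the source 'AutoEnrollment';
#    0x800706ba ("The RPC server is unavailable") is what you typically see
#    when the CA's RPC/DCOM ports cannot be reached.
Get-EventLog -LogName Application -Source AutoEnrollment -Newest 10 -ErrorAction SilentlyContinue |
    Where-Object { $_.EntryType -ne 'Information' } |
    Format-Table TimeGenerated, EventID, Message -AutoSize -Wrap

# 4. After changing System Policy, retrigger autoenrollment; it runs as part of
#    Group Policy refresh, so a forced refresh is enough to retry:
# gpupdate /force
```

Re-run the script after the policy change: TCP 135 reachable, the CA certificate listed under LocalMachine\Root, and no new AutoEnrollment errors means the firewall has enrolled.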
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP — ISA Firewalls

Stefaan Pouseele Says:
May 28th, 2006 at 4:42 am
Hi Tom,
creating a temporary access rule from Localhost to the Internal Network allowing All Outbound Traffic seems to cure the problem too.
HTH,
Stefaan
Tom Shinder Says:
May 28th, 2006 at 5:32 am
Hi Stefaan,
I’ve found that you need to disable the RPC filter *before* creating that access rule or else it won’t work. Are you working with ISA 2006? Maybe that’s the difference?
Thanks!
Tom
Thomas Godsk Joergensen Says:
August 20th, 2007 at 7:00 am
I’ve encountered the same problem on ISA 2006. As mentioned by Tom, if using Windows XP or Windows Server 2003, DCOM is used (Windows 2000 uses RPC). In that case, the problem can be resolved by disabling the RPC interface and fixing the TCP port used by DCOM on the issuing CA, and then creating a custom rule for this fixed port in addition to allowing RPC (all interfaces). It is all described in detail in the following Microsoft article on web enrollment: http://www.microsoft.com/technet/prodtechnol/windo...l.mspx. Search for “Disabling the RPC Interface at the Issuing CA” (without quotes) and read on.
HTH
Thomas