Comments on: Automatic Certificate Enrollment Fails on the ISA Firewall http://blogs.isaserver.org/shinder/2006/05/27/automatic-certificate-enrollment-fails-on-the-isa-firewall/ Written by Dr Thomas W Shinder, consultant to Microsoft, HP and many Fortune 500 companies on ISA firewall and Web proxy deployments this blog is where administrators get information about ISA Server Universal Threat Management firewalls. Topics include how to manage, deploy, and troubleshoot ISA Server as a network firewall, Web proxy/Web cache, remote access VPN server and VPN gateway to provide a high level of network security for all corporate computers. Fri, 29 Aug 2008 17:58:54 +0000 http://wordpress.org/?v=MU by: Thomas Godsk Joergensen http://blogs.isaserver.org/shinder/2006/05/27/automatic-certificate-enrollment-fails-on-the-isa-firewall/#comment-114194 Mon, 20 Aug 2007 13:00:33 +0000 http://blogs.isaserver.org/shinder/2006/05/27/automatic-certificate-enrollment-fails-on-the-isa-firewall/#comment-114194 I've encountered the same problem on ISA 2006. As mentioned by Tom, if using Windows XP and Windows Server 2003 DCOM is used (Windows 2000 uses RPC). In that case, the problem can be resolved by disabling the RPC interface and fixing the TCP port used by DCOM on the issuing CA and then create a custom rule for this fixed port in addition to allowing RPC (all interfaces). It is all described in detail in the following Microsoft article on web enrollment: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx. Search for "Disabling the RPC Interface at the Issuing CA" (without quotes) and read on. HTH Thomas I’ve encountered the same problem on ISA 2006. As mentioned by Tom, if using Windows XP and Windows Server 2003 DCOM is used (Windows 2000 uses RPC). In that case, the problem can be resolved by disabling the RPC interface and fixing the TCP port used by DCOM on the issuing CA and then create a custom rule for this fixed port in addition to allowing RPC (all interfaces). It is all described in detail in the following Microsoft article on web enrollment: http://www.microsoft.com/technet/prodtechnol/windo...l.mspx. Search for “Disabling the RPC Interface at the Issuing CA” (without quotes) and read on.

HTH

Thomas

]]> by: Tom Shinder http://blogs.isaserver.org/shinder/2006/05/27/automatic-certificate-enrollment-fails-on-the-isa-firewall/#comment-985 Sun, 28 May 2006 11:32:46 +0000 http://blogs.isaserver.org/shinder/2006/05/27/automatic-certificate-enrollment-fails-on-the-isa-firewall/#comment-985 Hi Stefaan, I've found that you need to disable the RPC filter *before* creating that access rule or else it won't work. Are you working with ISA 2006? Maybe that's the difference? Thanks! Tom Hi Stefaan,
I’ve found that you need to disable the RPC filter *before* creating that access rule or else it won’t work. Are you working with ISA 2006? Maybe that’s the difference?
Thanks!
Tom

]]> by: Stefaan Pouseele http://blogs.isaserver.org/shinder/2006/05/27/automatic-certificate-enrollment-fails-on-the-isa-firewall/#comment-984 Sun, 28 May 2006 10:42:33 +0000 http://blogs.isaserver.org/shinder/2006/05/27/automatic-certificate-enrollment-fails-on-the-isa-firewall/#comment-984 Hi Tom, creating a temporary access rule from Localhost to the Internal Network allowing All Outbound Traffic seems to cure the problem too. HTH, Stefaan Hi Tom,

creating a temporary access rule from Localhost to the Internal Network allowing All Outbound Traffic seems to cure the problem too.

HTH,
Stefaan

]]>