Forefront TMG 2010 Computer Certificate Request or Renewal Fails

April 21, 2014

When attempting to request or renew a computer certificate on the Forefront TMG 2010 firewall, you may receive the following error message:

Status: Failed
The RPC server is unavailable.

 

forefront_tmg_2010_certificate_01

This occurs because the Forefront TMG 2010 firewall does not, by default, allow the protocols and ports required to request or renew a certificate from a Certificate Authority (CA). Common workarounds suggest stopping the firewall completely or creating a rule allowing all protocols and ports from the TMG firewall to the CA. However, both of these workarounds are problematic. Stopping the firewall is a manual process that will cause a service disruption. It also leaves the firewall in an unprotected state. For edge deployment scenarios, the underlying operating system will be exposed directly to untrusted networks, which is a serious security risk. Creating an open access rule is not desirable because it violates the basic security principle of least privilege by allowing more access than is required.

To properly address this issue and allow for the secure request and renewal of certificates without disruption and with the least exposure, it will be necessary to create an access rule on the Forefront TMG 2010 firewall to allow all dynamic ports (TCP 49152-65535) from the local host network to the IP address of the CA for all users.

forefront_tmg_2010_certificate_02

Note: Allowing all dynamic ports (TCP 49152-65535) might also be considered too much access from the Forefront TMG 2010 firewall to the CA. It is possible to restrict the dynamic ports used by TMG and further tighten the access rule, if required. For information about restricting dynamic ports, click here.

In addition to the access rule allowing all dynamic ports, it will also be necessary to make a change to a system policy rule. To do this, right-click the Firewall Policy node in the navigation tree and choose All Tasks, System Policy, and then Edit System Policy. In the Authentication Services group highlight Active Directory and clear the checkbox next to Enforce strict RPC compliance.

forefront_tmg_2010_certificate_03

Once these changes have been made you can now request or renew a computer certificate on the Forefront TMG 2010 firewall successfully.

forefront_tmg_2010_certificate_04

Categories: Forefront TMG 2010, ISA 2006 Configuration, ISA 2006 Enterprise, ISA 2006 General, ISA 2006 Standard, Networking, Security, Threat Management Gateway Tags: , , , , , , , , , , ,
  1. Tom Aafloen
    April 22, 2014 at 10:09 am

    Instead of reducing dynamic ports for the whole CA server you can configure the CA service to use a static port. I wrote a blog post about how you do it. I know, shameless self plug 🙂
    http://mssec.se/2014/02/20/configure-ad-cs-to-use-a-static-dcom-port/

  2. Richard Hicks
    April 22, 2014 at 10:43 am

    Very cool! When I have some time I’ll be sure to test that out. 🙂

  1. No trackbacks yet.
Comments are closed.