Dr. Tom's ISA Server 2004 Firewall Blog

ISA 2004 RPC Filter Breaks Certificates Snap-in

I really like using the Certificates MMC snap-in because it greatly simplifies issuing certificates to domain members from an enterprise CA. Unfortunately, the ISA 2004 RPC filter breaks the Certificates snap-in, and it also breaks the Certificate Request Wizard used to issue certificates to IIS and Exchange services. Bummer. The snap-in talks to the CA over DCOM, which is what the RPC filter's strict RPC compliance check blocks.

The workaround is to disable the RPC filter in the Add-ins node and then create an Access Rule that allows all IP traffic between the communicating hosts. That rule is wide open, so remember to disable it and re-enable the RPC filter as soon as the certificates have been issued!

If you don't want to go through that hassle, you can always use the Web enrollment site, or create a request file for an offline request and carry it to the CA out of band.
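The following script is an added example, not part of the original post: it shows the offline-request path with certreq.exe and first checks whether the CA's RPC/DCOM interface is even reachable through the firewall (certutil -ping uses the same DCOM interface the Certificates snap-in does, so if it fails, the snap-in fails the same way). The CA config string, subject name, template name and working directory are assumptions; replace them with your own values.

```powershell
# Added example (not from the original post). Assumed values: CA config string,
# subject, template name and working directory. Run in an elevated prompt on the
# host that needs the certificate (IIS/Exchange box, or any domain member).
param(
    [string]$CAConfig = 'ca01.corp.example.com\Corp Issuing CA',  # assumed "host\CA name"
    [string]$Subject  = 'CN=web01.corp.example.com',              # assumed requesting host
    [string]$Template = 'WebServer',                              # assumed template name
    [string]$WorkDir  = (Join-Path $env:TEMP 'certreq-offline')   # assumed scratch dir
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

$infPath = Join-Path $WorkDir 'request.inf'
$reqPath = Join-Path $WorkDir 'request.req'
$cerPath = Join-Path $WorkDir 'request.cer'

# 1. Can we reach the CA over RPC/DCOM at all? certutil -ping opens the same
#    ICertRequest DCOM interface the Certificates snap-in uses. If the ISA RPC
#    filter is blocking DCOM, this fails and the snap-in would fail identically.
& certutil.exe -ping -config $CAConfig *> $null
$dcomReachable = ($LASTEXITCODE -eq 0)
Write-Host ("RPC/DCOM to CA '{0}' reachable: {1}" -f $CAConfig, $dcomReachable)

# 2. Build the request locally. MachineKeySet=TRUE stores the key in the machine
#    store so IIS/Exchange can use it; Exportable=FALSE keeps the key from being
#    exported; KeyUsage 0xA0 = digital signature + key encipherment.
$inf = @"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

& certreq.exe -new $infPath $reqPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (see $infPath)" }

if ($dcomReachable) {
    # 3a. DCOM is open (for example, the temporary allow-all rule from the post
    #     is in place), so submit directly over the same path the snap-in uses.
    & certreq.exe -submit -config $CAConfig $reqPath $cerPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed" }
}
else {
    # 3b. DCOM is blocked: $reqPath is the offline request the post mentions.
    #     Carry it to the CA (or paste it into the Web enrollment site), save
    #     the issued certificate as $cerPath, then re-run this script; the
    #     -accept step below binds it to the pending request and private key.
    Write-Warning "RPC/DCOM to the CA is blocked. Submit $reqPath out of band and save the issued certificate as $cerPath."
}

# 4. Install the issued certificate against the pending request, if we have it.
if (Test-Path $cerPath) {
    & certreq.exe -accept $cerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed" }
    Write-Host "Certificate installed into the machine store."
}
```

The point of the -ping check is that it isolates the firewall problem from the PKI problem: a failed ping means the RPC filter (or the strict RPC compliance setting) is in the way, and no amount of template or permission tweaking on the CA will help, whereas a successful ping followed by a failed submit points at the CA itself.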

HTH,
Tom

Posted: Apr 21 2004, 11:05 AM by shinder | with 11 comment(s)

Comments

shinder said:

And it breaks autoenrollment of machine certificates!

It's a DCOM issue. Can't we get Jim on the case to come up with a solution like he has for the SMTP Screener?

Cheers


Paul
# July 27, 2004 9:26 AM

shinder said:

Hello,

I came across this same issue, and have resolved it, by ensuring that the "Enforce strict RPC compliance" option is UNCHECKED in the System Policy Editor\Authentication Services\Active Directory\General tab.

See the following website's DCOM section for more info:

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/systempolicy.mspx

regards,

jinesh
# September 21, 2004 4:39 PM

shinder said:

Pretty cool! Thank you!
# December 30, 2004 11:08 AM

shinder said:

I did this. I disabled the Add-in RPC filter, I disabled the RPC checkbox, and I then also unchecked "Enforce strict RPC compliance", and it still does not work, e.g. auto-enrollment and manual enrollment through the Certificates snap-in.

Is the step to re-apply the Access Rule to all IP traffic absolutely needed?

- Joaquin
# February 16, 2005 8:27 PM

shinder said:

If there's a problem establishing Active Directory site-to-site infrastructure with an Enterprise CA integrated into Active Directory, then this ISA Server 2004 becomes a non-solution real fast. Why would anyone use a product that cannot sustain Active Directory sites through VPNs? This problem is really serious.
# February 16, 2005 8:32 PM

shinder said:

Has anyone got this working? I have done all the above, but still my domain controller in my remote site is unable to obtain its certificate.

Any help would be much appreciated.

James
# April 27, 2005 11:00 AM

shinder said:

I found the simplest solution yet, after weeks of investigating this!

When using site-to-site VPNs, select each of your outbound rules from the different networks, right-click, go to "Configure RPC" and uncheck "Enforce...". I did not need to do this in the System Policy, nor did I have to configure any additional rules or disable the RPC filter.

Hope this can be investigated further.

James
# April 27, 2005 11:34 AM
