Renew CA-ROOT and CRL lists to use with Forefront UAG DirectAccess.

And hi again.

Today a customer had problems with Forefront UAG DirectAccess.

Recently they had renewed the CA-Root certificate, and the CRL and delta CRL lists got renewed as well, now with the names ca-root(1).crl and ca-root(1)+.crl.

They are using an internal CA-Root certificate for IP-HTTPS.

So the problem was that client machines got this error with “netsh int http show int”:


So the reason was that the CRL lists were indeed published to an externally available website, but UAG showed this error message:

“You have attempted to access a restricted URL. The URL is blocked by one or more Forefront UAG out-of-the-box rules”

And below are the instructions on how to allow them.


BUT WAIT! It wasn’t so easy. I didn’t find any out-of-the-box security configuration in the trunk config …

So this must be an older version then. Here is the correct way:
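Once the URLs are allowed, a quick client-side check is useful. The script below is an added example, not code from the original post: it reads the CRL Distribution Point URLs out of the IP-HTTPS certificate and fetches each one the way a DirectAccess client would, then tells apart a real DER CRL from a UAG block page. The certificate path is a placeholder; the script assumes it runs from a client on the Internet side of UAG.

```powershell
# Added example, not from the original post. Reads the CRL Distribution Point
# URLs out of the IP-HTTPS certificate and fetches each one over plain HTTP,
# then checks whether the response is a DER-encoded CRL or a UAG block page.
# Assumption: the IP-HTTPS certificate has been exported to $certPath (placeholder).
$certPath = 'C:\temp\iphttps.cer'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
# CRL Distribution Points extension is OID 2.5.29.31; Format() renders one "URL=..." per point
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw "No CRL Distribution Points extension in $certPath" }
$urls = [regex]::Matches($cdp.Format($true), 'URL=(http\S+)') |
        ForEach-Object { $_.Groups[1].Value }   # keep HTTP points, skip LDAP paths

foreach ($url in $urls) {
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        $bytes = [System.IO.File]::ReadAllBytes($tmp)
        if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) {
            # 0x30 is the DER SEQUENCE tag a binary CRL starts with; let certutil parse it
            $null = certutil -dump $tmp 2>&1
            if ($LASTEXITCODE -eq 0) { "OK        $url" } else { "BAD CRL   $url" }
        } else {
            # An HTML body here is typically the UAG out-of-the-box rule block page
            $text = [System.Text.Encoding]::UTF8.GetString($bytes)
            if ($text -match 'Forefront UAG') { "BLOCKED   $url (UAG rule)" }
            else { "NOT A CRL $url (got $($bytes.Length) bytes)" }
        }
    } catch {
        # HTTP 403/404 from UAG or the publishing web server, or no route at all
        "FAILED    $url : $($_.Exception.Message)"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}
```

The delta CRL (the +.crl file) is referenced from the base CRL's Freshest CRL extension rather than from the certificate, so run the same fetch against that URL as well.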

Author: Harri Jaakkonen
