Renew the CA root certificate and CRL lists for use with Forefront UAG DirectAccess.

And hi again.

Today a customer had problems with Forefront UAG DirectAccess.

They had recently renewed the CA root certificate, and with it the CRL and delta CRL were republished under new names, ca-root(1).crl and ca-root(1)+.crl.

The IP-HTTPS certificate is issued by this internal root CA, so DirectAccess clients on the Internet have to be able to fetch that CA's CRL, or the IP-HTTPS interface fails its revocation check.

So the problem was that on the client machines “netsh int http show int” (netsh interface httpstunnel show interfaces) reported this error:

 

The CRLs were indeed published to an externally reachable website, but when the CRL URL was requested through UAG, UAG answered with this error message instead of the CRL:

“You have attempted to access a restricted URL. The URL is blocked by one or more Forefront UAG out-of-the-box rules”

Below are the instructions for allowing them.

 

BUT WAIT! It wasn’t so easy. I didn’t find any out-of-the-box security configuration in the trunk configuration …

So that must have been an older version. Here is the correct way:

https://i0.wp.com/blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-73-55-metablogapi/1460.clip_5F00_image004_5F00_2.jpg?w=760

http://blogs.technet.com/b/ben/archive/2011/10/13/illegal-characters.aspx
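To check the fix from the client side, the script below is an added example and is not code from the original post or from the UAG product. Run on a host outside the corporate network, it reads the CRL Distribution Point URLs out of the IP-HTTPS server certificate and downloads each HTTP one the way a DirectAccess client would, then checks that what came back is a real DER-encoded CRL rather than a UAG block page, and flags URLs containing parentheses, which is what the renewed ca-root(1).crl and ca-root(1)+.crl names introduce. The certificate path C:\temp\iphttps.cer and the output folder under %TEMP% are assumptions; export the public part of the IP-HTTPS certificate there first.

```powershell
<#
  Added example, not from the original post or from Forefront UAG.
  Checks every HTTP CRL Distribution Point in the IP-HTTPS server certificate
  from outside the corporate network. Assumed paths: C:\temp\iphttps.cer for
  the exported certificate and %TEMP%\crlcheck for the downloaded files.
#>
param(
    [string]$CertPath = 'C:\temp\iphttps.cer',
    [string]$OutDir   = (Join-Path $env:TEMP 'crlcheck')
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# OID 2.5.29.31 is the CRL Distribution Points extension. Format($true) returns the
# same multi-line text certutil shows, with one "URL=" entry per distribution point.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw "'$($cert.Subject)' has no CRL Distribution Points extension." }
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

$results = foreach ($url in $urls) {
    # Internet clients can only use the HTTP distribution points; LDAP ones are internal.
    if ($url -notmatch '^https?://') { continue }

    $name = [uri]::UnescapeDataString(([uri]$url).Segments[-1])   # e.g. ca-root(1).crl
    $file = Join-Path $OutDir $name
    $row  = [ordered]@{
        Url          = $url
        # A renewed CA certificate gets "(1)" appended to its CRL name; parentheses in
        # the URL are what to check against the UAG out-of-the-box URL rules.
        HasParens    = ($url -match '[()]')
        HttpStatus   = $null
        LooksLikeCrl = $false
        Parses       = $false
    }
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -OutFile $file -PassThru -ErrorAction Stop
        $row.HttpStatus = $resp.StatusCode
        # A DER-encoded CRL starts with 0x30 (ASN.1 SEQUENCE); a UAG block page is HTML
        # and starts with '<', so a 200 response can still be the wrong thing.
        $bytes = [System.IO.File]::ReadAllBytes($file)
        $row.LooksLikeCrl = ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30)
        # certutil must be able to parse the file; a non-zero exit code means it is not a usable CRL.
        & certutil.exe -dump $file > $null 2>&1
        $row.Parses = ($LASTEXITCODE -eq 0)
    } catch {
        $row.HttpStatus = $_.Exception.Message
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
```

A row with HttpStatus 200 but LooksLikeCrl False is the symptom from this post: the web server publishes the CRL, but UAG hands the client its block page instead. Once both the base and delta CRL rows show Parses True, “netsh interface httpstunnel show interfaces” on the client should report the IP-HTTPS interface as active, and “certutil -verify -urlfetch C:\temp\iphttps.cer” confirms that CryptoAPI itself can complete the revocation check over the same URLs.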

Author: Harri Jaakkonen
