Certificate Enrollment on the UAG DA Server
If you’ve been in the ISA game for a while, you might remember that with the introduction of ISA 2004 there were some “issues” with getting certificates from an online enterprise CA directly from the ISA server. The problem was that the RPC filter, when configured for “strict RPC compliance”, didn’t like the encrypted DCOM communications attempted between the Certificates console on the firewall and the CA on the internal network.
There were a number of solutions to this problem, and those solutions also need to be applied to the UAG server when you want to request a certificate from the Certificates MMC on the UAG server. Why? Because there is a TMG firewall running under the UAG server, and the RPC filter is enabled with strict RPC compliance as part of System Policy.
To fix this, you can follow Ben Bernstein’s instructions over on the UAG Team Blog at:
DEBRA LITTLEJOHN SHINDER
MVP (Enterprise Security)