ISA Firewall Certificate Revocation Checking
Did you know that the ISA Firewall is automatically configured to check for revoked certificates?
You can control this behavior by going to the General node located under the Configuration node in the left pane of the ISA Firewall console. In the middle pane of the General node, you'll see a link saying Specify Certificate Revocation Settings. Click that and you'll see the dialog box that appears in the figure below.
There are two sections: Client Certificates (User Certificates) and Server Certificates.
By default, the Verify that incoming client certificates are not revoked option is enabled. When this is enabled, the ISA Firewall will check to make sure that User Certificates presented to the ISA Firewall for User Certificate authentication are not revoked.
The second option enabled by default is Verify that incoming server certificates are not revoked in a forward scenario. With this option on, the ISA Firewall checks whether the server certificate presented by a Web server it connects to on behalf of a client (or by an upstream Web proxy, when the ISA Firewall is a downstream member of a Web proxy chain) has been revoked. If the certificate is revoked, the connection request is denied.
The remaining Server Certificate option, which is not enabled by default, applies to Web Publishing scenarios that use SSL-to-SSL bridging. When it is enabled, the ISA Firewall checks whether the Web site certificate presented to it by the published Web server has been revoked and, if so, denies connections to that server. The option is off by default for performance reasons and on the assumption that the published Web servers are under your own control and you are already watching their certificate status. Keep in mind what the default means: with the option off, a revoked certificate on a published server is accepted without complaint, so if the published servers are administered by someone else, enabling the check is the safer choice.
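All three options come down to the same mechanism: before trusting a certificate, look it up in the issuing CA's revocation list. The script below is an added example and not ISA Firewall code; it uses the openssl command line to show what that check does and does not catch. A throwaway CA (all names and paths are invented for the demo) issues a server certificate, publishes a CRL, revokes the certificate, and then the certificate is verified three ways: with the CRL before revocation, with the CRL after revocation, and with no revocation checking at all, which is what a disabled "Verify ... are not revoked" option amounts to.

```shell
#!/bin/sh
# Added example (not ISA Firewall code): a CRL-based revocation check done with
# the openssl CLI. A throwaway CA issues a server certificate, publishes a CRL,
# revokes the certificate, and the certificate is verified with and without
# revocation checking. All names and paths below are invented for the demo.
set -eu

CA_DIR=$(mktemp -d)               # throwaway working directory
LOG="$CA_DIR/openssl.log"         # openssl chatter goes here
mkdir -p "$CA_DIR/newcerts"
: > "$CA_DIR/index.txt"           # openssl ca's certificate database
echo 1000 > "$CA_DIR/serial"
echo 1000 > "$CA_DIR/crlnumber"

# Minimal config for "openssl req" and "openssl ca" (unquoted heredoc so the
# shell expands $CA_DIR into absolute paths).
cat > "$CA_DIR/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $CA_DIR
database         = $CA_DIR/index.txt
new_certs_dir    = $CA_DIR/newcerts
serial           = $CA_DIR/serial
crlnumber        = $CA_DIR/crlnumber
certificate      = $CA_DIR/ca.crt
private_key      = $CA_DIR/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = server_ext
[ demo_policy ]
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# 1. Self-signed CA: the trust anchor the verifier will use.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$CA_DIR/ca.cnf" \
    -subj "/CN=Demo Revocation CA" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" >>"$LOG" 2>&1

# 2. Key and CSR for the (invented) published web server, signed by the CA.
openssl req -new -newkey rsa:2048 -nodes -config "$CA_DIR/ca.cnf" \
    -subj "/CN=published.example" -keyout "$CA_DIR/srv.key" -out "$CA_DIR/srv.csr" >>"$LOG" 2>&1
openssl ca -batch -notext -config "$CA_DIR/ca.cnf" \
    -in "$CA_DIR/srv.csr" -out "$CA_DIR/srv.crt" >>"$LOG" 2>&1

# 3. CRL before revocation (empty), then revoke the cert and publish a new CRL.
openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/empty.crl" >>"$LOG" 2>&1
openssl ca -config "$CA_DIR/ca.cnf" -revoke "$CA_DIR/srv.crt" -crl_reason keyCompromise >>"$LOG" 2>&1
openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/revoked.crl" >>"$LOG" 2>&1

# Verify certificate $1 against the demo CA. With a CRL path in $2, revocation
# is checked (-crl_check); with $2 empty it is not, which is what a disabled
# "Verify ... are not revoked" option amounts to.
# Prints "good", "revoked", or "error: <openssl output>".
revocation_status() {
    cert=$1
    crl=$2
    if [ -n "$crl" ]; then
        out=$(openssl verify -CAfile "$CA_DIR/ca.crt" -crl_check -CRLfile "$crl" "$cert" 2>&1) \
            && { echo good; return 0; }
    else
        out=$(openssl verify -CAfile "$CA_DIR/ca.crt" "$cert" 2>&1) \
            && { echo good; return 0; }
    fi
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *) echo "error: $out" ;;
    esac
}

echo "CRL check, before revocation:   $(revocation_status "$CA_DIR/srv.crt" "$CA_DIR/empty.crl")"
echo "CRL check, after revocation:    $(revocation_status "$CA_DIR/srv.crt" "$CA_DIR/revoked.crl")"
echo "No CRL check, after revocation: $(revocation_status "$CA_DIR/srv.crt" "")"
```

The third line of output is the one to keep in mind when deciding about the disabled-by-default option: the chain still validates perfectly well against the CA, so nothing short of an explicit revocation check notices that the certificate was revoked. The same is true of a real verifier that cannot fetch the CRL, so when the checks are on, the ISA Firewall must be able to reach the CRL distribution points of the CAs involved.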