Automatic Certificate Enrollment Fails on the ISA Firewall
You’ve done the footwork ahead of time and created your PKI, complete with an Enterprise CA. You know that one of the major advantages to using an enterprise CA is that the CA certificates are automatically placed in each domain member’s machine certificate store. This includes the ISA firewall’s machine certificate store.
However, when you check the ISA firewall’s machine certificate store you don’t have the CA’s certificate in the Trusted Root Certification Authorities machine certificate store. What’s up with that? The problem is that the autoenrollment mechanism uses DCOM and by default the ISA firewall’s System Policy Rules block DCOM traffic from the ISA firewall to the default Internal Network (where the enterprise CA is most likely located). What to do?
You have two options:
- Configure System Policy to allow DCOM traffic
- Disable the RPC Filter and allow all traffic to and from the Enterprise CA and then re-enable the RPC filter and remove the allow rule
The first option is the officially supported method. However, I find that it does not always work. If you find the first option doesn’t work for you, try the second method. Remember to re-enable the RPC filter after you obtain the CA certificate if you use the second option.
For the first option, here are the steps:
1. In the ISA firewall console, click Firewall Policy:
- For ISA Server 2004 Enterprise Edition, for array-level firewall policy, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand the array name, and click Firewall Policy.
- For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand the server name, and then click Firewall Policy.
2. On the Tasks tab, click Edit System Policy.
3. From the Configuration Groups list, click Active Directory.
4. On the General tab, do not select Enforce strict RPC compliance checkbox.
Thomas W Shinder, M.D.
MVP -- ISA Firewalls