How to Configure UAG to Publish Your Private Certificate Revocation List


In order for SSTP (Secure Socket Tunneling Protocol) and DirectAccess to work properly, the SSTP and DirectAccess client must have access to the CRL (Certificate Revocation List) for the server certificate. If you are using client certificate or smart card authentication, the client will also need access to the CRL.

If you are using an internal Microsoft Certificate Authority (CA), you can publish the CRL through UAG using the following procedure:

Important Note:
If you are using a Microsoft Certificate Authority (CA), make sure the Root CA certificate (and, if you are using an intermediate CA, the intermediate CA certificate as well) is located in the Trusted Root Certification Authorities store of the Local Computer.

Steps to Publish the CRL through UAG

Open the UAG Management Console, navigate to HTTP Connections, right-click, and choose New Trunk.

On the Welcome to the Create Trunk Wizard page click Next.

On the Step 1 – Select Trunk Type page, select the Portal trunk option and click Next.

On the Step 2 – Setting the Trunk page, enter the Trunk name and the Public host name. This part is very important: you must enter exactly the host name used in the CDP (CRL Distribution Point) URL configured on your certificates. Then click Next.

Note:
External clients must be able to resolve the public host name.

On the Step 3 – Authentication page, choose any authentication repository (the choice does not matter, because in a later step we will disable authentication for this trunk; access to the CRL does not require authentication), then click Next.

On the Step 4 – Endpoint Security page, click Next (you will disable Endpoint Security for this trunk later, so the choice made here is immaterial).

On the Step 5 – Endpoint Policies page, click Next.

On the Completing the Create Trunk Wizard page, click Finish.

Configure the New Trunk

Now we will add an Other Web Application (application specific hostname) application to the new trunk to publish the internal CRL.

In the UAG Management Console, click Add.

On the Step 1 – Select Application page, select the Web option and then select the Other Web Application (application specific hostname) option from the drop-down list. Click Next.

On the Step 2 – Configure Application page, enter the Application name and, in the Application type text box, enter OtherWeb. Then click Next.

On the Step 3 – Select Endpoint Policies page, click Next.

On the Step 4 – Deploying an Application page, click Next.

On the Step 5 – Web Servers page, in the Addresses text box, enter the name of your internal IIS server that hosts the CRL. Change Paths to the path defined for your CRL Distribution Point, for example “/CertEnroll/*” (your CDP will likely use a different path; enter the one you defined for your CDP). Set the Public host name to the host name configured in the CDP (CRL Distribution Point); this must be the same Public host name defined for the trunk. Click Next.

Note:
External clients should be able to resolve this name.

On the Step 6 – Authentication page, click Next.

On the Step 7 – Portal Link page, click Next.

On the Step 8 – Authorization page, click Next.

On the Completing the Add Application Wizard page, click Finish.

In the UAG Management Console, navigate to Initial application and choose the application you created (this allows access directly to the CRL rather than through the UAG default portal).

In the UAG Management Console, navigate to Trunk Configuration and choose Configure.

Disable Require users to authenticate at session logon on the Authentication tab of the Advanced Trunk Configuration dialog box.

Enable the option “Disable component installation and activation” on the Sessions tab of the Advanced Trunk Configuration dialog box. You need to do this because the UAG client components are not required for publishing the CRL. Also enable the option “Disable scripting for portal applications”.
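
As an added check (example code, not from the original post or from UAG itself), the script below compares a certificate's CDP URL with the trunk's Public host name and the path published on the Web Servers page, and flags the characters that commenters on this post report being rejected by the out-of-the-box global rules ("(" and ")" in a renewed CA's CRL name, "+" in the delta CRL name). The CA name, host name and paths are constructed values.

```python
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlparse

# Characters the comments on this post report being rejected by the UAG
# out-of-the-box global rules: "(" and ")" in a renewed CA's CRL name and
# the "+" of a delta CRL. Constructed from those reports, not UAG's rule text.
SUSPECT_CHARS = frozenset("()+")


def expected_crl_names(ca_name, renewals=0):
    """CRL file names a Windows CA writes to its CertEnroll share: the base
    CRL, "(n)" appended after the n-th CA key renewal, "+" for the delta CRL."""
    suffix = f"({renewals})" if renewals else ""
    return [f"{ca_name}{suffix}.crl", f"{ca_name}{suffix}+.crl"]


def check_cdp_publication(cdp_url, trunk_public_host, app_paths,
                          allowed_chars=frozenset()):
    """Compare one CDP URL from a certificate with the trunk meant to serve it.
    trunk_public_host is the Public host name entered on the trunk and the
    application, app_paths the Paths from the Web Servers page (e.g.
    ["/CertEnroll/*"]), allowed_chars any characters already added to the
    global rules' allowed list. Returns a list of findings; [] means it lines up."""
    findings = []
    u = urlparse(cdp_url)
    if u.scheme.lower() != "http":
        findings.append(f"{u.scheme}: CDP is not served by an HTTP portal trunk")
    if (u.hostname or "").lower() != trunk_public_host.lower():
        findings.append(f"host {u.hostname!r} differs from trunk public host name "
                        f"{trunk_public_host!r}")
    path = unquote(u.path)
    if not any(fnmatchcase(path.lower(), p.lower()) for p in app_paths):
        findings.append(f"path {path!r} is outside the published paths {app_paths}")
    blocked = sorted((SUSPECT_CHARS & set(path)) - set(allowed_chars))
    if blocked:
        findings.append(f"characters {blocked} in {path!r} are blocked by the "
                        f"default global rules")
    return findings


def audit_ca(ca_name, renewals, cdp_base, trunk_public_host, app_paths,
             allowed_chars=frozenset()):
    """Check every CRL file the CA publishes under cdp_base, for example
    cdp_base="http://crl.contoso.com/CertEnroll/" (constructed name)."""
    return {name: check_cdp_publication(cdp_base + name.replace(" ", "%20"),
                                        trunk_public_host, app_paths, allowed_chars)
            for name in expected_crl_names(ca_name, renewals)}
```

Run audit_ca with your CA name, the number of times its key has been renewed and the CDP base URL; any non-empty finding list is a CRL file external clients will not be able to fetch through the trunk as configured.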

This article was originally written by Tarun Sachdeva, Sr. Support Engineer.

Tom Shinder
tomsh@microsoft.com
Microsoft ISD iX/SCD iX
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time):
http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter:
https://twitter.com/tshinder
Facebook:
http://www.facebook.com/tshinder

Comments (21)

  1. Anonymous says:

    Hi Markus,

    Yes, you'll need a new DNS entry in your public DNS for the second IP address.

    Thanks!

    Tom

  2. Anonymous says:

    Are you thinking of the CRL for the certificate bound to the IP-HTTPS listener? There's no problem with the internal clients being able to reach that CDP, in fact, you'll need that to support NLS.

    The Test Lab Guide CRL Check Update post was referring to the original TLG. Use the one based on the TLG format that I created for UAG SP1 RC.

    Thanks!

    Tom

  3. Anonymous says:

    Hi Gokham,

    Great! Good to hear you got it working and thanks for the follow up!

    Tom

  4. Anonymous says:

    Hi Chris,

    You will need to include the FQDN for the CDP on your CA.

    Tom

  5. Anonymous says:

    Hello Tom/Markus,

    Looks like we have two trunks over here using the same IP address. Each trunk should have its own unique IP.

    Trunk 1: my https

    Trunk 2: my CRL

    Either disable one of the trunks (by right clicking on the trunk name and using "Disable" option) and activate the configuration or use another IP for the second trunk by using the steps below:

    1) Add another IP address to the external NIC,

    2) Use File menu, Reload configuration

    3) Select this new IP on one of these trunks

    4) Activate the configuration.

  6. Markus says:

    Hi Tom,

    perfect post…many thanks.

    Unfortunately I always get an error saying

    Error: Trunk "Filter of trunk my https trunk" cannot be activated due to the following: The trunk uses an IP address/port number combination already in use by the portal 'my CRL' trunk.

    What am I missing on my set up?

    Thanks, Markus

  7. Tom Shinder says:

    Hi Markus,

    It might be that the original HTTPS trunk is using Port 80 too?

    Check the configuration of the other trunk and let me know.

    Thanks!

    Tom

  8. Markus says:

    Hi Tom,

    Thank you for the answer. I may have forgotten to add that I am a 100% new user on UAG and am doing my first steps.

    The only hint on the HTTPS trunk that I can see [as a new user] is under the application portal and its properties. Under the tab web servers is an entry with http ports = auto.

    Am I on the right path for a solution?

    Thanks, Markus

  9. Tom Shinder says:

    Hi Markus,

    Hmmm. Not sure. Let me see if I can find someone who can help us with this.

    Thanks!

    Tom

  10. Hi Tarun says:

    First of all many thanks to both of you for support.

    I can see

    Trunk1: my https with my IP w.x.y.1 and port 443

    Trunk2: my CRL with my IP w.x.y.1 and port 80

    Would your comment mean that I need to change either trunk1 or trunk2 to IP address w.x.y.2? Even though each trunk is unique because of the different port?

    If so, as I already configured 2 IP addresses, I would be forced to change my DNS entry. As both hostnames are linked to the same IP.

    Regards,

    Markus

  11. Hi Tom says:

    OK then…thanks for this information. Good to know.

    Cheers,

    Markus

  12. Chris says:

    Hey Folks!

    Very informative. As far as DirectAccess goes, do we need to define the CRL trunk URL on the CA so that the DA clients know where to go to reference it?

    Thanks,

    Chris

  13. Chris says:

    Well, by nature the CRL for UAG is not reachable from the inside. Would this cause a problem if defined on the CA?

    Also, on your Test Lab Guide CRL Check Update document, you mention unchecking " Include in the CDP extension of issued certificates" for the ldap:\…is this something I also need to do?

    Thanks,

    Chris

  14. Gokhan says:

    Hi Tom

    Thanks for the great article, but I have a minor problem.  When I try to access the CRL file I receive "You have attempted to access a restricted URL. The URL is blocked by one or more Forefront UAG out-of-the-box rules." error message.

    I'll appreciate it if you can help me out.

    Thanks in advance

    Gokhan

  15. Gokhan says:

    Hello Again.

    Never mind the problem, I found the cause.  My CRL had invalid characters in it so UAG was blocking it.

  17. DC says:

    After following these steps I am able to access some .crt files in the directory, however file names with "(" or ")" are blocked as a restricted URL. If I look in TMG and monitor the traffic I see the following error

    "user to trunk crltrunk; Secure=0 failed due to an error with a predefined global rule. The error code is Illegal character – (()."

  18. Martin says:

    Hi, can I use one of the DirectAccess IP addresses to publish the CRL?

  19. Gareth says:

    Good article, thanks for making that very easy.

    The only changes I had to make were updating the global out-of-the-box rules to allow bracket '()' characters as per this article – myitforum.com/…/global-out-of-the-box-rules-troubleshooting.aspx

    My CRL list is now available externally, however I am having trouble with my delta CRL file with the '+' in it. I am not able to download this.

    Is anyone else having this problem with their delta?

    '+' is in my allowed character list.

  20. SF says:

    Do we need to create policies/ACLs in TMG to secure UAG trunks?

  21. Rasheed says:

    How do I configure the UAG portal page?