MSMVPS.COM

ISA 2004 RPC Filter Breaks Certificates Snap-in

I really like using the Certificates MMC snap-in because it greatly simplifies issuing certificates to domain members when using an enterprise CA. Sadly enough, the ISA 2004 RPC filter kills the Certificates snap-in, and also the Certificate Request Wizard used to issue certificates to IIS and Exchange Services. Bummer.

The solution is to disable the RPC filter in the Add-ins node and then create an Access Rule that allows all IP traffic between the communicating hosts. Just remember to disable this rule and re-enable the RPC filter after you've issued the certificates!

If you don't want to go through that hassle, you can always use the Web enrollment site, or create a file for an offline request.
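The offline-request path mentioned above, as an added example that is not part of the original post: an INF file drives certreq to generate the key pair locally and write a PKCS #10 request, the request file travels to the CA over the Web enrollment page (plain HTTP/HTTPS, so none of the RPC/DCOM traffic the ISA RPC filter inspects is involved), and the issued certificate is bound back to the pending key. The subject name, template name and CA config string are placeholders you will need to replace.

```powershell
# Added example, not code from the original post. Placeholders you must
# change: server.example.com, the template name WebServer, and the CA
# config string "ca.example.com\Example Enterprise CA".

# Request parameters: the key is created non-exportable in the machine store
# so the resulting certificate can be used by services such as IIS.
$inf = @"
[NewRequest]
Subject = "CN=server.example.com"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer
"@

Set-Content -Path .\request.inf -Value $inf

# 1. Generate the private key and the PKCS #10 request file.
certreq -new .\request.inf .\request.req

# 2. Take request.req to the CA out of band: paste its contents into the
#    CA's Web enrollment site (or copy the file to a host that can reach the
#    CA) and save the issued certificate as cert.cer on this machine.
#    Only where RPC to the CA is NOT blocked could you submit directly:
# certreq -submit -config "ca.example.com\Example Enterprise CA" .\request.req .\cert.cer

# 3. Install the issued certificate and bind it to the pending key.
certreq -accept .\cert.cer

# 4. Confirm the certificate landed in the machine store with its private key.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } |
    Format-Table Subject, NotAfter, Thumbprint
```

The `-accept` step is what ties the certificate to the key generated in step 1; if it is run on a different machine than `-new`, certreq cannot find the pending request and the certificate is installed without a usable private key.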

HTH,
Tom


Posted Apr 21 2004, 11:05 AM by shinder

Comments

shinder wrote re: ISA 2004 RPC Filter Breaks Certificates Snap-in
on 07-27-2004 9:26
And it breaks autoenrollment of machine certificates!

It's a DCOM issue: Can't we get Jim on the case to come up with a solution like he has for the SMTP Screener?

Cheers


Paul
shinder wrote re: ISA 2004 RPC Filter Breaks Certificates Snap-in
on 09-21-2004 16:39
Hello,

I came across this same issue, and have resolved it, by ensuring that the "Enforce strict RPC compliance" option is UNCHECKED in the System Policy Editor\Authentication Services\Active Directory\General tab.

See the following website's DCOM section for more info:

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/systempolicy.mspx

regards,

jinesh
shinder wrote re:
on 12-30-2004 11:08
Pretty cool! Thank you!
shinder wrote re: ISA 2004 RPC Filter Breaks Certificates Snap-in
on 02-16-2005 20:27
I did this. I disabled the Add-in RPC filter, I disabled the RPC checkbox, and I then also unchecked "Enforce Strict RPC compliance", and it still does not work, e.g. auto-enrollment and manual enrollment through the Certificate snap-in.

Is the step to re-apply the Access Rule to all IP traffic absolutely needed?

- Joaquin
shinder wrote re: ISA 2004 RPC Filter Breaks Certificates Snap-in
on 02-16-2005 20:32
If there's a problem establishing Active Directory site-to-site infrastructure with an Enterprise CA integrated into Active Directory, then this ISA Server 2004 becomes a non-solution real fast. Why would anyone use a product that cannot sustain Active Directory sites through VPNs? This problem is really serious.
shinder wrote re: ISA 2004 RPC Filter Breaks Certificates Snap-in
on 04-27-2005 11:00
Has anyone got this working, I have done all the above, but still my Domain controller in my remote site is unable to obtain its certificate.

Any help would be much appreciated.

James
shinder wrote re: ISA 2004 RPC Filter Breaks Certificates Snap-in
on 04-27-2005 11:34
I found the simplest solution yet, after weeks investigating this!

When using site-to-site VPNs, select each of your outbound rules from the different networks, right-click, go to "Configure RPC" and un-check Enforce... I did not need to do this on the System Policy, nor did I have to configure any additional rules or disable the RPC filter.

Hope this can be investigated further.

James
