Simple question about CRL
Hello, I am building a two-tier hierarchy with an SSTP VPN on a TMG server, and I have some difficulties with that... I have an offline root, an online root subordinate, my TMG server, my domain controller and my client. I tried to find the solutions to it but I couldn't find any. I'm trying to connect with my client and I get this error: "the revocation function was unable to check revocation because the revocation server was offline". I published my CRL on the SubCA server, and I use a computer certificate on my client and on the TMG server to check the CRL with http://sub/SubCA.crl, but this URL doesn't seem to work. So I tried with another URL, \\sub\crldist$\SubCA.crl, and it doesn't seem to work either. So here is my question:

- Do I need to publish the CRL on the TMG server, or is my computer, when it connects, going to check the CRL on the SubCA server? (I'm having a hard time trying to understand how the checking works... If my computer is outside the network, is it able to check the CRL even if it is behind TMG?)
- Can I have more than one URL on my certificate to check my CRL? (for example an http:// and a \\...\...crl)

Thanks.
John
February 16th, 2012 9:38am

Hi John, You can have multiple URLs for your CRL list. It is also possible to integrate the CRL in your Active Directory. This only works for users connected to your internal network. For external users you need to publish your internal certenroll website to an external address (for example: crl.yourcompany.com). You will then need to enter the external address in the available CRL lists on your subordinate CA.

KPN Consulting - Technical Consultant www.bart-timmermans.nl
February 16th, 2012 10:15am

Hi John, I would save yourself some pain and use a public CA certificate for the SSTP listener... However, if you want to use a private CA, note that SSTP requires access to the CRL BEFORE it can establish the connection; hence you will have to publish your CRLs anonymously to the Internet like this: http://blog.msfirewall.org.uk/2008/06/publishing-certificate-revocation-lists.html

Cheers
JJ

Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
February 16th, 2012 10:17am

Hi John, Was your question answered by Jason and me? Or do you have more questions?

Regards,
Bart

KPN Consulting - Technical Consultant www.bart-timmermans.nl
February 18th, 2012 3:11am

Be careful - although you CAN have MULTIPLE URLs to various CRL locations (such as HTTP://, LDAP:// etc.), starting with Windows 7 (Windows Server 2008 R2 as well), the client processes only the FIRST URL of each type. So if you include two HTTP paths, only the first one will be checked and validated. If the first HTTP path in that case is not accessible, the client DOES NOT try the second HTTP one at all. It just proceeds with another type of CRL URL, if available. If you want to load-balance CRL over HTTP, the only option is to balance the HTTP server itself, such as by using NLB (Network Load Balancing) or some other content switch technology or proxy, such as ISA/TMG/UAG Web Publishing.

Yes, if you plan to use your certificates from outside of the network, you need to have the HTTP URL externally resolvable (use an FQDN - Fully Qualified Domain Name - for the server name), and yes, you will have to make it externally accessible through whatever firewall you have. There are commonly two approaches to this - either publish the real HTTP location on the CA server itself, or develop a method for automatic/manual copying of the .CRL files to some external web server.

If you have a CA hierarchy, you will have to publish all the CRL paths of all the CAs that form the chain - meaning the RootCA, any Intermediate CAs if they exist, and the IssuingCA.

ondrej.
February 19th, 2012 6:51am
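To make the rules from this thread concrete, here is an added example (not code from any poster) that models the CDP selection behaviour ondrej describes and lints the URLs from John's question for an Internet-facing SSTP client. The URL list is constructed for the example; crl.yourcompany.com and the LDAP entry are placeholders, not values from a real certificate.

```python
from urllib.parse import urlsplit

# Constructed sample CDP list: John's two URLs, a second HTTP URL using the
# kind of external FQDN Bart suggested, and a hypothetical LDAP entry.
SAMPLE_CDP = [
    "http://sub/SubCA.crl",
    "http://crl.yourcompany.com/SubCA.crl",
    "ldap:///CN=SubCA,CN=CDP,CN=Public%20Key%20Services,DC=yourcompany,DC=com?certificateRevocationList",
    r"\\sub\crldist$\SubCA.crl",
]

def url_type(url):
    """Classify a CDP entry by scheme; a UNC path counts as type 'file'."""
    if url.startswith("\\\\"):
        return "file"
    return urlsplit(url).scheme.lower() or "unknown"

def effective_cdp(urls):
    """Windows 7 / 2008 R2+ behaviour as described in the thread: only the
    first URL of each type is consulted; later URLs of the same type are
    never fetched, even if the first one is unreachable."""
    seen = set()
    chosen = []
    for url in urls:
        kind = url_type(url)
        if kind not in seen:
            seen.add(kind)
            chosen.append(url)
    return chosen

def external_client_issues(url):
    """Reasons an Internet client (an SSTP client outside TMG) cannot use this URL."""
    issues = []
    kind = url_type(url)
    if kind == "file":
        issues.append("UNC/file path: not reachable from outside the network")
    elif kind == "ldap":
        issues.append("LDAP: needs domain connectivity, unusable for external clients")
    elif kind == "http":
        host = urlsplit(url).hostname or ""
        if "." not in host:
            issues.append("short hostname '%s': not an externally resolvable FQDN" % host)
    return issues

def lint_cdp(urls):
    """Map each URL the client will actually try to its list of problems."""
    return {url: external_client_issues(url) for url in effective_cdp(urls)}
```

Running lint_cdp(SAMPLE_CDP) shows that the externally resolvable HTTP URL is never consulted because it sits second, while every URL the client does try is unusable from the Internet.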

Can you try to enable a CRL at TMG and set the networks? You can put an external site with a CertServer and an internal server too.
July 4th, 2012 1:00pm
