Hi Joyce,
Thanks for the information. I won't worry about this setting then.
I do have another related question. I need to change the certificate used by the SSTP VPN because the one I originally used didn't have a valid CRL, which I've subsequently taken care of. I've read the instructions on how to update the certificate used by SSTP VPN, since it seems like changing it is a non-trivial process. I've read the following links:
http://support.microsoft.com/kb/947027
http://kingofbytes.wordpress.com/2014/01/05/nightmare-on-vpn-street-with-tmg-and-sstp-part-1-of-4/
These seem pretty straightforward. My only concern is that when I do the "netsh http show ssl" command on my TMG/SSTP server I get back this:
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : aa8903a20156be71f9a7e3047433013574b08c70
    Application ID               : {1d40ebc7-1983-4ac5-82aa-1e17a7ae9a0e}
    Certificate Store Name       : (null)
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

    IP:port                      : [::]:443
    Certificate Hash             : aa8903a20156be71f9a7e3047433013574b08c70
    Application ID               : {1d40ebc7-1983-4ac5-82aa-1e17a7ae9a0e}
    Certificate Store Name       : (null)
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
What I'm concerned about is that the Application ID reported here is {1d40ebc7-1983-4ac5-82aa-1e17a7ae9a0e}, while the two links say it should be {ba195980-cd49-458b-9e23-c84ee0adcd75}, which is the App ID for the SSTP server. The only thing I can think of is that my SSTP server and certificate are bound to a different IP address than the default HTTP listener. If I look up the aa8903a20156be71f9a7e3047433013574b08c70 hash in the list of certs, it is an old expired machine certificate for the TMG server.

It seems that since this certificate is expired, removing it is OK, but I'm not sure about the other commands that update the SSL certs, like "netsh http add sslcert" for example. Do I have to tell that command to use a different IP address?
Thanks
Nick
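A script, added here as an example and not taken from the thread or from either linked article, that answers the "which IP:port is SSTP actually bound to?" question before anything is deleted. It parses every HTTP.sys SSL binding, marks the one(s) carrying the SSTP application ID quoted in the post, looks each bound thumbprint up in the machine store to show whether it is expired (as the aa8903... one above is), and prints the netsh delete/add pair for the SSTP binding only, keeping whatever ipport= that binding already has. It assumes an elevated PowerShell session on the SSTP/TMG host; the script name, the -NewThumbprint and -Apply parameters and the Get-HttpSslBinding / Get-CertificateStatus function names are this example's own, not netsh or Microsoft ones.

```powershell
<#
Added example, not part of the original thread or of KB947027.
Assumptions: run elevated on the SSTP/TMG host; the SSTP app ID below is
the value quoted in the post; -NewThumbprint and -Apply belong to this
script, not to netsh. Without -Apply nothing is changed.
#>
param(
    [string]$NewThumbprint,  # thumbprint (no spaces) of the replacement cert in LocalMachine\My
    [switch]$Apply           # without it the script only prints the netsh commands
)

$SstpAppId = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'

function Get-HttpSslBinding {
    # Parse 'netsh http show sslcert' into objects; a new binding starts at each IP:port line.
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = [pscustomobject]@{ IpPort = $Matches[1]; Hash = $null; AppId = $null }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.Hash = $Matches[1].ToUpper()
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') {
            $current.AppId = $Matches[1].ToLower()
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

function Get-CertificateStatus {
    param([string]$Thumbprint)
    # Look the thumbprint up in the machine personal store and report whether it is still valid.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $Thumbprint }
    if (-not $cert) {
        return [pscustomobject]@{ Found = $false; Expired = $null; NotAfter = $null; Subject = '(not in LocalMachine\My)' }
    }
    [pscustomobject]@{
        Found    = $true
        Expired  = ($cert.NotAfter -lt (Get-Date))
        NotAfter = $cert.NotAfter
        Subject  = $cert.Subject
    }
}

# 1. Inventory: every binding, whichever address it is on, with its cert status.
$bindings = Get-HttpSslBinding
foreach ($b in $bindings) {
    $status = Get-CertificateStatus -Thumbprint $b.Hash
    $role   = if ($b.AppId -eq $SstpAppId) { 'SSTP' } else { 'other' }
    '{0,-14} {1,-6} appid={2} hash={3} expired={4} notAfter={5} {6}' -f `
        $b.IpPort, $role, $b.AppId, $b.Hash, $status.Expired, $status.NotAfter, $status.Subject
}

# 2. Only bindings that already carry the SSTP app ID are candidates for rebinding.
$sstpBindings = @($bindings | Where-Object { $_.AppId -eq $SstpAppId })
if ($sstpBindings.Count -eq 0) {
    Write-Warning "No binding carries the SSTP app ID $SstpAppId; a 0.0.0.0:443 binding owned by another app ID is not the SSTP one."
}

# 3. Rebind: same ipport= for delete and add, so the address the binding lives on is preserved.
if ($NewThumbprint) {
    $new = Get-CertificateStatus -Thumbprint $NewThumbprint
    if (-not $new.Found -or $new.Expired) {
        throw "Replacement certificate $NewThumbprint is missing from LocalMachine\My or already expired; not rebinding."
    }
    foreach ($t in $sstpBindings) {
        $delete = @('http', 'delete', 'sslcert', "ipport=$($t.IpPort)")
        $add    = @('http', 'add', 'sslcert', "ipport=$($t.IpPort)", "certhash=$NewThumbprint", "appid=$SstpAppId", 'certstorename=MY')
        if ($Apply) {
            & netsh @delete
            & netsh @add
        } else {
            "would run: netsh $($delete -join ' ')"
            "would run: netsh $($add -join ' ')"
        }
    }
}
```

Run it first with no parameters to see the inventory; in the output quoted in the post both 443 bindings would be reported as "other" with an expired certificate, and the warning would fire, which is exactly the situation where a blind delete/add on 0.0.0.0:443 would be touching something other than SSTP. Only bindings that already carry the SSTP application ID are ever rewritten, and only with -Apply. The script covers the HTTP.sys binding alone; the remaining steps in the linked KB article (the RemoteAccess side picking up the new certificate) are outside what it does.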