Tuesday, December 28, 2010

UAG 2010 + AD + Microsoft Certificate Authority Services

I'm working in the test lab to play with UAG and see what problems it solves and creates for me at work.  My test lab is a fairly simple set of systems running Server 2008 R2.
  • 1 Server running AD Controller running default Certificate Services
  • 1 Server running ADFS
  • 1 Server running SharePoint 2010
  • 1 Server running UAG 2010
My goal is to play with many different ways of publishing sites off UAG by creating multiple UAG trunks with different authentication parameters.   A simple requirement was that I wanted to make sure that UAG could easily add new SSL certs from the local domain certificate authority.  My symptom was UAG could not self-register SSL certificate requests. 

> certutil -ping -config CONUAB-AD.CONAD.CONUAB.COM\CONAD-CONUAB-AD-CA
Server could not be reached:  The RPC server is unavailable. 0x800706ba (WIN32: 1722)

In trying to resolve this error, I ran Wireshark on the UAG box and noticed a number of strange "DCERPC Bind_ack: call_id: 3 Unknown Result(3)" errors coming from my DC/CA system.  Even stranger, Wireshark on UAG could see none of the traffic going to the DC/CA.  Running Wireshark from the DC, I then found out I was getting requests, but they were coming through as malformed per the packet analysis.  Looking at a legitimate request from my ADFS server, it appeared that those "invalid" DCERPC packets had something to do with how the certificate enrollment process worked.

Searching on TMG and UAG, and recalling that one of the key features of ISA was to filter RPC for Exchange, I then started looking for where this was being blocked.  Going to Forefront TMG Management -> Logs & Reports showed a good amount of "FWX_E_CONNECTION_KILLED" for 10.26.2.6 (UAG Inside) -> 10.26.2.1 (DC/CA).  This led me to a TechNet blog on disabling strict RPC compliance:

TMG Management -> Firewall Policy -> Tasks -> Edit System Policy -> Active Directory -> “Enforce Strict RPC” -> OFF

Following the articles (1,2,3), what I needed to do next was verify that the firewall was blocking my access and create a firewall rule to permit the UAG box to talk to CA services.  To keep it a "tight" firewall rule, you need to force the CA server to bind to a single port instead of a dynamic DCOM port.

On the AD/CA server (disable RPC for the CA + bind it to a static port):
  1. certutil -setreg ca\InterfaceFlags +0x8
  2. dcomcnfg -> Components -> DCOM Config -> CertSrv -> Use Static Endpoint 4001
  3. net stop certsvc
  4. net start certsvc
  5. certutil -ping (from the CA) to verify things are working again
On the UAG Server:
  1. Opened Forefront TMG Management
  2. Firewall Policy -> Tasks -> Create Access Rule
  3. Named "Permit Access to internal CA"
  4. Protocols -> New -> TCP/4001 start/4001 end, named "Local Certificate Services"
  5. From:  UAG Internal (New Computer), which was my 10.26.2.6 IP.
  6. To:  "AD Controller", since my CA was running on the main AD box.
  7. Applied rules

> certutil -ping -config CONAD-AD.CONAD.CONUAB.COM\CONAD-CONUAB-AD-CA
CertUtil: -ping command completed successfully!
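The same two-sided procedure scripted as an added PowerShell example (it is not from the original post and is not Microsoft's tooling): the first function makes the CA-side registry changes that steps 1-4 perform through certutil and dcomcnfg, and the second is run from the UAG box to confirm that the pinned port is reachable through TMG and that certutil -ping succeeds. It assumes the CA's DCOM component is listed under HKLM\SOFTWARE\Classes\AppID with a display name starting "CertSrv" (the post calls it "CertServ" in dcomcnfg), and it reuses the post's lab host, CA name and port, which must be replaced for any other environment.

```powershell
# Added example, not from the original post. Run Set-CaStaticEndpoint elevated
# on the CA, then Test-CaEndpoint from the UAG server.
$CaHost = 'CONAD-AD.CONAD.CONUAB.COM'   # lab value from the post
$CaName = 'CONAD-CONUAB-AD-CA'          # lab value from the post
$Port   = 4001                          # static DCOM endpoint chosen in the post

function Set-CaStaticEndpoint {
    param([string]$CaName, [int]$Port)

    # Step 1: equivalent of "certutil -setreg ca\InterfaceFlags +0x8".
    # Bit 0x8 (IF_NORPCICERTREQUEST) disables the classic RPC request
    # interface, so clients must use DCOM, which can then be pinned to one port.
    $cfg   = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    $flags = (Get-ItemProperty -Path $cfg -Name InterfaceFlags -ErrorAction SilentlyContinue).InterfaceFlags
    if ($flags -eq $null) { $flags = 0 }
    Set-ItemProperty -Path $cfg -Name InterfaceFlags -Value ($flags -bor 0x8) -Type DWord

    # Step 2: what dcomcnfg's "Use static endpoint" writes is a REG_MULTI_SZ
    # 'Endpoints' value under the component's AppID key. The AppID is located
    # by display name rather than hard-coded (assumption: it starts "CertSrv").
    $appId = Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).'(default)' -like 'CertSrv*' } |
        Select-Object -First 1
    if (-not $appId) { throw 'CertSrv DCOM AppID not found; check the component name in dcomcnfg.' }
    # Value format is "protocol,flag,endpoint"; flag 0 means use this fixed endpoint.
    Set-ItemProperty -Path $appId.PSPath -Name Endpoints -Value @("ncacn_ip_tcp,0,$Port") -Type MultiString

    # Steps 3-4: restart certsvc so it re-reads both settings.
    Restart-Service -Name CertSvc -Force
    return $appId.PSChildName   # the AppID GUID that was modified
}

function Test-CaEndpoint {
    param([string]$CaHost, [string]$CaName, [int]$Port)

    # Plain TCP reachability of the pinned port through TMG. If this fails, the
    # access rule (UAG step 5) is still wrong, whatever the RPC layer reports.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($CaHost, $Port); $reachable = $true }
    catch   { $reachable = $false }
    finally { $tcp.Close() }

    # The post's own end-to-end check: certutil -ping talks to the CA's
    # request interface, so it exercises the DCOM path that TMG was killing.
    $output = & certutil.exe -ping -config "$CaHost\$CaName" 2>&1
    $pingOk = ($LASTEXITCODE -eq 0)

    return New-Object PSObject -Property @{
        Port         = $Port
        TcpReachable = $reachable
        CertutilPing = $pingOk
        Output       = ($output -join "`n")
    }
}

# Example usage from the UAG server:
Test-CaEndpoint -CaHost $CaHost -CaName $CaName -Port $Port | Format-List
```

One caveat when reading the result: a DCOM client still asks the endpoint mapper on TCP/135 where the interface lives before it connects to 4001, so TcpReachable on 4001 alone does not prove the whole path. The post does not open 135 separately, which is consistent with it already being covered by TMG's Active Directory system policy rule (the one whose "Enforce Strict RPC" option was switched off); if that rule is ever tightened, the certutil -ping check is the one that will tell you.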
From the outside, this was much more difficult than I had hoped, since I had to dive into TMG to figure out the prep work for UAG.  I did learn a lot more about how the CA works.  If there is support for binding things to a single port, why is that not used more often so it works with firewalls more easily?

Update:   Using the UAG-generated names caused UAG to not be able to publish rules ("Firewall settings could not be configured.").  Regenerated a new name for 10.26.2.6.
