Note: This article was originally published in 2013. Some steps, commands, or software versions may have changed. Check the current TMG 2010 documentation for the latest information.

In this step-by-step guide, you’ll learn how to use the Certificate Enrollment MMC on the TMG host machine. Microsoft Forefront Threat Management Gateway (TMG) 2010 was a network firewall and web proxy that provided secure access to applications and data.

Prerequisites

Before you begin, make sure you have:

  • Forefront TMG 2010 installed
  • TMG Management Console access
  • Understanding of firewall and proxy concepts

How to: Use the Certificate Enrollment MMC in the TMG host machine

Behavior:

When you use the Certificates MMC snap-in and/or try to perform certificate auto-enrollment on your localhost/TMG server, you will most likely run into an on-screen error message that reads “RPC failure”. If you request a certificate from another computer joined to your domain you won’t experience this issue; it happens only on your TMG server.

Solution:

DCOM (Distributed Component Object Model) is required in order to request a certificate from the CA. If you look at your TMG’s System Firewall Policy you will see that the Active Directory (AD) connectivity rule has both flags selected: Enable RPC and Enable strict RPC compliance. Having the Enable strict RPC compliance option selected blocks the DCOM traffic, and hence you get an RPC failure when requesting a certificate.

One proposed solution is rather simple: disable that option while you are requesting certificates from your Active Directory Certificate Authority (AD CA). I am sure there must be a way to create a rule with higher priority and force that DCOM / RPC traffic through a static port, but that is too much hassle for me. Hopefully you won’t mind checking and unchecking some boxes, and if strict RPC compliance is not a business need, you might as well consider leaving that check box unselected. Hope this helps!
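To confirm the symptom before touching the System Policy, and to confirm the fix afterwards, it helps to have a repeatable check instead of retrying the MMC wizard. The following PowerShell function is an added example, not code from the original article or from the TMG product: it wraps `certutil.exe -ping`, which contacts the CA’s request interface over DCOM/RPC (the same path the strict RPC compliance option interferes with), and reports whether the failure looks like the RPC failure described above. The `$CAConfig` value `CASERVER\Enterprise-CA` is a placeholder; substitute your own `<hostname>\<CA name>`.

```powershell
# Added example (not from the original article or the TMG product).
# Checks whether this host can reach the Active Directory CA over DCOM/RPC.
# certutil -ping talks to the CA's request interface over DCOM, so an RPC error
# here reproduces the Certificates MMC symptom; success confirms the System
# Policy change took effect.
#
# $CAConfig is an assumption: replace "CASERVER\Enterprise-CA" with the
# "<hostname>\<CA name>" string of your own enterprise CA.

function Test-AdCaRpcConnectivity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$CAConfig
    )

    # Capture stdout and stderr together; certutil prints the failure reason to stdout.
    $output   = & certutil.exe -config $CAConfig -ping 2>&1 | Out-String
    $exitCode = $LASTEXITCODE

    $result = [PSCustomObject]@{
        CAConfig   = $CAConfig
        Reachable  = ($exitCode -eq 0)
        RpcFailure = ($output -match 'RPC')   # the symptom the article describes
        ExitCode   = $exitCode
        Output     = $output.Trim()
    }

    if ($result.Reachable) {
        Write-Host "DCOM/RPC path to $CAConfig is open; certificate requests should succeed."
    }
    elseif ($result.RpcFailure) {
        Write-Warning "RPC failure talking to $CAConfig. On a TMG host, check System Policy -> Active Directory -> 'Enable strict RPC compliance'."
    }
    else {
        Write-Warning "certutil -ping failed (exit code $exitCode) for a reason other than RPC; inspect the Output property."
    }

    return $result
}

# Usage (elevated prompt on the TMG host; CA name is a placeholder):
#   1. Test-AdCaRpcConnectivity -CAConfig 'CASERVER\Enterprise-CA'   # with strict RPC on: expect RpcFailure = True
#   2. Clear 'Enable strict RPC compliance' in TMG Management and apply the policy
#   3. Test-AdCaRpcConnectivity -CAConfig 'CASERVER\Enterprise-CA'   # expect Reachable = True
#   4. certutil.exe -pulse      # trigger auto-enrollment now instead of waiting for the next cycle
#   5. Re-enable strict RPC compliance afterwards if your policy requires it
```

Running the check before and after the change gives you a clear before/after record for the change ticket, and step 5 keeps the window in which strict RPC compliance is off as short as the enrollment itself.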

Summary

You’ve successfully learned how to use the Certificate Enrollment MMC on the TMG host machine. If you run into any issues, double-check the prerequisites and ensure your TMG 2010 environment is properly configured.