New Certificate Chain and TMG Reverse Proxy

After you install or upgrade the new CA and certificate chain in your environment, you need to verify that all the servers and network devices trust the new authorities.  This also applies to the reverse proxy, and sometimes it gets a little more complicated.

In this scenario the client certificate was issued by the new issuing CA.  When a user tried to access ActiveSync published by Microsoft Forefront TMG, the browser got this:


On the TMG side, it showed a similar error.  The description from Microsoft is the same for errors 12221 and 12321: the client certificate used to establish the SSL connection with the Forefront TMG computer is not trusted.

But when you check the chain installed in TMG, it looks fine.  The client certificate itself is also okay.  So where could the problem be?  First, it is almost certain that the error comes from the listener in the TMG publishing rule.  In the listener, you can choose the client authentication method.  The client certificate part is under Advanced Options.  There, if you go to Client Certificate Trust List, you will see the existing setting.  Double-check whether the listener accepts any client certificate trusted by TMG, or only those ticked in the list below.  If your new root CA is not ticked there, tick it and test again.

What’s next?  My test gave me HTTP code 500 - The certificate is revoked, with error code 0x80092010.


That’s not possible, right?  TMG has a system policy that allows the local host to reach all destinations on port 80, specifically for CRL communication.  So is there anywhere else we can check in TMG?  Yes, there is.  We can loosen the setting a bit on TMG; it is not a good idea for security, but at least we can move forward and verify something further on the CA.  Here is the setting that you can uncheck in TMG Console – Web Access Policy – Tasks – Configure Certificate Revocation.


After this, you should be able to reach the site; then focus on the delta CRL issue in the new CA, according to this TechNet article:

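Before loosening the revocation check, you can reproduce the listener's verdict on the TMG host itself.  The following PowerShell script is an added example, not part of the original post; the client certificate path and the expected root thumbprint are placeholders you replace with your own.  It builds the chain with online revocation checking for the whole chain and maps the resulting chain status to the two errors described above (untrusted issuer, revoked certificate) plus the CRL-retrieval failure that usually hides behind them.

```powershell
# Added diagnostic (not from the original post): build the client certificate
# chain the way a strict TMG listener would and report why it fails.
param(
    [string]$ClientCertPath = 'C:\temp\client.cer',                   # placeholder: exported client cert
    [string]$ExpectedRootThumbprint = 'PLACEHOLDER_ROOT_THUMBPRINT'   # placeholder: thumbprint of the new root CA
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ClientCertPath)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Mirror a strict listener: online revocation checking for every certificate in the chain.
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags   = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

$ok = $chain.Build($cert)
Write-Host ("Chain builds cleanly: {0}" -f $ok)

# Walk the chain from leaf to root so you can see exactly where trust breaks.
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    Write-Host ("  {0}  (thumbprint {1})" -f $c.Subject, $c.Thumbprint)
    foreach ($s in $element.ChainElementStatus) {
        Write-Host ("      {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}

# Map the chain status flags to the symptoms seen in TMG.
$flags = $chain.ChainStatus | ForEach-Object { $_.Status.ToString() }
if ($flags -contains 'UntrustedRoot' -or $flags -contains 'PartialChain') {
    Write-Host 'Issuer or root not trusted on this host: this is what TMG reports as 12221/12321.'
}
if ($flags -contains 'Revoked') {
    Write-Host 'Certificate reported revoked (CRYPT_E_REVOKED, 0x80092010): check the CRL and delta CRL the CA publishes.'
}
if ($flags -contains 'RevocationStatusUnknown' -or $flags -contains 'OfflineRevocation') {
    Write-Host 'CRL or delta CRL could not be retrieved: check CDP reachability on port 80 and delta CRL publishing on the CA.'
}

# Finally confirm the chain ends at the root you expect to tick in the listener's Client Certificate Trust List.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Thumbprint -ne $ExpectedRootThumbprint) {
    Write-Host ("Chain terminates at '{0}', not the expected root; make sure that root is ticked in the trust list." -f $root.Subject)
}
```

Run it on the TMG server under an account that can read the machine certificate stores, so the result reflects the same trust roots and CRL cache the listener uses.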

Improvements in customizing UI in UAG

There are a few improvements; the major one is the portal (PortalHomePage), which is now ASP.NET with Ajax, and you now have CSS and XML files for the strings.
You can read the Forefront UAG customization guide:

The following topics describe:

  • Customizing the portal—The customizations you can make to the Forefront UAG portal to modify the look and feel as well as some of the functionality.
  • Customizing the InternalSite—The customizations you can make to the Web application (also known as the InternalSite); for example, modifying text or the login and logoff pages.
  • Customizing the detection module—How to modify the detection module, which identifies the type of device connecting to the portal and presents the correct portal pages.
  • Customizing endpoint components—How to create a custom script to detect applications on client endpoint devices, and how to modify which endpoint components are downloaded to client devices.
  • Manipulating HTTP responses with AppWrap—How to use the Application Wrapper (AppWrap) configuration file to manipulate HTTP responses from backend Web servers to end user client devices; for example, removing the logoff button from applications published in the portal.
  • Customizing the Web Monitor—How to customize the Web Monitor; for example, modifying the layout of charts displayed in Web Monitor, or modifying the user interface presented to the end user.