New Certificate Chain and TMG Reverse Proxy

After you install or upgrade the new CA and certificate chain in your environment, you need to verify that all the servers and network devices trust the new authorities.  This also applies to the reverse proxy, and there it sometimes gets a little more complicated.

This is a scenario in which the client certificate was issued by the new issuing CA.  When a user tried to access ActiveSync published by Microsoft Forefront TMG, the browser got this:

[Screenshot: browser error 12221]

On the TMG side, it showed a similar error.  The description from Microsoft is the same for errors 12221 and 12321: The client certificate used to establish the SSL connection with the Forefront TMG computer is not trusted.

But when you check the chain installed in TMG, it looks fine, and the client certificate itself is okay.  So where could the problem be?  First, it is almost certain that the error was raised by the listener in the publishing policy in TMG.  In the listener, you can choose the client authentication method; the client certificate part is under Advanced Options.  There, under Client Certificate Trust List, you will see the existing setting.  Double-check whether the listener accepts any client certificate trusted by TMG, or only those issued by the CAs checked in the list below.  If your new root CA is not there, check it and test again.

What’s next?  My test gave me HTTP code 500: The certificate is revoked, with error code 0x80092010.

[Screenshot: HTTP 500 error, certificate is revoked, 0x80092010]

That’s not possible, right?  TMG has a system policy that allows Local Host to all destinations on port 80, specifically for CRL communication.  So is there anywhere else we can check in TMG?  Yes, there is.  We can loosen the setting a bit on TMG; it is not a good idea for security, but at least it lets us move forward and verify the rest of the path to the CA.  Here is the setting you can uncheck, in TMG Console – Web Access Policy – Tasks – Configure Certificate Revocation.

[Screenshot: Configure Certificate Revocation dialog, client certificate revocation check]

After this, you should be able to reach the site; then focus on the delta CRL issue in the new CA, according to this TechNet article: http://blogs.technet.com/b/sooraj-sec/archive/2013/09/19/activesync-on-some-smartphones-in-this-scenario-iphones-with-client-certificate-authentication-does-not-work-it-works-for-some-other-phones-including-iphones-and-windows-phones-as-well-as-android-phones.aspx
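Before loosening the revocation setting on TMG, it helps to see exactly what Windows CryptoAPI thinks of the client certificate on the proxy itself. The following PowerShell script is an added diagnostic example, not code from the original post or from Microsoft; it assumes only that you have exported the client certificate to a .cer file (the path is an assumption). It builds the chain twice, once with revocation checking off and once with online CRL checking, and prints the CRL distribution points, so you can tell “issuing or root CA not trusted” (the 12221/12321 case) apart from “revoked” (0x80092010) or “CRL could not be retrieved or is stale” (the delta CRL case the article above covers).

```powershell
# Added example, not part of the original post. Run on the TMG server (or any
# Windows machine whose trust stores you want to test).
# Assumed input: path to the exported client certificate, e.g. C:\temp\client.cer
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

function Test-ChainWith {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $Mode
    # Check every certificate in the chain, not only the leaf, as a proxy listener does.
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
    $built = $chain.Build($Certificate)
    [PSCustomObject]@{
        Mode   = $Mode
        Valid  = $built
        # Leaf first, then issuer(s), then root.
        Chain  = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        # Flags as CryptoAPI reports them: UntrustedRoot, PartialChain, Revoked,
        # RevocationStatusUnknown, OfflineRevocation, NotTimeValid, ...
        Status = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

$noCheck = Test-ChainWith -Certificate $cert -Mode NoCheck
$online  = Test-ChainWith -Certificate $cert -Mode Online

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Chain   : " + ($noCheck.Chain -join ' <- ')

# CRL distribution points (OID 2.5.29.31): these are the URLs the proxy must be
# able to reach through its CRL system policy rule on port 80.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) { "CDP     :`n" + $cdp.Format($true) } else { "CDP     : (none in certificate)" }

if (-not $noCheck.Valid) {
    "RESULT  : chain does not build even without revocation checking; the issuing/root CA is not trusted on this machine."
    $noCheck.Status
}
elseif (-not $online.Valid) {
    $flags = $online.Status -join '; '
    if ($flags -match 'Revoked') {
        "RESULT  : a certificate in the chain is reported revoked (0x80092010, CRYPT_E_REVOKED)."
    }
    elseif ($flags -match 'RevocationStatusUnknown|OfflineRevocation') {
        "RESULT  : the CRL or delta CRL could not be retrieved or is out of date; fix CRL publishing on the CA."
    }
    else {
        "RESULT  : chain fails only when revocation checking is enabled."
    }
    $online.Status
}
else {
    "RESULT  : chain builds and revocation checking passes."
}
```

Run it as `.\Test-ClientCertChain.ps1 -CertPath C:\temp\client.cer` (script name and path are assumptions). A chain that fails even in NoCheck mode points at the Client Certificate Trust List or a missing root in the machine store; a chain that only fails in Online mode points at CRL retrieval or publishing, which is where the delta CRL issue on the new CA shows up.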
