
The ClearTunnel certificate wizard may fail with an RPC error even when all fields are correct. The cause is a known limitation of the ISA RPC filter: while strict RPC compliance is enforced, the ISA server cannot connect to the certificate server's RPC interface (the Certificate Services request interface lives on a dynamically assigned RPC port, which the filter blocks).
There are two ways to work around this.
Short solution
- Create a temporary "allow all" access rule from the ISA server (the Local Host network) to the certificate server machine. This rule bypasses the firewall for that pair of hosts, so it should exist only for as long as the wizard needs it.
- After the certificate wizard has completed successfully, disable or remove this rule.
Long but more correct solution
- Clear "Enforce strict RPC compliance" ("Strict RPC") in the System Policy Editor, under the Authentication Services > Active Directory rule group.
- Configure the certificate server to listen on a predefined (static) RPC port instead of a dynamically assigned one, as outlined in http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
- Create a custom protocol definition on ISA that describes the certificate server's RPC traffic: TCP 135 (the endpoint mapper, which the client queries first) plus the static port you chose, both outbound.
- Create a computer set that includes all certificate servers in your environment.
- Create an access rule that allows this protocol from the Local Host network to your Cert Servers computer set.
After you do this, the ISA server will be able to auto-enroll for any certificates it needs, including those requested by the ClearTunnel Certificate Wizard.
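The long solution, scripted as an added example; this is not code from ClearTunnel, Collective Software or Microsoft. It assumes ISA Server 2004/2006 with the FPC COM administration objects, a single CA named CA01 at 10.0.0.5, and a fixed RPC range of 5000-5020; the FPC member names and enumeration values are as recalled from the ISA Server 2004 SDK and should be checked against the SDK reference. Step A pins RPC endpoint allocation on the CA host with the KB 154596 registry method, which restricts every RPC service on that host and may differ from the per-application method in the linked TechNet article, so adjust it to whatever that article prescribes. Clearing "Enforce strict RPC compliance" in System Policy remains a manual step.

```powershell
# Added example for the "long" solution above; not code from ClearTunnel or Microsoft.
# Assumptions (not in the original page): CA 'CA01' at 10.0.0.5, fixed RPC range 5000-5020,
# ISA Server 2004/2006 with the FPC COM object model. FPC member names and enumeration
# values are as recalled from the ISA Server 2004 SDK; verify them against the SDK.

# Step A: run ON THE CA host. Restricts dynamic RPC endpoint allocation for the whole host
# to a fixed range (KB 154596 registry method). Use a range, not a single port: every RPC
# service on the host draws from it. The CA host must be restarted for this to take effect.
function Set-FixedRpcPortRange {
    param([int]$LowPort = 5000, [int]$HighPort = 5020)
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Ports' -PropertyType MultiString -Value @("$LowPort-$HighPort") -Force | Out-Null
    New-ItemProperty -Path $key -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $key -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null
}

# Step B: run ON THE ISA server. Creates the custom protocol, the computer set and the
# access rule from the Local Host network to the certificate servers.
function New-CertSrvAccessRule {
    param(
        [hashtable]$CertServers = @{ 'CA01' = '10.0.0.5' },   # assumed name/address pairs
        [int]$LowPort = 5000,
        [int]$HighPort = 5020
    )
    # FPC enumeration values (ISA Server 2004 SDK, as recalled; assumed)
    $fpcOutbound              = 1   # FpcConnectionDirectionType
    $fpcInclude               = 0   # FpcIncludeStatus
    $fpcPolicyRuleActionAllow = 0   # FpcPolicyRuleActions
    $fpcSpecifiedProtocols    = 1   # FpcProtocolSelectionType

    $protoName = 'CertSrv RPC (fixed port)'
    $setName   = 'Cert Servers'

    $root     = New-Object -ComObject 'FPC.Root'
    $isaArray = $root.GetContainingArray()

    # Custom protocol: TCP 135 plus the fixed range, both outbound from ISA. The RPC client
    # asks the endpoint mapper on 135 for the interface's port before connecting to it, so
    # the rule would not work with the fixed range alone.
    $proto = $isaArray.RuleElements.ProtocolDefinitions.Add($protoName)
    $proto.PrimaryConnections.AddTCP($fpcOutbound, 135, 135) | Out-Null
    $proto.PrimaryConnections.AddTCP($fpcOutbound, $LowPort, $HighPort) | Out-Null
    $proto.Save()

    # Computer set holding every certificate server in the environment
    $set = $isaArray.RuleElements.ComputerSets.Add($setName)
    foreach ($name in $CertServers.Keys) {
        $set.Computers.Add($name, $CertServers[$name]) | Out-Null
    }
    $set.Save()

    # Access rule: Local Host -> Cert Servers, restricted to the custom protocol only
    $rule = $isaArray.ArrayPolicy.PolicyRules.AddAccessRule('Allow CertSrv RPC from Local Host')
    $rule.Action = $fpcPolicyRuleActionAllow
    $rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
    $rule.AccessProperties.SpecifiedProtocols.Add($protoName, $fpcInclude) | Out-Null
    $rule.SourceSelectionIPs.Networks.Add('Local Host', $fpcInclude) | Out-Null
    $rule.AccessProperties.DestinationSelectionIPs.ComputerSets.Add($setName, $fpcInclude) | Out-Null
    $rule.Save()
}
```

Run Step A on each certificate server and restart it, then Step B once on the ISA server. Check the new rule's position in the firewall policy afterwards: ISA evaluates rules in order, so it must sit above any rule that would deny this traffic. Once the rule is in place, re-run the ClearTunnel certificate wizard; an RPC error at that point means the CA is not answering on the configured range, which is worth confirming from the ISA host with certutil -ping before touching the firewall policy again.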