The ClearTunnel certificate wizard may fail with an RPC error even when all fields are correct.

There is a known limitation with the ISA RPC filter that prevents the ISA server from connecting to the certificate server's RPC interface.

There are two approaches to solve this problem.

Short solution

  1. Create a temporary "allow all" rule between ISA and the certificate server machine.
  2. After you have run the certificate wizard successfully, disable or remove this rule.

Long but more correct solution

  1. Disable "Strict RPC" in the System Policies, Authentication Services, Active Directory rule group.

  2. Configure the Certificate Server to operate on a predefined RPC port as outlined in http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx

  3. Create a custom protocol definition that describes your CertSvr protocol (the predefined RPC port from step 2).

  4. Create a computer set that includes all cert servers in your environment.

  5. Create an Access Rule that allows this protocol from the local host network to your Cert Servers computer set.

After you do this, your ISA server will be able to auto-enroll for any certificates it needs (including when you run the ClearTunnel Certificate Wizard).