Configure Static Certificate Server Endpoint for DCOM CertSrv Request

To request certificates from Forefront TMG, ports need to be opened to allow access from Forefront TMG to the Certification Authority. This is a known situation, and there is a blog post on the ISA Server blog describing how to accomplish this.

But if the CA is a Windows Server Core installation, it is a little trickier to configure the CA to use a static port: it is not possible to remotely manage the DCOM part of the CA using the MMC Component Services snap-in.

You can do this directly through the registry using regedit on the Server Core installation.

  1. Find the Application ID GUID of the Certificate Server Request component.
  2. Update the key to use a fixed port.
  3. Restart the Certificate Service.

Find the Application ID GUID

Normally this is done through the MMC Component Services snap-in. However, it is also possible to search within HKEY_CLASSES_ROOT\AppID\ for the CertSrv entry, since there is only one entry for it.

DCOM Certificate Request Service Registry Key

Configure Fixed Port

Create a new REG_MULTI_SZ value named Endpoints with a value of ncacn_ip_tcp,0,<port number>, where <port number> is replaced with a free port number of your choice. In the screenshot above I chose 9001.

More information on this registry key can be found in KB312960 and in Enterprise Services (COM+) Security Considerations under the section “To configure a static endpoint for DCOM”.

Restart Certificate Service

From PowerShell, run Restart-Service CertSvc.

To quickly verify that the configured static port is used, run the following command while monitoring network traffic: certutil -ping -config server.domain.com. The capture should show the new port being used.
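The three steps above as a single PowerShell script, an added example that is not part of the original post. It assumes an elevated session on the CA itself, that the AppID entry's default value contains "CertSrv" (as the post says there is only one), and that the chosen port (9001 as in the post) is free.

```powershell
# Added example: find the CertSrv AppID, set a static DCOM endpoint, restart CertSvc.
# Assumption: run elevated on the Server Core CA; $Port is a free TCP port of your choice.
param([int]$Port = 9001)

# HKCR is not exposed as a drive by default, so go through the registry provider path.
$appIdRoot = 'Registry::HKEY_CLASSES_ROOT\AppID'

# Step 1: locate the AppID GUID whose default value names the CertSrv component.
# (Assumption: the default value contains "CertSrv"; the post states there is only one match.)
$hits = @(Get-ChildItem -LiteralPath $appIdRoot | Where-Object {
    $default = (Get-ItemProperty -LiteralPath $_.PSPath -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    $default -like '*CertSrv*'
})
if ($hits.Count -ne 1) { throw "Expected exactly one CertSrv AppID entry, found $($hits.Count)" }
$key = $hits[0].PSPath
Write-Host "CertSrv AppID key: $($hits[0].PSChildName)"

# Sanity check before touching anything: refuse a port that is already listening.
# netstat is used rather than Get-NetTCPConnection so this also works on older Server Core builds.
if (netstat -ano -p tcp | Select-String -Pattern ":$Port\s+.*LISTENING") {
    throw "TCP port $Port is already in use on this host"
}

# Step 2: Endpoints is REG_MULTI_SZ; each entry is protocol,flags,endpoint (flags 0 = use this endpoint).
New-ItemProperty -LiteralPath $key -Name 'Endpoints' -PropertyType MultiString `
    -Value @("ncacn_ip_tcp,0,$Port") -Force | Out-Null

# Step 3: restart Certificate Services so the new endpoint is registered.
Restart-Service CertSvc

# Verify: read the value back and confirm something is now listening on the chosen port.
Write-Host "Endpoints now: $((Get-ItemProperty -LiteralPath $key -Name 'Endpoints').Endpoints -join ';')"
netstat -ano -p tcp | Select-String -Pattern ":$Port\s+.*LISTENING"
```

If Windows Firewall is enabled on the CA, the chosen port also needs an inbound rule there, in addition to the rule on Forefront TMG.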
