To request certificates from Forefront TMG ports need to be opened to allow access from Forefront TMG to the Certificate Authority. This is a known situation and there is a blog post at ISA Server on how to accomplish this.

But if the CA is a Windows Server Core installation, it is a little more tricky to configure the CA to use a static port. It is not possible to remote manage the DCOM part of the CA using the MMC Component Services Add-in.

You can do this directly through the registry using regedit on the Server Core installation.

1. Find the Application ID GUID of the Certificate Server Request component.
2. Update the key to use a fixed port.
3. Restart the Certificate Service.

Continue reading →