resolving certificate revocation check issue without deploying online responder

Hello

In my test lab I am deploying SSTP VPN via 3 Windows 2012 R2 virtual machines. I have completed all steps but finally I encounter the famous error:

the revocation function was unable... revocation server is offline.

My scenario is:

From the external VPN client, I tested whether I can manually open this directory via IE & I was successful:

http://2012-1-G2.HP.Lab/certEnroll

and I was able to see the CRL & delta CRL files inside it. But when establishing the VPN connection, it seems the VPN connection can't make use of these files & determine that the VPN server's certificate is not revoked!

What additional steps may be required which I have missed?



  • Edited by john.s2011 Monday, April 20, 2015 8:24 PM
  • Changed type john.s2011 Friday, April 24, 2015 4:48 PM
April 20th, 2015 8:19pm

As stated numerous times before, the URL when working with VPN must be both internally and externally accessible.

From here, the URL http://2012-1-G2.HP.Lab/certEnroll is not an internet accessible URL. Your entire revocation configuration is not set up for VPN/external usage. You must fix the configuration issues prior to getting the VPN to work.

As I have stated to you in numerous threads, the URL must be:

- an HTTP URL

- Available both internally and externally

Yours is not, hence the revocation errors.

Brian

April 20th, 2015 8:59pm

Mr Komar, do you answer our questions without reading the question itself?

Absolutely anyone knows this simple fact that the URL must be accessible internally & externally, & it is in my test lab.

If you had read my question, I stated that the scenario is in my test lab & I tested it from an internal client & also from an external client: I can access that URL & I see both CRL files!

Please read the questions carefully before........

Unfortunately I have to re-write the final part of my question here for you:

" From the external VPN client, I tested whether I can manually open this directory via IE & I was successful:

http://2012-1-G2.HP.Lab/certEnroll

and I was able to see the CRL & delta CRL files inside it. But when establishing the VPN connection, it seems the VPN connection can't make use of these files & determine that the VPN server's certificate is not revoked! "


  • Edited by john.s2011 Tuesday, April 21, 2015 6:51 AM
April 21st, 2015 6:50am

Hi,

Two questions:

1. You say you can reach the vdir where the CRL (and AIA...?) files are located, but can you download them? E.g. is there any configuration on the web server blocking the download?

2. How is your name resolution done? When the client attempts to connect, what IP does it resolve the CRL distribution point to?

April 21st, 2015 8:29am

April 21st, 2015 9:27am

Now I remember why I do not answer your questions...

Thanks for the reminder.

Brian

April 21st, 2015 12:42pm

What? I don't understand what you say. Nobody finds any relation between my question & your sentence:

I believe you first have to learn how to properly read people's questions before trying to answer them. In addition to that, your answer was irrelevant and useless.

No problem if you don't answer me; I have never asked you to answer my questions, you yourself answered my thread.

No need for your answers, keep them for yourself :-D

I hope I never get any sentence from abnormal people like you...


  • Edited by john.s2011 Tuesday, April 21, 2015 7:14 PM
April 21st, 2015 7:14pm

Can't say what your issue is right away.

You need to run your favorite network sniffer (wireshark, network monitor, message analyzer) on the VPN server and see what happens. Do the same on the client at the same time.

Look at the resulting traces and see if the file is actually passed to and received by the client. Also look in the logs on the web server to see how the request was handled.

April 29th, 2015 2:06pm
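One way to do the web-server log check described above, as an added PowerShell example that is not from the thread: it reads an IIS W3C log (the path is assumed), separates the browser's fetches of the CRL files from the anonymous fetches CryptoAPI makes during revocation checking, and flags the pattern where only the latter are rejected.

```powershell
# Added example, not from the thread: compare browser and CryptoAPI fetches of the CRL files in an IIS log.
# Assumed path; IIS keeps W3C logs under C:\inetpub\logs\LogFiles\W3SVC<site id>\ by default.
$LogPath = 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex150421.log'

function Import-IisLog {
    param([string]$Path)
    $fields = $null
    foreach ($line in Get-Content -Path $Path) {
        # The "#Fields:" header names the columns; IIS writes spaces inside a value as "+",
        # so a plain split on spaces is safe.
        if ($line.StartsWith('#Fields:')) { $fields = ($line -split ' ') | Select-Object -Skip 1; continue }
        if (-not $fields -or -not $line -or $line.StartsWith('#')) { continue }
        $values = $line -split ' '
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

# Only the CRL, delta CRL and AIA certificate downloads matter here. CryptoAPI identifies itself
# with a "Microsoft-CryptoAPI/<version>" User-Agent; the browser test in the question does not.
$crlRequests = Import-IisLog -Path $LogPath |
    Where-Object { $_.'cs-uri-stem' -match '\.(crl|crt|cer|p7b)$' } |
    Select-Object @{n = 'Time';   e = { '{0} {1}' -f $_.date, $_.time } },
                  @{n = 'Client'; e = { $_.'c-ip' } },
                  @{n = 'User';   e = { $_.'cs-username' } },
                  @{n = 'Caller'; e = { if ($_.'cs(User-Agent)' -like 'Microsoft-CryptoAPI/*') { 'CryptoAPI' } else { 'Browser' } } },
                  @{n = 'Status'; e = { [int]$_.'sc-status' } },
                  @{n = 'Sub';    e = { $_.'sc-substatus' } },
                  @{n = 'File';   e = { $_.'cs-uri-stem' } }

$crlRequests | Format-Table -AutoSize

# The tell-tale pattern: the browser (user credentials) gets 200 while CryptoAPI (anonymous) gets 401/403/407.
$browserOk   = $crlRequests | Where-Object { $_.Caller -eq 'Browser'   -and $_.Status -eq 200 }
$machineAuth = $crlRequests | Where-Object { $_.Caller -eq 'CryptoAPI' -and $_.Status -in @(401, 403, 407) }
$machineAny  = $crlRequests | Where-Object { $_.Caller -eq 'CryptoAPI' }
if ($browserOk -and $machineAuth) {
    'CRL virtual directory rejects anonymous requests: enable anonymous access (and no proxy auth) for it.'
} elseif (-not $machineAny) {
    'No CryptoAPI request reached this server: check DNS, the WinHTTP proxy and firewall rules from the client.'
} else {
    'CryptoAPI did download the files: check the CRL validity period and the chain with certutil -verify -urlfetch.'
}
```

Run it on the web server that hosts the certEnroll directory, after reproducing one browser test and one VPN connection attempt from the external client.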

Most often when I see issues like this, where you can access the CRL manually with a web browser but it fails when performing revocation checking, it generally deals with authentication. When you open a browser, your browser may be passing authentication along to a proxy or the website itself. In addition, if there is a firewall, it may behave differently for a user running a web browser versus revocation checking at the machine level.

So I would check to see if any of the publishing rules on 20.1.1.3 are requiring any authentication or would prevent machine pass-through.

You could also attempt to see what the revocation issue is by using the following command against your client certificate:

certutil -verify -urlfetch <client.cer>

That will indicate what is failing. Not necessarily why.

Lastly, you could use a tool like Portqry to see if the client machine context can get to the website.

So in summary, look to find out why your user credential can get to the files but the machine can not.

April 30th, 2015 6:37pm
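An added PowerShell example (not part of Mark's reply) that automates the checks he lists: it pulls the CDP and AIA URLs out of the VPN server's certificate, fetches them anonymously the way the machine context does, shows the WinHTTP proxy that context would use, and runs the certutil command above. The .cer path is assumed.

```powershell
# Added example, not from the thread: check the revocation URLs the way the machine context does.
$CertPath = '.\vpnserver.cer'   # assumed: the VPN server certificate exported as a .cer file

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access.
# Format($true) renders the extension as text; the HTTP URLs are pulled out of it with a regex.
$urls = foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -in @('2.5.29.31', '1.3.6.1.5.5.7.1.1')) {
        [regex]::Matches($ext.Format($true), 'https?://[^\s)]+') | ForEach-Object { $_.Value }
    }
}
$urls = $urls | Sort-Object -Unique

# Revocation checking runs as the machine and uses the WinHTTP proxy, not the user's IE proxy;
# a proxy that needs user credentials shows up here and explains "works in IE, fails in SSTP".
netsh winhttp show proxy

foreach ($url in $urls) {
    try {
        # No -UseDefaultCredentials: like CryptoAPI, send no user credentials. Add -Proxy <url>
        # if 'netsh winhttp show proxy' above reported one.
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        '{0} {1,8} bytes  {2}' -f $resp.StatusCode, $resp.Content.Length, $url
    } catch {
        # 401/403/407 here, while the same URL opens in a browser, points at authentication,
        # not at the URL being unreachable.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'no HTTP reply' }
        'FAIL {0} {1}  ({2})' -f $status, $url, $_.Exception.Message
    }
}

# certutil walks the whole chain and fetches each CDP/AIA URL itself; the lines that mention
# "Failed" or "Revocation" tell which fetch or which CRL the chain engine rejects.
certutil -verify -urlfetch $CertPath | Select-String -Pattern 'Revocation|Failed|Error|Verified'
```

Run it from the external VPN client, since that is the machine whose chain engine has to reach the CRL.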

Hi Mark, thanks for the reply. I performed all of your suggestions & also Anders' guides but no result!!!!!!

I am really angry & frustrated. You don't believe it, but I have been working on this problem for months but still no result & I am now really frustrated. My headache is killing me because of the hours & nights I spent on this problem.

You don't believe it, but I lost a part of my health because of working hard on this issue.

I swear that perhaps no one has deployed such a simple scenario, because he would certainly encounter this problem.

Microsoft is really poor on documentation. For some products it only delivers new products regardless of good documentation.

I am a network trainer (MCITP & MCSE 2012). I have lots of students & they ask us why all people stop at the revocation check when deploying SSTP VPN????!!!! Why does no solution work????!!! Why is there not even one step-by-step scenario in Microsoft 70-640 & other books that describes the steps to deploy SSTP VPN, especially how to resolve the revocation function!!

Really poor product.

May 2nd, 2015 2:18am

You don't believe it, but I have tested all the things you may think of.

I have set the CA to publish CRLs to the D:\MyCRLs folder, because I mentioned maybe the external client's machine can't access the certenroll directory because it's located in C:\windows\system32.

I also added IIS_IUSRS & the IUSR account on the ACL tab of the D:\MyCRLs folder. I also set the CA certificate to be published in this new location & this new directory is now set in the AIA extension. But again it doesn't work.

In my country I am working (teaching) in the best network training institute & one thing is interesting:

I consulted about this issue with all of my friends (they are also experienced trainers), but all of them have this problem & have not been able to solve it for years.

Microsoft, please remove SSTP & other things which you are not able to deploy yourself. Students ask us & we have to tell them that "MICROSOFT & ITS TOP SPECIALISTS THEMSELVES ARE NOT ABLE TO DEPLOY THINGS WHICH THEY THEMSELVES HAVE DEPLOYED & CREATED". REALLY VERY RIDICULOUS

May 2nd, 2015 2:30am

This topic is archived. No further replies will be accepted.