NAT Configuration between Client and Microsoft Windows 2008 CA
Hi,

We have the following network setup: a centralized Data Center at one location hosting AD, DNS, DHCP and other infra servers. The Data Center serves as a hub for all the other physical locations across the country. We have an ample amount of bandwidth between Hub and Spoke sites (minimum 1 GBPs). The Data Center IP subnet range is 10.80.X.X and remote locations have subnet ranges like 172.16.97.X. There's no direct IP routing between the Spoke locations and the Hub (Data Center). The clients in the spoke locations send requests on 17.16.97.X IP for the servers hosted in the Data Center, which are translated (NAT translation) by the router at the Data Center to some 10.80.X.X IP; the reverse translation happens when the servers respond back to the client.

We wish to use SCCM 2007 in Native Mode to manage clients on the Intranet as well as on the Internet. Native Mode SCCM requires PKI, so we're using Microsoft Windows 2008 CA. Our SCCM & CA servers would be placed in the Data Center and the clients would be in various remote locations.

Referring to the article http://support.microsoft.com/kb/248809, DCOM is not supported across a NAT firewall, so I wanted to know the following:

1. Since I'm a novice in the PKI world, can someone please help me understand the step-by-step communication process that a client goes through while requesting a certificate, including the communication with Domain Controllers? What are the ports and protocols required during each step?
2. Considering our scenario, is it possible to have 2 NICs (Network Interface Cards) on the CA machine, one containing an IP address of the server subnet (10.80.x.x) and the other NIC containing an IP address of the client subnet (172.16.97.x), so that when clients try to establish a DCOM call to the CA, they can reach the CA on its actual physical IP address (172.16.97.x) instead of the NAT firewall configuration coming in between and doing the translation from some 10.x.x.x to 172.x.x.x?
3. What is the default period after which a client automatically checks the Certificate Revocation List and hence contacts the CA?

Regards
zamn
February 28th, 2011 2:42pm

Any comments/suggestions please .......

Regards
zamn
March 2nd, 2011 3:37pm

This topic is archived. No further replies will be accepted.
