OCSP DMZ relay and load balancing
Good morning. In the Microsoft OCSP TechNet documentation "Installing, Configuring and Troubleshooting the Online Responder," on page 13 of the hardcopy, "Deployment Models for Extranet Scenarios," it shows an IIS server in the DMZ acting as a relay to an internal OCSP responder. Does anyone know if there are published instructions for how to set up the IIS instance in the DMZ to provide the relay function? Also, I am looking to confirm how I know if I need to provide multiple servers and load balance my OCSP setup. It will be supporting fewer than 10,000 users, each with signing and encryption certs. TechNet documentation reference: http://technet.microsoft.com/en-us/library/cc770413(WS.10).aspx Thanks.
February 14th, 2011 2:07pm

All you are doing is HTTP port 80 forwarding from any firewall (in most typical setups). As for the back-end: OCSP can be set up in an LBS cluster, and you would then forward the requests to the LBS IP address. Brian
February 14th, 2011 3:18pm

Thanks - so, I could set up a DNS name like ocsp.mycompany.com, and simply forward public traffic to this name at port 80 inside to my OCSP responder? I know a load balanced cluster is an option; my question is, what design criteria dictate that I need a cluster, as opposed to a single server? What load suggests a cluster is needed (perhaps in number of users or certificates issued)? Mark
February 14th, 2011 4:49pm

To be honest, a cluster is almost a must-have. Consider this: all Windows Vista/7/Server 2008/Server 2008 R2 clients will *prefer* OCSP over CRL checking. This means that for *every* certificate that is validated, a request will be sent to the OCSP server *before* any request is made to download a CRL. If you look at that amount of traffic, I think you will lean towards a cluster. Another thing to ponder: when you download a CRL at a client, you can then view the cached version (base or delta) CRL until its TTL expires. For an OCSP response, you will also cache the response, but it is only for a *single* certificate. The next certificate that needs to be validated results in another request/response to the OCSP server (unless the server implements OCSP stapling, of course). HTH, Brian
February 14th, 2011 5:53pm

Update: I dug into this a little further and found out from Microsoft that the IIS relay scenario is not supported as shown in the documentation. Since then, the TechNet article has been updated March 6, 2011 and that diagram is removed. I'm referring to Figure 3: Extranet Deployment Model here: http://technet.microsoft.com/en-us/library/cc770413(WS.10).aspx Figure 3 is now only a single diagram showing ISA firewall as a reverse proxy. The explanatory note reads: You may also be able to use other products that provide HTTP proxy capabilities, such as IIS with the Application Routing Request Module (AAR) (http://go.microsoft.com/fwlink/?LinkId=212525) or Forefront Threat Management Gateway (TMG) (http://go.microsoft.com/fwlink/?LinkId=212524) in this scenario.
March 16th, 2011 4:28pm
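The updated TechNet note above only names IIS with Application Request Routing (ARR) as a possible HTTP proxy; it gives no configuration. The following web.config is an added example written for this thread, not Microsoft's published guidance and not something posted by the participants. It assumes a dedicated IIS site on the DMZ host with the URL Rewrite and ARR modules installed, that ARR's server-level "Enable proxy" setting has been turned on, that the Online Responder is reachable inside at the assumed hostname ocsp-internal.corp.example, and that it answers on the Microsoft Online Responder's default /ocsp path. The public name in the certificates' AIA extension (ocsp.mycompany.com in the thread) would resolve to this DMZ site.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the thread or from Microsoft documentation.
     Site-level web.config for an IIS/ARR reverse proxy in the DMZ that relays
     OCSP traffic to an internal Online Responder. ARR's server-level
     "Enable proxy" switch must be on; this file only defines the site rules. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Relay only the responder's virtual directory.
             "ocsp-internal.corp.example" is an assumed internal hostname;
             "/ocsp" is the Online Responder's default web proxy path. -->
        <rule name="OCSP relay" stopProcessing="true">
          <match url="^ocsp(/.*)?$" />
          <conditions>
            <!-- OCSP clients send either GET (base64 request in the URL)
                 or POST (DER request in the body); nothing else is needed. -->
            <add input="{REQUEST_METHOD}" pattern="^(GET|POST)$" />
          </conditions>
          <action type="Rewrite" url="http://ocsp-internal.corp.example/ocsp{R:1}" />
        </rule>
        <!-- Any other path is answered in the DMZ with a 404 instead of
             being proxied into the internal network. -->
        <rule name="Block everything else" stopProcessing="true">
          <match url=".*" />
          <action type="CustomResponse" statusCode="404"
                  statusReason="Not Found"
                  statusDescription="Not an OCSP endpoint" />
        </rule>
      </rules>
    </rewrite>
    <security>
      <requestFiltering>
        <!-- OCSP requests are a few hundred bytes; cap POST bodies (in bytes)
             so the relay cannot be used to push large payloads inward. -->
        <requestLimits maxAllowedContentLength="65536" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Plain HTTP between the DMZ and the responder is acceptable here because OCSP responses are signed by the responder's signing certificate, so the relay cannot alter them undetected; what the relay must not do is expose anything beyond the /ocsp path, which is why the second rule exists. If the load discussed earlier in the thread does call for more than one responder, ARR's server farm feature can spread the rewritten requests across several internal responders in place of the single hostname used in the rule above.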
