PKI - OCSP Proxy configuration
We are trying to figure out how to pass the traffic from the Proxies to the Responders. Is there a "how to" article on OCSP Proxy configuration? Not looking for Responder configuration. Thank you,
August 25th, 2009 7:09pm

Hi, Thanks for your post. Before we go further, I would like to confirm if you are asking about the Online Responder Web proxy component. The Online Responder Web proxy is a component of the Online Responder role service. As far as I know, it cannot be installed separately. Online Responder Web proxy is the service interface for the Online Responder. It is implemented as an Internet Server API (ISAPI) extension hosted by Internet Information Services (IIS). The Web proxy receives and decodes requests, and caches responses for a configurable period of time.

Components of an Online Responder: http://technet.microsoft.com/en-us/library/cc732956.aspx

Please feel free to let me know if I have misunderstood your question. Thanks.

Joson Zhou, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. This posting is provided "AS IS" with no warranties, and confers no rights.
August 26th, 2009 7:07am

Hi, I am following up on the original question with more details.

I understand the normal internal workings of the OCSP Responder itself. I understand the web proxy service on the OCSP will cache responses for 2 minutes by default, RFC 2560, and such. However, this resides on the OCSP Responder server; this is not what we are looking for.

http://technet.microsoft.com/en-us/library/cc770413(WS.10).aspx

Figure 3.1 shows an IIS server acting as a reverse proxy in the DMZ for a protected OCSP Responder. This is the type of proxy we are referring to, not the Responder's web proxy service.

I tried certutil -vocsproot on the proxy server, which creates the ocsp virtual directory, but there were no supporting DLLs or anything; it was just assigned to the ISAPI extension and that was about it. I could copy the DLLs over from the Responder and register them, but 1) I'm not sure if this would work, 2) I'm not sure that this wouldn't make things worse, and 3) I would think that doing this might violate licensing as the Responders and Proxies are not the same OS editions.

Should this just be a plain old HTTP Redirection using the built-in redirection module in IIS7, or is there anything fancy (or not so fancy) that needs to be done? We are not finding any documentation in relation to this piece of the diagram for how it is supposed to be configured. We are looking for a server that the public can access for revocation checking without accessing the Responder directly.

At the moment we do not have the ability to just try it and see if it works for a few more days, but would like a little more information to make sure we get it right so we can put it into production as soon as possible afterwards. It seems like there should be something special so it knows not to cache error responses from the Responder, e.g. "internalError", so follow-up requests could be handled appropriately without having to flush the proxy.

Maybe I'm just hoping for too much from the 2008 Server implementation, or I am just missing something. Thanks in advance...
August 27th, 2009 10:29pm
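The concern above about a DMZ proxy caching an "internalError" is a cacheability decision on the RFC 2560 OCSPResponse envelope: only a successful(0) response carries a signed BasicOCSPResponse, while the error statuses are unsigned and transient. The following is an added example, not code from the thread or from the Windows Online Responder, that decodes just the outer SEQUENCE and responseStatus of a DER response and returns whether a caching layer should keep it; the sample responses are constructed (the successful one wraps placeholder responseBytes), and `_read_tlv`, `ocsp_response_status` and `cache_decision` are names chosen here.

```python
# Cacheability policy for OCSP responses at a reverse proxy (added example).
# RFC 2560: OCSPResponse ::= SEQUENCE {
#     responseStatus  OCSPResponseStatus,            -- ENUMERATED
#     responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }
# The signed answer is present only when responseStatus is successful(0).

RESPONSE_STATUS = {
    0: "successful", 1: "malformedRequest", 2: "internalError",
    3: "tryLater", 5: "sigRequired", 6: "unauthorized",
}

def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag/length/value starting at pos -> (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def ocsp_response_status(der: bytes) -> str:
    """Return the responseStatus name of a DER-encoded OCSPResponse."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):      # exactly one SEQUENCE, no trailing bytes
        raise ValueError("not a single DER SEQUENCE")
    tag, status, _ = _read_tlv(body, 0)
    if tag != 0x0A or len(status) != 1:     # ENUMERATED, one content octet
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    return RESPONSE_STATUS.get(status[0], "unknown(%d)" % status[0])

def cache_decision(der: bytes) -> bool:
    """True only for a successful response; error statuses (internalError,
    tryLater, ...) and undecodable data must be refetched next time, never cached."""
    try:
        return ocsp_response_status(der) == "successful"
    except ValueError:
        return False

# Constructed sample responses, not captured from a real Responder.
INTERNAL_ERROR = bytes.fromhex("30030a0102")                # internalError(2)
TRY_LATER      = bytes.fromhex("30030a0103")                # tryLater(3)
SUCCESS_STUB   = bytes.fromhex("300b0a0100a006300406022b06")  # successful(0) + stub responseBytes
```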

Hi, Based on my understanding, the IIS server in Figure 3.1 only functions as a simple HTTP redirector. To enable this deployment model we need to do two things:

1. Publish the OCSP Responder: create a publish rule at the ISA/TMG between the DMZ and the internal network.
2. Create a pass-through proxy at the IIS in the DMZ.

Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
September 1st, 2009 12:13pm
