Ports required from Client to Windows CA
Hi, I have a Windows root CA installed on a member server. This server and the client network are on different subnets. For getting client certificates, I have opened port 135 from the client network to the CA, but I am getting an error during certificate installation: "RPC server is unavailable". After doing some research, I found that certificates work over DCOM traffic. Does this mean I need to open dynamic ports between the client network and the CA network? Moreover, if I need to open a few dynamic ports like 25000-25100 in between, can I bind these ports to the CA server by editing a registry key? If yes, do I need to find other servers also, like the DC, or the number of clients getting certificates from the CA server? Any suggestions please.

Regards,
Ankur
January 19th, 2011 12:22pm

Remove the firewall from between the clients and the CA <G>. If you really need to get through a firewall, you need to restrict the CA response to a single port. With the Windows CA, you either restrict to a single port (returned by the query to TCP 135), or you have to open 1024-65534. Here is a wiki post by Kurt Hudson that describes what you need to do:

http://social.technet.microsoft.com/wiki/contents/articles/how-to-set-a-static-dcom-port-for-ad-cs.aspx?wa=wsignin1.0

Brian
January 19th, 2011 5:35pm
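
A way to check, from a machine on the client subnet, the two-step path the reply above describes (the query to TCP 135, then the single port the CA answers on). This is an added example and not part of the original thread; the function names, the host name `ca01.example.test` and port 25000 (picked from the range mentioned in the question) are assumptions.

```powershell
# Added example. Host name and static port are placeholders; replace them with
# your CA server and the port you configured for the CA's DCOM endpoint.

function Test-TcpPort {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropped SYN does not hang the check.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-CaRpcPath {
    param(
        [Parameter(Mandatory)] [string] $CaHost,
        [Parameter(Mandatory)] [int]    $StaticPort
    )
    $epm  = Test-TcpPort -ComputerName $CaHost -Port 135
    $dcom = Test-TcpPort -ComputerName $CaHost -Port $StaticPort

    $diagnosis = if (-not $epm) {
        'TCP 135 is not reachable: the endpoint mapper query cannot be made.'
    } elseif (-not $dcom) {
        'TCP 135 is open but the static port is not: expect "RPC server is unavailable".'
    } else {
        'Both ports accept connections. This shows reachability only, not that the CA is bound to the static port.'
    }

    [pscustomobject]@{
        CaHost         = $CaHost
        Port135Open    = $epm
        StaticPort     = $StaticPort
        StaticPortOpen = $dcom
        Diagnosis      = $diagnosis
    }
}

Test-CaRpcPath -CaHost 'ca01.example.test' -StaticPort 25000 | Format-List
```

If `Port135Open` is true and `StaticPortOpen` is false after the CA has been restricted to a single port, the remaining block is on the firewall between the subnets rather than on the CA.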

This topic is archived. No further replies will be accepted.
