Revocation Check Failure for DirectAccess Client
I have a problem with a UAG DirectAccess client whereby when it uses IPHTTPS for connectivity, it only connects if the latest revocation lists (base and delta are defined) are physically pre-loaded on the client. An external CDP is present with a public address and resolves via nslookup. I have used the DA client's computer certificate and run 'certutil -url cert' to verify the retrieval of the AIA and CDP URLs. I have a web.config on the IIS server that enforces the double escaping to allow the delta CRL to be served up. The DA client can access the external CDP via IE and view the directory where the CRLs are stored (directory browsing was temporarily enabled to check this). Everything looks like it should work. Names can be resolved, URLs have been validated, but the base and delta CRL don't seem to be downloaded from the external CDP to the external DA clients. I'd appreciate any advice that could help me troubleshoot the problem further. Note: there is a posting at http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/c5acea9f-57d7-4469-a605-b6bec3cecc2a/ that discusses the DirectAccess issues in further detail. Steve G
May 27th, 2011 6:09pm
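
The checks described in the post above (pull the CDP/AIA URLs from the DA client's computer certificate, confirm the base and delta CRL can actually be fetched, then let CryptoAPI do its own retrieval) can be scripted so the result is captured rather than eyeballed. The following PowerShell is an added example written for this thread, not code from the original post or from Microsoft; the certificate subject 'CN=da-client01.corp.example.com' and the output folder are placeholders. It also prints the machine-wide WinHTTP proxy, because CryptoAPI fetches CRLs over WinHTTP rather than through the per-user IE proxy, which is the kind of proxy mismatch that makes IE succeed while the CRL download silently fails.

```powershell
# Added example (not from the original thread or from Microsoft).
# Run in an elevated PowerShell (3.0 or later) on the DirectAccess client.
$subject = 'CN=da-client01.corp.example.com'   # placeholder subject, not from the thread
$outDir  = Join-Path $env:TEMP 'crlcheck'      # placeholder output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Locate the client's computer certificate in the machine personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $subject } |
        Select-Object -First 1
if (-not $cert) { throw "No computer certificate with subject $subject" }

# Extensions derive from AsnEncodedData; Format($true) returns the multi-line
# text view, from which the URL= entries of the CDP and AIA are extracted.
$urls = foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.FriendlyName -in 'CRL Distribution Points', 'Authority Information Access') {
        [regex]::Matches($ext.Format($true), 'URL=(http[^\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
}

# CryptoAPI retrieves CRLs over WinHTTP, so the machine-wide WinHTTP proxy
# (not the user's IE proxy that the browser test exercised) is what matters here.
Write-Host 'WinHTTP proxy configuration:'
netsh winhttp show proxy

foreach ($url in ($urls | Sort-Object -Unique)) {
    # The delta CRL name contains a '+', which is why IIS needs double escaping
    # allowed; keep the original file name so that case is exercised as-is.
    $file = Join-Path $outDir ([IO.Path]::GetFileName(([uri]$url).AbsolutePath))
    try {
        Invoke-WebRequest -Uri $url -OutFile $file -UseBasicParsing -ErrorAction Stop
        Write-Host "OK   $url -> $file"
        # certutil -dump shows ThisUpdate/NextUpdate and, for a delta, the
        # Delta CRL Indicator extension; an error here means the server returned
        # something other than a CRL (e.g. an HTML error page).
        certutil -dump $file | Select-String 'Issuer:|ThisUpdate|NextUpdate|Delta CRL'
    } catch {
        Write-Host "FAIL $url : $($_.Exception.Message)"
    }
}

# Finally let CryptoAPI itself fetch every AIA/CDP URL and report per-URL status,
# which is the retrieval path the IP-HTTPS connection actually depends on.
$cerPath = Join-Path $outDir 'client.cer'
[IO.File]::WriteAllBytes($cerPath, $cert.Export('Cert'))
certutil -verify -urlfetch $cerPath
```

A URL that downloads fine with Invoke-WebRequest but fails under certutil -verify -urlfetch points at the WinHTTP proxy or at the machine account lacking a route the user session has; a URL that fails in both points at the CDP itself (naming, IIS configuration, or the edge device's policy).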

Hi Steve, Thanks for posting here. Are you also using TMG or any other firewall device in this scenario? If yes, you may first check if the CRL Download system policy configuration group has been enabled and also check if the necessary ports have also been enabled on your edge device.

The CRL download system policy is disabled: http://technet.microsoft.com/en-us/library/dd897106.aspx

System service name: CertSvc
Application protocol: RPC; Protocol: TCP; Ports: 135
Application protocol: Randomly allocated high TCP ports¹; Protocol: TCP; Ports: random port number between 1024 - 65535, random port number between 49152 - 65535²
¹ For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.
² This is the range in Windows Server 2008 and in Windows Vista.

For more information please refer to the links below:
Selecting an IP-HTTPS certificate on the Forefront UAG DirectAccess server in SP1: http://technet.microsoft.com/en-us/library/gg274316.aspx
Configuring Certificate Revocation: http://technet.microsoft.com/en-us/library/cc771079.aspx

Thanks. Tiger Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 30th, 2011 6:30am

Hi Steve, If there is any update on this issue, please feel free to let us know. We are looking forward to your reply. Tiger Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 1st, 2011 1:40pm

Tiger, Sorry for the lack of an update, but I'm on holiday at present. I'm returning to the customer site on Monday, so I'll provide an update then. Steve G
June 1st, 2011 4:58pm

This now seems to be resolved. There were some problems with the proxy settings. Steve G
June 6th, 2011 5:33pm
