Configure TMG 2010 for certificate request from internal CA

There are times when you need to request a computer certificate directly from your TMG server, and the easiest way is to use the Certificates MMC snap-in instead of the internal CA's web enrollment page. You just click Next a couple of times and the certificate is installed and ready to be used. If you do that without first adjusting the TMG System Policy, however, the certificate request wizard fails with an error.

The error pops up even if you have a firewall rule allowing all internal traffic between TMG and the CA server, because system policy rules are evaluated before user-defined firewall policy rules, so the system policy blocks the request before your rule is ever consulted.

To solve this, open the TMG management console, click the Firewall Policy node, then on the Tasks pane click Edit System Policy.

Here go to Remote Management > Microsoft Management Console (MMC) and make sure the Enable this configuration group check box is selected.

Go to the From tab, select Remote Management Computers and click the Edit button. In the new window add the CA computer by clicking the Add button, then click OK twice.

Don't close the System Policy Editor window. Instead go to Authentication Services > Active Directory and clear the Enforce strict RPC compliance check box. Clearing it lets the RPC filter pass DCOM traffic, which the MMC enrollment wizard uses to talk to the CA; since this relaxes TMG's RPC inspection for that rule, keep the Remote Management Computers set limited to the CA server rather than the whole Internal network.

Don't forget to click the Apply button to save the changes to the TMG configuration store.

Try again to request a certificate using the MMC. It should work now.
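To confirm the fix without clicking through the wizard, the following PowerShell run on the TMG server checks the CA over the same RPC/DCOM path the MMC uses and then enrolls from the command line. This is an added check, not part of the original post; the CA config string `CA01.corp.example\Corp-Issuing-CA` and the template name `YourTemplate` are placeholders you must replace.

```powershell
# Constructed values: replace with your CA host\CA name and a template
# the TMG computer account is allowed to enroll for.
$caConfig = 'CA01.corp.example\Corp-Issuing-CA'
$template = 'YourTemplate'

# certutil -ping contacts the CA's DCOM interface (ICertRequest), the same
# path the Certificates MMC enrollment wizard uses. Before the system policy
# change this fails with an RPC server unavailable error from the TMG host.
$ping = & certutil.exe -ping -config $caConfig 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Host "CA not reachable over RPC/DCOM from $env:COMPUTERNAME:"
    Write-Host ($ping -join "`n")
    Write-Host 'Re-check System Policy: Remote Management > MMC (From tab) and Authentication Services > Active Directory.'
    exit 1
}
Write-Host "CA reachable:`n$($ping -join "`n")"

# Build a machine certificate request (key stays in the machine store,
# non-exportable) and submit it over the same DCOM path.
$work = Join-Path $env:TEMP 'tmg-enroll'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = @"
[NewRequest]
Subject = "CN=$env:COMPUTERNAME"
MachineKeySet = TRUE
KeyLength = 2048
Exportable = FALSE
[RequestAttributes]
CertificateTemplate = $template
"@
Set-Content -Path "$work\req.inf" -Value $inf -Encoding ASCII

& certreq.exe -new "$work\req.inf" "$work\req.req"
& certreq.exe -submit -config $caConfig "$work\req.req" "$work\cert.cer"
if ($LASTEXITCODE -ne 0) { Write-Host 'Submission failed; see output above.'; exit 1 }

# Install the issued certificate next to its private key in the machine store.
& certreq.exe -accept "$work\cert.cer"
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$env:COMPUTERNAME" } |
    Select-Object Subject, NotAfter, Thumbprint
```

Run the script from an elevated PowerShell prompt on the TMG server; a successful ping followed by a listed certificate confirms both the MMC rule and the relaxed RPC setting are in effect.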
