Tuesday, April 12, 2011

Certificate Revocation Lists in combination with the RD Gateway

Nice blog post today by the Microsoft RDS team on Certificate Revocation Lists in combination with the RD Gateway.

The RD Gateway client will, by default, not check whether the certificate used on the RD Gateway server has been revoked. To make the client check the certificate's revocation status and only proceed with the connection if it has not been revoked, run the following command on the client:

reg add "HKCU\Software\Microsoft\Terminal Server Gateway\Transports\Rpc" /v CheckForRevocation /t REG_DWORD /d 1

Publishing and maintaining the CRL is an integral part of the public key infrastructure (PKI) and is external to RD Gateway. Do not enable certificate revocation checking on RD Gateway clients until you have confirmed that your infrastructure can support it; otherwise, even a basic connection to an end resource through the RD Gateway server will fail, because the client cannot retrieve the CRL. This is why certificate revocation checking is disabled by default on the RD Gateway client, and the recommendation is to turn it on as a security best practice only after ensuring that the CRL is accessible from the Internet, i.e. from wherever the clients connect.
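As an added example (not from the original post or the Microsoft RDS blog it cites), the following PowerShell script performs that pre-check from the client's own network position: it reads the CRL distribution points out of the gateway's TLS certificate, confirms each CRL can be downloaded, and only then sets the same CheckForRevocation value the reg add command above writes. The gateway hostname is a placeholder, and the script assumes the CRL is published over HTTP (the usual CDP form).

```powershell
# Added example, not from the original post or the Microsoft RDS blog it cites.
# Assumes: $GatewayHost is a placeholder for your RD Gateway FQDN and the CRL is published over HTTP.
param(
    [string]$GatewayHost = 'rdgateway.example.com',  # placeholder, replace with your gateway
    [int]$GatewayPort = 443
)

function Get-GatewayCertificate {
    param([string]$TargetHost, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        # Accept any server certificate here: we only want to read its CDP extension.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($TargetHost)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Get-CrlUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 is the CRL Distribution Points extension; pull the http URLs out of its formatted text.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'http://[^\s,"]+') | ForEach-Object { $_.Value }
}

$cert = Get-GatewayCertificate -TargetHost $GatewayHost -Port $GatewayPort
$urls = @(Get-CrlUrl -Cert $cert)
if ($urls.Count -eq 0) { Write-Warning 'No HTTP CRL distribution point in the gateway certificate'; exit 1 }

$reachable = $true
foreach ($url in $urls) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        if ($resp.StatusCode -ne 200 -or $resp.RawContentLength -le 0) { throw 'empty response' }
        Write-Host "CRL reachable: $url"
    } catch {
        Write-Warning "CRL NOT reachable: $url ($($_.Exception.Message))"; $reachable = $false
    }
}
if (-not $reachable) { Write-Warning 'Leaving CheckForRevocation disabled'; exit 1 }

# Same setting as the reg add command in the post, applied only now that the CRL is known to be reachable.
$key = 'HKCU:\Software\Microsoft\Terminal Server Gateway\Transports\Rpc'
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name CheckForRevocation -PropertyType DWord -Value 1 -Force | Out-Null
Write-Host 'CheckForRevocation enabled for the RD Gateway client'
```

Run it from a client on the same network path your users take (e.g. from the Internet side of the firewall), since a CRL that is only reachable from the internal network gives the same broken-connection result the post warns about.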

Source: http://blogs.msdn.com/b/rds/archive/2011/04/11/how-to-enable-certificate-revocation-checking-on-a-remote-desktop-gateway-client.aspx
