If your Forefront TMG 2010 is a member of an AD domain and you have a problem automatically enrolling a computer certificate for TMG 2010, like below:

[figure: tmg-cert-enr-issue-1.png]

do the following:

– disable "Enforce strict RPC compliance" in the System Policy Editor

[figure: tmg-cert-enr-issue-2.png]

Because in my infrastructure the CA servers ARE NOT domain controllers, this is not a sufficient solution on its own.

DCOM uses random ports: after the RPC call to the DC, TMG contacts the CA server on tcp/59655 for certificate enrollment (see below; the traffic to the CA server is blocked).

[figure: tmg-cert-enr-issue-3.png]

To fix this, create a rule that allows traffic initiated from Local Host (Forefront TMG) to the CA servers on high ports (1024-65535):

[figure: tmg-cert-enr-issue-4.png]

After this change I could obtain the certificate:

[figure: tmg-cert-enr-issue-5.png]

A good option is also to configure a fixed DCOM/RPC port range on the CA servers, e.g. 6500-6590, so the TMG rule can be limited to that range instead of the whole 1024-65535.
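As an added example (not part of the original post), the following PowerShell pins the RPC/DCOM dynamic port range on a CA server to 6500-6590 through the registry key Microsoft documents for RPC dynamic port allocation, and then checks that the CA service's listener sits inside that range. It assumes it is run elevated on the CA server; the range value is the one quoted above and the function names are my own.

```powershell
# Pin RPC/DCOM dynamic ports on a CA server so the TMG access rule can be narrowed.
# Assumption: run elevated on the CA server; 6500-6590 is the page's example range.
$RpcKey    = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$PortRange = '6500-6590'

function Get-RpcPortConfig {
    # Read back the three values that control RPC dynamic port allocation
    if (-not (Test-Path $RpcKey)) { return $null }
    Get-ItemProperty -Path $RpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
}

function Set-RpcPortRange {
    param([string]$Range)
    if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
    # Ports is REG_MULTI_SZ: one or more "low-high" entries
    New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString -Value @($Range) -Force | Out-Null
    # "Y": the listed ports are the ones RPC may hand out
    New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
    # "Y": RPC must allocate from the listed range only
    New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null
}

function Test-CertSvcPorts {
    # After the reboot: list the CA service's listening TCP ports and flag any outside the range.
    # Note: $pid is a PowerShell automatic variable, so a different name is used here.
    $certPid = (Get-Process -Name certsrv -ErrorAction SilentlyContinue).Id
    if (-not $certPid) { return 'certsrv is not running' }
    $low, $high = $PortRange -split '-' | ForEach-Object { [int]$_ }
    $pattern = 'LISTENING\s+{0}$' -f $certPid
    netstat -ano -p tcp | Where-Object { $_ -match $pattern } | ForEach-Object {
        # netstat line: "TCP  0.0.0.0:6501  0.0.0.0:0  LISTENING  <pid>"; take the local port
        $local = ($_.Trim() -split '\s+')[1]
        $port  = [int](($local -split ':')[-1])
        [pscustomobject]@{ Port = $port; InRange = ($port -ge $low -and $port -le $high) }
    }
}

Write-Host 'Current RPC port configuration:'; Get-RpcPortConfig
Set-RpcPortRange -Range $PortRange
Write-Host 'New RPC port configuration (reboot the CA server for RPC to apply it):'; Get-RpcPortConfig
```

Run Test-CertSvcPorts after the reboot; every row should show InRange = True, and the TMG rule from the step above can then be restricted to 6500-6590.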


dzbanek 2013-01-07