If your Forefront TMG 2010 is a member of an AD domain and you have a problem automatically enrolling a computer certificate for TMG 2010, like below:


do the following:

– disable “Enforce strict RPC compliance” in the System Policy Editor


Because in my infrastructure the CA servers ARE NOT domain controllers, this is not a sufficient solution.

DCOM uses random ports: after the RPC to the DC, TMG asks the CA servers on tcp/59655 for certificate enrollment (see below, traffic to is blocked).


To fix this, create a rule that allows traffic initiated from Local Host (Forefront TMG) to the CA servers on high ports (1024-65535).


After this change I could obtain the certificate.


A good option is also to use a fixed port range for DCOM on the CA servers to limit the port range, e.g. 6500-6590.
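As an added example (not part of the original post), the following PowerShell script pins the RPC/DCOM dynamic port range on a CA server to the 6500-6590 range mentioned above, using the documented `HKLM\SOFTWARE\Microsoft\Rpc\Internet` registry values, and reads the setting back so it can be verified. It assumes Windows Server 2008 R2 or later, local administrator rights on the CA server, and that the CA server is rebooted afterwards; the function names are my own.

```powershell
# Added example, not from the original post: restrict the RPC/DCOM dynamic
# port range on a CA server so the TMG access rule can be narrowed from
# 1024-65535 to a small, known range.
# Assumptions: Windows Server 2008 R2 or later, run as local administrator,
# CA server rebooted afterwards. Range 6500-6590 is the example from the post.

$StartPort = 6500
$EndPort   = 6590
$RpcKey    = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-RpcDynamicPortRange {
    param([int]$Start, [int]$End)
    if ($Start -lt 1024 -or $End -gt 65535 -or $Start -ge $End) {
        throw "Invalid port range $Start-$End"
    }
    if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
    # 'Ports' is REG_MULTI_SZ; one "start-end" entry defines the allowed range.
    New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString `
        -Value @("$Start-$End") -Force | Out-Null
    # Both flags must be 'Y' for the endpoint mapper to honour the 'Ports' list.
    New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -PropertyType String `
        -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' -PropertyType String `
        -Value 'Y' -Force | Out-Null
}

function Get-RpcDynamicPortRange {
    # Returns the configured range(s) or $null if the key has never been set.
    if (Test-Path $RpcKey) { (Get-ItemProperty -Path $RpcKey).Ports } else { $null }
}

Set-RpcDynamicPortRange -Start $StartPort -End $EndPort
"Configured RPC dynamic port range: $(Get-RpcDynamicPortRange)"
"Restart the CA server; the RPC endpoint mapper reads this key at boot."

# After the reboot, confirm that the CA service (certsrv.exe) listens inside
# the new range (Get-NetTCPConnection needs Windows Server 2012 or later):
# Get-NetTCPConnection -State Listen |
#     Where-Object { $_.OwningProcess -eq (Get-Process certsrv).Id } |
#     Select-Object LocalPort
```

With the range pinned, the TMG access rule from Local Host to the CA servers only needs tcp/6500-6590 plus tcp/135 (the RPC endpoint mapper, which DCOM always contacts first to learn the dynamic port), instead of the whole 1024-65535 range. Note that this registry setting applies to every RPC server on that machine, not only the CA, so check that other RPC-based services on the CA server still have enough ports in the range.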


dzbanek 2013-01-07