As I mentioned earlier, the SSL connection will fail unless clients can download the Certificate Revocation List (CRL). The CRL is located on the Enterprise Certificate Authority and already has a URL assigned to it. We have to figure out what this URL is, and then make it externally accessible. To do so, follow these steps:
- Open the Server Manager and navigate through the console tree to Server Manager | Roles | Web Server (IIS) | Internet Information Services (IIS) Manager.
- When the Internet Information Services (IIS) Manager Console opens, select your VPN server from the console tree.
- Double-click on the Server Certificates icon.
- You should now see the certificate that has been assigned to the server. Double-click on the certificate to reveal its properties sheet.
- Go to the properties sheet's Details tab and select the CRL Distribution Points option.
- The Certificate Revocation List URL should be listed in the text at the bottom of the window. This text contains multiple URLs, so you want to look for the URL that starts with URL=HTTP://
- Create a public DNS record that associates this URL with your VPN server's IP address.
- Go back to the Server Manager console and navigate through the console tree to Server Manager | Roles | Network Policy and Access Services | Routing and Remote Access | IPV4 | NAT.
- In the results pane, right-click on your server's external NIC and choose the Properties command from the resulting shortcut menu.
- When Windows displays the connection's properties sheet, select the properties sheet's Services and Ports tab.
- Select the Web Server (HTTP) check box. Windows will display the Edit Service dialog box.
- Enter the Enterprise Certificate Authority's IP address into the Private Address field, and click OK.
- Click OK to close the properties sheet.
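Once the DNS record and the NAT rule are in place, it is worth confirming from outside the network that clients can really fetch the CRL. The following PowerShell script is an added example, not part of the original guide: it reads the CRL Distribution Points extension from the VPN server's certificate, checks that the public name resolves, downloads the CRL over HTTP, and reads its NextUpdate time with certutil. The thumbprint is a placeholder you must replace, and the script assumes it runs on a machine that uses the same public DNS as external clients.

```powershell
# Added example (not from the original article): verify that the CRL named in the
# VPN server's certificate is reachable over HTTP and still current.
# Assumption: $Thumbprint is the VPN server certificate's thumbprint (placeholder).
param(
    [string]$Thumbprint = "<VPN-SERVER-CERT-THUMBPRINT>"   # placeholder, replace before use
)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate with thumbprint $Thumbprint not found in LocalMachine\My" }

# The CRL Distribution Points extension (OID 2.5.29.31) is what the Details tab shows.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
if (-not $cdp) { throw "Certificate carries no CRL Distribution Points extension" }

# Format($true) renders the same text as the properties sheet, including URL=http://... lines.
$urls = [regex]::Matches($cdp.Format($true), 'URL=(http://[^\s]+)') |
    ForEach-Object { $_.Groups[1].Value }
if (-not $urls) { throw "No HTTP CRL URL found; external clients can only use the HTTP URL" }

foreach ($url in $urls) {
    $uri = [Uri]$url

    # 1. Does the public DNS name resolve (the record created in the steps above)?
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($uri.Host) | ForEach-Object { $_.IPAddressToString }
        Write-Host ("{0} resolves to {1}" -f $uri.Host, ($ips -join ", "))
    } catch {
        Write-Warning "DNS lookup failed for $($uri.Host): $_"; continue
    }

    # 2. Can the CRL be downloaded through the NAT rule on port 80?
    $tmp = Join-Path $env:TEMP "crl-check.crl"
    try {
        (New-Object System.Net.WebClient).DownloadFile($url, $tmp)
    } catch {
        Write-Warning "Download failed for ${url}: $_"; continue
    }

    # 3. Is the CRL still within its validity window? certutil -dump prints NextUpdate.
    $dump = certutil.exe -dump $tmp | Out-String
    if ($dump -match 'NextUpdate:\s+(.+)') {
        $next = [datetime]::Parse($Matches[1].Trim())
        if ($next -lt (Get-Date)) { Write-Warning "CRL at $url expired on $next; republish it" }
        else { Write-Host "CRL at $url is valid until $next" }
    } else {
        Write-Warning "Could not read NextUpdate from $url (is the response really a CRL?)"
    }
}
```

A download that succeeds from inside the LAN but fails from the Internet usually points at the DNS record or the NAT port mapping rather than the certificate itself.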
Vista VPN setup guide, part 1
- Set up a domain controller
- Install DHCP services
- Install Active Directory Certificate Services
- Request a machine certificate
- Install the Routing and Remote Access Service role
- Configure the VPN server
- Publish the Certificate Revocation List
- Make the CRL accessible
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.
This was first published in May 2008