A client that is trying to access an SSL enabled application on a backend server (e.g. Exchange) that is published through the Forefront UAG portal gets an error, specifically:
“An unknown error occurred while processing the certificate. Contact the site administrator”.
The cause:
The problem has nothing to do with the UAG certificates themselves; it is most likely caused by an invalid certificate on the backend server, or by a certificate that UAG cannot fully validate. By default, Forefront UAG validates both the certificate and the certificate revocation list (CRL) of each SSL certificate on the backend server during the TLS handshake. If either the certificate or the CRL is not valid, users are denied access to that backend server. The same happens when the CRL distribution point is unreachable for any reason. Assume that the certificate is valid, but UAG cannot reach the CRL distribution point. Microsoft's guidance is that the UAG servers need internet access in order to work properly, although we understand that this is not an acceptable solution for many companies because of their strict security policies.
The Solution:
- Disable the CRL check in the UAG as mentioned at http://blogs.technet.com/b/edgeaccessblog/archive/2010/03/31/an-unknown-error-occurred-while-processing-the-certificate.aspx
- Enable internet access on the UAG so that it can perform the CRL check itself. You can do this either by allowing internet traffic from the UAG or by configuring a proxy in Internet Explorer. Internet Explorer proxy settings are system wide, but sometimes they do not work as expected. If that is the case, configure the UAG to use the proxy via the WinHTTP proxy settings. First, run the following command to check the current settings:
netsh winhttp show proxy
It should come back with “Direct access (no proxy server)” if no WinHTTP proxy settings were previously defined.
Then, run the following command:
netsh winhttp set proxy <proxy name>:<proxy port>
For example:
netsh winhttp set proxy WebProxy.company.com:8080
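To confirm which check is failing before changing any settings, the following PowerShell diagnostic (an added example, not from the article or the nAppliance team) reproduces UAG's validation against a backend server: it pulls the backend certificate, tries to download each CRL distribution point through the proxy, and then builds the chain with online revocation checking. The backend hostname and proxy URL are placeholders to replace with your own values.

```powershell
# Added diagnostic (not from the original article): reproduce the checks UAG
# performs against a backend server and report whether the CRL is reachable.
# $backendHost and $proxyUrl are placeholders; replace them with your values.
$backendHost = 'exchange.corp.example'              # placeholder backend (e.g. Exchange)
$backendPort = 443
$proxyUrl    = 'http://WebProxy.company.com:8080'   # the proxy set via netsh winhttp

# 1. Pull the backend server's certificate over TLS. The validation callback
#    accepts anything here because we only want the certificate itself.
$tcp = New-Object System.Net.Sockets.TcpClient($backendHost, $backendPort)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($backendHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()
"Backend certificate: $($cert.Subject) (expires $($cert.NotAfter))"

# 2. Extract the CRL Distribution Point URLs (extension OID 2.5.29.31) and try
#    to fetch each one through the proxy, as a CRL download would.
$cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$urls = if ($cdp) { [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value } }
if (-not $urls) { "No CRL distribution point found in the certificate" }
foreach ($u in $urls) {
    try {
        $r = Invoke-WebRequest -Uri $u -Proxy $proxyUrl -UseBasicParsing -TimeoutSec 15
        "CRL reachable via proxy: $u ($($r.RawContentLength) bytes)"
    } catch {
        "CRL NOT reachable via proxy: $u -> $($_.Exception.Message)"
    }
}

# 3. Build the chain with online revocation checking, which is what UAG does
#    during the handshake. CryptoAPI performs the CRL fetch here and uses the
#    WinHTTP proxy configured with 'netsh winhttp set proxy'.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$valid = $chain.Build($cert)
"Chain valid with online revocation check: $valid"
foreach ($s in $chain.ChainStatus) {
    # RevocationStatusUnknown / OfflineRevocation mean the CRL could not be retrieved
    "  $($s.Status): $($s.StatusInformation.Trim())"
}
```

Run it on the UAG server itself, because that is the host whose proxy and network path matter; a chain status of RevocationStatusUnknown or OfflineRevocation points at the CRL fetch rather than the certificate.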
Content courtesy of the nAppliance Support team