Pete_L_112517
Jan 06, 2014

Windows BIG-IP Edge Client cannot verify certificate revocation information

Hi,

 

I have the local Windows firewall on for my test machine, and it ONLY allows access to the IP address of the SSL VPN. This all works fine. However, the Windows BIG-IP Edge Client cannot verify certificate revocation information.

 

The funny thing is, Internet Explorer can, and doesn't give me any warnings.

 

I've tried making it a trusted site, installing the certificate. I just don't know why IE can check it/trust it, but the Edge Client can't?

 

  • Did you ever find a resolution to this issue? I am experiencing the same problem.

     

  • Just taking a guess here, but I can imagine that Windows allows Internet Explorer that extra access but not a standalone piece of software like the Edge Client. Why can't you also allow the IP of the CA CRL location?

     

  • I haven't worked out a fix for this yet - still working on it.

     

    But the issue is that Internet Explorer can't verify the certificates against the Root CAs when a proxy server is enabled (we use a .pac file so I'm not sure of its relevance to the overall issue). Obviously the proxy server and the auto configuration URL are inaccessible to the laptop before connecting to the VPN.

     

    I have added an exclusion to the proxy.pac file to send all traffic to our VPN server's FQDN direct rather than via the proxy. This does help the issue for a small period of time, as Windows will cache a copy of this .pac file; however, after a day or so of the laptop being disconnected from the corporate network the error appears again, as I assume the cache of the .pac is deleted. There's actually a Windows service that handles this caching but I can't find the name of it at the moment.

     

    The best way forward I can see with this at the moment is working out a way of disabling the proxy server settings (or the autoconfig URL setting) when on a public network profile.

     

    Background: My configuration on the laptop is Windows Firewall enabled on Public Network profile and all outbound traffic is disabled except for external IP address of SSL VPN. Also, all connections except for domain profile are treated as public so laptop is quite locked down.

     

    Anyway, when the proxy is off the connection is very quick and I don't get the certificate verification check issue. I can't find a way of turning the proxy on and off easily.

     

    The search continues...
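
The PAC exclusion described in the reply above, written out as an added example (not the poster's own file). It goes one step further than the VPN-only exclusion by also sending the certificate's revocation hosts direct, as the earlier reply suggests; `vpn.example.com`, `crl.example.com`, `ocsp.example.com` and `proxy.example.com:8080` are placeholder names.

```javascript
// Example PAC file (added illustration; every hostname below is a placeholder).
var VPN_HOST = "vpn.example.com";             // assumed SSL VPN FQDN
var REVOCATION_HOSTS = ["crl.example.com",    // assumed CRL distribution point host
                        "ocsp.example.com"];  // assumed OCSP responder host
var PROXY = "PROXY proxy.example.com:8080";   // assumed internal proxy

// Lower-case the host and strip a trailing dot so "VPN.Example.com." still matches.
function normalise(host) {
  var h = String(host).toLowerCase();
  return h.charAt(h.length - 1) === "." ? h.substring(0, h.length - 1) : h;
}

// Exact-match comparison only: a suffix or wildcard match would also send
// look-alike names such as "notvpn.example.com" around the proxy.
function isDirectHost(host) {
  var h = normalise(host);
  if (h === VPN_HOST) return true;
  for (var i = 0; i < REVOCATION_HOSTS.length; i++) {
    if (h === REVOCATION_HOSTS[i]) return true;
  }
  return false;
}

// Entry point the PAC engine calls for every request.
function FindProxyForURL(url, host) {
  if (isDirectHost(host)) return "DIRECT";
  // No "; DIRECT" fallback: when the proxy is unreachable, other traffic
  // fails instead of silently bypassing the proxy.
  return PROXY;
}
```

The outbound firewall rules need to allow the same hosts for the DIRECT result to have any effect.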

     

  • Hello,

     

    Did you ever find a resolution to this issue? We are experiencing the same problem. The BigIP edge client tries to connect to the CRL URL configured in my certificate, but actually my private CRL is not accessible from the internet. Is it normal that some clients have the problem (e.g. win10 tab) and other clients do not have the problem (e.g. win8.1 desktop)? NB: We use a proxy.pac configuration.

     

    Thx