3

We have a number of Exchange servers without access to the internet. When updating Exchange, the fact that all .NET assemblies are signed means the installer needs to check Microsoft's CRL during the update process. Is there a definitive list of URLs that we can add to our firewall or proxy rules? I've scoured the internet to the best of my ability but can't find a good answer or KB/Technet article.

I'm aware that CRL checking can be disabled, but this is not the preferred solution for our organization.

visualtrey
  • 61
  • 1
  • 6
  • A mail server without Internet access.. Puzzling. I guess these are mailbox servers, but why so strict rules? – pauska Aug 01 '13 at 23:16
  • They are mailbox, client access and hub transport servers. Messages destined for the internet are relayed through Postfix. There is incoming access (through a rev. proxy) for OWA/ActiveSync, but no outbound access. – visualtrey Aug 02 '13 at 14:46

1 Answers1

2

If you browse to %WINDIR%\Microsoft.NET\assembly\GAC* and look at some of the DLLs in there, which are .NET assemblies, you will notice a "Digital Signatures" tab on them when you right click one of the DLLs and look at its properties.

(Right-click picture and open if new tab if too small to see)

enter image description here

The CDPs (CRL Distribution Points) of the certificates involved in signing these assemblies are listed here. These are the URLs that you need access to in order to validate the CRLs.

As the above screenshot shows, the answer is crl.microsoft.com. If you allow internet access to crl.microsoft.com, you should be good to go.

Here's some more info: http://social.technet.microsoft.com/wiki/contents/articles/2303.understanding-access-to-microsoft-certificate-revocation-list.aspx

When starting a .NET application, the .NET Framework will attempt to download the CRL for any signed assembly. If the system that you are running does not Internet access, or is restricted from accessing the Microsoft.com domain, you might face a delay starting up or running some applications. All managed code goes through a certificate check against crl.microsoft.com by .net runtime before startup as stated in this article

Ryan Ries
  • 55,481
  • 10
  • 142
  • 199
  • I was not aware it was just that URL. I could have sworn I've seen traffic to other URL's when Microsoft begins any CRL check. Thanks for the answer. – visualtrey Aug 05 '13 at 13:18