For certificate authentication, server and client certificates are checked against a certificate revocation list (CRL). If the CRL has expired, or the certificate appears on the revoked list, Forefront TMG will attempt to update the CRL. The system policy rule allowing Forefront TMG to download a CRL is disabled by default.


To ensure that certificates are checked against a valid, up-to-date CRL, enable the system policy rule by enabling the CRL Download system policy configuration group.

When you click Yes, the CRL Download configuration group, and its corresponding system policy rule, are automatically enabled.

Alternatively, perform the following step:

  • In the System Policy Editor, enable the CRL Download system policy configuration group.

Note that the system policy rule allows HTTP traffic from the Local Host network to All Networks. For best practice, you should strengthen this system policy and specify only the sites needed to request CRLs required by your SSL configuration, instead of All Networks.

CRL download may also be done using other protocols, such as LDAP or FTP. You can see the CRL download site and protocol to use for a specific certificate by viewing the CRL distribution point property of the certificate.

If CRL verification is enabled, and Forefront TMG cannot retrieve the CRL required for verifying a certificate, the certificate is treated as revoked.