I currently have the following setup; all servers are Windows 2012 R2:
- Intune subscription
- Web Application Proxy server
- Offline CA
- Issuing CA
- NDES server with SCCM CRP
- SCCM 2012 R2
- Windows Phone 8.1 device
My issue is as follows. I have made a root CA profile and a SCEP profile in SCCM and deployed them to the Intune user collection. When I try to connect to the NDES server (https://ndes.bla.com) from the Windows Phone 8.1, I can successfully load pages. After I do a Workplace Join on the Windows Phone 8.1 device, at one point WAP is no longer forwarding requests to the NDES server; they time out. This results in the device not getting a certificate from the NDES server. Any request that I send to https://ndes.bla.com fails, from the WP8.1 or any other browser, while other published websites on the WAP server (e.g., https://fs.bla.com) keep responding. Restarting the Web Application Proxy Service on the WAP server allows me to access the NDES externally again (including from the device), until I join the Windows Phone 8.1 device again.
The HTTPERR1.log on the WAP server shows entries as follows:
2014-08-14 23:31:10 xxx.xxx.xxx.xxx 56872 yyy.yyy.yyy.yyy 443 HTTP/1.1 GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=PKIOperation&message=MIJLHAYJKo (truncated, total request 2048 bytes) 2qNaTJX/kpZ - - Client_Reset -
2014-08-14 23:32:10 xxx.xxx.xxx.xxx 56873 yyy.yyy.yyy.yyy 443 HTTP/1.1 GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=PKIOperation&message=MIJLHAYJK (truncated, total request 2048 bytes) tJQKpRz2qNaTJX/kpZ - - Client_Reset -
2014-08-15 01:29:04 xxx.xxx.xxx.xxx 56953 yyy.yyy.yyy.yyy 443 HTTP/1.1 GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=MDM - - Client_Reset -
But this happens only after I try to activate the Windows Phone; if I do a manual GET from the phone beforehand, it lets me download the files. Then again, the first two could be truncated in the logs as well...
- Using publicly trusted CA certificates on the WAP server and NDES server.
- Deploying SCEP profile succeeds when clients are in the local network, thus bypassing the WAP server.
- I've added MaxFieldLength and MaxRequestBytes, set to 65534, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters on the WAP server.
- From the internal successful client certificate deployment, I wish I could see the complete request, so I can try it manually from an external connection; any tips on that would be welcome.
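As an added example (not code from the original post, Microsoft or the Intune/NDES product), here is a small Python parser for the HTTP.sys HTTPERR log format that pulls out the SCEP requests WAP logged with Client_Reset, copes with the "(truncated, total request N bytes)" marker HTTP.sys inserts into the URI field, and groups the failures by SCEP operation. The sample log lines are constructed to mirror the entries above, with RFC 5737 addresses in place of xxx/yyy; the /adfs/ line and its Timer_ConnectionIdle reason are assumed filler so the filter has something to exclude.

```python
"""Parse HTTP.sys HTTPERR log lines and flag SCEP (NDES) requests that the
Web Application Proxy dropped with Client_Reset.

Added example, not from the original post. Field layout follows the HTTPERR
format (date time c-ip c-port s-ip s-port cs-version cs-method cs-uri
sc-status s-siteid s-reason s-queuename). The sample lines below are
constructed, modelled on the poster's entries with anonymised addresses."""

import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: two dropped PKIOperation requests, one dropped
# GetCACert, and one unrelated request on another published site (assumed).
SAMPLE_LOG = """\
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2014-08-14 23:31:10 198.51.100.10 56872 203.0.113.5 443 HTTP/1.1 GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=PKIOperation&message=MIJLHAYJKo (truncated, total request 2048 bytes) 2qNaTJX/kpZ - - Client_Reset -
2014-08-14 23:32:10 198.51.100.10 56873 203.0.113.5 443 HTTP/1.1 GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=PKIOperation&message=MIJLHAYJK (truncated, total request 2048 bytes) tJQKpRz2qNaTJX/kpZ - - Client_Reset -
2014-08-15 01:29:04 198.51.100.10 56953 203.0.113.5 443 HTTP/1.1 GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=MDM - - Client_Reset -
2014-08-15 01:30:00 198.51.100.11 56960 203.0.113.5 443 HTTP/1.1 GET /adfs/ls/ - - Timer_ConnectionIdle -
"""

TRUNC_RE = re.compile(r"\(truncated, total request (\d+) bytes\)")


def parse_httperr_line(line):
    """Split one HTTPERR line into a dict, tolerating the spaces that the
    '(truncated, total request N bytes)' marker injects into cs-uri."""
    parts = line.split()
    # Comment/header lines start with '#'; a valid entry has at least
    # 8 leading fields + 1 URI token + 4 trailing fields.
    if not parts or parts[0].startswith("#") or len(parts) < 13:
        return None
    date, time, c_ip, c_port, s_ip, s_port, version, method = parts[:8]
    status, site_id, reason, queue = parts[-4:]
    uri_raw = " ".join(parts[8:-4])
    m = TRUNC_RE.search(uri_raw)
    total_bytes = int(m.group(1)) if m else None
    # Keep only the contiguous prefix before the marker; the fragment after
    # it is not adjacent to the prefix in the real request.
    uri = uri_raw[: m.start()].strip() if m else uri_raw
    split = urlsplit(uri)
    query = parse_qs(split.query)
    return {
        "timestamp": f"{date} {time}",
        "client": f"{c_ip}:{c_port}",
        "method": method,
        "path": split.path,
        "operation": query.get("operation", [None])[0],
        "truncated": m is not None,
        "total_request_bytes": total_bytes,
        "status": status,
        "reason": reason,
    }


def is_scep_request(entry):
    """NDES serves SCEP under /certsrv/mscep/; the operations of interest are
    GetCACert, GetCACaps and PKIOperation."""
    return entry is not None and "/mscep/" in entry["path"].lower()


def dropped_scep_requests(log_text):
    """Return the SCEP entries HTTP.sys logged with Client_Reset, i.e. the
    connection was torn down before a response was written."""
    entries = (parse_httperr_line(line) for line in log_text.splitlines())
    return [e for e in entries
            if is_scep_request(e) and e["reason"] == "Client_Reset"]


def reason_summary(log_text):
    """Count s-reason values per SCEP operation, to see whether failures
    cluster on one operation (e.g. the large PKIOperation GET)."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_httperr_line(line)
        if is_scep_request(e):
            counts[(e["operation"], e["reason"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for e in dropped_scep_requests(SAMPLE_LOG):
        note = ""
        if e["truncated"]:
            note = f" (URI truncated in log, request {e['total_request_bytes']} bytes)"
        print(f"{e['timestamp']} {e['client']} {e['operation']} {e['reason']}{note}")
    print(reason_summary(SAMPLE_LOG))
```

Run it against the real HTTPERR1.log on the WAP server. If only the mscep requests show Client_Reset while the other published sites log nothing or only idle-timer entries, the problem sits in how WAP handles the SCEP requests (whose PKIOperation GET carries the base64 PKCS#7 message in the query string), not in general connectivity.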
This is a known limitation of Web Application Proxy. It happens because NDES sends headers larger than WAP can handle. The team is aware of this and, from what I understand, is working on solving it. Stay tuned.