This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Revocation Check failed

Hello,

i have a problem with my exchange server certificate. Ever since from the beginning it says "Revocation Check failure"

All around the internet it is claimed as a proxy error so i tried to:

- skip or set the proxy for the normal user via netsh winhttp command

- skip or set the proxy for the normal user via IE settings

- skip or set the proxy for NT-Authority/SYSTEM User via netsh winhttp command

- skip or set the proxy for NT-Authority/SYSTEM User via IE settings

- Made an Exception in Filtering Options of the UTM to the Revocation URL shown in the Certificate

- Made an execption to the whole URL of the CA

I can download the CRL via Internet Explorer but the Exchange console still shows "Revocation Check Failure"

Nothing helps and i'm running out of ideas.

What can i do?

This thread was automatically locked due to age.

Parents

0 FormerMember over 3 years ago

Hi Revan,

Thank you for reaching out to the Community!

Could you please tell us about the configured web filtering operation mode on your firewall? Is it transparent or standard proxy?

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 Revan over 3 years ago in reply to FormerMember

No one with an idea?
Cancel
Vote Up 0 Vote Down

Cancel
0 PhilippRusch over 3 years ago in reply to Revan

Hello Revan,

are you sure, that you configured netsh winhttp set proxy FQDN_of_Sophos-FW:8080 bypass-list="crl.cahost.com" (Example)

correctly? Please try with and withput bypass-list.

Standard-mode on the UTM uses port 8080 as default-proxy-port, which is not automatically chosen by "netsh winhttp set proxy"

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 PhilippRusch over 3 years ago in reply to Revan

Hello Revan,

are you sure, that you configured netsh winhttp set proxy FQDN_of_Sophos-FW:8080 bypass-list="crl.cahost.com" (Example)

correctly? Please try with and withput bypass-list.

Standard-mode on the UTM uses port 8080 as default-proxy-port, which is not automatically chosen by "netsh winhttp set proxy"

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Revan over 3 years ago in reply to PhilippRusch

Hi,

yes i tried it excessively. With fqdn, with ip address, with bypass list and without, as normal user, as system user.

Always waited min 30mins afterwards, mostly even more.
Cancel
Vote Up 0 Vote Down

Cancel
0 PhilippRusch over 3 years ago in reply to Revan

Did you use port 8080 for the proxy-setting?

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 PhilippRusch over 3 years ago in reply to PhilippRusch

Hello Revan,

could you show us your command lines for setting winhttp proxy?

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Revan over 3 years ago in reply to PhilippRusch

sorry for the late answer, was on vacation.

Yes, i used port 8080
Cancel
Vote Up 0 Vote Down

Cancel
0 Revan over 3 years ago in reply to PhilippRusch

netsh winhttp set proxy proxy-server="ip_of_the_server:8080" bypass-list="*.domain.local"

netsh winhttp set proxy proxy-server="fqdn_of_the_server:8080" bypass-list="*.domain.local"

netsh winhttp set proxy ip_of_the_server:8080

netsh winhttp set proxy fqdn_of_the_server:8080

netsh winhttp import proxy source =ie

netsh winhttp reset proxy

I also tried to change the proxy settings via psexec session as LOCAL SYSTEM User

netsh winhttp show proxy always tell me if the settings were applied
Cancel
Vote Up 0 Vote Down

Cancel
0 PhilippRusch over 3 years ago in reply to Revan

Can you show us your EXACT command lines?

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Revan over 3 years ago in reply to PhilippRusch

What do you mean?

netsh winhttp set proxy proxy-server="10.10.0.10:8080" bypass-list="*.domain.local"

netsh winhttp set proxy proxy-server="utm.domain.local:8080" bypass-list="*.domain.local"
Cancel
Vote Up 0 Vote Down

Cancel
0 PhilippRusch over 3 years ago in reply to Revan

Hello revan,

that looks ok.

Did you try this method here: https://docs.microsoft.com/en-us/archive/blogs/bshukla/certificate-revocation-checked-failed

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Revan over 3 years ago in reply to PhilippRusch

Yes, thats what i meant with LOCAL SYSTEM User
Cancel
Vote Up 0 Vote Down

Cancel
0 PhilippRusch over 3 years ago in reply to Revan

Did you check proxy settings under that account?

I mean, did you do "netsh winhttp show proxy" under that account?

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel