Clients that are members of the forest can use a certificate with a DNS SAN value, for example: DNSemail@example.com. This means that you can deploy these certificates by using the standard Workstation Authentication certificate template and autoenrollment, which greatly simplifies client certificate deployment. Previously, only a UPN SAN value was supported, which could not be deployed by using autoenrollment. Note that workstations that are not joined to the forest still require manual deployment and the UPN SAN value in their certificate.
Instructions are added for configuring ISA Server for the Internet-based software update point. Separate instructions are required because WSUS does not support client certificates.
Instructions are added for configuring the HTTP methods allowed for the Internet-based management point and distribution point, to help increase security.
Note: HTTP methods for the Internet-based software update point are not included because the HTTP verbs used by WSUS are not documented for the latest WSUS versions. However, previous versions document these as GET, HEAD, and POST, and our preliminary testing confirms that these verbs are still used. If you want to increase security for the Internet-based software update point by restricting the HTTP verbs that are allowed, test this configuration yourself by following the instructions in "To Modify the Web Publishing Rule to Enable the required HTTP Methods" and substituting the following HTTP verbs for the HTTP methods: GET, HEAD, and POST.
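One way to support that test before enforcing the restriction, as an added example that is not part of the original documentation: audit the web server logs of the software update point and list every request whose verb falls outside GET, HEAD, and POST. It assumes the logs are in W3C extended format with the `cs-method` field enabled; the function name `audit_methods` and the sample log lines are constructed for illustration.

```python
from collections import Counter

# Verbs the note above proposes to allow for the software update point.
ALLOWED = {"GET", "HEAD", "POST"}

# Constructed sample in W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem sc-status
2009-03-02 10:15:01 POST /ClientWebService/client.asmx 200
2009-03-02 10:15:04 HEAD /Content/7A/example.cab 200
2009-03-02 10:15:05 GET /Content/7A/example.cab 206
2009-03-02 10:16:40 OPTIONS /Content/ 200
2009-03-02 10:17:12 POST /SimpleAuthWebService/SimpleAuth.asmx 200
"""


def audit_methods(log_text, allowed=ALLOWED):
    """Return (Counter of verbs seen, [(line_no, verb, uri)] outside `allowed`)."""
    fields, counts, outside = [], Counter(), []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            # The column layout is declared in-band and can change mid-file.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if "cs-method" not in fields:
            raise ValueError("log does not record cs-method; enable it first")
        row = dict(zip(fields, line.split()))
        verb = row.get("cs-method", "-").upper()
        counts[verb] += 1
        if verb not in allowed:
            outside.append((line_no, verb, row.get("cs-uri-stem", "-")))
    return counts, outside


if __name__ == "__main__":
    counts, outside = audit_methods(SAMPLE_LOG)
    print("verbs seen:", dict(counts))
    for line_no, verb, uri in outside:
        print(f"line {line_no}: {verb} {uri} would be blocked by the rule")
```

An empty result for a representative period of client activity supports the restriction; any verb reported here would be blocked once the rule is enforced and should be investigated first.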
This updated documentation has been published with the Community Content footer, so that you can share additional information about this scenario configuration with other customers.
Our thanks to Jim Harrison (Program Manager for Forefront TMG), Jason Jones (Forefront MVP), and Rachel Aldam (Technical Writer, Identity and Security Division) for their help in updating this documentation for our customers.