We have an issue where Host Checker is taking a long time to run, and it is because our machines do not have internet access and cannot check the CRL lists. We have disabled the checking in Internet Explorer (we are using a mix of IE7 and IE8), but it still continues to try to check the CRL lists. Is it possible that Host Checker or any other Juniper apps are trying to go out and check for CRLs?
I have tried to use Process Explorer to find which process is trying to talk to them, but the source ports never seem to show up.
Host Checker will only do certificate checking if you specifically enable it as part of the client certificate definition.
What do you mean by client certificate definition? Is this an option within the certificate or on the SA itself?
What I meant was that with Host Checker you specify the cert to check for. That cert is defined under:
System / Configuration / Certificates / Trusted Client CAs
The only time certs will be checked for "status" (i.e. revoked or not) is if within the cert definition you have specified to use OCSP / CRL for cert checking.
Hope that clarifies my explanation.
Ah OK, that makes sense. We do not have any of this selected and it is definitely turned off in IE. I have checked the registry and it's definitely off, but there is still something that is checking, and they can be stuck doing the host check for about 8 minutes while it keeps on trying to check CRLs.
It happens on all ESAPs. We update the ESAP every month. We use NetScreen and SSG firewalls and we cannot specify wildcard domain names, so we are having to use a proxy server to allow the traffic out.
That is odd; there are only two or three versions that we know of in which this happens. What versions are you seeing this happen on?