Installing Exchange 2007 & 2010 Rollups on Servers That Don’t Have Internet Access
In today’s security conscious organizations, many internal servers don’t have Internet access. This reduces the attack surface for the servers. However, some tasks require Internet access to some degree, such as Windows Updates. That can be mitigated by WSUS or System Center Configuration Manager. But Exchange rollups also look to the Internet, and not having Internet access can cause the rollup installation to take considerably longer, or even fail.
Exchange rollups use signed code, and IE will check http://crl.microsoft.com/pki/crl/products/CSPCA.crl for certificate revocation to validate the code signing. It’s here we time out if there is no Internet connection to that URL.
We can fix this easily by disabling certification revocation in Internet Explorer. Simply open IE, go to Tools>Internet Options>Advanced>Security. Find the “Check for publisher’s certificate revocation” option and uncheck the box.
Click OK and close everything up. Installing the rollup should go much quicker now, since the server won’t check for cert revocation.
If you’re still having other problems with rollup installation, such as managed services not starting (usually affecting Exchange 2007), you may need to tweak some config files. Microsoft has documented this at http://support.microsoft.com/default.aspx/kb/944752 and http://msexchangeteam.com/archive/2008/07/08/449159.aspx