Using a self-signed cert, if the CRL (Certificate Revocation List) is not available the client cannot connect. This can be easily fixed with a registry value that disables certificate revocation checking on the client:

The fix: on the client, create a new DWORD value set to 1 under the following key:

HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters

Name: NoCertRevocationCheck
Type: DWORD (32-bit)
Value: 1

Error 0x80092013: The revocation function was unable to check revocation because the revocation server was offline
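The registry change above, as an added PowerShell example (not from the original post); it assumes an elevated session on the Windows SSTP client and wraps the change in functions so the workaround can be checked and reverted once a reachable CRL is available.

```powershell
# Added example, not part of the original post. Assumes an elevated
# PowerShell session on the SSTP client; the value sits under the SstpSvc
# service parameters exactly as the post describes.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$Name = 'NoCertRevocationCheck'

function Get-SstpRevocationCheckState {
    # 'Disabled' when the value is 1; absent or 0 means the client still
    # checks the CRL and will fail with 0x80092013 if it is unreachable.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -and $item.$Name -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-SstpRevocationCheck {
    # Creates the Parameters key if missing and sets the DWORD to 1.
    # Caveat: while this is set, a revoked server certificate is accepted,
    # so treat it as a temporary workaround for the missing CRL.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    Get-SstpRevocationCheckState
}

function Enable-SstpRevocationCheck {
    # Reverts the workaround by removing the value (default behaviour returns).
    Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    Get-SstpRevocationCheckState
}

# Show the current state, apply the workaround, then verify it took.
Get-SstpRevocationCheckState
Disable-SstpRevocationCheck
# Assumption: the value is read when the service starts, so restart
# SstpSvc (or reboot) before retrying the connection.
Restart-Service -Name SstpSvc
```

Run Enable-SstpRevocationCheck once the CRL is published and reachable, so the client goes back to rejecting revoked certificates.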

I’ve been having some real ‘fun’ with this today – with a /29 range you would expect to be able to configure an X550e with XTM 11.1 to listen for incoming SSL connections on only 1 IP address – especially as the configuration screen for the SSL asks which address to listen on... but no – it will listen on all, regardless. All I wanted to do was NAT 443 on the next available public IP to a server in the DMZ, but no – SSL grabs the connection first.

I even tried amending the auto-created SSL rule to replace the ‘firebox’ under To so that it only listens on the IP I wanted. But no – the damn thing listens on all. Call currently open with WatchGuard whilst I scan the change notes in the later versions…