Performance issues when an Enterprise Vault server has no Internet connection

If your Enterprise Vault server does not have a connection to the Internet administrators and users can experience delays while Windows tries to check digital certificates.

This issue arises because Enterprise Vault files are digitally signed with a VeriSign certificate. By default, when these files are accessed, Windows checks to determine whether the file's digital certificate has been revoked. If no Internet connection is available, the Web application pauses while Windows tries to check the certificate.

The delays are obvious at the following times:

When you run Setup.exe to install Enterprise Vault.
When you start the Administration Console.
When users access Web applications such as Archive Explorer or the integrated search.

If you use Enterprise Vault on a server without an Internet connection, you can prevent the Windows check for digital certificates that have been revoked. You can use the following methods to prevent certificate revocation checks:

You can use .config files to prevent the checks for individual processes.
You can use Internet Explorer settings to prevent the checks for all processes that run under a particular account. If you choose this method you must change the Internet Explorer settings on each Enterprise Vault server for every account that runs an Enterprise Vault service.

To turn off certificate revocation checking Enterprise Vault per process

Use a plain-text editor such as Windows Notepad to create a configuration file that contains the following lines:
```
<configuration>
  <runtime>
	<generatePublisherEvidence enabled="false"/>
  </runtime>
</configuration>
```
Save the file as No_Connection.config in any convenient location, such as C:\.
Copy the No_Connection.config file to the following names and locations:
- To file w3wp.exe.config in the same folder as w3wp.exe. For example:
  
  %windir%\system32\inetsrv
  
  This turns off checks by all web applications on the server.
- On a 32-bit Windows system: To file mmc.exe.config in the same folder as mmc.exe.
  
  For example: %windir%\System32\mmc.exe.config
  
  On a 64-bit Windows system: To file mmc.exe.config in the same folder as mmc.exe. For example:
  
  %windir%\SysWOW64\mmc.exe.config
  
  This turns off checks by the Enterprise Vault System Status MMC snapin.
- To file RegAsm.exe.config in the same folder as RegAsm.exe. For example:
  
  %windir%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe.config
  
  This turns off checks by the self-registration routines in the Enterprise Vault installer.
- To file InstallUtil.exe.config in the same folder as InstallUtil.exe. For example:
  
  %windir%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe.config
  
  This turns off checks by the self-installation routines in the Enterprise Vault installer.

If the Enterprise Vault server gains Internet access in the future, delete the files to enable signature checking again.

For more information on the generatePublisherEvidence element, see the following article on the Microsoft Web site:

http://msdn.microsoft.com/en-us/library/bb629393.aspx

There is an alternative method that you can use to turn off certificate revocation checking. This alternative method is specific to the Vault Service account and any other accounts that you use to run Enterprise Vault services. There is no requirement for you to use this alternative method.

To turn off certificate revocation checking for a particular user account

Log on to the Enterprise Vault server as an account that runs Enterprise Vault services on that server. This account is typically the Vault Service account.
In Windows Control Panel, double-click Internet Options.
In the Internet Properties dialog box, click the Advanced tab.
In the Security section, uncheck Check for publisher's certificate revocation.
Click OK.