We have an issue with auto-enrollment of windows stations though Cisco ASA. When certificates are provisioned manually, all is ok.
Windows DC is situated behind the outside ASA interface and Windows clients are situated behind inside interface.
When bypass from clients to DC is enabled all works fine.
What can be the reason? Is there any way to allow or inspect such communication?