This topic provides information about planning certificate requirements in your Forefront UAG DirectAccess deployment.
A Forefront UAG DirectAccess deployment requires the following certificates:
- DirectAccess client computer—Each DirectAccess client computer requires a computer certificate that is used as follows:
  - When establishing the IPsec connection between the client and the DirectAccess server.
  - When using IP-HTTPS. The DirectAccess server validates the certificate before allowing the IP-HTTPS connection over the Internet.
- DirectAccess server—The DirectAccess
server requires a computer certificate to establish IPsec
connections with DirectAccess client computers.
- IP-HTTPS server—IP-HTTPS is an IPv6 transition technology that enables DirectAccess clients to connect to the DirectAccess server over the IPv4 Internet. After running the Forefront UAG DirectAccess Configuration Wizard, the Forefront UAG DirectAccess server is automatically configured to act as the IP-HTTPS Web server. The IP-HTTPS site requires a Web site certificate, and DirectAccess clients must be able to contact the certificate revocation list (CRL) site for the certificate.
- Network location server—The network
location server is a Web site used to detect whether DirectAccess
clients are located in the corporate network. The network location
server requires a Web site certificate. DirectAccess clients must
be able to contact the CRL site for the certificate.
- Network access protection (NAP)—You
can optionally deploy NAP in order to enforce health requirements
for DirectAccess client computers. The Health Registration
Authority (HRA) server obtains health certificates on behalf of NAP
clients determined as compliant with network health requirements.
These health certificates are later used to authenticate NAP
clients for IPsec-protected communications with other NAP clients
on an intranet.
- OTP authentication—Optionally, you can
deploy Forefront UAG DirectAccess with two-factor authentication
using a one-time password (OTP).
- Smartcard authentication—You can
optionally implement two-factor authentication with smartcards.
Certificate requirements are as follows:
- An internal CA is required to issue computer certificates to
the DirectAccess server and clients for IPsec authentication.
- A CA is required to issue certificates for the IP-HTTPS server
and the network location server. For IP-HTTPS, using an external CA
ensures that the CRL is available externally.
- A CA is required if you are deploying OTP authentication. A
dedicated CA must be used.
- A Windows-based CA must be used if you are deploying NAP. We
recommend that a dedicated CA is used.
- If you want to use smart card authentication and you want to
implement extended authentication and encryption to internal
application servers, you must use Windows Server 2008 R2 AD DS.
The following limitations apply:
- We recommend not running CAs on the Forefront
UAG DirectAccess server.
- The CA used for OTP must be an enterprise CA
running Windows Server 2008 R2.
- The CA used for OTP must be located in the
same forest as the Forefront UAG DirectAccess server. It should not
be installed on the domain controller.
- The CA used for OTP should not be used to issue other certificates for DirectAccess. Specifically, each OTP CA (and the parent CA it chains to) must not be equal to, or the parent of, the CA used for IPsec authentication, or of the CA used for
- The CA used to issue NAP health certificates must be a Windows-based CA. In a large deployment, we recommend that a dedicated CA is used for performance reasons.
Planning steps are summarized in the following table.

| Planning stage | Planning steps |
|---|---|
| Planning computer certificates for the DirectAccess server and clients | When you configure DirectAccess settings in the Forefront UAG Management console, the DirectAccess server and clients are configured by default to use certificates for IPsec authentication. The simplest way to install the required certificates is to configure group-policy based auto enrollment for computer certificates. This ensures that all domain members obtain a certificate from an enterprise CA. For more information, see Configure computer certificate autoenrollment in the TechNet library. |
| Planning Web site certificates for IP-HTTPS | Because the Forefront UAG DirectAccess server acts as an IP-HTTPS listener, you must manually install an HTTPS Web site certificate on the server. Note the following when obtaining the certificate: |
| Planning Web site certificates for the network location server | |
| Planning for NAP certificates | |
| Planning for OTP certificates | Configure a dedicated enterprise CA running Windows Server 2008 that is not used for other purposes. Note the following: |
| Planning for smartcard certificates | Smart card authentication in DirectAccess can be used in addition to standard authentication using a computer certificate, user name, and password. Smart card authentication takes place on the IPsec gateway. DirectAccess clients must use a smart card to be authenticated by the Forefront UAG DirectAccess server. Users can log on to their computers, access infrastructure servers, and the Internet without a smart card. Smart card authentication is required to connect to internal resources. Note the following: |
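The following PowerShell script is an added example, not part of this TechNet page or of Forefront UAG, for checking a Web site certificate installed for the IP-HTTPS listener or the network location server against the requirements above: Server Authentication usage, a chain that validates with online revocation checking, and an HTTP CRL distribution point that can actually be fetched. It assumes the certificate is in the local computer's Personal store, that the subject CN is the site's FQDN (the placeholder `da.example.com` stands in for your real name), and that the formatted CRL extension text contains `URL=` entries as it does on English Windows builds.

```powershell
# Added example (not from the page): check a DirectAccess Web site certificate the way a client judges it.
# Assumes the certificate is in Cert:\LocalMachine\My and its subject CN is the placeholder FQDN below.
function Test-DirectAccessWebCert {
    param([string]$DnsName)

    # Find certificates with a private key whose subject CN is the FQDN.
    $pattern = 'CN=' + [regex]::Escape($DnsName) + '(,|$)'
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey -and $_.Subject -match $pattern })
    if ($certs.Count -eq 0) { Write-Warning "No certificate with a private key for $DnsName in LocalMachine\My"; return $false }

    $allOk = $true
    foreach ($cert in $certs) {
        Write-Host "Checking $($cert.Thumbprint) ($($cert.Subject), expires $($cert.NotAfter))"

        # An HTTPS listener needs the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })
        if (-not $hasServerAuth) { Write-Warning "  Missing Server Authentication EKU"; $allOk = $false }

        # Build the chain with online revocation checking for every certificate in it, as clients do.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = "Online"
        $chain.ChainPolicy.RevocationFlag = "EntireChain"
        if (-not $chain.Build($cert)) {
            $chain.ChainStatus | ForEach-Object { Write-Warning "  Chain: $($_.Status) $($_.StatusInformation.Trim())" }
            $allOk = $false
        }

        # Internet clients can only fetch the CRL over HTTP; ldap:// distribution points work on the intranet alone.
        # Run this from a client outside the corporate network to prove the CRL is reachable externally.
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
        if (-not $cdp) { Write-Warning "  No CRL Distribution Point extension"; $allOk = $false; continue }
        $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
        $httpUrls = @($urls | Where-Object { $_ -like "http://*" })
        if ($httpUrls.Count -eq 0) { Write-Warning "  No HTTP CRL URL (found: $($urls -join ', '))"; $allOk = $false }
        foreach ($url in $httpUrls) {
            try {
                $bytes = (New-Object System.Net.WebClient).DownloadData($url)
                Write-Host "  CRL reachable: $url ($($bytes.Length) bytes)"
            } catch {
                Write-Warning "  CRL not reachable: $url ($($_.Exception.Message))"; $allOk = $false
            }
        }
    }
    return $allOk
}

Test-DirectAccessWebCert -DnsName "da.example.com"   # placeholder FQDN; replace with the IP-HTTPS or NLS name
```

The same function applied to the network location server certificate should report an HTTP CRL that is reachable from inside the corporate network, while the IP-HTTPS certificate's CRL must also answer from the Internet.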