Certificate revocation list (CRL) distribution points are a critical component of Forefront UAG DirectAccess:
- DirectAccess clients use certificate revocation checking to validate the Forefront UAG DirectAccess server certificate for IP-HTTPS connections. Without a reachable CRL distribution point on the Internet, all IP-HTTPS-based DirectAccess connections will fail.
- DirectAccess clients use certificate revocation checking to validate the certificate for the HTTPS connection to the network location server. Without a reachable CRL distribution point on the intranet, intranet detection fails, which can impair intranet connectivity for DirectAccess clients.
The following design considerations need to be addressed when planning CRL distribution points:
Where to Place the CRL Distribution Points
You need certificate revocation list (CRL) distribution points on both the intranet (for intranet detection) and the Internet (for IP-HTTPS connections).
The following describe the CRL location requirements:
- Intranet location for intranet detection—For intranet detection, you must configure your public key infrastructure (PKI) to publish the CRL in a location that is resolvable and accessible from DirectAccess clients on the intranet during intranet detection. Use either a fully qualified domain name (FQDN) that does not match the intranet namespace or add the FQDN to the Name Resolution Policy Table (NRPT) as an exemption rule. For more information on applying an exemption rule, see Identifying DNS servers.
Note: If the above FQDN resolves to an IPv6 address, you should also add an IPsec exemption rule.
The CRL distribution point should be hosted on an intranet Web or file server that provides high availability and, depending on the number of DirectAccess clients, high capacity.
- Internet location for IP-HTTPS connections—For IP-HTTPS connections, you must configure your PKI to publish the CRL in a location that is resolvable and accessible from DirectAccess clients on the Internet. Use either an FQDN that does not match the intranet namespace or add the FQDN to the NRPT as an exemption rule.
The CRL distribution point should be hosted on an Internet-facing and publicly accessible Web or file server that provides high availability and, depending on the number of DirectAccess clients, high capacity.
When using a third-party IP-HTTPS certificate, a CRL is normally provided by the third party.
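The two placement rules above (the CDP name must be outside the intranet namespace or carry an NRPT exemption, and the CRL must actually be downloadable from where the client sits) can be checked before deployment. The following PowerShell script is an added example, not part of the Forefront UAG documentation: it reads the CRL Distribution Points extension from the IP-HTTPS or network location server certificate, applies the namespace rule, and downloads each HTTP CDP. Run it once from an intranet client and once from an Internet client. It assumes PowerShell 3.0 or later, and the thumbprint, the intranet suffix `.corp.contoso.com` and the exemption list are placeholders you replace with your own values.

```powershell
# Added example (not from the Forefront UAG documentation): validate the CRL
# distribution points of a DirectAccess-related certificate from the client's
# point of view. Thumbprint, intranet suffix and exemption list are assumed
# placeholders; edit them before running.
param(
    [string]$Thumbprint       = 'REPLACE-WITH-IP-HTTPS-OR-NLS-CERT-THUMBPRINT',
    [string]$IntranetSuffix   = '.corp.contoso.com',        # assumed intranet namespace
    [string[]]$NrptExemptions = @('crl.corp.contoso.com')   # assumed NRPT exemption FQDNs
)

function Get-CdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 is the CRL Distribution Points extension. Format($true)
    # renders it as text with one "URL=..." line per distribution point.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CdpPlacement {
    param([string]$Url, [string]$Suffix, [string[]]$Exemptions)
    $fqdn = ([uri]$Url).Host
    if ($fqdn.EndsWith($Suffix, [StringComparison]::OrdinalIgnoreCase)) {
        if ($Exemptions -contains $fqdn) {
            "OK:   $fqdn is inside the intranet namespace but has an NRPT exemption"
        } else {
            "FAIL: $fqdn matches the intranet namespace and has no NRPT exemption; " +
            "Internet clients would send this lookup through the DirectAccess tunnel"
        }
    } else {
        "OK:   $fqdn is outside the intranet namespace"
    }
}

function Test-CdpReachable {
    param([string]$Url)
    $tmp = [IO.Path]::GetTempFileName()
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -TimeoutSec 15
        $bytes = [IO.File]::ReadAllBytes($tmp)
        # A DER-encoded CRL begins with an ASN.1 SEQUENCE tag (0x30); a captive
        # portal or error page returns HTML instead, which would pass a plain
        # "HTTP 200" check but fail revocation checking on the client.
        if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) {
            "OK:   downloaded $($bytes.Length) bytes from $Url"
        } else {
            "FAIL: $Url answered, but the body is not a DER-encoded CRL"
        }
    } catch {
        "FAIL: $Url unreachable: $($_.Exception.Message)"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

foreach ($url in Get-CdpUrl -Cert $cert) {
    if ($url -notmatch '^http://') {
        # LDAP distribution points are not reachable from the Internet and do
        # not help IP-HTTPS clients; only the HTTP ones matter here.
        "SKIP: $url is not an HTTP distribution point"
        continue
    }
    Test-CdpPlacement -Url $url -Suffix $IntranetSuffix -Exemptions $NrptExemptions
    Test-CdpReachable -Url $url
}
```

A FAIL from `Test-CdpPlacement` means the name needs an NRPT exemption rule (or a name outside the intranet namespace); a FAIL from `Test-CdpReachable` on an Internet client means IP-HTTPS connections will not establish, and on an intranet client means intranet detection will not succeed.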
Planning Redundancy for CRL Distribution Points
If the intranet certificate revocation list (CRL) distribution point becomes unavailable, intranet detection will fail for DirectAccess clients on the intranet. If the Internet CRL distribution point becomes unavailable, DirectAccess clients on the Internet will be unable to use IP-HTTPS-based connections to the Forefront UAG DirectAccess server.
For redundancy for CRL distribution points, you can do the following:
- For a single CRL distribution point, you can configure redundancy for Internet Information Services (IIS)-based Web servers or Windows Server 2008 R2 or Windows Server 2008-based file servers, with Network Load Balancing. For more information, see Overview of the Network Load Balancing Deployment Process (http://go.microsoft.com/fwlink/?LinkId=169487).
- You can also configure multiple CRL distribution points on different Web or file servers on your intranet or the Internet.
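Both redundancy options can be put together with the NLB cmdlets and certutil. The following PowerShell is an added example, not part of the Forefront UAG documentation or Microsoft's deployment guide: the first part builds an NLB cluster from two IIS servers that host the CRL, and the second part, run on the issuing CA, lists an intranet and an Internet distribution point in every certificate the CA issues so that a client has two independent locations to try. Server names, the cluster address 10.0.0.50, the share path and the two CDP URLs are placeholders; the NetworkLoadBalancingClusters module ships with Windows Server 2008 R2 and later.

```powershell
# Added example (not from the Forefront UAG documentation). Part 1 runs on
# the first CRL Web server; part 2 runs on the issuing CA. All host names,
# addresses and URLs are assumed placeholders.

# ----- Part 1: NLB cluster for a single CRL distribution point -----
Import-Module NetworkLoadBalancingClusters

# The cluster IP 10.0.0.50 is what crl.corp.contoso.com resolves to, so the
# CDP name stays reachable if either Web server is down.
New-NlbCluster -HostName 'crlweb1' -InterfaceName 'Ethernet' -ClusterName 'crlweb' `
    -ClusterPrimaryIP '10.0.0.50' -SubnetMask '255.255.255.0' -OperationMode Multicast | Out-Null
Add-NlbClusterNode -HostName 'crlweb1' -NewNodeName 'crlweb2' -NewNodeInterface 'Ethernet' | Out-Null

# Replace the default all-ports rule with one for HTTP only; clients fetch
# CRLs over plain HTTP on port 80, and no affinity is needed for a static file.
Get-NlbClusterPortRule -HostName 'crlweb1' | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -HostName 'crlweb1' -StartPort 80 -EndPort 80 -Protocol TCP -Affinity None | Out-Null

# ----- Part 2 (on the issuing CA): several CRL distribution points -----
# CRLPublicationURLs is a multi-string; certutil takes "\n" as the separator.
# Flag 1 = publish the CRL file to this location, flag 2 = include the URL in
# the CDP extension of issued certificates. %3 = CA name, %8 = CRL name
# suffix, %9 = delta CRL suffix. Copying the published .crl file to both Web
# farms (intranet and Internet) is a separate scheduled job not shown here.
$cdpList = @(
    '1:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl',   # local publish location
    '2:http://crl.corp.contoso.com/pki/%3%8%9.crl',         # intranet CDP (NLB name above)
    '2:http://crl.contoso.com/pki/%3%8%9.crl'               # Internet-facing CDP
) -join '\n'
certutil -setreg 'CA\CRLPublicationURLs' $cdpList
Restart-Service certsvc      # the CA reads CRLPublicationURLs at start-up
certutil -CRL                # issue a new CRL under the updated publication list
```

Certificates issued before the change keep their old CDP extension, so the IP-HTTPS and network location server certificates must be re-issued after part 2 for clients to see both distribution points.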