A Forefront UAG DirectAccess deployment needs a public key infrastructure (PKI) to issue certificates to DirectAccess clients, the Forefront UAG DirectAccess server, and the network location server.
The following describe some of the PKI design considerations for deploying Forefront UAG DirectAccess:
- Autoenrollment for computer certificates
- Manual enrollment for network location server and IP-HTTPS certificates
- Smart cards for additional authorization
Autoenrollment for computer certificates
The Forefront UAG DirectAccess Configuration Wizard allows you to configure the end-to-edge and end-to-end access models that by default use certificates for IPsec peer authentication. The easiest way to install certificates on both DirectAccess clients and servers is to configure autoenrollment for computer certificates. Autoenrollment ensures that all domain members obtain a computer certificate from an enterprise certification authority (CA). For more information, see Configure Computer Certificate Autoenrollment (http://go.microsoft.com/fwlink/?LinkId=169483).
Manual enrollment for network location server and IP-HTTPS certificates
You must also manually enroll the following certificates:
- An additional certificate on the Forefront UAG DirectAccess server for IP-HTTPS authentication. Note: This certificate must be imported directly to the personal store.
- An additional certificate for the network location server for HTTPS authentication.
The IP-HTTPS certificate for the Forefront UAG DirectAccess server must have the following properties:
- In the Subject field, either an Internet Protocol version 4 (IPv4) address of the Internet interface of the DirectAccess server or the fully qualified domain name (FQDN) of the IP-HTTPS uniform resource locator (URL).
- For the Enhanced Key Usage field, the Server Authentication object identifier (OID).
- For the CRL Distribution Points field, a certificate revocation list (CRL) distribution point that is accessible by DirectAccess clients that are connected to the Internet.
- The IP-HTTPS certificate must have a private key.
- The IP-HTTPS certificate must be imported directly into the personal store.
Note: Forefront UAG DirectAccess allows the use of IP-HTTPS certificates that have wildcards in their names. These must be configured in the Authentication Options page of the Forefront UAG DirectAccess Configuration Wizard.
The HTTPS certificate for the network location server must have the following properties:
- In the Subject field, either an Internet Protocol (IP) address of the intranet interface of the network location server or the FQDN of the network location URL.
- For the Enhanced Key Usage field, the Server Authentication OID.
- For the CRL Distribution Points field, a CRL distribution point that is accessible by DirectAccess clients that are connected to the intranet. This CRL distribution point need not be accessible from outside the internal network.
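The following PowerShell script is an added example, not part of the Forefront UAG documentation; it checks a certificate in the computer's personal store against the property lists above for both the IP-HTTPS certificate and the network location server certificate. The thumbprint and expected name are parameters you supply; the CRL reachability check is deliberately left to a client on the Internet or intranet respectively, since the script only confirms the extension is present.

```powershell
# Added example: verify an IP-HTTPS or network location server certificate
# against the Forefront UAG DirectAccess requirements. Run on the server that
# holds the certificate. $Thumbprint and $ExpectedName are assumed inputs.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    # IPv4 address of the Internet interface, or FQDN of the IP-HTTPS / network location URL
    [Parameter(Mandatory)] [string] $ExpectedName
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$cdpOid        = '2.5.29.31'           # CRL Distribution Points extension

# Requirement: the certificate sits in the computer's personal (My) store
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint is not in Cert:\LocalMachine\My" }

$results = [ordered]@{}

# Requirement: Subject names the IP address or the FQDN of the URL.
# A wildcard CN (*.example.com) is accepted because UAG allows wildcard IP-HTTPS names.
$cn = ($cert.Subject -split ',' |
       Where-Object { $_.Trim() -like 'CN=*' } |
       Select-Object -First 1)
$cn = if ($cn) { $cn.Trim().Substring(3) } else { '' }
$results['Subject matches expected name'] =
    ($cn -eq $ExpectedName) -or ($cn.StartsWith('*.') -and ($ExpectedName -like $cn))

# Requirement: Enhanced Key Usage contains the Server Authentication OID
$eku = $cert.Extensions |
       Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$results['EKU includes Server Authentication'] =
    [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })

# Requirement: a CRL Distribution Points extension is present. Reachability of
# the listed URLs must still be tested from a DirectAccess client on the
# Internet (IP-HTTPS certificate) or on the intranet (network location server).
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
$results['CRL Distribution Points present'] = [bool]$cdp
if ($cdp) { $results['CDP URLs'] = $cdp.Format($true) }

# Requirement: the private key is present on this machine
$results['Has private key'] = $cert.HasPrivateKey

$results
```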
Smart cards for additional authorization
To use smart cards with IPsec tunnel mode authorization, you must first have a PKI deployment and a smart card infrastructure. After your smart card deployment has been completed, you enable smart card authorization on the Authentication Options page of the Forefront UAG DirectAccess Configuration Wizard.
Note: You should design your PKI to replicate the entire smart card certificate chain to the current user certificate store in a timely manner. If the PKI is slow in replicating the certificate chain, users obtain a smart card certificate and leave the intranet, but are unable to use smart card authorization. To correct this, they might have to return to the intranet and log on with their smart card credentials to force the PKI to install the entire certificate chain in the local user's certificate store.