A Forefront UAG DirectAccess deployment needs a public key infrastructure (PKI) to issue certificates to DirectAccess clients, the Forefront UAG DirectAccess server, and the network location server.

The following sections describe some of the PKI design considerations for deploying Forefront UAG DirectAccess:

Autoenrollment for computer certificates

The Forefront UAG DirectAccess Configuration Wizard allows you to configure the end-to-edge and end-to-end access models that by default use certificates for IPsec peer authentication. The easiest way to install certificates on both DirectAccess clients and servers is to configure autoenrollment for computer certificates. Autoenrollment ensures that all domain members obtain a computer certificate from an enterprise certification authority (CA). For more information, see Configure Computer Certificate Autoenrollment (http://go.microsoft.com/fwlink/?LinkId=169483).

Manual enrollment for network location server and IP-HTTPS certificates

You must also manually enroll the following certificates:

  • An additional certificate on the Forefront UAG DirectAccess server for IP-HTTPS authentication.

    Note:
    This certificate must be imported directly into the personal store of the local computer on the Forefront UAG DirectAccess server.
  • An additional certificate for the network location server for HTTPS authentication.

The IP-HTTPS certificate for the Forefront UAG DirectAccess server must have the following properties:

  • In the Subject field, either an Internet Protocol version 4 (IPv4) address of the Internet interface of the DirectAccess server or the fully qualified domain name (FQDN) of the IP-HTTPS uniform resource locator (URL).

  • For the Enhanced Key Usage field, the Server Authentication object identifier (OID).

  • For the CRL Distribution Points field, a certificate revocation list (CRL) distribution point that is accessible by DirectAccess clients that are connected to the Internet.

  • The IP-HTTPS certificate must have a private key.

  • The IP-HTTPS certificate must be imported directly into the personal store.

Note:
Forefront UAG DirectAccess allows the use of IP-HTTPS certificates that have wildcards in their names. These must be configured in the Authentication Options page of the Forefront UAG DirectAccess Configuration Wizard.

The HTTPS certificate for the network location server must have the following properties:

  • In the Subject field, either an Internet Protocol (IP) address of the intranet interface of the network location server or the FQDN of the network location URL.

  • For the Enhanced Key Usage field, the Server Authentication OID.

  • For the CRL Distribution Points field, a CRL distribution point that is accessible by DirectAccess clients that are connected to the intranet. This CRL distribution point need not be accessible from outside the internal network.
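
The two certificate requirement lists above (for the IP-HTTPS certificate and for the network location server certificate) can be checked against what is actually installed in the local computer's personal store. The following PowerShell function is an added example written for this page; it is not part of the Forefront UAG product or documentation. It assumes the hypothetical host names da.contoso.com (the IP-HTTPS URL) and nls.corp.contoso.com (the network location URL), and uses only Windows PowerShell 2.0 syntax so it runs on a Windows Server 2008 R2 UAG server.

```powershell
# Added example, not from the Forefront UAG documentation.
# Checks a certificate in Cert:\LocalMachine\My (the local computer's personal
# store) for the properties the text requires: matching name, Server
# Authentication EKU, CRL Distribution Points, and a private key.
function Test-DirectAccessCertificate {
    param(
        [Parameter(Mandatory=$true)] [string] $ExpectedName, # FQDN or IP from the URL
        [string] $Thumbprint,                                 # optional: pin one certificate
        [switch] $CheckCrlReachable                           # try to download each HTTP CRL
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $cdpOid        = '2.5.29.31'           # CRL Distribution Points extension
    $sanOid        = '2.5.29.17'           # Subject Alternative Name extension

    $certs = Get-ChildItem -Path Cert:\LocalMachine\My
    if ($Thumbprint) { $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint } }

    foreach ($cert in $certs) {
        $problems = @()

        # 1. Name: the Subject CN or a SAN entry must equal the expected name.
        #    A wildcard such as *.contoso.com is accepted for one left-most label only.
        $names = @()
        $cn = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        if ($cn) { $names += $cn }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        if ($san) {
            # Format($false) renders e.g. "DNS Name=da.contoso.com, IP Address=203.0.113.10"
            $names += ($san.Format($false) -split ',\s*' |
                ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
        }
        $wildcardForm = $ExpectedName -replace '^[^.]+', '*'
        $matched = $names | Where-Object {
            $_ -eq $ExpectedName -or ($_.StartsWith('*.') -and $_ -eq $wildcardForm)
        }
        if (-not $matched) { $problems += "no Subject/SAN name matches $ExpectedName (found: $($names -join ', '))" }

        # 2. Enhanced Key Usage must include Server Authentication.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @()
        if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        if ($ekuOids -notcontains $serverAuthOid) { $problems += "EKU lacks Server Authentication ($serverAuthOid)" }

        # 3. CRL Distribution Points must exist; only HTTP(S) CDPs are usable by
        #    clients outside the domain, so LDAP-only CDPs are reported.
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
        if (-not $cdp) {
            $problems += 'no CRL Distribution Points extension'
        } else {
            $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
            $httpUrls = $urls | Where-Object { $_ -match '^https?://' }
            if (-not $httpUrls) { $problems += "CDP has no HTTP URL (found: $($urls -join ', '))" }
            if ($CheckCrlReachable) {
                $web = New-Object System.Net.WebClient
                foreach ($u in $httpUrls) {
                    try { $null = $web.DownloadData($u) }
                    catch { $problems += "CRL $u not reachable from this host: $($_.Exception.Message)" }
                }
            }
        }

        # 4. Private key must be present (a certificate imported without its key
        #    cannot terminate IP-HTTPS or HTTPS).
        if (-not $cert.HasPrivateKey) { $problems += 'no private key associated with the certificate' }

        # 5. Validity period, a routine cause of sudden DirectAccess outages.
        if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter)" }

        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Passed     = ($problems.Count -eq 0)
            Problems   = $problems
        }
    }
}

# IP-HTTPS certificate on the Forefront UAG DirectAccess server; the CRL must be
# reachable from the Internet, so run this from an Internet-connected host too.
Test-DirectAccessCertificate -ExpectedName 'da.contoso.com' -CheckCrlReachable
# Network location server certificate; an intranet-only CRL is sufficient.
Test-DirectAccessCertificate -ExpectedName 'nls.corp.contoso.com'
```

The reachability test only proves the CRL can be downloaded from the machine running the script. For the IP-HTTPS certificate, repeat it from a host that is outside the intranet, since a CDP that resolves only to an internal address passes here but fails for DirectAccess clients on the Internet.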

Smart cards for additional authorization

To use smart cards with IPsec tunnel mode authorization, you must first have a PKI deployment and a smart card infrastructure. After your smart card deployment has been completed, you enable smart card authorization on the Authentication Options page of the Forefront UAG DirectAccess Configuration Wizard.

Note:
You should design your PKI to replicate the entire smart card certificate chain to the current user certificate store in a timely manner. If the PKI is slow to replicate the certificate chain, a user can obtain a smart card certificate, leave the intranet, and then be unable to use smart card authorization. To correct this, the user might have to return to the intranet and log on with the smart card credentials to force the PKI to install the entire certificate chain in the local user's certificate store.