This topic describes the following methods of authentication that Forefront UAG DirectAccess provides, and how to configure them:

• Root and intermediate certificates—The Forefront UAG DirectAccess server uses root or intermediate certificates to verify the certificates sent by the DirectAccess client computers during IPsec authentication. Root certificates identify root certification authorities, and intermediate certificates identify intermediate certification authorities.
  
  
• IP-HTTPS certificates—The certificate that authenticates the Forefront UAG DirectAccess server to an IP-HTTPS client. The IP-HTTPS certificate contains the URL of the Forefront UAG DirectAccess server that is resolvable through the Internet. DirectAccess clients are automatically configured to connect to the Forefront UAG DirectAccess server through the IPv4 Internet, in order to create IP-HTTPS based connectivity. DirectAccess clients perform certificate revocation checking on the IP-HTTPS certificate submitted by the Forefront UAG DirectAccess server. If you use a private Secure Sockets Layer (SSL) certificate, you must ensure that the certificate revocation list (CRL) distribution points configured in this certificate are accessible and available from the Internet. If these CRL distribution points are not accessible to DirectAccess clients, authentication fails for IP-HTTPS-based DirectAccess connections.
  
  For information about configuring CRL distribution points for Active Directory Certificate Services (AD CS), see Specify CRL Distribution Points (http://go.microsoft.com/fwlink/?LinkId=154420).
  
  
• Health certificates—Network Access Protection (NAP) controls access to network resources based on a client endpoint’s identity and compliance with corporate governance policy. If a DirectAccess client endpoint is not compliant, NAP provides a mechanism to automatically bring the client back into compliance, and then dynamically increase its level of network access. For DirectAccess client endpoints that do not comply with health requirement policies, their access is limited to management servers and domain controllers.
  
  
• Smart card—Smart card authentication takes place on the IPsec gateway. When this option is selected, remote clients must use a smart card to be authenticated by the IPsec gateway (Forefront UAG DirectAccess server). Users can log on to their computers, have access to the infrastructure servers, and access the Internet without a smart card, but they require smart card authentication to access other intranet resources.
  
  
• IPsec Cryptography settings—When DirectAccess clients and the Forefront UAG DirectAccess server communicate, IPsec performs a two-phase operation that establishes a secured connection between the two computers. During the first phase, the two computers establish a secure, authenticated channel, called the main mode security association (SA). The main mode SA is then used during the second phase to allow secure negotiation of the quick mode SA. The quick mode SA specifies the protection settings for matching TCP/IP data transferred between the two computers. The cryptography settings that IPsec uses should be identical on both computers. If your organization has existing cryptography settings enforced on client machines using group policy, you must ensure that the current organization main mode key exchange settings used for all IPsec negotiations are identical to the cryptography settings in Forefront UAG DirectAccess. For more information see, Customizing IPsec settings (http://go.microsoft.com/fwlink/?LinkId=166914).
  
  

---

Copyright © 2010 by Microsoft Corporation. All rights reserved.