This topic describes the following methods of authentication that Forefront UAG DirectAccess provides, and how to configure them:
- Root and intermediate certificates—The
Forefront UAG DirectAccess server uses root or intermediate
certificates to verify the certificates sent by the DirectAccess
client computers during IPsec authentication. Root certificates
identify root certification authorities, and intermediate
certificates identify intermediate certification authorities.
- IP-HTTPS certificates—The certificate
that authenticates the Forefront UAG DirectAccess server to an
IP-HTTPS client. The IP-HTTPS certificate contains the URL of the
Forefront UAG DirectAccess server that is resolvable through the
Internet. DirectAccess clients are automatically configured to
connect to the Forefront UAG DirectAccess server through the IPv4
Internet, in order to create IP-HTTPS-based connectivity.
DirectAccess clients perform certificate revocation checking on the
IP-HTTPS certificate submitted by the Forefront UAG DirectAccess
server. If you use a private Secure Sockets Layer (SSL)
certificate, you must ensure that the certificate revocation list
(CRL) distribution points configured in this certificate are
accessible and available from the Internet. If these CRL
distribution points are not accessible to DirectAccess clients,
authentication fails for IP-HTTPS-based DirectAccess.
For information about configuring CRL distribution points for Active Directory Certificate Services (AD CS), see Specify CRL Distribution Points (http://go.microsoft.com/fwlink/?LinkId=154420).
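The CRL-reachability requirement above is easy to verify before rollout from a machine that sits outside the intranet. The following PowerShell script is an added example, not code from the Forefront UAG documentation; `da.contoso.example` is a placeholder for the Internet-resolvable name in your IP-HTTPS certificate, and the script assumes it is run from an Internet-connected host that is not a DirectAccess client.

```powershell
# Added example: fetch the IP-HTTPS server certificate over TLS, read its
# CRL distribution point extension (OID 2.5.29.31) and test that each HTTP
# URL answers. 'da.contoso.example' is a placeholder for your UAG public name.
$daHost = 'da.contoso.example'

# Accept whatever certificate is presented: chain validation is not the
# point here, we only want the leaf certificate that the server sends.
$tcp = New-Object System.Net.Sockets.TcpClient($daHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($daHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

Write-Host "Subject : $($cert.Subject)"
Write-Host "Expires : $($cert.NotAfter)"

# Format($true) renders the extension as text with one 'URL=' entry per point.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { Write-Warning 'Certificate carries no CRL distribution point'; return }
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    if ($url -notmatch '^http://') {
        # ldap:// and file:// points are only usable inside the domain;
        # a DirectAccess client on the Internet cannot reach them.
        Write-Warning "$url is not an HTTP distribution point; unreachable from the Internet"
        continue
    }
    try {
        $req = [System.Net.WebRequest]::Create($url)
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        Write-Host ("{0} -> HTTP {1}, {2} bytes" -f $url, [int]$resp.StatusCode, $resp.ContentLength)
        $resp.Close()
    } catch {
        Write-Warning "$url failed: $($_.Exception.Message)"
    }
}
```

Every HTTP distribution point should return the CRL; a warning for any of them means IP-HTTPS clients will fail revocation checking against that certificate.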
- Health certificates—Network Access
Protection (NAP) controls access to network resources based on a
client endpoint’s identity and compliance with corporate governance
policy. If a DirectAccess client endpoint is not compliant, NAP
provides a mechanism to automatically bring the client back into
compliance, and then dynamically increase its level of network
access. For DirectAccess client endpoints that do not comply with
health requirement policies, their access is limited to management
servers and domain controllers.
- Smart card—Smart card authentication
takes place on the IPsec gateway. When this option is selected,
remote clients must use a smart card to be authenticated by the
IPsec gateway (Forefront UAG DirectAccess server). Users can log on
to their computers, have access to the infrastructure servers, and
access the Internet without a smart card, but they require smart
card authentication to access other intranet resources.
- IPsec Cryptography settings—When
DirectAccess clients and the Forefront UAG DirectAccess server
communicate, IPsec performs a two-phase operation that establishes
a secured connection between the two computers. During the first
phase, the two computers establish a secure, authenticated channel,
called the main mode security association (SA). The main mode SA is
then used during the second phase to allow secure negotiation of
the quick mode SA. The quick mode SA specifies the protection
settings for matching TCP/IP data transferred between the two
computers. The cryptography settings that IPsec uses should be
identical on both computers. If your organization has existing
cryptography settings enforced on client machines using group
policy, you must ensure that the current organization main mode key
exchange settings used for all IPsec negotiations are identical to
the cryptography settings in Forefront UAG DirectAccess. For more
information, see Customizing IPsec settings.
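One way to check the "identical on both computers" requirement on a client that already receives IPsec settings through group policy is to read its effective main mode proposals and compare them with the set chosen in the wizard. This PowerShell script is an added example, not part of the product documentation; the `$expected` value is a placeholder standing in for the Integrity, Encryption and Key exchange algorithms you select on the Authentication Options page.

```powershell
# Added example: compare a client's effective IPsec main mode proposals with
# the set configured in the Forefront UAG wizard. Run on a domain-joined
# DirectAccess client after 'gpupdate /force'. The expected list is a
# placeholder; use the netsh form DHGroupN-<cipher>-<hash> of your settings.
$expected = 'DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1'

# 'netsh advfirewall show global' prints a 'Main Mode:' section whose
# SecMethods line lists the proposals in the order the client offers them.
$global = netsh advfirewall show global
$line = $global | Where-Object { $_ -match '^\s*SecMethods\s+\S+' } | Select-Object -First 1
if (-not $line) { Write-Warning 'No main mode SecMethods found; is the Windows Firewall service running?'; return }
$actual = ($line.Trim() -split '\s+')[1]

# Order matters: the responder takes the first proposal both sides share, so a
# client that offers a weaker set first negotiates that set with the gateway.
if ($actual -eq $expected) {
    Write-Host "Main mode proposals match UAG: $actual"
} else {
    Write-Warning "Mismatch.`n  client : $actual`n  UAG    : $expected"
    $clientSet = $actual.Split(',')
    $missing = $expected.Split(',') | Where-Object { $clientSet -notcontains $_ }
    if ($missing) { Write-Warning "Not offered by client: $($missing -join ', ')" }
}
```

A mismatch here means the client's group policy, not the UAG wizard, must be changed; otherwise main mode negotiation with the DirectAccess server fails.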
To configure the authentication options
In the DirectAccess Server section of the wizard, on the Authentication Options page, select the root or intermediate certificate that verifies certificates sent by DirectAccess clients, as follows:
- To use a root certificate, click Browse, select the required root certificate, and then click OK.
- To use an intermediate certificate, click Use intermediate certificate, click Browse, select the required intermediate certificate, and then click OK.
Select the certificate that authenticates the Forefront UAG DirectAccess server to a client connecting using IP-HTTPS, by clicking Browse, selecting the required IP-HTTPS certificate, and then clicking OK.
If you want to change the IPsec cryptography settings, click Edit IPsec cryptography settings, select the relevant Integrity, Encryption, and Key exchange algorithms, and then click OK.
Note: Forefront UAG DirectAccess (UP1 release) supports the Suite B cryptographic algorithms that were added to IPsec in Windows Vista Service Pack 1, in Windows Server 2008, and in Windows 7.
Select the following authentication options, if they are deployed in your organization:
- Clients that log on using a PKI smart card—When selected, client endpoints must use PKI smart cards.
- Computers that comply with your organization's NAP policy—When selected, NAP policy is applied to client endpoints.
For instructions on how to configure the next stage of the Forefront UAG DirectAccess configuration wizard, see Specifying the network location server.