This topic provides information about planning IP-HTTPS in your Forefront Unified Access Gateway (UAG) DirectAccess deployment.
- Planning steps
IP-HTTPS is a transition technology used to encapsulate IPv6 packets in an IPv4 header. It is used by DirectAccess clients who are unable to connect to the Forefront UAG DirectAccess server using the other IPv6 connectivity methods, or if force tunneling has been configured. For example, when a client is behind a NAT device or firewall with a private IP address, and the NAT device or firewall is configured to allow only HTTP/HTTPS outbound traffic, the client will use IP-HTTPS. HTTPS is used instead of HTTP so that Web proxy servers will not attempt to examine the data stream and close the connection. IP-HTTPS is also used as a fallback method when clients are unable to connect using any other method. Performance of IP-HTTPS may not be as good as the other connection protocols, because SSL overhead is added to IPsec overhead, with HTTP as the transport protocol. For more information, see IP over HTTPS (IP-HTTPS) Tunneling Protocol Specification (http://go.microsoft.com/fwlink/?LinkId=169501).
After configuring Forefront UAG DirectAccess, the Forefront UAG DirectAccess server is automatically configured to act as the IP-HTTPS Web server. DirectAccess clients receiving the client GPO are automatically configured to connect to the Forefront UAG DirectAccess server through the IPv4 Internet, in order to connect using IP-HTTPS connectivity. Clients are also configured to perform certificate revocation checking the IP-HTTPS certificate submitted by the Forefront UAG DirectAccess server.
- The dashort server acting as an IP-HTTPS Web server requires
Web site certificate to authenticate to DirectAccess clients.
- DirectAccess clients must trust the certification authority
(CA) that issued the Web site certificate.
- DirectAccess clients must be able to contact the certificate
revocation list (CRL) site for the certificate.
- Using a public CA is recommended, so that CRLs are readily
In addition to using the IP-HTTPS FQDN for IP-HTTPS connections, it is also used in the Forefront UAG DirectAccess implementation of network access policy (NAP) enforcement, and force tunneling. For force tunneling it is important that the IP-HTTPS FQDN is not resolvable from inside, otherwise unexpected connectivity issues might arise. Even if not using force tunneling, it is recommended that the FQDN is not resolvable from inside the corporate network
- No planning steps are required to create the IP-HTTPS Web
server. This is configured automatically by the DirectAccess
- Obtain a Web site certificate for the IP-HTTPS Web site on the
Forefront UAG DirectAccess server. Note the following:
- The common name of the certificate should match the name of the
- In the subject field, specify either the IPv4 address of the
Internet adapter of DirectAccess server, or the FQDN of the
- For the Enhanced Key Usage field, use the Server Authentication
object identifier (OID).
- For the CRL Distribution Points field, specify a CRL
distribution point that is accessible by DirectAccess clients that
are connected to the Internet.
- The IP-HTTPS certificate must have a private key.
- The IP-HTTPS certificate must be imported directly into the
- IP-HTTPS certificates can have wildcards in the name.
- The common name of the certificate should match the name of the IP-HTTPS site.server.
- Ensure the FQDN of the IP-HTTPS server is resolvable from the
- Ensure that the CRL for the IP-HTTPS certificate can be reached
by DirectAccess clients on the Internet.