IP-HTTPS is a transition technology that tunnels IPv6 traffic inside an HTTPS session so that DirectAccess clients can connect over the IPv4 Internet, including from locations where Teredo and 6to4 are not available. The Forefront UAG DirectAccess server acts as an IP-HTTPS Web server and uses its server certificate to authenticate to IP-HTTPS clients.
The subject name of the IP-HTTPS certificate must match the FQDN of the Forefront UAG DirectAccess server used in the IP-HTTPS URL, and that FQDN must be resolvable from the Internet.
DirectAccess clients:
- Are automatically configured to connect to the Forefront UAG DirectAccess server through the IPv4 Internet, in order to create IP-HTTPS-based connectivity.
- Perform certificate revocation checking on the IP-HTTPS certificate submitted by the Forefront UAG DirectAccess server.
To select the server certificate that authenticates the Forefront UAG DirectAccess server to the DirectAccess client
- In the DirectAccess Server section of the wizard, on the IP-HTTPS Certificate page, click Browse.
- Select the certificate that authenticates the Forefront UAG DirectAccess server to a DirectAccess client connecting using IP-HTTPS, and click OK.
Note:
- DirectAccess clients must trust the certification authority that issues the server certificate.
- If you use a private Secure Sockets Layer (SSL) certificate, you must ensure that the certificate revocation list (CRL) distribution points configured in this certificate are accessible and available from the Internet. A client on the Internet has no intranet connectivity until the IP-HTTPS tunnel is established, so an LDAP or intranet-only HTTP distribution point cannot be reached. If these CRL distribution points are not accessible to DirectAccess clients, authentication fails for IP-HTTPS-based DirectAccess connections.
For information about configuring CRL distribution points for Active Directory Certificate Services (AD CS), see Specify CRL Distribution Points (http://go.microsoft.com/fwlink/?LinkId=154420).
Important: If you intend to deploy NAP, note the following:
- The Forefront UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections from DirectAccess clients on the Internet. To connect to the IP-HTTPS listener on the Forefront UAG DirectAccess server, the DirectAccess client must be able to resolve the FQDN of the IP-HTTPS server configured in the client GPO. NAP integration configures the Health Registration Authority (HRA) URL using the same FQDN as the IP-HTTPS server. If the IP-HTTPS URL is not resolvable, clients may still have DirectAccess connectivity using Teredo or 6to4. However, when NAP is in enforcement mode and the IP-HTTPS URL is not resolvable, no DirectAccess client can retrieve a health certificate, and all DirectAccess clients are prevented from accessing the intranet.
- Ensure that the IP-HTTPS certificate you select in the Forefront UAG DirectAccess Configuration Wizard is valid before you apply the Forefront UAG DirectAccess configuration. NAP uses this IP-HTTPS certificate; if the IP-HTTPS certificate is changed in the Forefront UAG DirectAccess Configuration Wizard after the configuration has been applied and the HRA and NPS have been created on the Forefront UAG DirectAccess server, DirectAccess clients will be unable to retrieve a health certificate, and all DirectAccess clients will be prevented from accessing the intranet.
- DirectAccess clients must trust the certification authority that issues the server certificate.
- Click Next.
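The Note and the Important sections above describe several ways the IP-HTTPS certificate can silently break DirectAccess (and, with NAP, lock every client out): an FQDN that does not resolve from the Internet, a subject name that does not match the FQDN, an expired or not-yet-valid certificate, an issuing CA the client does not trust, and CRL distribution points that are not reachable from the Internet. The following PowerShell script is an added pre-flight check for those conditions; it is not part of the Forefront UAG documentation or product. It assumes a hypothetical FQDN of da.contoso.com and that the candidate certificate is in the local machine Personal store of the host it runs on; run it on the UAG server to check the certificate, and again from an Internet-connected Windows host (with the certificate exported to it) to confirm that name resolution and the CRL distribution points work from outside.

```powershell
# Added example, not from the Forefront UAG documentation.
# Pre-flight checks for the IP-HTTPS certificate before applying the DirectAccess configuration.
# Assumption (hypothetical): the public FQDN in the client GPO is da.contoso.com.
param(
    [string]$Fqdn = "da.contoso.com",
    [string]$Thumbprint = ""
)

$problems = @()

# 1. The IP-HTTPS FQDN must resolve from the Internet. With NAP, the HRA URL uses the same
#    name, so a resolution failure also stops health certificate enrollment.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($Fqdn) | Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    if (-not $addrs) { $problems += "$Fqdn has no IPv4 address record" }
    else { "$Fqdn resolves to $(($addrs | ForEach-Object { $_.IPAddressToString }) -join ', ')" }
} catch { $problems += "$Fqdn does not resolve: $($_.Exception.Message)" }

# 2. Locate the candidate certificate: by thumbprint if given, otherwise by a subject CN
#    or a DNS subject alternative name (OID 2.5.29.17) that matches the FQDN.
$cnPattern  = "CN=$([regex]::Escape($Fqdn))(,|$)"
$sanPattern = "DNS Name=$([regex]::Escape($Fqdn))(,|$)"
$cert = $null
foreach ($c in (Get-ChildItem Cert:\LocalMachine\My)) {
    if ($Thumbprint) { if ($c.Thumbprint -eq $Thumbprint) { $cert = $c; break } ; continue }
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = ''
    if ($san) { $sanText = $san.Format($false) }
    if ($c.Subject -match $cnPattern -or $sanText -match $sanPattern) { $cert = $c; break }
}

if (-not $cert) {
    $problems += "no certificate in LocalMachine\My matches $Fqdn"
} else {
    "Candidate: $($cert.Subject) (thumbprint $($cert.Thumbprint))"

    # 3. Validity window and private key. An expired certificate, or one without a private key,
    #    cannot be used by the IP-HTTPS listener.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }
    if (-not $cert.HasPrivateKey) { $problems += "certificate has no private key on this host" }

    # 4. Build the chain with online revocation checking, which is what a DirectAccess client does.
    #    On a client this also verifies that the issuing CA is trusted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($cert)) {
        foreach ($s in $chain.ChainStatus) { $problems += "chain: $($s.Status) - $($s.StatusInformation.Trim())" }
    } else { "Chain builds and revocation check passed" }

    # 5. Fetch each CRL distribution point (OID 2.5.29.31) the way an Internet client would.
    #    LDAP and non-HTTP URLs are flagged because a client on the Internet cannot reach them.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) {
        $problems += "certificate has no CRL distribution point extension"
    } else {
        $urls = [regex]::Matches($cdp.Format($false), 'URL=([a-z]+://[^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
        foreach ($u in $urls) {
            if ($u -notmatch '^http://') { "Warning: $u is not an HTTP distribution point; Internet clients cannot use it"; continue }
            try {
                $req = [System.Net.WebRequest]::Create($u)
                $req.Timeout = 10000
                $resp = $req.GetResponse()
                "CRL reachable: $u"
                $resp.Close()
            } catch { $problems += "CRL not reachable: $u - $($_.Exception.Message)" }
        }
    }
}

if ($problems) {
    ""
    "Do not apply the configuration until these are fixed:"
    $problems | ForEach-Object { " - $_" }
    exit 1
}
"All IP-HTTPS certificate checks passed."
```

Because the script exits non-zero on any finding, it can be gated into the change procedure before the wizard configuration is applied, which is the point at which a wrong certificate becomes expensive to change under NAP. On a Windows 7 DirectAccess client, `netsh interface httpstunnel show interfaces` shows whether the IP-HTTPS interface came up and reports the last error code if the connection to the listener failed.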
Note:
- When there is no IPv6 infrastructure on your intranet, the Forefront UAG DirectAccess server is automatically configured as an ISATAP router. It derives 6to4-based organization, IP-HTTPS, and NAT64 IPv6 prefixes, and skips to the IPsec Certificate Authentication page.
- When there is an existing IPv6 infrastructure on your intranet, the Prefix Configuration page appears.