This topic provides information about planning certificate requirements in your Forefront UAG DirectAccess deployment.


Forefront UAG DirectAccess uses an authenticated IPv6/IPsec tunnel to connect DirectAccess clients to DirectAccess servers and intranet resources. By default, Forefront UAG DirectAccess supports standard user authentication using a user name and password. Optionally, you can implement two-factor authentication, which provides improved security because it requires the user to meet two authentication criteria—a user name and password combination, and a token or certificate.

Forefront UAG DirectAccess provides the following two-factor authentication methods:

  1. PKI smart card—Users are required to insert a smart card in addition to typing in their user credentials. Smart card authentication prevents an attacker who acquires a user’s password (but not the smart card) from connecting to the intranet.

  2. One-time password (OTP)—Users are required to authenticate with an OTP using RSA SecurID or with a RADIUS authentication server.


OTP prerequisites are as follows:

  1. The OTP CA should be a dedicated CA used to issue certificates for OTP authentication.

  2. The OTP CA must be an enterprise CA running Windows Server 2008 R2.

  3. OTP requires an RSA SecurID or RADIUS server.

Smart card prerequisites include a smart card infrastructure that should be in place before deploying Forefront UAG DirectAccess.


Limitations include the following:

  1. The OTP CA should not be installed on the Forefront UAG server.

  2. The OTP CA should not be used to issue certificates for IPsec authentication or for NAP, and should not be a parent of the IPsec or NAP CAs.
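The following PowerShell script is an added example, not part of the Forefront UAG documentation, that checks the OTP prerequisites and limitations listed above before deployment. It assumes it is run on the Forefront UAG server (PowerShell 2.0 is sufficient) with an account that can read the OTP CA host's WMI and registry remotely, and that the host name and the thumbprints of the OTP, IPsec, and NAP CA certificates are replaced with your own values; the ones in the script are placeholders.

```powershell
# Added example (not from the Forefront UAG documentation): pre-deployment checks for the
# OTP CA. All host names and thumbprints below are placeholders to be replaced.
param(
    [string]$OtpCaHost       = 'OTP-CA01',                                   # placeholder host name
    [string]$OtpCaThumbprint = '0000000000000000000000000000000000000000',   # placeholder thumbprint
    # Thumbprints of the IPsec CA and the NAP CA certificates (placeholders).
    [string[]]$OtherCaThumbprints = @('1111111111111111111111111111111111111111',
                                      '2222222222222222222222222222222222222222')
)

$findings = @()

# Limitation 1: the OTP CA should not be installed on the Forefront UAG server.
# The presence of the Active Directory Certificate Services service (CertSvc)
# on this machine means a CA is installed here.
if (Get-Service -Name CertSvc -ErrorAction SilentlyContinue) {
    $findings += 'A certification authority (CertSvc) is installed on this Forefront UAG server.'
}

# Prerequisite 2: the OTP CA must run Windows Server 2008 R2 (NT version 6.1, server product type).
$os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $OtpCaHost
if (-not ($os.Version -like '6.1.*' -and $os.ProductType -ne 1)) {
    $findings += "OTP CA host $OtpCaHost reports '$($os.Caption)' ($($os.Version)), not Windows Server 2008 R2."
}

# Prerequisite 2 (continued): the OTP CA must be an enterprise CA. The CA type is stored in
# HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\CAType:
# 0 = enterprise root, 1 = enterprise subordinate, 3 = standalone root, 4 = standalone subordinate.
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $OtpCaHost)
$cfg  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\CertSvc\Configuration')
if ($null -eq $cfg) {
    $findings += "No certification authority configuration found on $OtpCaHost."
} else {
    $caName = $cfg.GetValue('Active')
    $caType = $cfg.OpenSubKey($caName).GetValue('CAType')
    if (@(0, 1) -notcontains $caType) {
        $findings += "OTP CA '$caName' on $OtpCaHost is not an enterprise CA (CAType=$caType)."
    }
    # Prerequisite 1: the OTP CA should be dedicated to OTP. Print the templates it publishes
    # so you can confirm by inspection that only the OTP template is present.
    "Certificate templates published by ${OtpCaHost}\${caName} (review: only the OTP template should appear):"
    certutil -config "$OtpCaHost\$caName" -CATemplates
}

# Limitation 2: the OTP CA must not be a parent of the IPsec or NAP CAs. Build the chain of each
# of those CA certificates (from this machine's CA and Root stores) and confirm the OTP CA
# certificate does not appear above it.
$store = @(Get-ChildItem -Path Cert:\LocalMachine\CA) + @(Get-ChildItem -Path Cert:\LocalMachine\Root)
foreach ($tp in $OtherCaThumbprints) {
    $cert = $store | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
    if ($null -eq $cert) {
        $findings += "CA certificate $tp was not found in the local CA or Root stores."
        continue
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation status is irrelevant to the parentage question, so build the chain offline.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)
    # Element 0 is the certificate itself; everything after it is a parent.
    $parents = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint } | Select-Object -Skip 1
    if ($parents -contains $OtpCaThumbprint) {
        $findings += "CA certificate $tp ($($cert.Subject)) chains to the OTP CA; the OTP CA must not be its parent."
    }
}

if ($findings.Count -eq 0) {
    'OTP CA prerequisites and limitations: no problems found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The registry read requires the Remote Registry service on the OTP CA host; if that is disabled in your environment, run the CAType and template checks locally on the CA instead. The chain check only covers parentage visible from the Forefront UAG server's certificate stores, so make sure the IPsec and NAP CA certificates have been distributed to it first.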

Planning steps

  1. To use smart cards, plan for deployment of a smart card infrastructure.

  2. To use OTP, do the following:

    1. Deploy a dedicated CA.

    2. Configure an RSA SecurID server. Add the Forefront UAG server as an authentication agent, and connect the servers. If you are using a RADIUS server, configure the Forefront UAG server as a RADIUS client, and specify a shared key (this key will be entered during DirectAccess deployment).

    3. Decide whether to allow Forefront UAG DirectAccess to automatically configure templates for the CA, or whether to configure them manually.