DirectAccess and certificates

Hello All,

I am trying to set up UAG/DirectAccess and I read IP-HTTPS needs a certificate to allow clients to connect.
Unfortunately, I'm not a PKI specialist and I know we have an NLS server that holds the certificates (for external use, webservers) and CRLs.
I have also been advised that we should buy a new official certificate for this DirectAccess server.

Can you please be of help on certificate requirements?

Thanks.


April 4th, 2011 1:14pm

Hi,

1) Public certificate

Type: Web Server
CRL: Reachable on Internet
Subject: public FQDN
Extended Key Usage: Server Authentication

2) Private certificate

Type: Computer (L2TP/IPSec)
Extended Key Usage: Server Authentication
Subject: Internal FQDN
SAN: DNS name of the server

3) Client certificate

April 4th, 2011 2:42pm
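
As an added example (not part of the thread or of Microsoft's guidance), this PowerShell checks a certificate against the public IP-HTTPS rows listed in the reply above: subject, Server Authentication EKU, and an HTTP CRL distribution point. The function name `Test-IpHttpsCertificate` and the host `da.example.com` are hypothetical, and it assumes PowerShell 5 or later with .NET Framework 4.7.2 or newer.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-IpHttpsCertificate {   # hypothetical helper name, not a built-in cmdlet
    param(
        [Parameter(Mandatory)] [X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $PublicFqdn
    )
    $findings = @()

    # Subject: must be the public FQDN that clients connect to.
    $cn = $Certificate.GetNameInfo([X509NameType]::SimpleName, $false)
    if ($cn -ne $PublicFqdn) { $findings += "Subject CN '$cn' is not '$PublicFqdn'" }

    # Extended Key Usage: Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    if (-not $eku -or $eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1') {
        $findings += 'EKU lacks Server Authentication'
    }

    # CRL: the CDP extension (OID 2.5.29.31) must list at least one HTTP URL,
    # since the CRL has to be reachable on the Internet.
    $cdp  = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $urls = @()
    if ($cdp) {
        $urls = @([regex]::Matches($cdp.Format($false), 'https?://[^\s,)]+') |
                  ForEach-Object { $_.Value })
    }
    if ($urls.Count -eq 0) { $findings += 'No HTTP CRL distribution point' }

    [pscustomobject]@{
        Subject = $cn; CrlUrls = $urls; Findings = $findings
        Pass    = ($findings.Count -eq 0)
    }
}

# Constructed sample: an in-memory self-signed certificate for the placeholder
# name da.example.com, with the Server Authentication EKU and no CDP extension.
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=da.example.com', $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$oids = [OidCollection]::new()
[void]$oids.Add([Oid]::new('1.3.6.1.5.5.7.3.1'))
$req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
Test-IpHttpsCertificate -Certificate $sample -PublicFqdn 'da.example.com'
```

The script only confirms that an HTTP CRL URL is present in the certificate; whether that URL is actually reachable from the Internet still has to be tested from an external host.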

Have a look at this: http://technet.microsoft.com/en-us/library/ee406213.aspx

I would follow this guidance, but use a certificate from a public CA for the IP-HTTPS elements of UAG DirectAccess.

Cheers

JJ

April 4th, 2011 3:19pm

Thanks Jason.

I think it is possible also to have a server in the DMZ that delivers certificates.

Which one would you recommend in terms of efficiency and security? The cost here is not considered because of server virtualization and quite low cost for a public certificate.

Thanks

April 4th, 2011 3:47pm

Just save yourself a world of pain with publishing internal PKI CRLs and get a public certificate ;)
April 4th, 2011 3:49pm

I use internal PKI for DirectAccess; free Windows Azure websites make the publishing of the CRLs very easy!
September 26th, 2013 8:31am

This topic is archived. No further replies will be accepted.


Type: Computer (L2TP/IPSec)
Extended Key Usage: Client Authentication
Subject: Internal FQDN
SAN: DNS name of the client