Planning the Placement of CRL Distribution Points

Applies To: Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2

Important

This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (https://go.microsoft.com/fwlink/?LinkId=179988).
CRL checking is enforced in Windows 7 and cannot be disabled. CRL checking is automatically disabled in Windows 8 and Windows 8.1.

Certificate revocation list (CRL) distribution points are a critical component of the following aspects of DirectAccess:

  • DirectAccess clients use certificate revocation checking to validate the DirectAccess server certificate for Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) connections. Without a reachable CRL distribution point on the Internet, all IP-HTTPS-based DirectAccess connections will fail.

  • DirectAccess clients use certificate revocation checking to validate the certificate for the HTTPS connection to the network location server. Without a reachable CRL distribution point on the intranet, intranet detection fails, which can impair intranet connectivity for DirectAccess clients.
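As an added check that is not part of this topic (example code, not Microsoft's), the following PowerShell script lists the CRL distribution points embedded in a certificate and tests whether each HTTP URL is reachable from the machine it runs on; the thumbprint and store path are placeholders. Run it from an Internet-connected host for the IP-HTTPS server certificate and from an intranet host for the network location server certificate, since DirectAccess clients need a reachable distribution point in both places.

```powershell
# Added example: enumerate a certificate's CRL distribution points (CDPs)
# and test whether each HTTP CDP can actually be downloaded from here.
# Thumbprint and store path are placeholders (assumptions), not page values.
param(
    [string]$Thumbprint = 'REPLACE-WITH-CERT-THUMBPRINT',   # placeholder
    [string]$StorePath  = 'Cert:\LocalMachine\My'           # assumed store
)

$cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in $StorePath" }

# The CDP extension is OID 2.5.29.31; Format($true) renders it as text with
# one "URL=..." entry per distribution point.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { throw "Certificate has no CRL Distribution Points extension" }

$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }

$results = foreach ($url in $urls) {
    if ($url -notmatch '^http://') {
        # LDAP CDPs are unreachable from Internet-based DirectAccess clients;
        # the IP-HTTPS server certificate needs an HTTP CDP as well.
        [pscustomobject]@{ Url = $url; Reachable = $false; Note = 'non-HTTP CDP' }
        continue
    }
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        # A 200 with a pkix-crl body means a client here can complete revocation checking.
        $ok = ($resp.StatusCode -eq 200) -and ($resp.RawContentLength -gt 0)
        [pscustomobject]@{
            Url       = $url
            Reachable = $ok
            Note      = "HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes, type '$($resp.Headers['Content-Type'])'"
        }
    } catch {
        [pscustomobject]@{ Url = $url; Reachable = $false; Note = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
if (-not ($results | Where-Object { $_.Reachable })) {
    Write-Warning "No CDP is reachable from this host: revocation checking will fail for clients in this location."
}
```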