Export (0) Print
Expand All

Where to Place the CRL Distribution Points

Updated: April 12, 2011

Applies To: Windows 7, Windows Server 2008 R2

ImportantImportant
This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

You need certificate revocation list (CRL) distribution points on both the intranet (for intranet detection) and the Internet (for Internet Protocol over Secure Hypertext Transfer Protocol [IP-HTTPS] connections).

For intranet detection, you must configure your public key infrastructure (PKI) to publish the CRL in a location that is resolvable and accessible from DirectAccess clients on the intranet. Use either a fully qualified domain name (FQDN) that does not match the intranet namespace or add the FQDN in the Name Resolution Policy Table (NRPT) as an exemption rule.

The CRL distribution point should be hosted on an intranet Web or file server that provides high availability and, depending on the number of DirectAccess clients, high capacity.

For IP-HTTPS connections, you must configure your PKI to publish the CRL in a location that is resolvable and accessible from DirectAccess clients on the Internet. Either use an FQDN that does not match the intranet namespace or add the FQDN in the NRPT as an exemption rule.

The CRL distribution point should be hosted on an Internet-facing and publically accessible Web or file server that provides high availability and, depending on the number of DirectAccess clients, high capacity.

For more information, see Configure Active Directory Certificate Services for CRL Locations and Configure a CRL Distribution Point for Certificates in the DirectAccess Deployment Guide.

noteNote
For ease of configuration, the DirectAccess test lab (http://go.microsoft.com/fwlink/?Linkid=150613) uses the URL http://crl.contoso.com/crld/corp-DC1-CA.crl for both Internet and intranet CRL distribution points. For the intranet, an A record in the intranet DNS resolves the name crl.contoso.com to the intranet IPv4 address of EDGE1, the DirectAccess server. For the Internet, an A record in the Internet DNS resolves the name crl.contoso.com to an Internet IPv4 address of EDGE1.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft