Where to Place the CRL Distribution Points

Applies To: Windows 7, Windows Server 2008 R2

Important

This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (https://go.microsoft.com/fwlink/?LinkId=179988).

You need certificate revocation list (CRL) distribution points on both the intranet (for intranet detection) and the Internet (for Internet Protocol over Secure Hypertext Transfer Protocol [IP-HTTPS] connections).

Intranet location for intranet detection

For intranet detection, you must configure your public key infrastructure (PKI) to publish the CRL in a location that is resolvable and accessible from DirectAccess clients on the intranet. Either use a fully qualified domain name (FQDN) that does not match the intranet namespace, or add the FQDN to the Name Resolution Policy Table (NRPT) as an exemption rule.

The CRL distribution point should be hosted on an intranet Web or file server that provides high availability and, depending on the number of DirectAccess clients, high capacity.

Internet location for IP-HTTPS connections

For IP-HTTPS connections, you must configure your PKI to publish the CRL in a location that is resolvable and accessible from DirectAccess clients on the Internet. Either use an FQDN that does not match the intranet namespace, or add the FQDN to the NRPT as an exemption rule.

The CRL distribution point should be hosted on an Internet-facing and publicly accessible Web or file server that provides high availability and, depending on the number of DirectAccess clients, high capacity.
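The FQDN rule stated for both the intranet and the Internet location above (an FQDN outside the intranet namespace, or an exemption rule) follows from how the NRPT routes DNS queries: names that match an intranet namespace rule are sent to intranet DNS servers, which a client on the Internet can reach only after the DirectAccess tunnels are up, while exempted and unmatched names use the normal interface DNS servers. The following is an added worked example, not part of this topic or of Windows; it is a simplified Python model of that decision (longest matching namespace wins, a rule with no DNS servers is an exemption) using constructed rule names, namespaces and CRL FQDNs, and it shows the three cases: a CRL FQDN outside the namespace, one inside the namespace without an exemption, and the same name with an exemption rule.

```python
"""Simplified model of how a DirectAccess client's Name Resolution Policy
Table (NRPT) decides where a DNS query is sent.  Added illustration, not
Microsoft code; the namespaces, DNS server addresses and CRL FQDNs below
are constructed for the example.

NRPT behaviour modelled here (a simplification):
  * A rule is keyed by a namespace: a suffix (".corp.contoso.com") or a
    single FQDN ("nls.corp.contoso.com").
  * When several rules match, the longest (most specific) namespace wins.
  * A rule that lists DNS servers sends the query to those intranet
    servers, reachable only over the DirectAccess tunnels.
  * A rule with NO DNS servers is an exemption: the name is resolved with
    the ordinary interface-configured DNS servers.
  * A name that matches no rule is also resolved with interface DNS.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class NrptRule:
    namespace: str                                         # ".suffix" or exact FQDN
    dns_servers: List[str] = field(default_factory=list)   # empty list -> exemption

    def matches(self, fqdn: str) -> bool:
        name = fqdn.lower().rstrip(".")
        ns = self.namespace.lower().rstrip(".")
        if ns.startswith("."):
            # Suffix rule: "crl.corp.contoso.com" matches ".corp.contoso.com".
            return name.endswith(ns)
        return name == ns                                  # exact FQDN rule


def resolve_via(fqdn: str, rules: List[NrptRule]) -> str:
    """Return 'intranet' if the query goes to intranet DNS servers (only
    reachable once the tunnels exist) or 'interface' if it uses the normal
    interface DNS servers (reachable before any tunnel is established)."""
    matching = [r for r in rules if r.matches(fqdn)]
    if not matching:
        return "interface"
    best = max(matching, key=lambda r: len(r.namespace.rstrip(".")))
    return "intranet" if best.dns_servers else "interface"


def crl_location_ok(crl_fqdn: str, rules: List[NrptRule]) -> bool:
    """A CRL distribution point must be resolvable before the DirectAccess
    tunnels exist, so its FQDN has to resolve through interface DNS."""
    return resolve_via(crl_fqdn, rules) == "interface"


# Constructed intranet namespace rule: everything under corp.contoso.com goes
# to an intranet DNS server (address is a documentation-range placeholder).
INTRANET_RULES = [NrptRule(".corp.contoso.com", ["2001:db8::53"])]

# Same namespace rule plus an exemption for a CRL name inside the namespace.
RULES_WITH_EXEMPTION = INTRANET_RULES + [NrptRule("crl.corp.contoso.com")]


def evaluate_cases() -> dict:
    """Evaluate the three placement cases discussed in the text."""
    return {
        # FQDN outside the intranet namespace: no rule needed.
        "outside_namespace": crl_location_ok("crl.contoso.com", INTRANET_RULES),
        # FQDN inside the namespace, no exemption: routed to intranet DNS.
        "inside_no_exemption": crl_location_ok("crl.corp.contoso.com", INTRANET_RULES),
        # Same FQDN with an exemption rule: resolved via interface DNS.
        "inside_with_exemption": crl_location_ok("crl.corp.contoso.com", RULES_WITH_EXEMPTION),
    }


if __name__ == "__main__":
    for case, ok in evaluate_cases().items():
        print(f"{case}: {'usable' if ok else 'NOT usable before tunnels are up'}")
```

The exemption rule only affects the one CRL FQDN: another name in the namespace, such as a constructed `app.corp.contoso.com`, still resolves through the intranet DNS servers, which is the behaviour you want for everything except the CRL and the network location server.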

For more information, see Configure Active Directory Certificate Services for CRL Locations and Configure a CRL Distribution Point for Certificates in the DirectAccess Deployment Guide.

Note

For ease of configuration, the DirectAccess test lab (https://go.microsoft.com/fwlink/?Linkid=150613) uses the URL https://crl.contoso.com/crld/corp-DC1-CA.crl for both Internet and intranet CRL distribution points. For the intranet, an A record in the intranet DNS resolves the name crl.contoso.com to the intranet IPv4 address of EDGE1, the DirectAccess server. For the Internet, an A record in the Internet DNS resolves the name crl.contoso.com to an Internet IPv4 address of EDGE1.