Export (0) Print
Expand All

Selecting an IP-HTTPS certificate on the Forefront UAG DirectAccess server in SP1

Published: October 21, 2010

Updated: February 1, 2011

Applies To: Unified Access Gateway

IP-HTTPS is a transition technology used by DirectAccess clients connecting over IPv4. The Forefront UAG DirectAccess server acts as an IP-HTTPS Web server and uses its server certificate to authenticate to IP-HTTPS clients.

The IP-HTTPS certificate must contain the URL of the Forefront UAG DirectAccess server that is resolvable through the Internet.

DirectAccess clients:

  • Are automatically configured to connect to the Forefront UAG DirectAccess server through the IPv4 Internet, in order to create IP-HTTPS based connectivity.

  • Perform certificate revocation checking the IP-HTTPS certificate submitted by the Forefront UAG DirectAccess server.

  1. In the DirectAccess Server section of the wizard, on the IP-HTTPS Certificate page, click Browse.

  2. Select the certificate that authenticates the Forefront UAG DirectAccess server to a DirectAccess client connecting using IP-HTTPS, and click OK.

    noteNote:

    • DirectAccess clients must trust the certification authority that issues the server certificate.

    • If you use a private Secure Sockets Layer (SSL) certificate, you must ensure that the certificate revocation list (CRL) distribution points configured in this certificate are accessible and available from the Internet. If these CRL distribution points are not accessible to DirectAccess clients, authentication fails for IP-HTTPS-based DirectAccess connections.

      For information about configuring CRL distribution points for Active Directory Certificate Services (AD CS), see Specify CRL Distribution Points (http://go.microsoft.com/fwlink/?LinkId=154420).

    ImportantImportant:
    If you intend deploying NAP note the following:

    • The Forefront UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections from DirectAccess clients on the Internet. To connect to the IP-HTTPS listener on the Forefront UAG DirectAccess, the DirectAccess client needs to be able to resolve the FQDN of the IP-HTTPS server, configured in the client GPO.

      NAP integration configures the HRA URL based on the same FQDN as the IP-HTTPS server chosen for IP-HTTPS. If the IP-HTTPS URL is not resolvable clients may still have DA connectivity using Teredo or 6to4. However when NAP is in enforcement mode and the IP-HTTPS URL is not resolvable, no DirectAccess clients will retrieve a health certificate, and all DirectAccess clients will be prevented from accessing the intranet

    • Ensure that the IP-HTTPS certificate you select in the Forefront UAG DirectAccess Configuration Wizard is valid before you apply the Forefront UAG DirectAccess configuration. NAP uses this IP-HTTPS certificate, and if the IP-HTTPS certificate is changed in the Forefront UAG DirectAccess Configuration Wizard once the configuration has been applied and the HRA and NPS have been created on the Forefront UAG DirectAccess server, DirectAccess clients will be unable retrieve a health certificate, and all DirectAccess clients will be prevented from accessing the intranet.

  3. Click Next.

    noteNote:

    • When there is no IPv6 infrastructure on your intranet, the Forefront UAG DirectAccess server is automatically configured as an ISATAP router. It derives 6to4-based organization, IP-HTTPS and NAT64 IPv6 prefixes, and skips to the IPsec Certificate Authentication page.

    • When there is an existing IPv6 infrastructure on your intranet, the Prefix Configuration page appears.

 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft