Planning CAs and certificates for Forefront UAG DirectAccess SP1

This topic provides information about planning certificate requirements in your Forefront UAG DirectAccess deployment.

  • Overview

  • Requirements

  • Limitations

  • Planning steps

Overview

A Forefront UAG DirectAccess deployment requires the following certificates:

  • DirectAccess client computer—Each DirectAccess client computer requires a computer certificate that is used as follows:

    • When establishing the IPsec connection between the client and the DirectAccess server.

    • When using IP-HTTPS. The DirectAccess server validates the certificate before allowing the IP-HTTPS connection over the Internet.

  • DirectAccess server—The DirectAccess server requires a computer certificate to establish IPsec connections with DirectAccess client computers.

  • IP-HTTPS server—IP-HTTPS is an IPv6 transition technology that enables DirectAccess clients to connect to the DirectAccess server over the IPv4 Internet. After running the Forefront UAG DirectAccess Configuration Wizard, the Forefront UAG DirectAccess server is automatically configured to act as the IP-HTTPS Web server. The IP-HTTPS site requires a Web site certificate, and DirectAccess clients must be able to contact the certificate revocation list (CRL) site for the certificate.

  • Network location server—The network location server is a Web site used to detect whether DirectAccess clients are located in the corporate network. The network location server requires a Web site certificate. DirectAccess clients must be able to contact the CRL site for the certificate.

  • Network access protection (NAP)—You can optionally deploy NAP in order to enforce health requirements for DirectAccess client computers. The Health Registration Authority (HRA) server obtains health certificates on behalf of NAP clients determined as compliant with network health requirements. These health certificates are later used to authenticate NAP clients for IPsec-protected communications with other NAP clients on an intranet.

  • OTP authentication—Optionally, you can deploy Forefront UAG DirectAccess with two-factor authentication using a one-time password (OTP).

  • Smartcard authentication—You can optionally implement two-factor authentication with smartcards.

Requirements

Certificate requirements are as follows:

  1. An internal CA is required to issue computer certificates to the Forefront UAG DirectAccess server and clients for IPsec authentication.

  2. A CA is required to issue certificates for the IP-HTTPS server and the network location server. For IP-HTTPS, using an external CA ensures that the CRL is available externally.

  3. A CA is required if you are deploying OTP authentication. A dedicated CA must be used.

  4. A Windows-based CA must be used if you are deploying NAP. We recommend that a dedicated CA is used.

  5. If you want to use smart card authentication and you want to implement extended authentication and encryption to internal application servers, you must use Windows Server 2008 R2 AD DS.

Limitations

The following limitations apply:

  • We recommend not running CAs on the Forefront UAG DirectAccess server.

  • The CA used for OTP must be an enterprise CA running Windows Server 2008 R2.

  • The CA used for OTP must be located in the same forest as the Forefront UAG DirectAccess server. It should not be installed on the domain controller.

  • The CA used for OTP should not be used to issue other certificates for DirectAccess. Specifically, each OTP CA (and any parent CA it chains to) must not be the same as, or a parent of, the CA used for IPsec authentication or the CA used for NAP.

  • The CA used to issue NAP health certificates must be a Windows-based CA. In a large deployment, we recommend that a dedicated CA is used for performance reasons.

Planning steps

Planning steps are summarized in the following sections, one per planning stage.

Planning computer certificates for the Forefront UAG DirectAccess server and clients

When you configure DirectAccess settings in the Forefront UAG Management console, the Forefront UAG DirectAccess server and clients are configured by default to use certificates for IPsec authentication. The simplest way to install the required certificates is to configure Group Policy-based autoenrollment for computer certificates. This ensures that all domain members obtain a certificate from an enterprise CA. For more information, see Configure computer certificate autoenrollment in the TechNet library.

Planning website certificates for IP-HTTPS

Because the Forefront UAG DirectAccess server acts as an IP-HTTPS listener, you must manually install an HTTPS website certificate on the server. Note the following when obtaining the certificate:

  1. Using a public CA is recommended, so that CRLs are readily available.

  2. In the subject field, specify either the IPv4 address of the Internet adapter of the Forefront UAG DirectAccess server, or the FQDN of the IP-HTTPS URL.

  3. The common name of the certificate should match the name of the IP-HTTPS site.

  4. For the Enhanced Key Usage field, use the Server Authentication object identifier (OID).

  5. For the CRL Distribution Points field, specify a CRL distribution point that is accessible by DirectAccess clients that are connected to the Internet.

  6. The IP-HTTPS certificate must have a private key.

  7. The IP-HTTPS certificate must be imported directly into the Personal store.

  8. IP-HTTPS certificates can have wildcards in the name.

Planning website certificates for the network location server

  1. In the Subject field, specify either an IP address of the intranet interface of the network location server or the FQDN of the network location URL.

  2. For the Enhanced Key Usage field, use the Server Authentication OID.

  3. For the CRL Distribution Points field, specify a CRL distribution point that is accessible by DirectAccess clients that are connected to the intranet. This CRL distribution point should not be accessible from outside the internal network.
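The three certificate requirements above (the IPsec computer certificate, the IP-HTTPS certificate and the network location server certificate) differ only in the expected name, the required Enhanced Key Usage and where the CRL must be reachable from, so one check covers all of them. The following PowerShell function is an added example, not part of the Forefront UAG documentation or product: it inspects a certificate in the local computer's Personal store and reports which of the listed requirements it fails. Run it on the host whose vantage point matters (an Internet-connected host for the IP-HTTPS CRL, an intranet host for the network location server CRL). The thumbprints, host names and the `-CrlMustBeReachableFromHere` switch in the usage lines are placeholders and assumptions.

```powershell
# Added example, not from the Forefront UAG documentation. Audits a certificate in
# Cert:\LocalMachine\My against the DirectAccess certificate requirements.
# Thumbprints and names used in the usage lines at the bottom are placeholders.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Enhanced Key Usage: Client Authentication (IPsec computer cert)
$CdpOid        = '2.5.29.31'           # CRL Distribution Points extension

function Get-CertificateCdpUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid }
    if (-not $ext) { return @() }
    # Format($true) renders one "URL=..." entry per line; capture each URL
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlUrl {
    param([string]$Url)
    # Only HTTP(S) distribution points are fetched; LDAP points are reported but not tested
    if ($Url -notmatch '^https?://') { return $null }
    try {
        $client = New-Object System.Net.WebClient
        $bytes = $client.DownloadData($Url)
        return ($bytes.Length -gt 0)
    } catch { return $false }
}

function Test-DirectAccessCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [Parameter(Mandatory=$true)][string]$ExpectedName,   # FQDN or IP address expected in the Subject CN
        [string]$RequiredEkuOid = $ServerAuthOid,
        [switch]$CrlMustBeReachableFromHere
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint is not in the local computer Personal store" }
    $findings = @()

    # Subject CN must match the site name; a wildcard CN (allowed for IP-HTTPS) matches one label
    $cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN='
    $cnPattern = '^' + [regex]::Escape($cn).Replace('\*', '[^.]+') + '$'
    if ($ExpectedName -notmatch $cnPattern) { $findings += "Subject CN '$cn' does not match '$ExpectedName'" }

    # Enhanced Key Usage must include the required purpose OID
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $RequiredEkuOid) { $findings += "Enhanced Key Usage does not include $RequiredEkuOid" }

    # The server terminates TLS / IPsec with the key, so a private key must be present
    if (-not $cert.HasPrivateKey) { $findings += 'No private key is associated with the certificate' }

    # A CDP must be present; reachability is tested from the machine running this script
    $urls = @(Get-CertificateCdpUrls -Certificate $cert)
    if ($urls.Count -eq 0) { $findings += 'No CRL Distribution Points extension' }
    elseif ($CrlMustBeReachableFromHere) {
        foreach ($u in $urls) {
            if ((Test-CrlUrl -Url $u) -eq $false) { $findings += "CRL at $u could not be downloaded from this host" }
        }
    }

    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        CdpUrls    = $urls
        Findings   = $findings
        Compliant  = ($findings.Count -eq 0)
    }
}

# Usage (all values are placeholders):
# IP-HTTPS certificate, run from an Internet-connected host
# Test-DirectAccessCertificate -Thumbprint '<IP-HTTPS cert thumbprint>' -ExpectedName 'da.contoso.example' -CrlMustBeReachableFromHere
# Network location server certificate, run from an intranet host
# Test-DirectAccessCertificate -Thumbprint '<NLS cert thumbprint>' -ExpectedName 'nls.corp.contoso.example' -CrlMustBeReachableFromHere
# IPsec computer certificate on a DirectAccess client (Client Authentication EKU)
# Test-DirectAccessCertificate -Thumbprint '<computer cert thumbprint>' -ExpectedName 'client1.corp.contoso.example' -RequiredEkuOid $ClientAuthOid
```

The CRL test deliberately runs from wherever the script executes rather than from the DirectAccess server, because the requirement is about the client's view: an IP-HTTPS CRL that is only reachable inside the corporate network passes every check on the server and still breaks every remote client.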

Planning for NAP certificates

  1. An HRA must be associated with at least one NAP CA in order to obtain and issue NAP health certificates to compliant NAP client computers. If you install the Network Policy Server (NPS) and HRA roles on the Forefront UAG DirectAccess server during DirectAccess configuration, you must specify the CA used by the HRA. If you are using NPS and HRAs installed on a separate server, DirectAccess assumes that you already have a working dedicated CA for NAP.

  2. For optimal performance, it is recommended that you use a dedicated subordinate or root CA to issue health certificates.

  3. Enrollment and autoenrollment permissions for health certificates must be granted only to Forefront UAG DirectAccess servers.

  4. The NAP CAs must be in the same chain as the root or intermediate CA that verifies certificates sent by the DirectAccess clients.

  5. If you install the NPS and HRAs on the Forefront UAG DirectAccess server during DirectAccess configuration, the default health policies of the Windows Security Health Validator (WSHV) are enforced on the HRA.

  6. Forefront UAG DirectAccess servers must be granted Manage CA permission on the CA.

  7. Templates can be configured so that the subject name is supplied in the certificate request. This produces a security warning that automatically issuing such certificates without administrator approval is not secure. Restricting enrollment and autoenrollment permissions to Forefront UAG DirectAccess servers reduces this risk.

  8. The Forefront UAG DirectAccess server must be able to perform DNS reverse resolution of the CAs listed for NAP, so that the server can contact the CAs.

  9. Issued health certificate lifetimes are configured as follows:

    1. For an enterprise CA, it is configured in the template.

    2. For a standalone CA, it is configured by changing the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Configuration\HealthCertValidityPeriod. The HealthCertValidityPeriod value represents the time in minutes that the health certificate is valid. The default setting is 4 hours.
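Two of the NAP items above can be verified from the Forefront UAG DirectAccess server itself: the health certificate lifetime configured for a standalone CA (step 9) and the requirement that the NAP CAs chain to the same root or intermediate CA as the certificates presented by DirectAccess clients (step 4). The following PowerShell is an added example and is not part of the Forefront UAG documentation or product; it reads the HealthCertValidityPeriod registry value named above (falling back to the documented 4-hour default when the value is absent) and compares the trust root of a NAP CA certificate with that of the CA that issues the IPsec computer certificates. The two certificate file paths are placeholders, and comparing root thumbprints is this example's own interpretation of "the same chain".

```powershell
# Added example, not from the Forefront UAG documentation. Certificate file paths
# passed to Test-NapCaSharesRoot are placeholders.

function Get-HealthCertValidityPeriod {
    # Registry value documented for a standalone NAP CA; minutes, default 4 hours (240)
    $key = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\Configuration'
    $minutes = 240
    $item = Get-ItemProperty -Path $key -Name HealthCertValidityPeriod -ErrorAction SilentlyContinue
    if ($item) { $minutes = [int]$item.HealthCertValidityPeriod }
    [TimeSpan]::FromMinutes($minutes)
}

function Get-ChainRootThumbprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only the trust path is of interest here, so revocation is not consulted
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        throw "Chain for '$($Certificate.Subject)' does not build on this machine: $status"
    }
    # The last element of a successfully built chain is the trust anchor
    $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
}

function Test-NapCaSharesRoot {
    param(
        [Parameter(Mandatory=$true)][string]$NapCaCertPath,    # exported .cer of the NAP (health) CA
        [Parameter(Mandatory=$true)][string]$IpsecCaCertPath   # exported .cer of the CA issuing IPsec computer certs
    )
    $nap   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $NapCaCertPath
    $ipsec = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $IpsecCaCertPath
    $napRoot   = Get-ChainRootThumbprint -Certificate $nap
    $ipsecRoot = Get-ChainRootThumbprint -Certificate $ipsec
    New-Object PSObject -Property @{
        NapCa      = $nap.Subject
        IpsecCa    = $ipsec.Subject
        NapRoot    = $napRoot
        IpsecRoot  = $ipsecRoot
        SharedRoot = ($napRoot -eq $ipsecRoot)
    }
}

# Usage (placeholder paths):
# Get-HealthCertValidityPeriod
# Test-NapCaSharesRoot -NapCaCertPath 'C:\pki\nap-ca.cer' -IpsecCaCertPath 'C:\pki\ipsec-issuing-ca.cer'
```

A short health certificate lifetime limits how long a client that has since fallen out of compliance can keep using the certificate, so if the registry value has been raised well above the default it is worth confirming that this was intentional.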

Planning for OTP certificates

Configure a dedicated enterprise CA running Windows Server 2008 that is not used for any other purpose. Note the following:

  1. We recommend you use an intermediate CA with the root CA offline. With this model, if the intermediate CA is breached, the root CA can simply revoke its certificate.

  2. You can specify multiple CAs for OTP, but they must all chain to a single common CA.

  3. The CA must be used for OTP only.

  4. The CA should be working and available before deploying DirectAccess. During DirectAccess deployment, connectivity to the CAs is validated. Note that connectivity to CAs that have only IPv6 addresses is not validated during deployment, although such CAs can be used for OTP authentication.

  5. You can create CA certificate templates before deploying Forefront UAG DirectAccess. Alternatively, you can decide to let Forefront UAG DirectAccess automatically configure selected CA templates when the Forefront UAG administrator runs the DirectAccess Configuration Wizard.

  6. To use manually configured templates, you create customized templates based on the user and workstation templates. After creating the templates, ensure that all other templates on the CA are deleted.

  7. The customized user template is used to issue OTP certificates for DirectAccess users. If you are creating it manually note the following:

    • The Forefront UAG DirectAccess server (or each array member) should have read and enroll permissions for the template. Authenticated users require read permissions. All other users should be denied access.

    • The lifetime of issued certificates should not be more than 24 hours. Eight hours is recommended, to align with the Kerberos ticket lifetime.

    • We recommend that you do not publish the certificate in Active Directory, in order to reduce storage requirements and improve performance.

    • The private key of the certificate must not be exportable.

    • The subject name of the certificate should be set to be supplied in the request. This ensures that the subject name matches the OTP user name, and not the name of the DirectAccess server that actually performs the certificate request.

    • Certificates and requests should not be stored in the CA database.

  8. The customized workstation template is installed on the Forefront UAG DirectAccess server. Note the following:

    • Each Forefront UAG DirectAccess server (or array member) should have read, enroll, and autoenroll permissions. Authenticated users require read permissions. Deny Enroll permissions to all other users.
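Most of the requirements for the customized OTP user template above are stored as attributes on the template object in the Configuration partition of Active Directory, so they can be audited after the template has been created, whether by hand or by the Configuration Wizard. The following PowerShell is an added example and is not part of the Forefront UAG documentation or product. It reads the template with the ActiveDirectory module and checks the validity period, the "supply in the request" subject setting, key exportability, publication to Active Directory, and which principals hold Enroll or Autoenroll on the template ACL. The flag bits and extended-right GUIDs are the documented MS-CRTD values; the template name and the list of allowed server accounts are placeholders. The "do not store certificates and requests in the CA database" setting is not checked here.

```powershell
# Added example, not from the Forefront UAG documentation. Requires the
# ActiveDirectory module (RSAT). Template name and account names are placeholders.
Import-Module ActiveDirectory

# Flag bits from the certificate template attributes (MS-CRTD)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: subject supplied in the request
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag: private key may be exported
$CT_FLAG_PUBLISH_TO_DS             = 0x8    # msPKI-Enrollment-Flag: publish certificate in Active Directory
# Extended-right GUIDs that grant Enroll and Autoenroll on a template ACL
$EnrollRightGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollRightGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Get-TemplateDn {
    param([string]$TemplateName)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
}

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod is an 8-byte little-endian negative count of 100 ns intervals
    param([byte[]]$Bytes)
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

function Test-OtpUserTemplate {
    param(
        [Parameter(Mandatory=$true)][string]$TemplateName,
        # Accounts that may hold Enroll/Autoenroll: the UAG DirectAccess server (or array member) computer accounts
        [Parameter(Mandatory=$true)][string[]]$AllowedEnrollPrincipals,
        [int]$MaxLifetimeHours = 24
    )
    $dn = Get-TemplateDn -TemplateName $TemplateName
    $t = Get-ADObject -Identity $dn -Properties pKIExpirationPeriod, 'msPKI-Certificate-Name-Flag', 'msPKI-Private-Key-Flag', 'msPKI-Enrollment-Flag'
    $findings = @()

    # Lifetime: not more than 24 hours (8 hours recommended)
    $lifetime = ConvertFrom-PkiPeriod -Bytes $t.pKIExpirationPeriod
    if ($lifetime.TotalHours -gt $MaxLifetimeHours) { $findings += "Validity period $lifetime exceeds $MaxLifetimeHours hours" }

    # Subject must come from the request so it names the OTP user, not the requesting server
    if (-not ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)) { $findings += 'Subject name is not supplied in the request' }
    if ($t.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) { $findings += 'Private key is exportable' }
    if ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PUBLISH_TO_DS) { $findings += 'Certificate is published in Active Directory' }

    # Enroll / Autoenroll must be held only by the DirectAccess server accounts.
    # Read permissions (needed by authenticated users) are not extended rights and are not flagged.
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band $extendedRight) -eq 0) { continue }
        # An empty ObjectType means all extended rights (also the case for GenericAll)
        $grantsEnroll = ($ace.ObjectType -eq $EnrollRightGuid) -or ($ace.ObjectType -eq $AutoenrollRightGuid) -or ($ace.ObjectType -eq [guid]::Empty)
        if ($grantsEnroll -and ($AllowedEnrollPrincipals -notcontains $ace.IdentityReference.Value)) {
            $findings += "Enroll/Autoenroll is granted to unexpected principal $($ace.IdentityReference.Value)"
        }
    }

    New-Object PSObject -Property @{
        Template  = $TemplateName
        Lifetime  = $lifetime
        Findings  = $findings
        Compliant = ($findings.Count -eq 0)
    }
}

# Usage (placeholders): the OTP user template name and the UAG array members' computer accounts
# Test-OtpUserTemplate -TemplateName 'DirectAccessOTPUser' -AllowedEnrollPrincipals @('CONTOSO\UAGDA1$', 'CONTOSO\UAGDA2$')
```

Because the template lets the enrollee supply the subject, every account that holds Enroll on it can request a certificate for any user name; that is why the ACL check treats any Enroll, Autoenroll or all-extended-rights grant outside the listed server accounts as a finding, and why the same check is worth running again after the Configuration Wizard or a later administrator edit has touched the template.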

Planning for smartcard certificates

Smart card authentication in DirectAccess can be used in addition to standard authentication using a computer certificate, user name, and password. Smart card authentication takes place on the IPsec gateway. DirectAccess clients must use a smart card to be authenticated by the Forefront UAG DirectAccess server. Users can log on to their computers, access infrastructure servers, and the Internet without a smart card. Smart card authentication is required to connect to internal resources. Note the following:

  • You should design your PKI to replicate the entire smart card certificate chain to the current user certificate store in a timely manner. If the PKI is slow in replicating the certificate chain, users who obtain a smart card certificate and then leave the intranet are unable to use smart card authentication. To correct this, they might have to return to the intranet and log on with their smart card credentials to force the PKI to install the entire certificate chain in the local user's certificate store.