Configuring authentication options

Published: January 11, 2010

Updated: February 1, 2011

Applies To: Unified Access Gateway

This topic describes the following methods of authentication that Forefront UAG DirectAccess provides, and how to configure them:

  • Root and intermediate certificates—The Forefront UAG DirectAccess server uses root or intermediate certificates to verify the certificates sent by the DirectAccess client computers during IPsec authentication. Root certificates identify root certification authorities, and intermediate certificates identify intermediate certification authorities.

  • IP-HTTPS certificates—The certificate that authenticates the Forefront UAG DirectAccess server to an IP-HTTPS client. The IP-HTTPS certificate contains the URL of the Forefront UAG DirectAccess server that is resolvable through the Internet. DirectAccess clients are automatically configured to connect to the Forefront UAG DirectAccess server through the IPv4 Internet, in order to create IP-HTTPS based connectivity. DirectAccess clients perform certificate revocation checking on the IP-HTTPS certificate submitted by the Forefront UAG DirectAccess server. If you use a private Secure Sockets Layer (SSL) certificate, you must ensure that the certificate revocation list (CRL) distribution points configured in this certificate are accessible and available from the Internet. If these CRL distribution points are not accessible to DirectAccess clients, authentication fails for IP-HTTPS-based DirectAccess connections.

    For information about configuring CRL distribution points for Active Directory Certificate Services (AD CS), see Specify CRL Distribution Points.

  • Health certificates—Network Access Protection (NAP) controls access to network resources based on a client endpoint’s identity and compliance with corporate governance policy. If a DirectAccess client endpoint is not compliant, NAP provides a mechanism to automatically bring the client back into compliance, and then dynamically increase its level of network access. For DirectAccess client endpoints that do not comply with health requirement policies, their access is limited to management servers and domain controllers.

  • Smart card—Smart card authentication takes place on the IPsec gateway. When this option is selected, remote clients must use a smart card to be authenticated by the IPsec gateway (Forefront UAG DirectAccess server). Users can log on to their computers, have access to the infrastructure servers, and access the Internet without a smart card, but they require smart card authentication to access other intranet resources.

  • IPsec Cryptography settings—When DirectAccess clients and the Forefront UAG DirectAccess server communicate, IPsec performs a two-phase operation that establishes a secured connection between the two computers. During the first phase, the two computers establish a secure, authenticated channel, called the main mode security association (SA). The main mode SA is then used during the second phase to allow secure negotiation of the quick mode SA. The quick mode SA specifies the protection settings for matching TCP/IP data transferred between the two computers. The cryptography settings that IPsec uses should be identical on both computers. If your organization has existing cryptography settings enforced on client machines using Group Policy, you must ensure that the current organization main mode key exchange settings used for all IPsec negotiations are identical to the cryptography settings in Forefront UAG DirectAccess. For more information, see Customizing IPsec settings.
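The IP-HTTPS item above requires that every CRL distribution point in the certificate be reachable from the Internet. The following script is an added example, not part of the original topic or of Forefront UAG: it lists the distribution points in an exported copy of the IP-HTTPS certificate and tries to fetch each one. The `$CertPath` parameter and file name are hypothetical, and the script is meant to be run from a computer outside the corporate network.

```powershell
# Added example: check the CRL distribution points (CDPs) of the IP-HTTPS certificate.
# Run from an Internet-side computer against the exported public certificate (.cer).
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath   # hypothetical path, for example .\iphttps.cer
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Resolve-Path $CertPath).ProviderPath

# OID 2.5.29.31 is the CRL Distribution Points extension.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning "No CRL distribution points found in $($cert.Subject)"
    return
}

# Format($true) renders the extension as text; on English Windows each
# location appears as a "URL=..." entry (assumption: that text layout).
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
    ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    if ($url -notmatch '^https?://') {
        # ldap:// and file:// locations are typically resolvable only on the intranet.
        $result = 'not an HTTP(S) URL; typically intranet-only'
    } else {
        try {
            $req = [System.Net.WebRequest]::Create($url)
            $req.Timeout = 10000   # milliseconds
            $resp = $req.GetResponse()
            $result = "reachable, HTTP $([int]$resp.StatusCode), $($resp.ContentLength) bytes"
            $resp.Close()
        } catch {
            $result = "unreachable: $($_.Exception.Message)"
        }
    }
    New-Object PSObject -Property @{ Url = $url; Result = $result }
}
```

Running `certutil -verify -urlfetch` against the same file from the same computer performs the full chain and revocation check rather than only a download test.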

To configure the authentication options

  1. In the DirectAccess Server section of the wizard, on the Authentication Options page, select the root or intermediate certificate that verifies certificates sent by DirectAccess clients, as follows:

    • To use a root certificate, click Browse, select the required root certificate, and then click OK.

    • To use an intermediate certificate, click Use intermediate certificate, click Browse, select the required intermediate certificate, and then click OK.

  2. Select the certificate that authenticates the Forefront UAG DirectAccess server to a client connecting using IP-HTTPS, by clicking Browse, selecting the required IP-HTTPS certificate, and then clicking OK.

  3. If you want to change the IPsec cryptography settings, click Edit IPsec cryptography settings and select the relevant Integrity, Encryption and Key exchange algorithm, and then click OK.

    Forefront UAG DirectAccess (UP1 release) supports the Suite B cryptographic algorithms that were added to IPsec in Windows Vista Service Pack 1, in Windows Server 2008, and in Windows 7.

  4. Select the following authentication options, if they are deployed in your organization:

    • Clients that log on using a PKI smart card—When selected, client endpoints must use PKI smart cards.

    • Computers that comply with your organization's NAP policy—When selected, NAP policy is applied to client endpoints.

  5. Click Finish.

For instructions on how to configure the next stage of the Forefront UAG DirectAccess configuration wizard, see Specifying the network location server.