Selecting the CA for IPsec authentication in SP1
Published: October 21, 2010
Updated: February 1, 2011
Applies To: Unified Access Gateway
DirectAccess uses Internet Protocol security (IPsec) authentication to protect the tunnels between the Forefront UAG DirectAccess server and the DirectAccess client. This requires digital certificates in the local computer stores, issued by a public key infrastructure (PKI). For certificate authentication to succeed in DirectAccess, the two IPsec endpoints (the Forefront UAG DirectAccess server and the DirectAccess client) must trust a common root or intermediate certification authority (CA) that issues the certificates. Forefront UAG DirectAccess uses a single, common root or intermediate CA that is trusted by IPsec on both the Forefront UAG DirectAccess server and the DirectAccess client.
When DirectAccess clients and the Forefront UAG DirectAccess server communicate, IPsec performs a two-phase operation that establishes a secured connection between the two computers. During the first phase, the two computers establish a secure, authenticated channel, called the main mode security association (SA). The main mode SA is then used during the second phase for secure negotiation of the quick mode SA. The quick mode SA specifies the protection settings for matching TCP/IP data transferred between the two computers. The cryptography settings that IPsec uses must be identical on both computers. If your organization already enforces cryptography settings on client computers through group policy, you must ensure that the organization's main mode key exchange settings used for all IPsec negotiations are identical to the cryptography settings in Forefront UAG DirectAccess. For more information, see Customizing IPsec settings (http://go.microsoft.com/fwlink/?LinkId=166914).
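One way to check the requirement above, that the main mode settings enforced on clients by group policy match the settings chosen in Forefront UAG DirectAccess, is to capture netsh advfirewall show global on a client and diff its Main Mode section against the wizard's values. The following is an added example in Python, not code from the original topic or from Forefront UAG; the netsh output layout, the client capture and the UAG main mode values are all constructed assumptions.

```python
# Constructed sample output of "netsh advfirewall show global" on a client;
# the layout (a "Main Mode:" section with a SecMethods line) is assumed.
CLIENT_NETSH_OUTPUT = """\
Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck                        0:Disabled

Main Mode:
KeyLifetime                           480min,0sess
SecMethods                            DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
ForceDH                               No
"""

# Constructed: key exchange, encryption and integrity algorithms selected on
# the Main Mode tab of "Edit IPsec advanced security settings" in the wizard.
UAG_MAIN_MODE_METHODS = {"ECDHP256-AES128-SHA256", "DHGroup2-AES128-SHA1"}


def parse_main_mode_sec_methods(netsh_output):
    """Return the main mode security methods (KeyExchange-Encryption-Integrity)
    listed under the "Main Mode:" section of the netsh output, as a set."""
    in_main_mode = False
    for raw in netsh_output.splitlines():
        line = raw.strip()
        # Section headers are the only lines that end with a colon.
        if line.endswith(":"):
            in_main_mode = line == "Main Mode:"
            continue
        if in_main_mode and line.startswith("SecMethods"):
            value = line[len("SecMethods"):]
            return {m.strip() for m in value.split(",") if m.strip()}
    return set()


def compare_main_mode(client_methods, server_methods):
    """DirectAccess needs identical main mode settings on both IPsec endpoints;
    report what each side offers that the other does not."""
    return {
        "identical": client_methods == server_methods,
        "client_only": sorted(client_methods - server_methods),
        "server_only": sorted(server_methods - client_methods),
    }


if __name__ == "__main__":
    client = parse_main_mode_sec_methods(CLIENT_NETSH_OUTPUT)
    print(compare_main_mode(client, UAG_MAIN_MODE_METHODS))
```

Any method listed under client_only or server_only is a main mode proposal one side will never accept, so the two sets must be reconciled either in group policy or in the wizard before clients can establish the main mode SA.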
This topic describes how to select the root or intermediate CA that issues the IPsec certificates.
1. In the DirectAccess Server section of the wizard, on the IPsec Certificate Authentication page, depending on the CA that issues your certificates, click Use a certificate from a trusted root CA or Use a certificate from an intermediate CA, and then click Browse.
2. Select a certificate, and then click OK.
3. If you want to change the IPsec cryptography settings, click Edit IPsec advanced security settings, click the Main Mode tab, select the relevant Integrity, Encryption, and Key exchange algorithms, and then click OK. To edit the IPsec quick mode settings, click the Quick Mode tab, select the relevant Protocol, Integrity, and Encryption, and then click OK.
Note: Forefront UAG DirectAccess supports the Suite B cryptographic algorithms that were added to IPsec in Windows Vista Service Pack 1, in Windows Server 2008, and in Windows 7.
4. To complete the DirectAccess Server section of the wizard, click Finish.