Certificate revocation checking

The following types of connections require a certificate revocation check:

  1. **The IP-HTTPS connection between the DirectAccess client and the Forefront UAG DirectAccess server—**If the certificate revocation check fails, DirectAccess clients cannot make IP-HTTPS-based connections to a Forefront UAG DirectAccess server. Thus, an Internet-based CRL distribution point location must be present in the IP-HTTPS certificate and accessible by DirectAccess clients that are connected to the Internet.

  2. **The HTTPS-based connection between the DirectAccess client and the network location server—**If the certificate revocation check fails, DirectAccess clients cannot successfully access an HTTPS-based URL on the network location server, and cannot determine whether they are connected to the intranet. This can cause domain connectivity issues. Thus, an intranet-based CRL distribution point location must be present in the network location server certificate and accessible by DirectAccess clients that are connected to the intranet, even when there are DirectAccess rules in the NRPT.

In both cases, the CRL distribution point must be highly accessible. CRL distribution points can be accessed through the following:

  1. Web servers using an HTTP-based URL, such as https://crl.corp.contoso.com/crld/corp-DC1-CA.crl

  2. File servers accessed through a universal naming convention (UNC) path, such as \\crl.corp.contoso.com\crld\corp-DC1-CA.crl

If your intranet CRL distribution points are only reachable over IPv6, you must configure a Windows Firewall with Advanced Security connection security rule that exempts traffic from the IPv6 address space of your intranet to the IPv6 addresses of your CRL distribution points from IPsec protection. This can also be configured by adding the IPv6 address of the CRL distribution point to the UAG_NID_ADDRESS static parameter. For more information, see Modifying the Forefront UAG DirectAccess export script.

Enabling CRL checking for IPsec authentication

By default, IPsec peer authentication with certificates does not perform certificate revocation checking. If you revoke the computer certificate of a DirectAccess client, the client can still make IPsec-authenticated connections to the Forefront UAG DirectAccess server. Enabling certificate revocation checking for IPsec authentication and revoking computer certificates is one way of blocking DirectAccess for specific DirectAccess clients. A simpler and preferred method is to disable the computer account in Active Directory. This method prevents DirectAccess connections immediately (for example, when a laptop is lost or stolen) and does not have the delay associated with propagating the new CRL.

If you want to use certificate revocation checking for certificate-based IPsec authentication, there are two levels:

  1. In the first level, known as weak CRL checking, certificate revocation checking fails only if the validating computer confirms that the certificate has been revoked by checking the CRL. Forefront UAG DirectAccess uses weak CRL checking by default.

  2. In the second level, known as strong CRL checking, certificate revocation checking fails if the validating computer confirms that the certificate has been revoked or for any error encountered during certificate revocation checking, including the inability to access the CRL distribution point. Note the following:

    1. If you enable strong CRL checking and the Forefront UAG DirectAccess server cannot reach the CRL distribution point, certificate-based IPsec authentication for all DirectAccess connections fails.

    2. If you are using NAP with Forefront UAG DirectAccess and you enable strong CRL checking, certificate-based IPsec authentication for all DirectAccess connections fails. Health certificates do not contain CRL distribution points because their lifetime is on the order of hours, instead of years for computer certificates.
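As an added example (not code from the Forefront UAG product or this documentation), the following PowerShell checks that each DirectAccess certificate's CRL distribution point is reachable before strong CRL checking is turned on, and shows the Windows Firewall IPsec setting that selects the level. The certificate subject names are assumed, and the script is assumed to run where the relevant CDP must be reachable from: the Forefront UAG DirectAccess server for the intranet CDP, an Internet-connected client for the IP-HTTPS CDP.

```powershell
# Added example, not part of the Forefront UAG documentation: before moving to strong CRL checking,
# confirm the CRL distribution point (CDP) of each DirectAccess certificate is reachable from this host.
# Assumes both certificates are in the local machine Personal store; the subject names are hypothetical.
$subjects = @{
    'IP-HTTPS certificate (Internet-facing CDP)' = 'CN=da.contoso.com'
    'Network location server (intranet CDP)'     = 'CN=nls.corp.contoso.com'
}

function Get-CrlDistributionPoint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 is the CRL Distribution Points extension
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format() renders the extension as text; pull every URL= entry out of it
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CdpReachable {
    param([string]$Url)
    if ($Url -like 'file:*') {
        # UNC-style CDP (file://\\server\share\name.crl): check the file is readable
        return Test-Path -Path ($Url -replace '^file:(//)?', '')
    }
    try {
        $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        return $true
    } catch { return $false }
}

foreach ($role in $subjects.Keys) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $subjects[$role] } | Select-Object -First 1
    if (-not $cert) { Write-Warning "$role : no certificate with subject $($subjects[$role])"; continue }
    $urls = @(Get-CrlDistributionPoint -Certificate $cert)
    if ($urls.Count -eq 0) {
        # No CDP at all: strong CRL checking would reject this certificate outright
        Write-Warning "$role : certificate carries no CRL distribution point"
        continue
    }
    foreach ($url in $urls) {
        $state = if (Test-CdpReachable -Url $url) { 'reachable' } else { 'UNREACHABLE' }
        Write-Output ("{0}: {1} is {2}" -f $role, $url, $state)
    }
}

# Current IPsec CRL mode: 1 = weak (fail only on a confirmed revocation), 2 = strong (fail on any error)
netsh advfirewall show global | Select-String 'StrongCRLCheck'
# Switch to strong checking only once every CDP above reports reachable:
# netsh advfirewall set global ipsec strongcrlcheck 2
```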