Planning for IP-HTTPS

This topic provides information about planning IP-HTTPS in your Forefront Unified Access Gateway (UAG) DirectAccess deployment.

  • Overview

  • Requirements

  • Limitations

  • Planning steps

Overview

IP-HTTPS is a transition technology that encapsulates IPv6 packets in an IPv4 header. It is used by DirectAccess clients that cannot connect to the Forefront UAG DirectAccess server using the other IPv6 connectivity methods, or when force tunneling has been configured. For example, when a client is behind a NAT device or firewall with a private IP address, and the NAT device or firewall is configured to allow only HTTP/HTTPS outbound traffic, the client uses IP-HTTPS. HTTPS is used instead of HTTP so that Web proxy servers do not attempt to examine the data stream and close the connection. IP-HTTPS is also used as a fallback method when clients are unable to connect using any other method. Performance over IP-HTTPS may be lower than with the other connection protocols, because SSL overhead is added to IPsec overhead, with HTTP as the transport protocol. For more information, see IP over HTTPS (IP-HTTPS) Tunneling Protocol Specification.

After configuring Forefront UAG DirectAccess, the Forefront UAG DirectAccess server is automatically configured to act as the IP-HTTPS Web server. DirectAccess clients that receive the client GPO are automatically configured to connect to the Forefront UAG DirectAccess server through the IPv4 Internet, in order to connect using IP-HTTPS connectivity. Clients are also configured to perform certificate revocation checking on the IP-HTTPS certificate presented by the Forefront UAG DirectAccess server.

Requirements

  1. The Forefront UAG DirectAccess server acting as an IP-HTTPS web server requires a website certificate to authenticate to DirectAccess clients.

  2. DirectAccess clients must trust the certification authority (CA) that issued the website certificate.

  3. DirectAccess clients must be able to contact the certificate revocation list (CRL) site for the certificate.

  4. Using a public CA is recommended, so that CRLs are readily available.

Limitations

The IP-HTTPS FQDN is used not only for IP-HTTPS connections, but also in the Forefront UAG DirectAccess implementation of network access policy (NAP) enforcement, and in force tunneling. For force tunneling it is important that the IP-HTTPS FQDN is not resolvable from inside the corporate network; otherwise unexpected connectivity issues might arise. Even when force tunneling is not used, it is recommended that the FQDN is not resolvable from inside the corporate network.

Planning steps

  1. No planning steps are required to create the IP-HTTPS Web server. This is configured automatically by the DirectAccess configuration wizard.

  2. Obtain a website certificate for the IP-HTTPS website on the Forefront UAG DirectAccess server. Note the following:

    1. The common name of the certificate should match the name of the IP-HTTPS site.

    2. In the subject field, specify either the IPv4 address of the Internet adapter of the Forefront UAG DirectAccess server, or the FQDN of the IP-HTTPS URL.

    3. For the Enhanced Key Usage field, use the Server Authentication object identifier (OID).

    4. For the CRL Distribution Points field, specify a CRL distribution point that is accessible by DirectAccess clients that are connected to the Internet.

    5. The IP-HTTPS certificate must have a private key.

    6. The IP-HTTPS certificate must be imported directly into the personal store.

    7. IP-HTTPS certificates can have wildcards in the name.

  3. Ensure the FQDN of the IP-HTTPS server is resolvable from the Internet.

  4. Ensure that the CRL for the IP-HTTPS certificate can be reached by DirectAccess clients on the Internet.
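The certificate requirements in step 2 and the CRL requirement in step 4 can be checked on the Forefront UAG DirectAccess server before the wizard is run. The following PowerShell is an added example, not tooling from the product or from this documentation; it assumes the certificate is in the computer's personal store (Cert:\LocalMachine\My), uses the hypothetical IP-HTTPS name da.contoso.com, and its optional CRL fetch only proves reachability from the host it runs on, not from DirectAccess clients on the Internet.

```powershell
# Added example (not Forefront UAG's own tooling): check the personal store for an IP-HTTPS certificate.
function Test-IpHttpsCertificateName {
    param([string] $Name, [string] $Target)
    if ($Name -ieq $Target) { return $true }           # exact FQDN or IPv4 address match
    # Wildcard certificates are permitted; a wildcard covers exactly one leftmost label.
    $n = $Name -split '\.'; $t = $Target -split '\.'
    if ($n[0] -ne '*' -or $n.Count -lt 2 -or $n.Count -ne $t.Count) { return $false }
    return (($n[1..($n.Count - 1)] -join '.') -ieq ($t[1..($t.Count - 1)] -join '.'))
}
function Test-IpHttpsCertificate {
    param(
        [Parameter(Mandatory)] [string] $IpHttpsName,   # FQDN of the IP-HTTPS URL, or Internet adapter IPv4
        [switch] $TestCrlReachability                  # fetch each CRL URL from this host
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'             # Enhanced Key Usage: Server Authentication
    $sanOid = '2.5.29.17'; $cdpOid = '2.5.29.31'     # Subject Alternative Name, CRL Distribution Points
    # Requirement: the certificate must sit in the computer's personal (My) store.
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } |
               Select-Object -First 1) -replace '^CN=', ''
        $sanNames = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid } |
            ForEach-Object { [regex]::Matches($_.Format($true), 'DNS Name=(\S+)') } |
            ForEach-Object { $_.Groups[1].Value }
        $nameOk = @((@($cn) + @($sanNames)) |
            Where-Object { Test-IpHttpsCertificateName -Name $_ -Target $IpHttpsName }).Count -gt 0
        $ekuOk = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } | Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0
        $cdpExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
        $crlUrls = @(if ($cdpExt) { [regex]::Matches($cdpExt.Format($true), 'https?://[^\s\)]+') | ForEach-Object { $_.Value } })
        $crlOk = $crlUrls.Count -gt 0
        if ($crlOk -and $TestCrlReachability) {
            foreach ($url in $crlUrls) {
                try { Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15 | Out-Null }
                catch { $crlOk = $false; Write-Warning "CRL $url not reachable from this host: $($_.Exception.Message)" }
            }
        }
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            NameMatches   = $nameOk
            HasPrivateKey = $cert.HasPrivateKey          # requirement: private key present
            ServerAuthEKU = $ekuOk
            CrlUrls       = ($crlUrls -join '; ')
            CrlOk         = $crlOk
            Suitable      = ($nameOk -and $cert.HasPrivateKey -and $ekuOk -and $crlOk)
        }
    }
}
Test-IpHttpsCertificate -IpHttpsName 'da.contoso.com' | Format-Table -AutoSize
```

Run it again with -TestCrlReachability from an Internet-connected client to confirm the CRL distribution point is actually reachable from where DirectAccess clients will be.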