Planning the placement of CRL distribution points

Updated: February 1, 2010

Applies To: Unified Access Gateway

Certificate revocation list (CRL) distribution points are a critical component of Forefront UAG DirectAccess:

  • DirectAccess clients use certificate revocation checking to validate the Forefront UAG DirectAccess server certificate for IP-HTTPS connections. Without a reachable CRL distribution point on the Internet, all IP-HTTPS-based DirectAccess connections will fail.

  • DirectAccess clients use certificate revocation checking to validate the certificate for the HTTPS connection to the network location server. Without a reachable CRL distribution point on the intranet, intranet detection fails, which can impair intranet connectivity for DirectAccess clients.

The following design considerations need to be addressed when planning CRL distribution points:

  • Where to Place the CRL Distribution Points

  • Planning Redundancy for CRL Distribution Points

Where to Place the CRL Distribution Points

You need certificate revocation list (CRL) distribution points on both the intranet (for intranet detection) and the Internet (for IP-HTTPS connections).

The CRL location requirements are as follows:

  • Intranet location for intranet detection—For intranet detection, you must configure your public key infrastructure (PKI) to publish the CRL in a location that is resolvable and accessible from DirectAccess clients on the intranet during intranet detection. Use either a fully qualified domain name (FQDN) that does not match the intranet namespace or add the FQDN in the Name Resolution Policy Table (NRPT) as an exemption rule. For more information about applying an exemption rule, see Identifying DNS servers.

    Note

    If the above FQDN resolves to an IPv6 address, you should also add an IPsec exemption rule.

    The CRL distribution point should be hosted on an intranet Web or file server that provides high availability and, depending on the number of DirectAccess clients, high capacity.

  • Internet location for IP-HTTPS connections—For IP-HTTPS connections, you must configure your PKI to publish the CRL in a location that is resolvable and accessible from DirectAccess clients on the Internet. Use either an FQDN that does not match the intranet namespace or add the FQDN in the NRPT as an exemption rule. The CRL distribution point should be hosted on an Internet-facing and publicly accessible Web or file server that provides high availability and, depending on the number of DirectAccess clients, high capacity.

    When you use a third-party IP-HTTPS certificate, the third party normally provides the CRL.
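To check the placement requirements above from a DirectAccess client's own network position, here is an added PowerShell example (not from this article or from the Forefront UAG product): it reads the CRL distribution points out of an exported certificate, flags any name inside the intranet namespace (which the NRPT would send to intranet DNS unless an exemption rule exists), flags names that resolve to IPv6 (which call for the IPsec exemption noted above), and tries to download each CRL. The function name, the sample intranet suffix and the certificate path are assumptions.

```powershell
# Added example, not from the original article. Assumes PowerShell 2.0 or later
# and the .NET System.Net classes; names, suffix and path are placeholders.
function Test-CrlDistributionPoint {
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$IntranetSuffix = 'corp.example.com'   # placeholder intranet namespace
    )
    # OID 2.5.29.31 is the CRL Distribution Points extension; Format() renders it
    # as text in which every location appears as "URL=<uri>".
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { Write-Warning 'Certificate carries no CRL distribution point'; return }
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }

    foreach ($url in $urls) {
        $uri = [System.Uri]$url
        $result = New-Object PSObject -Property @{
            Url = $url; Host = $uri.Host; NeedsNrptExemption = $false
            ResolvesToIPv6 = $false; Reachable = $false; CrlBytes = 0
        }
        # A CDP name inside the intranet namespace is matched by the NRPT, so the
        # article requires a name outside that namespace or an NRPT exemption rule.
        if ($uri.Host.ToLower().EndsWith('.' + $IntranetSuffix.ToLower())) {
            $result.NeedsNrptExemption = $true
        }
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($uri.Host)
            # An IPv6 answer means the CRL fetch itself falls under DirectAccess IPsec
            # policy unless an IPsec exemption rule is added for this FQDN.
            $result.ResolvesToIPv6 = [bool]($addrs |
                Where-Object { $_.AddressFamily -eq 'InterNetworkV6' })
            # Fetch the CRL the same way a client would (HTTP/HTTPS only; an LDAP
            # location is reported as unreachable here, which is what Internet clients see).
            $bytes = (New-Object System.Net.WebClient).DownloadData($url)
            $result.Reachable = $true
            $result.CrlBytes  = $bytes.Length
        } catch {
            Write-Warning "$url : $($_.Exception.Message)"
        }
        $result
    }
}

# Usage: run once on the intranet and once on the Internet against the exported
# IP-HTTPS server certificate (path is a placeholder).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList 'C:\Temp\uag-iphttps.cer'
Test-CrlDistributionPoint -Certificate $cert -IntranetSuffix 'corp.example.com' |
    Format-Table Url, NeedsNrptExemption, ResolvesToIPv6, Reachable, CrlBytes -AutoSize
```

Run the same check against the network location server's HTTPS certificate from an intranet client to cover the intranet detection case.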

Planning Redundancy for CRL Distribution Points

If the intranet certificate revocation list (CRL) distribution point becomes unavailable, intranet detection will fail for DirectAccess clients on the intranet. If the Internet CRL distribution point becomes unavailable, DirectAccess clients on the Internet will be unable to use IP-HTTPS-based connections to the Forefront UAG DirectAccess server.

For redundancy for CRL distribution points, you can do the following: