Direct Access 2012 & Third Party Certs

    Question

  • Hi

    I know several other folks have asked the same question. I am a bit confused and very new to CA. I would appreciate it if someone could please explain this to me step by step. Below is how I have configured my environment.

    1. AD Server
    2. CA & IIS Server
    3. DA Server

    I used IIS to generate a CSR and got it signed by an external CA; using IIS I then completed the certificate request. I imported the intermediate using the CA management console. All paths are OK and the cert also states I have a private key, so all OK there.

    Afterwards, for the certs to get published across other servers, I used the command certutil -pulse and thought I would see the cert in DA, but couldn't. I then exported the certs from the CA server as .pfx and imported them into the DA server. Was that the right way, or did I do something wrong here?

    Then I opened the Remote Access configuration and modified step 2; in Authentication I ticked Use an Intermediate certificate and finished the config.

    From what I understand

    1. I need to issue machine certs using my internal CA. OK, how and why? Can someone please explain how this works? I have obtained a cert from a public CA; how does this procedure work?
    2. I would like to use the built-in template and then auto-enrol from AD. I understand the auto-enrol part (I can use a GPO to do that), but the template part I can't. I know where to find them, but how do I configure the template?

    I would appreciate if someone can please explain and talk me through.

    Many Thanks

    Alam

    Thursday, September 12, 2013 8:32 PM

All replies

  • Take a look here for an explanation on the different certs that are used by DA. Hopefully this will clear up some confusion: http://www.ivonetworks.com/news/2012/05/directaccess-help-im-drowning-in-certificates/

    I also walk through certificates and how to install them as part of the book I recently finished on DA. It's not quite shipping yet but will be soon if you are ever interested: http://www.packtpub.com/microsoft-directaccess-best-practices-and-troubleshooting/book

    Friday, September 13, 2013 1:49 PM
  • Hi Jordan,

    Many thanks for the reply. I have been on the first URL and have also read some of your replies; using the info I tried applying certs. I am sure I have done something wrong, because now none of my clients will connect to the workspace at all; my DA server is working. HELP!!

    Does the book have steps defined, i.e. is it step by step? Reading doesn't make things so clear to me unless I have practically done it.

    Thanks for the link; when it is ready I might buy it. Will it be available in electronic format so I can read it on my tab?

    Friday, September 13, 2013 5:39 PM
  • Hi Jordan,

    Sorry, when is the book going to be available? I am a bit desperate to get DA working. I have got it working with self-signed certs but want to know how exactly it works with third-party certs.

    Thanks

    Friday, September 13, 2013 6:14 PM
  • Yes, the book will have more step-by-step directions on how to get the certs into place. It is very important that you do not use self-signed certs for your production environment, as that pretty much negates any security that certificates give you whatsoever.

    I haven't heard an official release date from the publisher yet, but yes there is an eBook format available. I expect it to be very soon, probably by the end of this month.

    The only place you need a certificate from a third-party CA is on the DirectAccess server itself, the SSL cert that you use for IP-HTTPS. All other certificates can come from your internal CA server. The public cert that you use for IP-HTTPS doesn't have anything to do with your machine certs, they are completely separate. Also, you mentioned choosing "intermediary" in Step 2 of the wizards, but if you only have a single CA server, that CA server will be a Root and you should choose the Root option in that step.

    Friday, September 13, 2013 6:33 PM
  • Hi,

    Thanks for the reply; please let me know when the book gets released officially. I think this is the bit I am doing wrong then: "The public cert that you use for IP-HTTPS doesn't have anything to do with your machine certs, they are completely separate. Also, you mentioned choosing "intermediary" in Step 2 of the wizards, but if you only have a single CA server, that CA server will be a Root and you should choose the Root option in that step."

    OK, so I have applied self-signed certs to my clients. Can you please tell me a bit more about the "public cert that you use for IP-HTTPS"? How do I do this bit, and what steps do I need to take?

    thanks

    Friday, September 13, 2013 6:41 PM
  • The IP-HTTPS cert is the SSL cert that goes onto the DirectAccess server. This is typically a certificate that you obtain from a public CA (like GoDaddy, VeriSign, etc). To obtain this certificate, you can generate a CSR from IIS on the DirectAccess server, then request the cert from the CA, then when you receive the cert from them you import it also from inside IIS on the DA server.

    Each client needs a "Computer" certificate issued to them from the internal CA server. This is different from a self-signed certificate (the CA is doing the signing, not the clients themselves). Can you confirm that the certificate you put onto all of your clients was issued based off of the built-in "Computer" template of the Windows CA role?

    • Marked as answer by HammerRodx Saturday, September 14, 2013 8:57 AM
    Friday, September 13, 2013 6:50 PM
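The answer above separates two certificate roles: the public-CA SSL cert bound to IP-HTTPS on the DA server, and the internal-CA "Computer" (or "Workstation Authentication") certs on each client. The following PowerShell is an added example, not code from the thread or from the book mentioned in it; it changes nothing and only reports whether both roles are in place. It assumes a Server 2012 DA server with the RemoteAccess module, that `Get-RemoteAccess` exposes the IP-HTTPS cert as `SslCertificate` (check with `Get-RemoteAccess | Format-List` on your build), and a placeholder public name of `da.example.com`.

```powershell
# Added example, not from the thread. Run elevated on the DirectAccess server.
# Assumption: the DA server's public (IP-HTTPS) hostname is da.example.com (placeholder).
$publicName = 'da.example.com'

# --- 1. The IP-HTTPS (SSL) certificate on the DA server ---
# Assumption: Get-RemoteAccess exposes the bound cert as .SslCertificate (Server 2012 RemoteAccess module).
$ra  = Get-RemoteAccess
$ssl = $ra.SslCertificate
"IP-HTTPS cert: $($ssl.Subject) issued by $($ssl.Issuer), expires $($ssl.NotAfter)"

# The usual mistakes: importing a .cer without the private key, a subject that does not
# match the public name, a chain that does not build, or a self-signed cert left in place.
if (-not $ssl.HasPrivateKey) { Write-Warning 'IP-HTTPS cert has no private key on this server' }
if ($ssl.Subject -notmatch [regex]::Escape($publicName)) {
    Write-Warning "IP-HTTPS cert subject does not contain $publicName"
}
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($ssl)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "IP-HTTPS chain does not build: $status"
}
if ($ssl.Issuer -eq $ssl.Subject) { Write-Warning 'IP-HTTPS cert is self-signed (issuer equals subject)' }

# --- 2. Machine certificates from the internal CA ---
# Same check works on a client. Certs issued from a template carry the template name in
# extension 1.3.6.1.4.1.311.20.2 (v1 templates such as 'Computer') or 1.3.6.1.4.1.311.21.7 (v2).
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ext = $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
    if ($ext) {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Template   = $ext.Format($false)
            HasKey     = $_.HasPrivateKey
            SelfSigned = ($_.Issuer -eq $_.Subject)
            Expires    = $_.NotAfter
        }
    }
} | Format-Table -AutoSize

# No template-issued cert listed on a client means autoenrollment has not fired yet;
# trigger it with:   certutil -pulse
# then confirm the cert appears under Issued Certificates on the CA.
```

The second half is what settles the question in the thread: a self-signed cert shows `SelfSigned = True` and no template name, while a cert from the internal CA shows the CA's name as issuer and `Computer` or `Workstation Authentication` as the template.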
    I used the IIS on my CA to generate the CSR and then did most of what you have explained. Actually I wanted to get Windows 8 working first, hence I just used the self-signed certs generated by DA. Afterwards, when the Windows clients were working, I got to Windows 7; using the CA server's built-in template 'Workstation Authentication' I generated certificates and then, using GPOs, enrolled them on the workstations. I then connected my Windows 7 clients and all this worked pretty well.

    Things went wrong when I started fiddling with the third-party cert I got from the public CA; atm I am trying to revert back to an earlier snapshot from when things weren't wrong.

    Thanks  

    Friday, September 13, 2013 7:01 PM
  • HI Jordan, 

    I must say 'You Are A Star'; I got it working last night, or should I say in the early hours of the morning :).

    I am really looking forward to your book now I hope I will learn more from it specially how to troubleshoot DA.

    If you don't mind, can I also ask: when installing DA, it generates self-signed certificates

    1. DirectAccess-NLS.domain.local
    2. DirectAccess_RADIUS_Encrypt

    Correct me if I am wrong: "DirectAccess-NLS.domain.local" is used by IPsec; what is the other one used for?

    Secondly, atm they are self-signed certs; can I regenerate them and get them signed by my internal CA? Or how do you generate them again when they expire?

    Thirdly, what type of certs are they? For example, for my clients the template I used from my internal CA was 'Workstation Authentication'; what template can I use for the above certs?

    I am sure your book will have more answers to my questions. Thanks once again; I was getting really frustrated, but with your HELP it is all working.

    Thanks once again 

    Saturday, September 14, 2013 8:56 AM
    Glad to hear it is working! Offhand I'm not sure what the RADIUS certificate is used for. RADIUS can be used in two different places by DirectAccess. One: if you are using OTP (one-time passwords like RSA tokens) for user authentication, then RADIUS is used to communicate with the OTP servers. The other is for logging: you can choose for DirectAccess to log its information off to a RADIUS server. So the cert may be related to one of those features, which you are probably not using.

    The NLS certificate is something you should do some thinking about. The NLS (Network Location Server) is a simple HTTPS website. This website is a critical piece of the puzzle on how the DirectAccess clients determine when they are inside or outside of the network. Basically, the DA client looks for the NLS website. If it sees it, then it assumes it's inside the network and turns off DA. If it doesn't see the NLS site, then it assumes it is outside of the network and turns on DA. By default if you run through the Getting Started Wizard for DirectAccess (which is not a good practice in the first place), the NLS website gets put right onto the DirectAccess server itself. This is fine for a Proof-of-Concept or a testing environment, but I strongly recommend for production that you turn up a website on a different webserver to be your NLS website. Since there is a self-signed cert for NLS on your DirectAccess server, I assume that your NLS site is running on your DA server and you really shouldn't leave it like this long-term.

    The book also has more information on NLS and best practices surrounding it, but if you want to make changes in the meantime or discuss this further you can also feel free to reach out to me directly. We can setup a phone call and talk it over if you would like.

    jordan.krause@ivonetworks.com

    Monday, September 16, 2013 2:55 PM
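Jordan's explanation of the Network Location Server comes down to a single HTTPS probe: if the client can fetch the NLS URL (with a certificate it trusts), it decides it is inside and switches DirectAccess off; otherwise it decides it is outside and switches it on. The PowerShell below is an added example, not from the thread, that reproduces that probe on a DA client so you can see which way the decision goes from where the machine is sitting. It assumes a Windows 8 client with the NetworkConnectivityStatus and DnsClient modules, that the NLS URL is exposed as `DomainLocationDeterminationUrl` by `Get-NCSIPolicyConfiguration`, and that the DA GPO has already been applied (nothing is hard-coded).

```powershell
# Added example, not from the thread. Run on a DirectAccess client (Windows 8 assumed).

# 1. Which URL has the DA GPO told this client to probe?
# Assumption: the NLS URL is the DomainLocationDeterminationUrl of the NCSI policy.
$ncsi   = Get-NCSIPolicyConfiguration
$nlsUrl = $ncsi.DomainLocationDeterminationUrl
"NLS URL from policy: $nlsUrl"

# 2. Probe it the way the client does: an HTTPS GET that must succeed, certificate
#    validation included. An NLS cert the client does not trust (a self-signed one from
#    the Getting Started Wizard, for instance) fails here, so the client thinks it is outside.
try {
    $resp = Invoke-WebRequest -Uri $nlsUrl -UseBasicParsing -TimeoutSec 10
    "NLS reachable (HTTP $($resp.StatusCode)): client decides INSIDE, DirectAccess off"
} catch {
    "NLS probe failed: $($_.Exception.Message)"
    "Client decides OUTSIDE, DirectAccess on (if this machine is on the LAN, that is the fault)"
}

# 3. What the client actually concluded: the Name Resolution Policy Table. When DA is active,
#    the corporate namespace resolves via the DirectAccess DNS servers; the NLS name itself is
#    exempted (no DirectAccessDnsServers) so the probe always goes to the real LAN address.
Get-DnsClientNrptPolicy -Effective |
    Select-Object Namespace, DirectAccessDnsServers, DirectAccessEnabled |
    Format-Table -AutoSize
```

Running this on a LAN-connected machine that nonetheless fails step 2 is the symptom Jordan is warning about: if the NLS lives on the DA server and that server (or its cert) is unavailable, every intranet client flips to "outside" and tries to tunnel to its own network.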