NLS and CRL from the Internet

    Question

  • Hi,

    I am a bit confused by the documentation from technet:

    To ensure that DirectAccess clients can correctly detect when they are on the Internet, you can configure IIS on the DirectAccess server to deny connections from Internet-based clients with the IP and Domain Restrictions Web server (IIS) role service or ensure that the CRL distribution point location in the certificate being used for network location cannot be accessed from the Internet.

    On the other hand, the step-by-step install guide specifies configuring on the CA server a publication of the CRL that is available from an HTTP location, so I assumed it should be accessible from the Internet:

    To successfully authenticate an Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS)-based connection, DirectAccess clients must be able to check for certificate revocation of the secure sockets layer (SSL) certificate submitted by the DirectAccess server. To successfully perform intranet detection, DirectAccess clients must be able to check for certificate revocation of the SSL certificate submitted by the network location server. This procedure describes how to do the following:

    • Create a Web-based certificate revocation list (CRL) distribution point using Internet Information Services (IIS)
    • Configure permissions on the CRL distribution shared folder
    • Publish the CRL in the CRL distribution shared folder

    What is the correct requirement?

    Wednesday, April 24, 2013 08:29

Answers

  • Hi,

    You only have to publish the CRL for the IP-HTTPS certificate IF you are not using a public provider.

    The NLS must only be available on the internal network.

    NLS and IP-HTTPS are two different certificates for two different jobs.

    The guides are just that for a test lab and you might not have a public certificate available. 


    Regards, Rmknight

    • Marked as answer by ReMark-IT Friday, May 3, 2013 14:55
    Wednesday, April 24, 2013 09:08

All replies

  • If you follow a couple of DirectAccess best practices you don't need to worry about any of this:

    For the IP-HTTPS certificate, use one from a public CA and then you don't have to worry about CRLs whatsoever.

    For the NLS website, use a website that is external to the DirectAccess server itself. This is a best practice for a number of reasons, one of them being that you don't have to worry about making sure that external DA computers cannot access it or the CRL.

    Thursday, April 25, 2013 12:14
  • Understood thanks.

    So you do not need the CRL accessible from the Internet for validating the computer certificates that are used by Win7 clients?

    It is only used for validating the DirectAccess certificate, right?

    Thursday, May 2, 2013 10:12
  • Correct, the only CRL that is being checked over the internet is the IP-HTTPS SSL certificate.
    Thursday, May 2, 2013 13:27
  • My concern is:

    Ensure that the FQDN in the IP-HTTPS URL on the DirectAccess client matches the Subject field of the IP-HTTPS certificate on the DirectAccess server.

    If I have a wildcard cert on the DA server, does that look OK?

    I mean, let's say my FQDN is http://vpn.abc.com:443/ip-https

    and the Subject field on the DA server is *.abc.com

    Does that sound OK?

    Thursday, May 2, 2013 16:49
  • Yes, wildcards are completely supported for IP-HTTPS. Many of my installs use wildcard certs. SAN certificates are NOT supported, as far as I know, just an FYI.
    Thursday, May 2, 2013 17:34
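The two points raised in this thread (the IP-HTTPS certificate's CRL distribution point must be reachable from the Internet while the NLS certificate's must not, and a wildcard subject such as *.abc.com covering vpn.abc.com) can be checked from an Internet-connected Windows machine with the script below. It is an added example, not code from the thread or from Microsoft's DirectAccess guides. It assumes you have exported the public part of both certificates to the .cer paths given (placeholders) and that the host names vpn.abc.com and nls.corp.abc.com are the ones your deployment uses; the wildcard rule it applies is the standard one (a wildcard covers exactly one leftmost DNS label), and it reads both the Subject CN and any SAN DNS names.

```powershell
# Added example: verify name match and CRL distribution point reachability
# for a DirectAccess IP-HTTPS certificate and an NLS certificate.
# Run from a machine on the Internet: the IP-HTTPS CDP must answer, the NLS CDP must not.
# All paths and host names below are placeholders (assumptions), replace them with yours.

function Get-CrlDistributionPoint {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 = CRL Distribution Points; Format($true) renders each URL as "URL=..."
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CertificateHostName {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$HostName
    )
    $target = $HostName.ToLowerInvariant()
    # Candidate names: the Subject CN plus DNS entries from the SAN extension (OID 2.5.29.17)
    $names = @()
    if ($Certificate.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($true), 'DNS Name=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    }
    foreach ($raw in $names) {
        $n = $raw.ToLowerInvariant()
        if ($n -eq $target) { return $true }
        # A wildcard covers exactly one leftmost label: *.abc.com matches vpn.abc.com,
        # but neither abc.com nor host.sub.abc.com
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)   # ".abc.com"
            if ($target.EndsWith($suffix)) {
                $label = $target.Substring(0, $target.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Test-CrlReachable {
    param([Parameter(Mandatory)][string]$Url, [int]$TimeoutSec = 5)
    # Only HTTP/HTTPS CDPs matter for DirectAccess clients on the Internet; LDAP ones are skipped by the caller
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec -ErrorAction Stop
        return ($r.StatusCode -eq 200)
    } catch {
        return $false
    }
}

# Placeholder inputs (assumed): exported public certificates and the names clients connect to
$checks = @(
    @{ Role = 'IP-HTTPS'; Path = 'C:\certs\iphttps.cer'; HostName = 'vpn.abc.com';      ExpectCrlReachable = $true  }
    @{ Role = 'NLS';      Path = 'C:\certs\nls.cer';     HostName = 'nls.corp.abc.com'; ExpectCrlReachable = $false }
)

foreach ($c in $checks) {
    if (-not (Test-Path $c.Path)) { Write-Warning "$($c.Role): $($c.Path) not found"; continue }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($c.Path)

    $nameOk = Test-CertificateHostName -Certificate $cert -HostName $c.HostName
    Write-Host ("{0}: '{1}' covers {2}: {3}" -f $c.Role, $cert.Subject, $c.HostName, $nameOk)

    $urls = Get-CrlDistributionPoint -Certificate $cert | Where-Object { $_ -match '^https?://' }
    if (-not $urls) { Write-Host ("{0}: no HTTP CRL distribution point in certificate" -f $c.Role) }
    foreach ($url in $urls) {
        $reachable = Test-CrlReachable -Url $url
        $verdict = if ($reachable -eq $c.ExpectCrlReachable) { 'OK' } else { 'MISMATCH' }
        Write-Host ("{0}: CDP {1} reachable={2} expected={3} -> {4}" -f $c.Role, $url, $reachable, $c.ExpectCrlReachable, $verdict)
    }
}
```

A MISMATCH on the IP-HTTPS line means Internet clients cannot complete revocation checking and the IP-HTTPS tunnel will fail; a MISMATCH on the NLS line means the NLS certificate's CRL is reachable from outside, which is one of the two conditions the TechNet text quoted in the question warns about (the other being the NLS site itself answering from the Internet).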