UAG DirectAccess Certificate Questions

  • Question

  • A couple of questions about the UAG DirectAccess Certificate configuration.  In the prerequisites it states that we need to have the following:

    1.  A certificate revocation list (CRL) distribution point that is reachable from a publicly resolvable fully qualified domain name (FQDN).

    Is this CRL distribution point for the web certificate on the UAG server or do we need to publish our internal CA CRL externally also?  We use an external Certificate Authority for our websites so the CRL is already published.  Our internal CA CRL is not and would need to be published externally if this is a requirement.

    2.  A web certificate used for IP-HTTPS authentication. The certificate subject should be the URL of the Forefront UAG DirectAccess server.

    Does this mean that Wildcard Certificates will not work with DirectAccess?

    Thanks!

    Eric

    Tuesday, August 11, 2009 5:31 PM

Answers

  • Hi Eric,

    1. If you use a public certificate for your IP-HTTPS you don't need to make your corporate CRL accessible on the Internet.

    2. We haven't tested it with a wildcard certificate, but it is supposed to work if its subject includes the URL of the UAG.

    Thanks,
            Meir :->
    Meir Mendelovich, Sr. Program Manager, Microsoft Forefront - IAG/UAG Product Group
    Team Blog: http://blogs.technet.com/edgeaccessblog/
    Anything you can do, I can do anywhere!
    Tuesday, August 11, 2009 9:48 PM
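An added check for the two prerequisites discussed in this thread (not code from the thread or from the UAG product): given the names and CRL distribution points read off a candidate IP-HTTPS certificate, it tests whether a wildcard name covers the DirectAccess FQDN under the usual single-label wildcard rule and whether at least one CRL distribution point uses an HTTP URL with a hostname that looks publicly resolvable. The certificate fields, host names and the list of internal-only DNS suffixes are constructed assumptions; the public/internal classification is a heuristic, not a live DNS or fetch test.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample (not from the thread): fields as read off an IP-HTTPS certificate.
SAMPLE_CERT = {
    "subject_cn": "*.contoso.example",
    "san_dns": ["*.contoso.example"],
    "crl_dps": [
        "http://crl.contoso.example/ca.crl",            # public FQDN
        "http://corp-ca.corp.local/CertEnroll/ca.crl",  # internal-only name
        "ldap:///CN=Corp%20CA,CN=CDP,DC=corp,DC=local?certificateRevocationList",
    ],
}

# Assumed list of suffixes that never resolve from the Internet.
INTERNAL_SUFFIXES = (".local", ".internal", ".corp", ".lan")


def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against a host; '*' only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    labels = pattern.split(".")
    # Wildcard must be the entire leftmost label and leave at least two more labels.
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = host.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_covers_host(cert: dict, host: str) -> bool:
    # SAN dNSName entries take precedence; the Subject CN is only used when no SAN exists.
    names = cert["san_dns"] or [cert["subject_cn"]]
    return any(name_matches(n, host) for n in names)


def classify_crl_dp(url: str) -> str:
    """Return 'public', 'internal' or 'not-http' for one CRL distribution point URL."""
    u = urlparse(url)
    if u.scheme not in ("http", "https"):
        return "not-http"  # ldap:/// or file: DPs are never fetched across the Internet
    host = u.hostname or ""
    if not host or "." not in host or host.endswith(INTERNAL_SUFFIXES):
        return "internal"
    try:
        return "internal" if ipaddress.ip_address(host).is_private else "public"
    except ValueError:
        return "public"


def check_ip_https_cert(cert: dict, da_host: str) -> dict:
    """Summarise both prerequisites for one certificate and DirectAccess FQDN."""
    dps = {u: classify_crl_dp(u) for u in cert["crl_dps"]}
    return {"covers_host": cert_covers_host(cert, da_host),
            "public_crl_dp": "public" in dps.values(), "crl_dps": dps}
```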