DirectAccess and Managed (Cloud) PKI

  • Question

  • Good Afternoon,

    I've been put in charge of researching PKIs for an organization, partly for use with DirectAccess.

    I was curious whether or not DirectAccess can work with a "Managed PKI" cloud service. We have a fairly small team, so I'm trying to look at options outside of having to stand up and manage our own PKI for one service.

    Thanks in advance!

    ~Jeeves


    ~Jeeves Murphy

    Wednesday, February 15, 2017 7:58 PM

All replies

  • In order to do DirectAccess the "right way", you'll have machine certificates issued to all of the client computers, from an internal CA server. I think you would really struggle to use a cloud PKI service here, because the DirectAccess server checks in with the CA server for each authentication request. This means you will be better served with an on-site CA server, but will have the benefit of very strong authentication. The requirements for setting this up are very simple. You can have one single CA server running Windows Server, that's all you need. Since it's a small environment, you don't need to go crazy and have multiple tiers of CAs with an offline root - I almost never see that in the field, only with the largest installs. Just a single Windows Server with the CA role installed and you meet the requirements for DirectAccess. In fact, here is a rather old, but still entirely relevant, blog post I put together about what certificates are used by DA: https://www.ivonetworks.com/news/2012/05/directaccess-help-im-drowning-in-certificates/

    Your other option is to take the less-secure approach to DirectAccess and set it up without requiring certificates. This limits you on what DA can do, but as long as your clients are all Win8 or Win10 and you don't care to make the DA solution highly available, you can choose to forgo certificates as part of the IPsec authentication process and the clients will use something called KerbProxy instead. This is not as secure as certificates, and you'll still need to get an SSL certificate from a public CA for the IP-HTTPS listener, but it's possible to set up DA this way.

    If you couldn't tell, I don't recommend setting up a production instance of DirectAccess without certificates. Implementing a CA server is no big deal; take the time to make sure your environment is as secure as it can be! And let me know if I can ever help: Jordan.Krause@ivonetworks.com

    Thursday, February 16, 2017 2:12 PM
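The reply above hinges on every DirectAccess client holding a machine certificate issued by the internal CA. As an added example (not code from the poster or from Microsoft), this PowerShell check audits a client's LocalMachine store for such a certificate and validates its chain for the Client Authentication EKU that IPsec computer-certificate authentication uses; the issuing CA name is a placeholder, and the script assumes the PKI module's Test-Certificate cmdlet (Windows 8 / Server 2012 or later) is available.

```powershell
# Audit a DirectAccess client's machine certificate prerequisites.
# Placeholder: replace with the subject of your internal issuing CA.
$ExpectedIssuer = 'CN=CORP-ISSUING-CA'
# Client Authentication EKU OID (assumption: the EKU the IPsec machine cert needs).
$ClientAuthEku  = '1.3.6.1.5.5.7.3.2'

# Only certificates with a private key can be used for IPsec authentication.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$ExpectedIssuer*" }

if (-not $candidates) {
    Write-Warning "No machine certificate from $ExpectedIssuer in LocalMachine\My; IPsec computer-certificate authentication will fail."
    return
}

foreach ($cert in $candidates) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    # Test-Certificate builds and verifies the chain (revocation included) and
    # checks that the certificate carries the requested EKU. Returns $true/$false.
    $chainOk = Test-Certificate -Cert $cert -Policy Base -EKU $ClientAuthEku -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        DaysLeft     = $daysLeft
        ClientAuthOk = [bool]$chainOk
    }
}
```

A row with ClientAuthOk set to $false, or a small DaysLeft value, is the client-side symptom to chase before blaming the DirectAccess server or the CA.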