IPSec certificate for multisite

  • Question

  • Hi,

    I have to configure DirectAccess with multi-site on Windows Server 2012 R2 in Azure. I have configured the DA server, but while configuring multi-site it is mandatory to select "use computer certificate" for authentication in the Remote Access Server setup. The issue is that I am selecting the IPSec certificate (issued from my internal CA server), but it rolls back when I click the Finish button in Remote Access Setup.

    There must be a problem with the certificate, so can anyone help me with which certificate I have to use for the configuration, or how I should issue the certificate from my internal CA server?

    Thanks,

    Roshan

    Friday, August 11, 2017 7:03 AM

Answers

  • Hi,

    It got resolved. I was using the IPSec template, and it simply requires the old Computer certificate from the internal CA.

    Thanks,

    Roshan


    • Marked as answer by roshan kr Friday, August 18, 2017 5:51 AM
    • Edited by roshan kr Friday, August 18, 2017 6:06 AM
    Friday, August 18, 2017 5:51 AM

All replies

  • First of all, you should know that doing DirectAccess on an Azure VM is "officially" not supported: https://support.microsoft.com/en-us/kb/2721672

    However, I have gotten it to work many times. I have never tried Multi-Site inside Azure though, and so you may be bumping into an issue specific to Multi-Site rather than the certificate itself. I know that the way Azure networking is, I would never expect to be able to do NLB amongst Azure DA servers.

    Are you using a custom template for issuing this certificate? Or the built-in "Computer" template? The Computer template contains everything that DA needs, but it is a generic OID that is known, so most folks prefer to set up a custom template for issuing these certificates. If yours is custom, make sure it has the following criteria:
    - The Subject Name of the certificate should be "common name" (FQDN of the client)
    - The SAN of the certificate should be the "DNS name" (also FQDN of the client)
    - "Intended Purpose" of the certificate (EKU) should have both Client Authentication as well as Server Authentication - some will say server auth shouldn't be necessary, but I've seen issues when you don't have both checked in your DA template.

    I would test setting up a single DA server inside Azure that is requiring certificates, before you click on anything to do with Multi-Site. Make sure you can successfully get through the wizards and get DA working with certs first, and then worry about getting through the Multi-Site part of the configuration.

    Monday, August 14, 2017 3:24 PM
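    The three template criteria listed in the reply above can be checked against the certificates already in a machine's store before they are selected in the Remote Access wizard. This is an added example, not code from the thread; it assumes the certificate should name the local computer's FQDN and uses the standard Client/Server Authentication EKU OIDs.

    ```powershell
    # Added example (not from the thread): check that a machine certificate in the
    # local computer store meets the three criteria listed above before using it
    # for DirectAccess IPsec authentication. Assumes the local computer's FQDN is
    # the name the certificate should carry; the OIDs are the standard EKU values.
    $ClientAuthOid = '1.3.6.1.5.5.7.3.2'
    $ServerAuthOid = '1.3.6.1.5.5.7.3.1'

    function Test-DaComputerCertificate {
        param(
            [Parameter(Mandatory)]
            [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
            [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
        )
        $problems = @()

        # Criterion 1: Subject should be CN=<FQDN of the machine>
        $cnPart = $Certificate.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
        $cn = $cnPart -replace '^CN=', ''
        if ($cn -ne $Fqdn) { $problems += "Subject CN '$cn' does not match FQDN '$Fqdn'" }

        # Criterion 2: SAN DNS names (PowerShell exposes them as DnsNameList) must include the FQDN
        if ($Certificate.DnsNameList.Unicode -notcontains $Fqdn) {
            $problems += "SAN DNS names do not include '$Fqdn'"
        }

        # Criterion 3: EKU must contain both Client Authentication and Server Authentication
        $ekus = $Certificate.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
        if ($ekus -notcontains $ClientAuthOid) { $problems += 'EKU missing Client Authentication' }
        if ($ekus -notcontains $ServerAuthOid) { $problems += 'EKU missing Server Authentication' }

        # A usable IPsec certificate also needs its private key and must be within its validity period
        if (-not $Certificate.HasPrivateKey) { $problems += 'No private key in the store' }
        if ($Certificate.NotAfter -lt (Get-Date)) { $problems += 'Certificate has expired' }

        [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            Issuer     = $Certificate.Issuer
            Suitable   = ($problems.Count -eq 0)
            Problems   = $problems
        }
    }

    # Evaluate every certificate in the computer's Personal store and show the verdicts
    Get-ChildItem Cert:\LocalMachine\My |
        ForEach-Object { Test-DaComputerCertificate -Certificate $_ } |
        Format-List Thumbprint, Issuer, Suitable, Problems
    ```

    Run it in an elevated PowerShell session on the DA server; certificates reported as Suitable are the ones that satisfy the reply's template criteria.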
  • Hi Jordan,

    I am using the built-in Computer template, and I have verified the single DA server (configured with the certificate). Now I want to move to multisite, but somehow the IPSec certificate is not working.

    Thanks,

    Roshan

    Thursday, August 17, 2017 4:34 AM