Certificate Basics

  • Question

  • Certificate Basics,

    I am trying to set up UAG and I am at the certificate step. The documentation speaks way past a fundamental step-by-step understanding of how this is intended to work. In the set-up wizard under authentication options it says "Browse and select a root or intermediate certificate that verifies certificates sent by DirectAccess clients".

    1) The documentation could stand some elaboration here. Root or intermediate: which one? Why? What's the difference in deployment or client functionality?

    2) When I select a certificate from the list (in my case VeriSign) I get a warning message at the bottom of the dialog box that says "the computer certificate issued by CA=dc …… could not be found on the server. To enable IPsec authentication, ensure that a computer certificate is installed on all array members". English please?

    Next it says: "Select the certificate that authenticates the UAG DirectAccess server to clients connecting using IP-HTTPS."

    1) Again, what certificate? A public cert issued by a CA with the FQDN of my UAG box? If so, how? I presume I need to create a CSR somewhere, but where? No documentation!

    Any help would be greatly appreciated

    Friday, November 19, 2010 2:53 AM

Answers

  • Hi dpharig,

    UAG is fundamentally dependent upon certificates and PKI, which in itself isn't one of the easiest technologies to get your head around. A lot of the documentation does assume you have a good understanding of PKI concepts and associated terminology. An overview of the PKI requirements for UAG DA is discussed here: http://technet.microsoft.com/en-us/library/ee406213.aspx

    With regard to your specific questions:

    A1: In my experience, most deployments specify a Root CA here but it depends on your PKI design. The following article may fill in some of the blanks: http://blogs.technet.com/b/edgeaccessblog/archive/2009/10/27/deep-dive-into-uag-directaccess-certificates.aspx

    A2: Every DA client (and the UAG servers) requires certificates in order to provide authentication for the IPsec tunnels used by DA. Due to the number of DA clients and to reduce cost, it is recommended to use a private or internal Certificate Authority (CA) to issue these certs, as opposed to using a public provider/issuer (like VeriSign or similar). The Root CA or Intermediate CA from A1 above is usually based upon this internal PKI solution.

    A3: When a DA client cannot establish a 6to4 or Teredo connection, it will fall back to using an HTTPS connection, as this ubiquitous protocol is more likely to allow DA connectivity. In order to provide this functionality the UAG server needs an SSL certificate (just like a secure web server at an online shopping site). Although you can use a certificate from your internal PKI, it is actually recommended to use an IP-HTTPS certificate from a public CA (like VeriSign or similar) for this particular scenario.

    Overall, the DA wizard assumes that you already have all of these certificates issued and present in the Local Computer certificate store on the UAG server. There are quite a few ways to get the certificates issued, so a lot of the DA documentation assumes you know how to do this... MS also have to appear PKI solution agnostic in the official documentation (I think).

    Have you seen the UAG DirectAccess test lab guides? I think these would be a great start for you and also include a basic PKI setup to get you started: http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx  

    Cheers

    JJ  


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, November 19, 2010 11:09 PM
    Moderator
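
As an added example (not code from this thread, from the moderator, or from the UAG product), the following PowerShell script, run in an elevated prompt on the UAG server itself, performs the checks that sit behind the two wizard prompts discussed in A1 to A3: it looks up the root or intermediate CA you would select, verifies that a computer certificate with a private key in the Local Computer store chains to it (the condition behind the "could not be found on the server" warning in A2), locates a Server Authentication certificate for the public IP-HTTPS name (A3), and, if none is present, writes a certreq .inf you can use to generate the CSR the question asks about. The CA name 'Contoso Root CA', the public name 'da.contoso.com' and the output paths under %TEMP% are placeholders, and the assumption that IPsec computer certificates carry the Client Authentication EKU (as the default Computer template does) is labelled in the code.

```powershell
# Added example, not from the thread or the UAG product: checks on the UAG server that mirror
# the wizard's certificate prompts, plus a certreq .inf for the IP-HTTPS CSR.
# Placeholders (assumptions): substitute your own CA name and public DirectAccess FQDN.
$IssuingCaName = 'Contoso Root CA'   # assumption: the root or intermediate CA you pick in the wizard
$IpHttpsFqdn   = 'da.contoso.com'    # assumption: the public FQDN DA clients use for IP-HTTPS
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

function Get-EkuOids {
    # Enhanced Key Usage OIDs of a certificate (empty array when the extension is absent).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }
    $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ext, $ext.Critical)
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-CertNames {
    # Subject CN plus any Subject Alternative Name DNS entries, lower-cased for comparison.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) renders the SAN on Windows as "DNS Name=a, DNS Name=b"
        foreach ($part in ($san.Format($false) -split ',\s*')) {
            if ($part -match '^DNS Name=(.+)$') { $names += $matches[1] }
        }
    }
    return @($names | ForEach-Object { $_.ToLower() })
}

function Test-ChainsTo {
    # Does the trust path built from the machine stores include the CA with this thumbprint?
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$CaThumbprint)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($Cert)   # trust path only; the CRL question is handled separately below
    foreach ($element in $chain.ChainElements) {
        if ($element.Certificate.Thumbprint -eq $CaThumbprint) { return $true }
    }
    return $false
}

# A1: the wizard lists CA certificates from the machine's Root (root CA) and CA (intermediate) stores.
$caCert = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like "CN=$IssuingCaName*" } | Select-Object -First 1
if (-not $caCert) { throw "CA '$IssuingCaName' is not in LocalMachine\Root or LocalMachine\CA" }
"Selected CA: " + $caCert.Subject + " (" + $caCert.Thumbprint + ")"

# A2: the warning means no certificate in LocalMachine\My chains to the CA you selected.
# IPsec needs a computer certificate with a private key that chains to it; assumption: it was
# issued from the Computer template (or equivalent), which carries the Client Authentication EKU.
$ipsecCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and (Test-ChainsTo $_ $caCert.Thumbprint) -and ((Get-EkuOids $_) -contains $ClientAuthOid)
}
if ($ipsecCerts) { "IPsec computer cert(s): " + (($ipsecCerts | ForEach-Object { $_.Thumbprint }) -join ', ') }
else { "No computer certificate chaining to '$IssuingCaName' - enroll one on every array member" }

# A3: the IP-HTTPS certificate is an ordinary SSL server certificate for the public name.
$ipHttpsCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ((Get-EkuOids $_) -contains $ServerAuthOid) -and
    ((Get-CertNames $_) -contains $IpHttpsFqdn.ToLower())
} | Select-Object -First 1
if ($ipHttpsCert) {
    "IP-HTTPS cert: " + $ipHttpsCert.Thumbprint + " issued by " + $ipHttpsCert.Issuer
    # Clients on the Internet check this certificate's CRL, so its CDP must be reachable from outside.
    $cdp = $ipHttpsCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) { "CRL distribution point(s): " + $cdp.Format($false) } else { "Warning: no CRL distribution point" }
} else {
    "No Server Authentication certificate for $IpHttpsFqdn - generate a CSR and submit it to your public CA:"
    @"
[NewRequest]
Subject = "CN=$IpHttpsFqdn"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$IpHttpsFqdn&"
"@ | Set-Content -Path "$env:TEMP\iphttps.inf"
    "  certreq -new $env:TEMP\iphttps.inf $env:TEMP\iphttps.req   (send the .req to the CA)"
    "  certreq -accept issued.cer                                  (binds the issued cert to the key)"
}
```

Two points about the .inf: MachineKeySet = TRUE is what puts the key pair, and later the issued certificate, into the Local Computer store the wizard reads rather than the user's store, and KeySpec = 1 makes the key usable for SSL key exchange. Exportable = FALSE is the safe default for a single server; if the UAG server is an array member and you intend to copy the same IP-HTTPS certificate to the other members, generate the key with Exportable = TRUE instead. The computer certificate for IPsec, by contrast, is enrolled separately on each member, which is what the wizard's warning is telling you.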

All replies

  • Hi,

    You can start here http://blog.concurrency.com/infrastructure/uag-directaccess-certificates-groups-and-client-requirements/2010/07/29 to get basic information, and you can use the step-by-step guide http://www.microsoft.com/downloads/en/details.aspx?familyid=8D47ED5F-D217-4D84-B698-F39360D82FAC&displaylang=en which will walk you through the process of setting up the things you need.

    Regards,

    Andreas


    Andreas Hecker - Blog: http://microsoft-iag.blogspot.com/
    Friday, November 19, 2010 6:55 AM
  • Another starting point can be found here http://technet.microsoft.com/en-us/library/ee690443.aspx

    Regards,

    Andreas


    Andreas Hecker - Blog: http://microsoft-iag.blogspot.com/
    Friday, November 19, 2010 7:01 AM
  • Hey guys,

    Thanks for the thumbs up on the Test Lab Guides! :)

    Tom


    MS ISDUA/UAG DA Anywhere Access Team. Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, November 22, 2010 4:58 PM
    Moderator