Sunday 20 October 2013

Direct Access Easy Step 2: Certificates

Back to Direct Access main menu

Welcome back to "Direct Access in 5 easy steps". Step 2 describes the certificates required for the process and their configuration.


IPHTTPS

IPHTTPS simply means IP over HTTPS. This protocol allows for an IP tunnel to be created through a secure HTTPS connection. Direct Access uses IPHTTPS listeners which are available to respond to client requests.

You have several options when choosing a certificate for the IPHTTPS listener
  • Self-signed certificate (I am not a fan of using external facing self-signed certificates)
  • PKI (you can use your own Certificate Authority to generate the required certificate)
  • 3rd Party SSL (this is my preferred method - in this guide I will be using a Comodo SSL Certificate) 

When you use a 3rd Party certificate it must be configured to use the external FQDN that we previously used for the external DNS record (eg da.contoso.com).

NLS

The NLS certificate should be configured to use the internal FQDN of the NLS server. It is quite acceptable to use the self-signed certificate in this case.


Request Certificate

Open Internet Services Manager on your Direct Access Server.

Select the server name on the left pane and double-click the "Server Certificates" button in the Security Section.


In the "Actions" menu on the right, click on "Create Certificate Request".


This will open the "Request Certificate Wizard"


Enter your details. Remember the Common Name should be the FQDN that we used for our DNS record earlier (eg da.contoso.com).


Enter the required details in Cryptographic Service Provider Properties (Comodo recommend Bit Length of 2048).


Save the Certificate Request.

Open the saved file.

When you make your online application, make sure you copy the CSR in its entirety into the appropriate section of the enrolment form

----BEGIN CERTIFICATE REQUEST-----

to


-----END CERTIFICATE REQUEST-----


Install Certificate

Within a few hours the certificate will be available for download from the Comodo website.

Open Internet Services Manager.
 
Select the server name on the left pane and double-click the "Server Certificates" button in the Security Section.



This time choose to "Complete the Certificate Request".

The SSL certificate will now be available when we are configuring the IPHTTPS listener.

5 comments:

  1. Great information! Does the clients need the DA cert or do they just need the computer cert? My clients have a computer cert from a CA, My DA has a DA cert from the CA and my web prob has a web Cert from the CA. Am I missing something?

    Thanks!

    ReplyDelete
    Replies
    1. The clients do not need the certificates I've described above. Windows 8 clients do not need certificates at all.

      Delete
  2. This is exactly what I was looking. I agree too this seems the best way to do it!

    ReplyDelete
  3. Do you need to restart any DA services once you have done this step?
    Once it is completed, restart 'Routing and Remote Access' service

    ReplyDelete
  4. If I currently have a self-signed cert installed and deployed on our DirectAccess server, will the clients need to update the client GPO in order for the clients to reestablish connection to the edge server? I want to deploy a third-party cert, but I don't want the client connections to dump out until they come into the office to get an updated GPO.

    ReplyDelete