Certificate deployment involves several planning stages, including planning the computer name and adding a static IP, both of which would likely already be done in an enterprise-level deployment. Other steps include the configuration of the certificate authority itself.
Three scenarios are identified for certificates as they relate to Remote Access:
- IPsec authentication
- IP-HTTPS server
- Network location server
IPsec certificate considerations
IPsec authentication uses an internal certificate authority (CA). The internal CA issues certificates to both the clients and the Remote Access server. With DirectAccess in Windows Server 2012, the Remote Access server can proxy Kerberos requests over Secure Sockets Layer (SSL), so certificate-based IPsec authentication is no longer a requirement for this scenario. However, multisite deployments cannot use Kerberos proxying and therefore must use certificates for this scenario.
When certificates are used for IPsec, the following requirements and recommendations are noted:
- An enterprise CA should be set up.
- Group policy–based auto enrollment should be used to ensure that all domain members receive the certificate from an enterprise CA.
- The certificate needs to have client authentication Extended Key Usage (EKU).
- The trust chains for the client and server certificates should connect to the same root certificate, which is configured in the DirectAccess configuration.
IP-HTTPS certificate considerations
When installed, Remote Access listens for HTTPS requests and, as a result, requires a certificate for this communication. A public CA signs the certificate for the IP-HTTPS scenario, but an internal CA or self-signed certificate can also work, assuming that the Certificate Revocation List (CRL) distribution point is available to external clients.
A public CA certificate should be used for HTTPS-based Remote Access so that clients have the best compatibility. Also, the subject field of the certificate should specify the IPv4 address or the Fully Qualified Domain Name (FQDN) of the Remote Access server, and the common name of the certificate should match the name of the site or use a wildcard certificate. The EKU field should use the Server Authentication object identifier. The certificate must be imported into the personal store.
Network location server certificate considerations
The certificate should use the IP address or FQDN of the network location URL for the Subject field, and the EKU field should use the Server Authentication object identifier.
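As an added example (not from the original text), the following PowerShell audits the certificates in the local machine Personal store against the requirements above: the Server Authentication EKU for the IP-HTTPS and network location server certificates (or Client Authentication for the IPsec client certificate), a subject or SAN name matching the expected FQDN/IP, a private key, and a chain that builds to a trusted root. The name da.contoso.com and the default store path are assumed values.

```powershell
# Added example: audit certificates for the DirectAccess roles described above.
# EKU OIDs are the standard X.509 values; $ExpectedName is an assumed sample.
function Test-RemoteAccessCert {
    param(
        [Parameter(Mandatory)][string]$ExpectedName,        # server FQDN or IPv4
        [ValidateSet('ServerAuth','ClientAuth')][string]$Role = 'ServerAuth',
        [string]$StorePath = 'Cert:\LocalMachine\My'       # Personal store
    )
    $requiredOid = @{ ServerAuth = '1.3.6.1.5.5.7.3.1'; ClientAuth = '1.3.6.1.5.5.7.3.2' }[$Role]

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

        # Collect the subject CN plus any DNS/IP names in the SAN extension (OID 2.5.29.17)
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += ($san.Format($false) -split ',\s*' |
                ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
        }
        # Exact match, or a wildcard entry (*.contoso.com) that covers the expected name
        $nameOk = $names | Where-Object {
            $_ -eq $ExpectedName -or ($_.StartsWith('*.') -and $ExpectedName -like $_)
        }

        # Chain must build to a trusted root. Revocation is skipped here because
        # whether the CRL distribution point is reachable by external clients
        # cannot be proven from the server itself.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey
            RequiredEKU   = ($ekus -contains $requiredOid)
            NameMatches   = [bool]$nameOk
            ChainBuilds   = $chainOk
            Expired       = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

# Assumed sample name; a row with every check True is a candidate for the role.
Test-RemoteAccessCert -ExpectedName 'da.contoso.com' -Role ServerAuth | Format-Table -AutoSize
```

Run with -Role ClientAuth against Cert:\LocalMachine\My on a client to confirm the auto-enrolled IPsec certificate carries the Client Authentication EKU and chains to the root configured in DirectAccess.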