Using enterprise certificates

DirectAccess in Windows Server 2012 removes the requirement for a PKI. In its place, DirectAccess in Windows Server 2012 uses a Kerberos proxy running over HTTPS, which means that a standard SSL certificate is sufficient for this deployment scenario. That certificate is normally issued by a certificate authority (CA) that the clients trust, but a self-signed certificate can also be used, and DirectAccess can generate the self-signed certificate for you during deployment. One scenario that still requires a PKI deployment is two-factor authentication using smart cards or one-time passwords (OTPs).
To use Multisite Remote Access, IPsec authentication must be set to client certificates. This setting is configured on the Authentication page of the Remote Access Setup Wizard (see Figure 3-4).

FIGURE 3-4 Configuring IPsec authentication to use a trusted root CA.
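The same change the wizard makes on the Authentication page, performed with the RemoteAccess module in Windows PowerShell on the Remote Access server; this is an added example, not from the book, and it assumes a root CA whose subject begins with "CN=Contoso Root CA" (a constructed name) is already present in the server's Trusted Root Certification Authorities store.

```powershell
# Added example: switch DirectAccess IPsec authentication from the Kerberos proxy
# (no PKI) to client certificates chained to a trusted root CA, as Multisite requires.
Import-Module RemoteAccess

# Constructed subject name; use the root CA that issues your client computer certificates.
$rootCaSubject = 'CN=Contoso Root CA*'

# Look up the root CA in the local machine's Trusted Root store.
$rootCa = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like $rootCaSubject } |
    Select-Object -First 1

if (-not $rootCa) {
    throw "Root CA matching '$rootCaSubject' was not found in Cert:\LocalMachine\Root."
}

# Record the current setting so the change can be reviewed or reverted.
$before = Get-DAServer
"Before: ComputerCertAuthentication=$($before.ComputerCertAuthentication)"

# Enable computer certificate authentication and name the root CA that IPsec
# peers must chain to (assumed parameter names from Set-DAServer).
Set-DAServer -ComputerCertAuthentication Enabled -IPsecRootCertificate $rootCa

# Verify: IPsecRootCertificate should now reference the selected CA.
Get-DAServer | Select-Object ComputerCertAuthentication, IPsecRootCertificate, UserAuthentication
```

Run this in an elevated session on the Remote Access server; the change is applied to the DirectAccess server group policy, so clients pick it up on their next policy refresh.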