#DirectAccess support for wildcard certificates
As you probably might know Forefront UAG DirectAccess deployment requires a public key infrastructure (PKI) to issue certificates to DirectAccess clients, the Forefront UAG DirectAccess server, and the network location server.
Certifcates used by DirectAccess can be catagorized by:
- Autoenrollment for computer certificates
- Manual enrollment for network location server and IP-HTTPS certificates
- Smart cards for additional authorization
Considerations for deploying Forefront UAG DirectAccess for your network location server and IP-HTTPS certificates is to enroll your certs manualy or using a wildcard certificate. As Forefront UAG 2010 RTM supports use of wildcard it is an option for DirectAccess.
Understanding Wildcard Certificates
A wildcard certificate is designed to support a domain and multiple subdomains. For example, configuring a wildcard certificate for *.contoso.com results in a certificate that will work for mail.contoso.com, web.contoso.com, and autodiscover.contoso.com.
Configuring DirectAccess wildcard use
During step 2 (UAG DirectAccess Configuration Wizard) the server certificate must be selected to authenticate DirectAccess clients. In this step you are able to select a wildcard certificat. After selecting the wildcard certifcate you will be prompt for input of the full name. In this example https://da.mydomain.com
Planning CAs and certificates for Forefront UAG DirectAccess SP1
Designing your PKI for Forefront UAG DirectAccess
Leave a Reply