How to Configure UAG to Publish Your Private Certificate Revocation List
[This article originally appeared in the Edge Man blog at http://blogs.technet.com/b/tomshinder/archive/2010/08/03/how-to-configure-uag-to-publish-your-private-certificate-revocation-list.aspx. Feel free to enhance and improve it! --Tom.]
In order for SSTP (Secure Socket Tunneling Protocol) and DirectAccess to work properly, the SSTP and DirectAccess client must have access to the CRL (Certificate Revocation List) of the server certificate (if you are using Client Certificate or Smart Card authentication, the client will also need access to the CRL).
If you are using an internal Microsoft Certificate Authority (CA), you can publish the CRL through UAG by following the procedure below:
Important Note:
If you are using a Microsoft Certificate Authority (CA), make sure the Root CA certificate (and, if you are using an intermediate CA, the intermediate CA certificate as well) is located in the Trusted Root Certification Authorities store of the Local Computer certificate store.
Steps to Publishing the CRL through UAG
Open the UAG Management Console, navigate to HTTP Connections, right-click it, and choose New Trunk.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/6177.clip_5F00_image002_5F00_thumb_5F00_2621B612.jpg
On the Welcome to the Create Trunk Wizard page click Next.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/6661.clip_5F00_image004_5F00_thumb_5F00_19475FF4.jpg
On the Step 1 – Select Trunk Type page, select the Portal trunk option and click Next.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/1881.clip_5F00_image006_5F00_thumb_5F00_16BE2E36.jpg
On the Step 2 – Setting the Trunk page, enter the Trunk name and the Public host name. This part is very important: you must enter exactly the host name used in the URL that you configured in the CDP (CRL Distribution Point) setting on your certificates. Then click Next.
Note:
External clients must be able to resolve the public host name.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/4848.clip_5F00_image008_5F00_thumb_5F00_78FCA376.jpg
On the Step 3 – Authentication page, choose any authentication repository (the choice is not relevant, because in a later step we will disable authentication for this trunk, since access to the CRL does not require authentication), then click Next.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/0825.clip_5F00_image010_5F00_thumb_5F00_49EA41D2.jpg
On the Step 4 – Endpoint Security page, click Next (you will disable Endpoint Security for this trunk later, so the choice made here is immaterial).
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/6518.clip_5F00_image012_5F00_thumb_5F00_125480E4.jpg
On the Step 5 – Endpoint Policies page, click Next.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/7181.clip_5F00_image014_5F00_thumb_5F00_7EC72142.jpg
On the Completing the Create Trunk Wizard page click Finish.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/6505.clip_5F00_image016_5F00_thumb_5F00_6E6BA989.jpg
Configure the New Trunk
Now we will add an Other Web Application (application specific hostname) application to the new trunk to publish the internal CRL.
In the UAG Management Console, click Add.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/4848.clip_5F00_image018_5F00_thumb_5F00_27A2107F.jpg
On the Step 1 – Select Application page select the Web option and then select the Other Web Application (application specific hostname) option from the drop down list. Click Next.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/5432.clip_5F00_image020_5F00_thumb_5F00_3C63E332.gif
On the Step 2 – Configure Application page enter the Application name and in the Application type text box, enter OtherWeb, then click Next.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/0247.clip_5F00_image022_5F00_thumb_5F00_79A497F9.jpg
On the Step 3 – Select Endpoint Policies page click Next.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/4786.clip_5F00_image024_5F00_thumb_5F00_6F23C3D9.jpg
On the Step 4 – Deploying an Application page click Next.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/1738.clip_5F00_image026_5F00_thumb_5F00_6436BCC4.jpg
On the Step 5 – Web Servers page, in the Addresses text box, enter the name of your internal IIS server that hosts the CRL. Change Paths to the path defined for the CRL Distribution Point, for example /CertEnroll/* (your CRL distribution point will likely have a different name; enter the path that you have defined for your CDP). Set the Public host name to the one configured in the CDP (CRL distribution point); this must be the same Public host name defined for the trunk. Click Next.
Note:
External clients should be able to resolve this name.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/7510.clip_5F00_image028_5F00_thumb_5F00_087BA147.gif
On the Step 6 – Authentication page, click Next.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/0247.clip_5F00_image030_5F00_thumb_5F00_53226914.jpg
On the Step 7 – Portal Link page click Next.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/2728.clip_5F00_image032_5F00_thumb_5F00_01B871F7.gif
On the Step 8 – Authorization page, click Next.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/0172.clip_5F00_image034_5F00_thumb_5F00_7E56DA4E.jpg
On the Completing the Add Application Wizard page, click Finish.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/5050.clip_5F00_image036_5F00_thumb_5F00_1C54E843.jpg
In the UAG Management Console, navigate to Initial application and choose the application you created (this allows access directly to the CRL rather than through the UAG default portal).
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/0268.clip_5F00_image038_5F00_thumb_5F00_0782EFC3.jpg
In the UAG Management Console, navigate to Trunk Configuration and choose Configure.
On the Authentication tab of the Advanced Trunk Configuration dialog box, clear Require users to authenticate at session logon.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/1667.clip_5F00_image040_5F00_thumb_5F00_48BDCC8F.gif
On the Sessions tab of the Advanced Trunk Configuration dialog box, enable the option “Disable component installation and activation”. You need to do this because the UAG client components are not required for publishing the CRL. Also enable the option “Disable scripting for portal applications”.
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-80-75-metablogapi/1667.clip_5F00_image042_5F00_thumb_5F00_6F0F8A0D.gif
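The two values that most often go wrong in the procedure above are the trunk's Public host name (Step 2 of the trunk wizard) and the published Paths (Step 5 of the application wizard): both must line up with the CDP URL inside the certificate. The following consistency check is an added example, not code from the original article or from UAG; the CDP URLs, host name and path in it are constructed sample values.

```python
"""Added example: check that the CRL Distribution Point (CDP) URLs of a
certificate are reachable through the UAG trunk/application configured in
the procedure above.  Sample values are constructed, not from a real CA."""
from fnmatch import fnmatch
from urllib.parse import urlsplit


def check_cdp_publication(cdp_urls, public_host_name, published_paths):
    """Return a list of (url, problem) tuples.  An empty list means every
    HTTP CDP URL is served by the published UAG application."""
    problems = []
    http_cdps = 0
    for url in cdp_urls:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme == "ldap":
            # LDAP CDPs only work on the intranet; external SSTP/DirectAccess
            # clients rely on the HTTP CDP, so this entry is skipped, not flagged.
            continue
        if scheme != "http":
            # The trunk was created under HTTP Connections; a CRL published over
            # HTTPS cannot be checked without first checking the revocation of
            # the HTTPS certificate itself, so only http:// CDPs are accepted.
            problems.append((url, "CDP scheme must be http"))
            continue
        http_cdps += 1
        host = (parts.hostname or "").lower()
        if host != public_host_name.lower():
            problems.append((url, "host does not match trunk public host name"))
        if not any(fnmatch(parts.path, pattern) for pattern in published_paths):
            problems.append((url, "path is not covered by the published application paths"))
    if http_cdps == 0:
        problems.append(("", "no http CDP URL in certificate"))
    return problems


# Constructed sample: CDP URLs as an internal CA might write them, plus the
# values entered in the UAG wizard (trunk host name and application path).
SAMPLE_CDPS = [
    "ldap:///CN=Corp-CA,CN=ca01,CN=CDP,CN=Public%20Key%20Services,DC=corp,DC=example?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "http://crl.example.com/CertEnroll/Corp-CA.crl",
]
TRUNK_PUBLIC_HOST = "crl.example.com"
PUBLISHED_PATHS = ["/CertEnroll/*"]

if __name__ == "__main__":
    for url, problem in check_cdp_publication(SAMPLE_CDPS, TRUNK_PUBLIC_HOST, PUBLISHED_PATHS):
        print(f"{problem}: {url}")
```

Run it against the CDP URLs shown by certutil or the certificate's Details tab; any output line points at the wizard field that needs to be corrected.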
This article was originally written by Tarun Sachdeva, Sr. Support Engineer.
Contact Tom for feedback or questions:
Tom Shinder
tomsh@microsoft.com
Microsoft ISD iX/SCD iX
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time): http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: http://twitter.com/tshinder
Facebook: http://www.facebook.com/tshinder