Welcome to ISAserver.org

What about CRL Checks for the Network Location Server?

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [Forefront Unified Access Gateway 2010] >> DirectAccess >> What about CRL Checks for the Network Location Server?

Page: [1]

Message

<< Older Topic Newer Topic >>

What about CRL Checks for the Network Location Server? - 12.Jul.2010 11:14:44 AM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

A key part of any DirectAccess solution is the Network Location Server (NLS). The NLS server is one that can accept SSL connections from machines configured as DirectAccess clients. If the DirectAccess client can connect to the NLS server on the intranet, then the client knows that it's on the intranet and turns off the Name Resolution Policy Table (NRPT) and resolves names using the DNS server configured on the DirectAccess client's NIC - which is going to be a DNS server that is configured to resolve intranet names.

If the Network Location Server isn't detected, then the DirectAccess client assumes that it's not on the intranet and leaves the NRPT enabled and resolves intranet names using the IPv6 address of the UAG DirectAccess server.

A couple of things that you need to know about the NLS server:
* It needs to be highly available
* The CRL of the issuer needs to be available

The CRL is important - if the DirectAccess client can't find the CRL, then it won't be able to connect to the NLS server's SSL site and the NLS check will fail and the client won't turn off the NRPT, which can cause significant problems with intranet name resolution.

So - make sure you have that internal CRL available, and even better, highly available!

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

Post #: 1

Featured Links*

RE: What about CRL Checks for the Network Location Server? - 12.Jul.2010 6:49:52 PM

Jason Jones

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline

...comes back to good PKI design, maybe a good PKI primer for DA would be a good blog subject

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)

Post #: 2

RE: What about CRL Checks for the Network Location Server? - 13.Jul.2010 11:19:51 AM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

I would vote for that!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)

Post #: 3

RE: What about CRL Checks for the Network Location Server? - 13.Jul.2010 7:13:11 PM

Jason Jones

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline

Ok, i'll add it to my list

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)

Post #: 4

RE: What about CRL Checks for the Network Location Server? - 14.Jul.2010 10:48:40 AM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

I bet that list is getting pretty long :)

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)

Post #: 5

RE: What about CRL Checks for the Network Location Server? - 14.Jul.2010 6:15:09 PM

Jason Jones

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline

Yep, you know me!

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)

Post #: 6

RE: What about CRL Checks for the Network Location Server? - 27.Sep.2010 11:37:02 AM