What about CRL Checks for the Network Location Server?

What about CRL Checks for the Network Location Server? - 12.Jul.2010 11:14:44 AM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
A key part of any DirectAccess solution is the Network Location Server (NLS). The NLS server is one that can accept SSL connections from machines configured as DirectAccess clients. If the DirectAccess client can connect to the NLS server on the intranet, then the client knows that it's on the intranet and turns off the Name Resolution Policy Table (NRPT) and resolves names using the DNS server configured on the DirectAccess client's NIC - which is going to be a DNS server that is configured to resolve intranet names.

If the Network Location Server isn't detected, then the DirectAccess client assumes that it's not on the intranet and leaves the NRPT enabled and resolves intranet names using the IPv6 address of the UAG DirectAccess server.

A couple of things that you need to know about the NLS server:
* It needs to be highly available
* The CRL of the issuer needs to be available

The CRL is important: if the DirectAccess client can't find the CRL, it won't be able to connect to the NLS server's SSL site, the NLS check will fail, and the client won't turn off the NRPT, which can cause significant problems with intranet name resolution.

So - make sure you have that internal CRL available, and even better, highly available!

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Post #: 1
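A diagnostic script for the failure mode Tom describes, added here as an example rather than anything from the original thread: it connects to the NLS site over TLS, pulls the CRL distribution points out of the NLS certificate, and tries to download each one from the network the client is currently on. The NLS host name and the sample certificate dict are constructed for illustration.

```python
"""Check whether a DirectAccess client on this network can complete the
NLS check: TLS to the NLS site, then fetch every HTTP CRL distribution
point (CDP) in the NLS certificate. An unreachable CRL means the NLS
check fails and the NRPT stays enabled."""
import socket
import ssl
import urllib.request

NLS_HOST = "nls.corp.example"  # hypothetical NLS FQDN, replace with yours

# Constructed sample in the shape ssl.getpeercert() returns, used for
# offline testing; the LDAP CDP is deliberately included to be ignored.
SAMPLE_CERT = {
    "subject": ((("commonName", "nls.corp.example"),),),
    "crlDistributionPoints": ("http://crl.corp.example/CorpCA.crl",
                              "ldap:///CN=CorpCA,CN=CDP,DC=corp,DC=example"),
}


def fetch_nls_cert(host, port=443, timeout=5):
    """Connect to the NLS site and return its certificate as a dict.
    Chain validation stays on; the CRL reachability check is done below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def crl_urls(cert):
    """HTTP(S) CRL distribution points only; LDAP CDPs are not tested here."""
    return [u for u in cert.get("crlDistributionPoints", ())
            if u.lower().startswith(("http://", "https://"))]


def http_reachable(url, timeout=5):
    """True if the CRL downloads with HTTP 200 from the current network."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except (OSError, ValueError):
        return False


def nls_check_outcome(cert, fetch=http_reachable):
    """Return (would_pass, {cdp_url: reachable}). Treated as passing when
    at least one CDP is reachable (Windows tries them in turn); a cert
    with no HTTP CDP at all is reported as failing rather than skipped."""
    results = {u: fetch(u) for u in crl_urls(cert)}
    return (any(results.values()), results)


if __name__ == "__main__":
    ok, detail = nls_check_outcome(fetch_nls_cert(NLS_HOST))
    for url, reachable in detail.items():
        print(("OK   " if reachable else "FAIL ") + url)
    print("NLS check would", "pass (NRPT disabled)" if ok else "fail (NRPT stays on)")
```

Run it from a client while on the intranet; a CRL the client has already cached can mask an unreachable CDP, so test from a freshly built machine or after clearing the CRL cache.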
RE: What about CRL Checks for the Network Location Server? - 12.Jul.2010 6:49:52 PM   
Jason Jones

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
...comes back to good PKI design. Maybe a good PKI primer for DA would be a good blog subject.

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 2
RE: What about CRL Checks for the Network Location Server? - 13.Jul.2010 11:19:51 AM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
I would vote for that!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 3
RE: What about CRL Checks for the Network Location Server? - 13.Jul.2010 7:13:11 PM   
Jason Jones

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
OK, I'll add it to my list.

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 4
RE: What about CRL Checks for the Network Location Server? - 14.Jul.2010 10:48:40 AM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
I bet that list is getting pretty long :)

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 5
RE: What about CRL Checks for the Network Location Server? - 14.Jul.2010 6:15:09 PM   
Jason Jones

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Yep, you know me!

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 6
RE: What about CRL Checks for the Network Location Server? - 27.Sep.2010 11:37:02 AM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
What's your next article going to be about?
Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 7