Replacing your expiring IP-HTTPS certificate

DirectAccess has the ability to utilize certificates in a couple of different ways. Depending on how you configure DA, there are different places that certificates may or may not be used, but one common variable in all DirectAccess implementations is IP-HTTPS. This is a transition technology that is always enabled on a DA server, and it requires an SSL certificate to work properly. IP-HTTPS traffic comes in from the Internet, and so I always recommend that the SSL certificate used for the IP-HTTPS listener should be one purchased from a public CA entity.

As with any SSL certificate, they are only valid for a certain time period. Typically, these certificates are purchased on a one-, two-, or three-year basis. This means that eventually, you will have to renew that certificate and figure out how to make DirectAccess recognize and utilize the new one. IP-HTTPS makes use of a web listener inside IIS, and so it is a natural assumption that, when you need to change your certificate, you do so inside IIS. This is an incorrect assumption. What's worse is that you can actually dig into the site inside IIS and change the certificate binding, and cause it to work for a while. This is not the correct place to change the certificate! If you simply change the binding inside IIS, your change will eventually be reversed and it will go back to using the old certificate. Unfortunately, I get calls quite regularly from customers who do this and then have all sorts of users unable to connect remotely because the DA server has reverted to using the old, now expired, certificate.

Let's work through this recipe together to configure our DirectAccess to utilize a new certificate that was recently purchased and installed onto our server.

Getting ready

We have DirectAccess up-and-running on our Windows Server 2016 Remote Access server. Our SSL certificate that we use for IP-HTTPS is about to expire and we have renewed it with our CA. The new copy of the certificate has already been downloaded and installed onto the server itself, so now we just need to figure out where it needs to be adjusted for DirectAccess to start using it.

How to do it…

To adjust the DirectAccess configuration to start using a new certificate for the IP-HTTPS listener, follow these steps:

  1. Open Remote Access Management Console on your DirectAccess server.
  2. In the left window pane, browse to Configuration | DirectAccess and VPN.
  3. Under Step 2 of the configuration, click on Edit….

  4. Click Next.
  5. You will now see the currently assigned certificate for IP-HTTPS. This is the certificate that is about to expire. Go ahead and click on the Browse… button.

  6. Now simply choose the new certificate with the new expiration date from the newly opened list of available certificates.
  7. Click Next a couple more times to finish up the Step 2 wizard.

    Tip

    Keep in mind that the IP-HTTPS certificate is a per-node setting. If you have an array of multiple DirectAccess servers, you make all changes from the primary server's console, but you must install the certificate on each server and then make the certificate change on each node separately within the configuration.

  8. At this point, nothing has actually been changed with the live configuration. To make this change active, you need to press the Finish… button, which is near the bottom of Remote Access Management Console.

  9. If everything in the review looks good, click on Apply, and this will push your changes into action. The new certificate is now in place and working to validate those IP-HTTPS connections.
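The same change can be scripted instead of clicked through. The following is an added example, not part of the original recipe, using the RemoteAccess PowerShell module (Get-RemoteAccess and Set-RemoteAccess -SslCertificate). It assumes the script runs elevated on the primary DirectAccess server, that the renewed certificate (with its private key) is already in the local machine Personal store of every array member with the same thumbprint, and that the listener name and node list at the top are replaced with your own; the property name SslCertificate on the Get-RemoteAccess output and the -ComputerName behaviour for array nodes are stated from the module as I know it, not from the recipe.

```powershell
# Added example (not from the recipe): swap the IP-HTTPS certificate with the RemoteAccess module.
# Assumptions: the renewed certificate is already in Cert:\LocalMachine\My on every DA server,
# $IpHttpsName is your public listener name, and this runs elevated on the primary DA server.
Import-Module RemoteAccess

$IpHttpsName = 'directaccess.contoso.com'   # public DNS name of the IP-HTTPS listener (name used in the recipe)
$Nodes       = @($env:COMPUTERNAME)          # add the other array members here, e.g. 'DA-02' (assumed names)

function Get-NewestListenerCertificate {
    param([Parameter(Mandatory)][string]$DnsName)
    # Candidates must carry a private key and still be valid today; take the one expiring last
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.Subject -match "CN=$([regex]::Escape($DnsName))" -or $_.DnsNameList.Unicode -contains $DnsName)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

$current = (Get-RemoteAccess).SslCertificate     # what the DA configuration (not IIS) currently holds
$new     = Get-NewestListenerCertificate -DnsName $IpHttpsName

if (-not $new) {
    throw "No valid certificate for $IpHttpsName with a private key found in Cert:\LocalMachine\My"
}
if ($current -and $new.Thumbprint -eq $current.Thumbprint) {
    Write-Warning "The newest matching certificate is already in use (expires $($new.NotAfter)); nothing to do"
    return
}

Write-Host "Replacing $($current.Thumbprint) (expires $($current.NotAfter))"
Write-Host "with      $($new.Thumbprint) (expires $($new.NotAfter))"

foreach ($node in $Nodes) {
    # Per-node setting, as the recipe's tip says: apply it to every array member from the primary
    Set-RemoteAccess -SslCertificate $new -ComputerName $node
}

# Confirm the configuration itself was updated; the IIS binding is not the source of truth
(Get-RemoteAccess).SslCertificate | Format-List Subject, Thumbprint, NotBefore, NotAfter
```

Because the script reads the thumbprint back from Get-RemoteAccess rather than from the IIS site, a later reversion of a hand-edited IIS binding (the failure mode described at the top of this recipe) cannot fool the check.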

How it works…

Replacing the SSL certificate that is used by IP-HTTPS is a regular and necessary task for any DirectAccess server administrator, but one that only comes maybe once per year. This generally means that, by the time your certificate expiration date rolls around, you have probably forgotten where this setting is in the configuration. I hope this recipe can be a quick reference to alleviate that worry.

I always check the certificate from outside the network after making the change to ensure the new certificate is really the one that is now live on the system. Take a computer outside of your network on the Internet and browse to a page that does not exist under the public DNS name of your DirectAccess server. For example, if the public DNS record that you are using on your server is directaccess.contoso.com, try browsing to https://directaccess.contoso.com/test. You can expect to get a 404 error because the page we are requesting doesn't actually exist, but when you get the 404 error you have the ability (depending on what browser you are using; I tend to prefer Chrome for this task) to view which certificate is being used to validate your web traffic. Click to view the certificate details and make sure that it is your new certificate with the newest validity dates. Further, if you encounter any kind of certificate warning message when you are trying to browse to this test website, this probably indicates that there is some kind of problem with the certificate and you may need to investigate it further.
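The browser check above can also be done from a script on an Internet-connected machine, which makes it easy to repeat after every renewal or to schedule as a monitor. The following is an added example and not part of the original recipe: it opens a TLS connection to the listener, reads the certificate actually served, and reports whether it is the thumbprint you expect, how long it has left, whether its name matches the host, and whether it chains to a trusted root (the script equivalent of "no certificate warning"). The host name and thumbprint passed at the bottom are placeholders to replace with your own.

```powershell
# Added example (not from the recipe): check from outside which certificate the listener is serving.
# Assumed inputs: the public DNS name of the DA server and the thumbprint of the renewed certificate.
function Get-IpHttpsListenerCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback returns $true so we can read whatever certificate is offered;
        # trust is evaluated separately below rather than assumed here.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    }
    finally {
        $client.Close()
    }
}

function Test-IpHttpsListenerCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $cert = Get-IpHttpsListenerCertificate -HostName $HostName

    # subjectAltName (OID 2.5.29.17) lists the DNS names the certificate is valid for
    $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = if ($san) { $san.Format($true) } else { $cert.Subject }
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()

    [pscustomobject]@{
        HostName      = $HostName
        Thumbprint    = $cert.Thumbprint
        IsExpected    = ($cert.Thumbprint -eq $expected)          # is the NEW certificate really live?
        NotAfter      = $cert.NotAfter
        DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
        NameMatches   = [bool]($names -match [regex]::Escape($HostName))
        ChainValid    = $cert.Verify()                            # false means a browser would warn
        Issuer        = $cert.Issuer
    }
}

# Run this from a machine on the Internet, not from inside the corporate network
Test-IpHttpsListenerCertificate -HostName 'directaccess.contoso.com' -ExpectedThumbprint 'PASTE-NEW-THUMBPRINT-HERE'
```

A result with IsExpected false but a still-valid ChainValid is exactly the "IIS binding reverted to the old certificate" situation from the introduction, caught before the old certificate expires rather than after users start failing to connect; a DaysRemaining value that keeps shrinking after a renewal tells you the same thing.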
