
We have deployed DirectAccess in our network for our Windows 7/10 clients, which works great. The issue is, the DA server/client certificates are based on an internal PKI we are retiring; we have built another PKI (two-tier, offline root CA and subordinate CA) that we are migrating all our certificates to.

The issue I have is migrating our DA infrastructure over to the new PKI. I will need to issue a new computer certificate template to the client computers (alongside the old computer certificate to keep their existing DA capabilities); then once all the clients have a computer certificate from the new PKI, I will update the certificate on the DA server.

The issue (or lack of knowledge) I am having is what happens then? Will clients be able to reconnect to the DA server using the new certificates issued by the new PKI?

Or will this break badly until they are on the network to get the latest GPUPDATE?

Anyone who has gone through something like this want to share their experience? What is my best course of action?

1 Answer


If you are migrating to an entirely new PKI hierarchy (as opposed to issuing from a new subordinate CA in an existing hierarchy) this will be disruptive to clients that are outside the network when you make this change. As soon as you specify the new root CA in the Remote Access Management console, all current DirectAccess client connections will be dropped. The only way to re-establish connections will be to come back to the internal network and update group policy. Alternatively, remote clients could connect with VPN and update group policy. If you want to migrate PKI without interruption you will have to deploy a separate instance of DirectAccess configured to use the new PKI. You can then migrate clients from the old to the new DirectAccess deployment and retire the old one after everyone has been successfully migrated.

Let me know if you have any additional questions! :)

--Rich

  • Hi Rich, thanks for the response. This was my thought as well; however, I did receive a slightly different response on the MS TechNet forums that states changing the IP-HTTPS certificate is a disruptive operation, however changing the root/intermediate CA is not, so long as the clients that use DA have ... https://social.technet.microsoft.com/Forums/forefront/en-US/1c2a627e-0672-44d7-8281-aeaf45f39044/replacing-existing-iphttps-directaccess-serverclient-certificates-with-new-pki Also, your guides on setting up DA are amazing; your site was a very important resource when I learned about DA. –  Dec 20 '16 at 17:55
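Whichever of the two positions above turns out to apply to your deployment, the risk the answer describes is the same: a remote client whose machine certificate does not chain to the root CA the DA server trusts cannot re-authenticate IPsec after the cutover and has no way to pull new group policy. The script below is an added example, not code from the question, the answer or Microsoft; it runs on a DirectAccess client and reports which certificates in the machine store chain to the new root CA, so you can confirm every client already holds a certificate from the new PKI before switching the root on the server. The root thumbprint is a placeholder you replace with your own.

```powershell
# Added example: per-client readiness check before a DirectAccess PKI cutover.
# Not part of the original post. Assumes: you run it on (or remotely against)
# a DA client, and you know the thumbprint of the NEW offline root CA.
$NewRootThumbprint = 'REPLACE-WITH-NEW-ROOT-CA-THUMBPRINT'   # placeholder, not a real value

function Get-DaCertificateReadiness {
    param([Parameter(Mandatory)][string]$RootThumbprint)

    # Normalise a thumbprint copied from certlm.msc (spaces, lower case)
    $wanted = ($RootThumbprint -replace '\s', '').ToUpperInvariant()

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # Build the chain the way Windows would for machine authentication.
        # Revocation is skipped here because a remote client may not reach the CRL;
        # the point is to see which ROOT the certificate resolves to.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($cert)

        $rootThumb = ''
        if ($chain.ChainElements.Count -gt 0) {
            # The last element of a built chain is the root (trusted or not)
            $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
        }
        $chain.Dispose()

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            ChainValid     = $built            # False if the root is not yet in Trusted Root CAs
            RootThumbprint = $rootThumb
            ChainsToNewPki = ($rootThumb -eq $wanted)
        }
    }
}

$report = Get-DaCertificateReadiness -RootThumbprint $NewRootThumbprint
$report | Format-Table Subject, ChainsToNewPki, ChainValid, NotAfter -AutoSize

if (-not ($report | Where-Object ChainsToNewPki)) {
    Write-Warning 'No machine certificate chains to the new root CA yet; this client would lose DirectAccess once the server is switched to the new root.'
}
```

Run it locally on a test client first, then fan it out with Invoke-Command from a management host while clients are still reachable. A client that shows ChainsToNewPki = True but ChainValid = False has the new certificate but not yet the new root in its Trusted Root store, which is exactly the group-policy dependency the answer warns about; hold the server-side cutover until that column is True across the fleet.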