Multiple OTP CAs provide failover when a request to an OTP CA fails, for example when a CA is non-responsive or misconfigured. When multiple CAs are configured in the Two-Factor Authentication optional settings of the Forefront UAG DirectAccess Configuration Wizard, the following takes place when OTP certificates are issued or renewed:
All selected CAs must chain to a common parent OTP CA. The common parent OTP CA is the CA that appears in the DirectAccess IPsec connectivity rules as the issuer whose certificates open the intranet tunnel; the wizard derives it from the CAs you specify rather than asking you to name it. In a single OTP CA deployment the dedicated OTP CA is itself treated as the common parent CA. Figure 1 shows a CA deployment with a common parent OTP CA and three dedicated OTP CAs: SubCA1, SubCA2 and SubCA3. Figure 2 shows the configuration of these CAs in the DirectAccess wizard. Figure 3 shows how the common parent CA appears in Group Policy in the DirectAccess intranet IPsec tunnel.
Figure 1: CA deployment with a common parent OTP CA and three dedicated OTP CAs (SubCA1, SubCA2, SubCA3)
Figure 2: Configuration of these CAs in the DirectAccess wizard
Figure 3: The common parent CA as it appears in the Group Policy IPsec rule for the DirectAccess intranet tunnel
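The following PowerShell script is an added example, not part of this page or of the Forefront UAG product, that performs the same check the wizard performs: it builds the certificate chain of each selected OTP issuing CA from the local machine store and reports the lowest CA present in every chain, which is the common parent that would end up in the IPsec rule. With a single CA it returns that CA itself, matching the single-CA case described above. The thumbprints are placeholders that you would replace with those of your own OTP CAs, and the script assumes the issuing and parent CA certificates are installed in the Intermediate Certification Authorities or Trusted Root Certification Authorities stores of the machine you run it on.

```powershell
# Added example (not from the page): find the common parent CA of a set of OTP issuing CAs.
# Replace the placeholder thumbprints with those of the CAs you select in the wizard.
$otpCaThumbprints = @(
    '0000000000000000000000000000000000000001',  # SubCA1 (placeholder)
    '0000000000000000000000000000000000000002',  # SubCA2 (placeholder)
    '0000000000000000000000000000000000000003'   # SubCA3 (placeholder)
)

function Get-CaChain {
    # Returns the certificate itself followed by its issuers up to the root.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only the hierarchy matters here, so skip revocation checking and tolerate an untrusted root.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void]$chain.Build($Cert)
    foreach ($element in $chain.ChainElements) { $element.Certificate }
}

function Find-CommonParentCa {
    param([string[]]$Thumbprints)
    $chains = @()
    foreach ($tp in $Thumbprints) {
        $cert = Get-ChildItem -Path Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
                Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
        if (-not $cert) { throw "Issuing CA with thumbprint $tp was not found in the local machine store." }
        $chains += ,(@(Get-CaChain -Cert $cert))
    }
    # Walk the first chain bottom-up; the first certificate that appears in every chain
    # is the lowest common ancestor. For a single CA this is the CA itself.
    foreach ($candidate in $chains[0]) {
        $inAll = $true
        foreach ($c in $chains) {
            if (-not ($c | Where-Object { $_.Thumbprint -eq $candidate.Thumbprint })) { $inAll = $false; break }
        }
        if ($inAll) { return $candidate }
    }
    return $null
}

$commonParent = Find-CommonParentCa -Thumbprints $otpCaThumbprints
if ($commonParent) {
    "Common parent OTP CA: $($commonParent.Subject) [$($commonParent.Thumbprint)]"
} else {
    # The wizard requires a common parent; this set of CAs would not be accepted.
    Write-Error "The selected OTP CAs do not chain to a common parent CA."
}
```

Run the script on the UAG server before you pick CAs in the wizard: if it reports a common parent, that is the CA you should expect to see in the intranet tunnel rule in Group Policy (Figure 3); if it reports none, the CAs you chose come from different hierarchies and the wizard will not be able to configure the IPsec rule.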
When multiple CAs are configured:
Reviewed by Ziv Ayalon