Specifying how endpoints request certificates
Updated: February 1, 2011
Applies To: Unified Access Gateway
If you are deploying certified endpoints using certificates issued from a local certification authority (CA), after the Certified Endpoint Enrollment application is added to the trunk, you must add the appropriate tools to the end-user pages. The available tools depend on whether you are using the default portal home page or your own custom page.
If you are using the default portal home page, the following happens automatically:
The Certified Endpoint button is added to the Forefront UAG toolbar.
A Certified Endpoint link is added to the portal home page.
If you are using a custom page, you must ensure that one or both of the following happen, so that end users can request certified endpoint status:
The Forefront UAG toolbar is added to the custom page. When the toolbar is added, the Certified Endpoint button is automatically added to the page.
A Certified Endpoint link is added to the custom page.
For a client endpoint to be considered as a certified endpoint, end users must do the following:
Submitting a certificate request: Submit a request for a certificate to be issued and the endpoint to be considered as a certified endpoint.
Checking the request status: If defined in the certification authority policy, end users check whether the request for certified endpoint status was approved. If the certified endpoint status was approved, end users install the certificate.
Note
The Certified Endpoint button is not displayed on handheld devices. To grant certified endpoint status to such a device, you should request certified endpoint status on a remote computer, ensure that the certificate is created with the option to export the private key, then after the request has been approved, install the certificate on the remote computer and export it to the handheld device. Ensure that you include the private key when you export the certificate.
Installing and logging in as a certified user
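For the handheld-device case in the note above, the export step can be scripted on the remote computer so that the resulting file is checked for the private key before it is copied to the device. This is an added example, not part of the Forefront UAG documentation; it assumes a Windows version that includes the Export-PfxCertificate cmdlet, that the certificate was installed in the current user's Personal store, and the thumbprint and output path are placeholders.

```powershell
# Added example (not from the Forefront UAG documentation).
# Assumptions: the certified endpoint certificate is in Cert:\CurrentUser\My
# on the remote computer; $Thumbprint and $PfxPath are placeholders.
param(
    [string]$Thumbprint = '<THUMBPRINT-OF-CERTIFIED-ENDPOINT-CERTIFICATE>',
    [string]$PfxPath    = "$env:USERPROFILE\certified-endpoint.pfx"
)

# Locate the installed certificate by thumbprint.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "Certificate $Thumbprint was not found in CurrentUser\My."
}

# Without the private key the handheld device cannot use the certificate
# for client authentication.
if (-not $cert.HasPrivateKey) {
    throw 'The certificate has no private key on this computer.'
}

# Prompt for the password so it never appears in the script or in history.
$password = Read-Host -Prompt 'Password for the PFX file' -AsSecureString

# This call fails if the key was not marked exportable when the certificate
# was requested, which is the condition the note asks you to ensure.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password |
    Out-Null

# Re-open the exported file and confirm the private key is really inside it.
$check = New-Object `
    System.Security.Cryptography.X509Certificates.X509Certificate2(
        $PfxPath, $password)
if (-not $check.HasPrivateKey) {
    throw 'The exported PFX file does not contain the private key.'
}
"Exported '$($check.Subject)' with its private key to $PfxPath"
```

The PFX file holds the private key, so delete it from the remote computer and from any transfer media after the certificate is installed on the handheld device.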
Submitting a certificate request
End users can submit a request for a certificate, as follows.
To submit a request to make a computer a Certified Endpoint
The end user accesses the portal, and then clicks the Certified Endpoint button or link. The Certified Endpoint - User Information window is displayed.
The end user enters the required user information. Note that required fields may vary according to the settings defined during configuration of the certified endpoint feature.
At the bottom right corner of the screen, the end user clicks Submit. A message is displayed, prompting the end user to confirm the request for a certificate.
The end user clicks Yes to request a certificate. Depending on your organization’s certification policy, one of the following messages is displayed to the end user:
If the certificate is issued immediately, the end user is notified that the certificate was issued, and is prompted to install the certificate. The end user can then access the portal as a certified client endpoint.
If the certificate is not issued immediately, the end user is notified that the request is in progress. Note that the client endpoint is not yet certified, and the end user will continue to use existing portal options. Within the period of time specified on the Certified Endpoint window, the end user should use the same browser to check the status of the request.
Checking the request status
End users can check request status, as follows.
To check whether the request for Certified Endpoint status was approved
The end user accesses the portal, and then clicks the Certified Endpoint button or link.
A message is displayed in the Certified Endpoint window. If the message states Certified Issued, the end user can install the certificate and log in as a certified endpoint user. If the message Certified Endpoint Request in Progress is displayed, the end user must continue to check within the period of time specified on the Certified Endpoint window, using the same browser. The message Certified Endpoint Request Denied indicates that the request is denied.
Installing and logging in as a certified user
After certified endpoint status has been approved and a certificate issued, end users must install the certificate on the client endpoint to complete the certified endpoint process, as follows.
To install the certificate and log in as a Certified Endpoint user
The end user accesses the portal, and then clicks the Certified Endpoint button or link. The Certified Endpoint - Certificate Issued window is displayed.
The end user clicks Install this certificate to add the certificate to the client endpoint. If the browser is Windows Internet Explorer, the certificate is installed on the end user's computer. If a different browser is used, a certificate download dialog box is displayed.
When the end user clicks OK, the certificate is installed on the client endpoint. After the certificate is installed, the Certified Endpoint window indicates that the endpoint is certified.
The end user clicks Close to close the Certified Endpoint window. The client endpoint is not granted certified endpoint privileges.
The end user closes all open browser windows, and then reaccesses the portal and logs in. The Client Authentication dialog box is displayed.
The end user selects a certificate from the list, and then clicks OK. This completes the logon process. The Certified Endpoint button or link is no longer available.
Tip
If your portal home page includes the toolbar, the end user can click the System Information button to open the System Information window and verify the certified endpoint status.