Install and Configure IIS for a Network Location Server Certificate

Updated: October 7, 2009

Applies To: Windows Server 2008 R2


This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (

The network location server uses a Secure Sockets Layer (SSL) certificate to authenticate Secure Hypertext Transfer Protocol (HTTPS)-based requests from DirectAccess clients. The SSL certificate has a customized subject name.

To complete these procedures, you must be a member of the local Administrators group, or otherwise be delegated permissions to request an SSL certificate and to configure certificate settings for Internet Information Services (IIS). Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

In this procedure, you request and customize an SSL certificate.

To obtain an additional SSL certificate for network location

  1. On the network location server, click Start, type mmc, and then press ENTER.

  2. Click File, and then click Add/Remove Snap-in.

  3. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.

  4. In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal\Certificates.

  5. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

  6. Click Next twice.

  7. On the Request Certificates page, click the Web Server certificate template, and then click More information is required to enroll for this certificate.

    If the Web Server certificate template does not appear, ensure that the network location server computer account has enroll permissions for the Web Server certificate template. For more information, see Configure Permissions on the Web Server Certificate Template.

  8. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common Name.

  9. In Value, type the fully qualified domain name (FQDN) of the network location server (for example,, and then click Add.

  10. Click OK, click Enroll, and then click Finish.

  11. In the details pane of the Certificates snap-in, verify that a new certificate with the FQDN was enrolled with Intended Purposes of Server Authentication.

In this procedure, you configure the HTTPS security binding on the network location server to use the new SSL certificate.

To configure the HTTPS security binding

  1. On the network location server, click Start, type inetmgr.exe, and then press ENTER.

  2. In the console tree of Internet Information Services (IIS) Manager, open the site that contains the network location Web page.

  3. In the Actions pane, click Bindings.

  4. In the Site Bindings dialog box, click Add.

  5. In the Add Site Binding dialog box, in Type, click https. In SSL Certificate, click the certificate with the FQDN.

  6. Click OK, and then click Close.

If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to return to the checklist.