Direct Access for Dummies (TechDays 2012)
Alex de Jong, Microsoft Freelance

Agenda
• Direct Access Overview
• Direct Access Basics
• So how does it work
• Cool, I want that… How do I build it?
• Where do I start from here?

Direct Access is the ultimate VPN solution that is one of the enablers for the New Way of Work.

Direct Access benefits
• Improved Productivity
– Helps improve the productivity of remote staff by providing the same, always-on connectivity experience whether users are inside or outside the corporate network.
• Secure Connectivity
– Leverages IPsec for authentication and encryption.
– Provides the ability to apply granular policy control over access to resources, applications, and servers.
– Integrates with Microsoft Server and Domain Isolation, Network Access Protection (NAP), and BitLocker solutions, resulting in security, access, and health requirement policies that seamlessly interoperate between intranets and remote computers.

Direct Access Benefits (cont’d)
• Greater Manageability
– Helps ensure that machines both on the network and off are always healthy, managed, and up-to-date.
– Provides administrators with the ability to update Group Policy settings and distribute software updates any time a remote computer has Internet connectivity, even if the user is not logged on.
– Helps ensure that organizations can meet regulatory and privacy mandates for security and data protection for assets that must roam beyond the corporate network.

DEMO: Direct Access Benefits

Direct Access complex?

Direct Access Basics
• Authentication
– DirectAccess authenticates the computer, enabling the computer to connect to the intranet before the user logs on. DirectAccess can also authenticate the user and supports two-factor authentication using smart cards.
• Encryption
– DirectAccess uses IPsec to provide encryption for communications across the Internet.
• Access Control
– IT professionals can configure which intranet resources different users can access using DirectAccess, granting DirectAccess users unlimited access to the intranet or only allowing them to use specific applications and access specific servers or subnets.

Direct Access Basics (cont’d)
• IT Simplification and Cost Reduction
– DirectAccess separates intranet from Internet traffic, which reduces unnecessary traffic on the corporate network by sending only traffic destined for the corporate network through the DirectAccess server. Optionally, IT can configure DirectAccess clients to send all traffic through the DirectAccess server.

DirectAccess: a VPN on Steroids (diagram)
• Always On
• Automatically connects through NAT and firewalls
• Patch management, health check and GPOs pre log on
• Network level computer/user authentication and encryption
• DirectAccess extends the network to the remote computer and user; VPNs connect the user to the network

End-to-End IPv6 (diagram)
Are all your applications IPv6 compatible? The diagram shows the client app on the Internet talking IPv6 end to end to the server app in the corporate intranet: client and server applications must be IPv6 compatible.

Maybe not so simple? (diagram)
• Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4
• Internet tunnelling selection based on client location – Internet, NAT, firewall
• Encryption/authentication of Internet traffic (end-to-edge/end-to-end)
• Client location detection: Internet or corporate intranet

Connectivity Summary (diagram)
Internet side (client to DirectAccess server across the IPv4 Internet):
• Native IPv6 where the client has it
• 6to4 tunnel: IPv6 in IPv4 protocol 41
• Teredo tunnel: IPv6 in UDP port 3544 (client behind NAT)
• IPHTTPS tunnel: IPv6 in HTTPS (used when UDP port 3544 is blocked)
Intranet side (DirectAccess server / Forefront Unified Access Gateway (UAG) to the corporate network):
• ISATAP: IPv6 in IPv4 protocol 41 across the IPv4 intranet
• NAT64/DNS64 towards IPv4-only servers

What is 6to4
• 6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels. Special relay servers are also in place that allow 6to4 networks to communicate with native IPv6 networks.

What is Teredo
• Teredo is a transition technology that gives full IPv6 connectivity for IPv6-capable hosts which are on the IPv4 Internet but which have no direct native connection to an IPv6 network. Compared to other similar protocols its distinguishing feature is that it is able to perform its function even from behind network address translation (NAT) devices such as home routers.

What is IPHTTPS
• The IP over HTTPS (IP-HTTPS) Protocol allows for a secure IP tunnel to be established using a secure HTTP connection.

What is ISATAP
• ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network.
• ISATAP defines a method for generating a link-local IPv6 address from an IPv4 address, and a mechanism to perform Neighbor Discovery on top of IPv4.

Connectivity Summary (the connectivity summary diagram shown earlier is repeated here)

DEMO: Direct Access

Client Location (diagram)
• To resolve names on the Internet, the DirectAccess host queries DNS 1 (the DNS address configured on its IP interface, on the Internet).
• To resolve names on the intranet, the DirectAccess host queries DNS 2 (in the corporate intranet, holding the corp.example.com zone).

End-to-Edge Access Model
For end-to-edge protection, DirectAccess clients establish an IPsec session to an IPsec gateway server (which by default is the same computer as the DirectAccess server). The IPsec gateway server then forwards unprotected traffic, shown in red in the diagram, to application servers on the intranet. This architecture works with any IPv6-capable application server but does not require that server to run IPsec, simplifying the configuration and setup.

End-to-Edge with End-to-End IPsec Model
For end-to-edge with end-to-end IPsec protection, DirectAccess clients establish an IPsec session to an IPsec gateway server, and that IPsec traffic continues all the way to the intranet server for end-to-end IPsec protection. This architecture provides better security than the end-to-edge model alone.

End-to-End IPsec Access Model
With end-to-end IPsec protection, DirectAccess clients establish an IPsec session through the DirectAccess server to each application server to which they connect. This provides the highest level of security because you can configure access control on the DirectAccess server and extend IPsec all the way to the internal server. This architecture requires that application servers run Windows Server 2008 SP2 or Windows Server 2008 R2 and use both IPv6 and IPsec.

Steps
• Enable IPv6 internally (ISATAP)
• Network Location Server
• Client Groups
• Firewall Settings on clients
• Certificate Auto Enrollment
• Direct Access Server
• Finalize
• Test

1: Enabling IPv6 in the Enterprise
• Using ISATAP
• On all internal DCs: Dnscmd /config /globalqueryblocklist wpad
(The DNS server's global query block list contains both wpad and isatap by default; setting it to wpad alone lets clients resolve the ISATAP router name.)
(Diagram: the DirectAccess server on Server 2008 R2 speaks IPv6 to the clients; line of business applications on Windows Server 2008/R2 are reached over IPv4 and IPv6.)

2: Configuring NLS
• Any INTERNAL server running Web services
• Create a DNS name (like nls.yourdomain.com)
• Associate this new NLS DNS name to an IP Address of an Internal Web server
NLS tells the DirectAccess clients whether they are “inside” or “outside” of the network. *** Make sure this system is HIGHLY available!!! ***

3: Create Group(s) for the DA Clients
• Create a security group (Global or Universal)
• Add Win7 client systems into this group
Remember, systems are no longer really part of a “site” as they are now universally roaming systems. So you define the group of systems by policy of what you want the systems to have access to, not where they arbitrarily are.

4: Windows Firewall for DA
• Allow inbound and outbound ICMPv6 Echo Request messages
• Create a Group Policy or configure each system individually

5: Configuring the NLS
• Enroll the server with a certificate and configure for SSL access

6: Certificate Auto-Enrollment
• Make sure all systems in the Direct Access group of client systems have a valid client authentication certificate

7: Install & Config Direct Access
• Add a certificate to the DirectAccess server
• Add the DirectAccess feature on the server
• Run the DirectAccess setup

8: Finalizing Configurations
• Run gpupdate /force on all systems to make sure new policies have been applied (servers for firewall policy, clients for firewall and certificate auto-enrollment policies)
• Stop/Start the iphlpsvc (IP Helper service) on all servers and test to make sure that all systems can resolve the isatap.yourdomain.com DNS entry that was created during the DirectAccess setup wizard
• Use ping (ipaddress) -6 to make sure you can ping servers and systems internally
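Steps 1 to 8 each leave something that can be verified before the clients are sent outside: the DNS block list on every DC no longer contains isatap, the ISATAP router name resolves, the NLS answers over HTTPS with a certificate the caller trusts, the client group is populated, and a client authentication certificate has been enrolled. The following PowerShell script is an added example (not part of the deck) that runs those checks from an elevated prompt on a domain-joined host that has dnscmd (a DC or RSAT). The DC, NLS, ISATAP and group names are placeholders for your environment, and the expected dnscmd output format ("String:  wpad" lines) is an assumption.

```powershell
# Pre-flight checks for the build steps above. Added example; names are placeholders.

function Test-DnsBlockList {
    param([string]$DnsServer)
    # Assumed output format: one "String:  <entry>" line per block-list entry.
    $out = & dnscmd $DnsServer /info /globalqueryblocklist 2>&1 | Out-String
    $entries = @([regex]::Matches($out, '(?im)^\s*String:\s*(\S+)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() })
    New-Object PSObject -Property @{
        Server           = $DnsServer
        BlockList        = ($entries -join ',')
        IsatapResolvable = ($entries -notcontains 'isatap')   # step 1
    }
}

function Test-IsatapRouterName {
    param([string]$Name)
    try { $addr = @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }) }
    catch { $addr = @() }
    New-Object PSObject -Property @{ Name = $Name; Addresses = ($addr -join ','); Resolves = ($addr.Count -gt 0) }
}

function Test-NlsEndpoint {
    param([string]$Url)
    # Clients decide "inside" by reaching this URL over HTTPS; an untrusted or
    # mismatched certificate surfaces here as an exception from GetResponse().
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Method = 'HEAD'
        $resp = $req.GetResponse()
        $ok = ([int]$resp.StatusCode -eq 200)
        $resp.Close()
        New-Object PSObject -Property @{ Url = $Url; Reachable = $ok; Error = $null }
    } catch {
        New-Object PSObject -Property @{ Url = $Url; Reachable = $false; Error = $_.Exception.Message }
    }
}

function Get-ClientGroupMembers {
    param([string]$GroupName)
    # Step 3: the DA client security group should contain the Win7 machines
    $searcher = [adsisearcher]"(&(objectCategory=group)(cn=$GroupName))"
    $group = $searcher.FindOne()
    if ($group -eq $null) { return @() }
    return @($group.Properties['member'])
}

function Get-ClientAuthCertificates {
    # Step 6: a valid machine certificate carrying the Client Authentication EKU
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ekus = @($_.Extensions | Where-Object { $_ -is $ekuType } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
        ($ekus -contains '1.3.6.1.5.5.7.3.2') -and ($_.NotAfter -gt (Get-Date))
    }
}

# Placeholders: replace with your DCs, NLS URL, ISATAP name and client group.
$DomainControllers = @('dc1.yourdomain.com', 'dc2.yourdomain.com')
$DomainControllers | ForEach-Object { Test-DnsBlockList $_ } | Format-Table -AutoSize
Test-IsatapRouterName 'isatap.yourdomain.com' | Format-List
Test-NlsEndpoint 'https://nls.yourdomain.com/' | Format-List
'Client group members: ' + (Get-ClientGroupMembers 'DirectAccess Clients').Count
Get-ClientAuthCertificates | Select-Object Subject, NotAfter
```

The NLS probe is deliberately run with normal certificate validation: if it fails here with a trust error, clients will fail the same way and conclude they are outside the network even when they are on the LAN.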

9: Testing DA: Internal
• With the client system internal, run IPConfig and check to make sure you have a local address

10: Testing DirectAccess (External)
• With the client system external, run IPConfig and check to make sure you have an external IP address
• Access a file on a fileserver or SharePoint using an internal http(s) connection

11: Testing DA: IPHTTPS
• Step 10 tested external access using the automatically generated Teredo 2001: address
• Now, to verify that external access is working using IP-HTTPS, disable Teredo:
– Netsh interface teredo set state disable
– Netsh interface httpstunnel show interfaces
• Re-access your fileserver and your Web server with an internal address, and see if you still have access now over IP-HTTPS
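Steps 9 to 11 are the same checks repeated from inside and outside: where the client thinks it is, which tunnel is carrying IPv6, and whether internal resources answer. The following PowerShell function is an added example (not from the slides) that collects those answers in one object so the test can be rerun before and after the Teredo change. It is read-only: it reports the Teredo and IP-HTTPS state but leaves the slide's "netsh interface teredo set state disable" as the manual step it is. The internal host and URL are placeholders, and the netsh output strings it matches ("Machine Location", "Direct Access Settings", "State", "IPHTTPS interface active") are assumptions about the Windows 7 output.

```powershell
# Client-side DirectAccess state, run from an elevated PowerShell on a Win7 client.
# Added example; InternalHost/InternalUrl are placeholders for your environment.
function Get-DaClientState {
    param(
        [string]$InternalHost = 'fileserver.yourdomain.com',
        [string]$InternalUrl  = 'https://intranet.yourdomain.com/'
    )
    $result = @{}

    # 1. Location as decided by the NLS probe (inside vs. outside) and DA policy state
    $state = & netsh dnsclient show state | Out-String
    $result.Location   = if ($state -match '(?m)^Machine Location\s*:\s*(.+?)\s*$') { $Matches[1] } else { 'unknown' }
    $result.DaSettings = if ($state -match '(?m)^Direct Access Settings\s*:\s*(.+?)\s*$') { $Matches[1] } else { 'unknown' }

    # 2. Non-link-local IPv6 addresses on interfaces that are up, tagged by tunnel type
    $addrs = @([System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        Where-Object { $_.OperationalStatus -eq 'Up' } |
        ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
        ForEach-Object { $_.Address } |
        Where-Object { $_.AddressFamily -eq 'InterNetworkV6' -and -not $_.IsIPv6LinkLocal })
    $result.IPv6Addresses = (($addrs | ForEach-Object { $_.IPAddressToString }) -join ', ')
    $result.HasTeredo = @($addrs | Where-Object {
        $b = $_.GetAddressBytes(); $b[0] -eq 0x20 -and $b[1] -eq 1 -and $b[2] -eq 0 -and $b[3] -eq 0 }).Count -gt 0
    $result.Has6to4   = @($addrs | Where-Object {
        $b = $_.GetAddressBytes(); $b[0] -eq 0x20 -and $b[1] -eq 2 }).Count -gt 0
    $result.HasIsatap = @($addrs | Where-Object {
        $b = $_.GetAddressBytes(); $b[10] -eq 0x5e -and $b[11] -eq 0xfe }).Count -gt 0

    # 3. What netsh says about the Teredo and IP-HTTPS interfaces (slide 36)
    $teredo = & netsh interface teredo show state | Out-String
    $result.TeredoState   = if ($teredo -match '(?m)^State\s*:\s*(.+?)\s*$') { $Matches[1] } else { 'unknown' }
    $https = & netsh interface httpstunnel show interfaces | Out-String
    $result.IpHttpsActive = ($https -match 'IPHTTPS interface active')

    # 4. The access tests from slides 34/35: ping -6 an internal host, fetch an internal URL
    & ping -6 -n 2 $InternalHost | Out-Null
    $result.PingV6Ok = ($LASTEXITCODE -eq 0)
    try {
        [void](New-Object System.Net.WebClient).DownloadString($InternalUrl)
        $result.HttpOk = $true
    } catch {
        $result.HttpOk = $false
        $result.HttpError = $_.Exception.Message
    }

    return New-Object PSObject -Property $result
}

Get-DaClientState | Format-List
```

Expected pattern: inside, Location reports the corporate network and HasIsatap is true; outside with Teredo, HasTeredo is true and the access tests pass; after disabling Teredo per step 11, HasTeredo drops, IpHttpsActive becomes true and the access tests should still pass.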

DirectAccess + SSL VPN: Extend support to IPv4 servers (diagram)
1. Extends access to line of business servers with IPv4 support
2. Access for down level and non Windows clients
3. Enhances scalability and management
4. Simplifies deployment and administration
5. Hardened Edge Solution
(Diagram: managed Windows 7 clients reach the DA Server over always-on IPv6 with DirectAccess; managed Vista/XP clients and unmanaged non-Windows clients and PDAs connect with SSL VPN; the DA Server extends access to IPv4 servers.)