TRANSCRIPT
Reinventing Remote Access with DirectAccess
Gavin Carius, Architect, Microsoft Services (SVR311)
Session Objectives and Takeaways

Session objectives:
• Present DirectAccess
• Explain core DirectAccess technologies
• Review connectivity options

Key takeaways:
• VPNs connect the user to the network; DirectAccess extends the network to the user
• Three core technologies: IPv6, IPsec, and NRPT
• Smartcards are supported but not required
Network Access Infrastructure Optimization Model: Is IT a Cost Center or a Strategic Asset?

Cost Center
• No password policies
• Perimeter firewalls only
• Antivirus not required or installed by default
• No Remote Access policies
• IPv4-only network

More Efficient Cost Center
• Strong password policy
• Host-based firewalls
• Security suite installed on clients
• Remote Access available
• IPv6 planning and testing in progress

Business Enabler
• Strong password policy
• Basic IPsec policies
• Health policies enforced
• Remote user experience is similar to local
• IPv6 blockers removed, addressing plan complete

Strategic Asset
• Strong authentication
• Network transactions are authenticated; may be encrypted
• Policy-based network access with auto-remediation
• Remote users are an extension of the network
• IPv6 is fully deployed
Trustworthy Networking Vision

• Identity: Strong authentication required for all users
• Authorization: Machine health is validated or remediated before allowing network access
• Protection: All network transactions are authenticated and encrypted
• Policies are based on identity, not on location

[Diagram: Remote Client (via the Internet) and Local Client (on the Enterprise Network) both reaching Datacenter Servers]
Evolving IT Needs
• Mobile Data
• Globalisation
• Increasingly Porous Perimeter
• Mobile Workforce
DirectAccess: Securely extending network services and resources to remote users

Always On
• Improved productivity
• Not user initiated
• Simplified connectivity

Manage Out
• "Light up" remote clients
• Decreases patch miss rates
• Applies GPOs to remote machines

Access Policies
• Pre-logon health checks and remediation
• Replaces modal "connect-time" health checks
• Full NAP integration
DirectAccess is more than Remote Access

• VPNs connect the user to the network; DirectAccess extends the network to the user
• Protected transactions: supports authenticated transactions and supports encrypted transactions
• Authentication and encryption mitigate many attacks
DirectAccess: Technical Foundations
• Connectivity: IPv6
• Data Protection: IPsec
• Name Resolution: DNS and NRPT
Connectivity: IPv6
• DirectAccess requires IPv6
• If native IPv6 isn't available, remote clients use IPv6 Transition Technologies
• The corporate network can deploy native IPv6, transition technologies, or NAT-PT

IPv6 Options: DirectAccess works best if the Corporate Network has native IPv6 deployed

[Diagram: Internet and Intranet, showing Native IPv6, IPv6 Translation Technologies, NAT-PT and IPv4 segments]
Data Protection: IPsec
• IPsec tightly integrates with IPv6, allowing the rules engine to determine when and how traffic should be protected
• Two protection scopes: end to edge, and end to end
Name Resolution: DNS and the NRPT
• Remote DirectAccess clients utilise smart routing by default
• The Name Resolution Policy Table allows this to happen efficiently and securely
• Sends name queries to internal DNS servers based on a pre-configured DNS namespace

[Diagram: DirectAccess Connection alongside the ordinary Internet Connection]
Technical Detail

External Connectivity
• Native IPv6 support
• Public IPv4 addresses will use 6to4 to tunnel IPv6 inside IP Protocol 41
• Private IPv4 addresses will use Teredo to tunnel IPv6 inside IPv4 UDP (UDP 3544)
• If the client cannot connect to the DirectAccess Server, IP-HTTPS will connect over port 443

IP address assigned by ISP        IPv6 address the DirectAccess Client uses to connect
Public IPv4                       6to4
Private IPv4                      Teredo
Native IPv6                       Native IPv6
Any (server otherwise unreachable) IP-HTTPS
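The selection rules in the table above, as an added example that is not code from the presentation: given the address the ISP handed the client, it returns the transition technology the slide says the client would pick, together with the outbound traffic that choice produces (useful when writing egress firewall rules or detections for DirectAccess clients). The sample addresses are constructed; "private IPv4" is taken to mean an RFC 1918 address behind a NAT, and the `server_reachable` flag is an assumed input that models the IP-HTTPS fallback.

```python
"""Added example, not code from the presentation: models the client-side choice
of IPv6 transition technology described on the slide, and the outbound traffic
a defender should expect (and allow or log) for each choice.
The addresses used below are constructed sample inputs."""
import ipaddress

# Encapsulation facts from the slide (and the underlying RFCs)
SIXTOFOUR_IP_PROTOCOL = 41   # 6to4: IPv6 carried directly in IP protocol 41
TEREDO_UDP_PORT = 3544       # Teredo: IPv6 inside IPv4 UDP on port 3544
IPHTTPS_TCP_PORT = 443       # IP-HTTPS: IPv6 inside HTTPS on TCP 443

# "Private IPv4" on the slide is read here as an RFC 1918 address behind a NAT
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sixtofour_prefix(public_ipv4: str) -> str:
    """RFC 3056: the /48 a 6to4 host derives from its public IPv4 address
    (2002:WWXX:YYZZ::/48, where WW.XX.YY.ZZ is the IPv4 address in hex)."""
    b = ipaddress.IPv4Address(public_ipv4).packed
    return "2002:{:02x}{:02x}:{:02x}{:02x}::/48".format(*b)


def select_transition(isp_address: str, server_reachable: bool = True) -> dict:
    """Return the technology a DirectAccess client would use from the given
    ISP-assigned address, and the outbound traffic that implies.

    server_reachable=False (assumed input) models the slide's fallback: when
    the DirectAccess server cannot be reached with the preferred technology,
    the client uses IP-HTTPS over port 443 instead.
    """
    addr = ipaddress.ip_address(isp_address)
    if addr.version == 6:
        choice = {"technology": "Native IPv6",
                  "outbound": "IPv6 (no tunnel)", "ipv6_prefix": None}
    elif any(addr in net for net in RFC1918):
        choice = {"technology": "Teredo",
                  "outbound": f"IPv4 UDP/{TEREDO_UDP_PORT}",
                  "ipv6_prefix": "2001::/32"}        # RFC 4380 Teredo prefix
    else:
        choice = {"technology": "6to4",
                  "outbound": f"IPv4 protocol {SIXTOFOUR_IP_PROTOCOL}",
                  "ipv6_prefix": sixtofour_prefix(isp_address)}
    if not server_reachable:
        choice = {"technology": "IP-HTTPS",
                  "outbound": f"IPv4 TCP/{IPHTTPS_TCP_PORT} (HTTPS)",
                  "ipv6_prefix": None}
    return choice


if __name__ == "__main__":
    # Constructed sample clients: public IPv4, NATted IPv4, native IPv6, blocked
    for sample, reachable in (("203.0.113.5", True), ("192.168.1.20", True),
                              ("2001:db8::10", True), ("10.0.0.5", False)):
        print(sample, "->", select_transition(sample, reachable))
```

Because 6to4 and Teredo addresses embed the client's IPv4 address, the returned `ipv6_prefix` is also what you would expect to see as the source prefix on the DirectAccess server side, which helps when correlating tunnel traffic with the client's real egress address.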
Internal IPv6 options

Native
• Servers can run any OS that fully supports IPv6
• Requires IPv6 infrastructure
• Best choice over time

ISATAP
• IPv6 inside IPv4
• Servers must be Windows Server 2008 or R2
• No router upgrades

NAT-PT
• Translates IPv6 to IPv4
• Works with any OS
• UAG has this built in
IPsec Tunnel Detail

[Diagram: DirectAccess Client, Internet, DirectAccess Server (IPsec gateway, reached via IP-HTTPS), Enterprise Network, Line of Business Applications]

External IPsec (DirectAccess Client to DirectAccess Server):
• Encrypted IPsec + ESP
• IPsec hardware offload supported

Internal IPsec (DirectAccess Server to Line of Business Applications), one of:
• No IPsec
• IPsec integrity only (authentication)
• IPsec integrity + encryption

Tunnel 1: Infrastructure Tunnel
• Auth: machine certificate
• End: AD/DNS/Management

Tunnel 2: Application Tunnel
• Auth: machine certificate + (user Kerberos or certificate)
• End: any
NRPT
• Client side only
• Requires a leading dot
• Static table that defines which DNS servers the client will use for the listed names
• Configurable via GPO at Computer Configuration | Policies | Windows Settings | Name Resolution Policy
• Can be viewed with NETSH name show policy

Example NRPT:
Namespace             DNS servers
.ad.contoso.com       2001:db8:b90a:c7d8::178, 2001:db8:b90a:c7d8::183
.lab.contoso.com      2001:db8:b90a:c7a8::202
sql01.acme.com.au     2001:db8:b90a:c7e4::801
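The smart-routing decision the NRPT drives, as an added example that is not code from the presentation: it loads the sample table above and, for any name a client wants to resolve, says whether the query goes to the listed internal DNS servers through the DirectAccess connection or to the ordinary Internet DNS. The matching rules it applies (a leading dot matches every name under that suffix, an entry without a dot matches exactly that host, the most specific entry wins, and anything unmatched uses normal DNS) are the documented NRPT behaviour; the function and field names are this example's own.

```python
"""Added example, not the presentation's code: a model of how a DirectAccess
client consults the Name Resolution Policy Table (NRPT) before sending a DNS
query.  The table is the sample from the slide; the matching rules are the
documented NRPT behaviour (suffix rule, FQDN rule, most specific wins)."""

# Sample NRPT from the slide: namespace -> internal DNS servers (IPv6)
NRPT = {
    ".ad.contoso.com": ["2001:db8:b90a:c7d8::178", "2001:db8:b90a:c7d8::183"],
    ".lab.contoso.com": ["2001:db8:b90a:c7a8::202"],
    "sql01.acme.com.au": ["2001:db8:b90a:c7e4::801"],
}


def _normalise(name: str) -> str:
    """DNS names are case-insensitive; a trailing dot only marks an absolute name."""
    return name.strip().rstrip(".").lower()


def match_rule(name: str, table: dict = NRPT):
    """Return the NRPT entry that applies to `name`, or None if no entry matches."""
    n = _normalise(name)
    matches = []
    for rule in table:
        r = _normalise(rule)
        if rule.startswith("."):
            # Suffix rule: the name must end with the suffix on a label boundary,
            # which the leading dot kept in `r` guarantees (no partial labels).
            if n.endswith(r):
                matches.append(rule)
        elif n == r:
            # FQDN rule (no leading dot): exactly this one host
            matches.append(rule)
    # When several entries apply, the most specific (longest) one wins
    return max(matches, key=len) if matches else None


def resolve_plan(name: str, table: dict = NRPT) -> dict:
    """Decide where the client sends the DNS query for `name`:
    internal servers over DirectAccess, or the adapter's normal Internet DNS."""
    rule = match_rule(name, table)
    if rule is None:
        return {"name": name, "namespace": None, "dns_servers": None, "via": "Internet"}
    return {"name": name, "namespace": rule, "dns_servers": table[rule], "via": "DirectAccess"}


if __name__ == "__main__":
    # Constructed sample queries a remote client might make
    for q in ("fs01.ad.contoso.com", "WEB.Lab.Contoso.COM.", "sql01.acme.com.au",
              "badsql01.acme.com.au", "www.contoso.com"):
        plan = resolve_plan(q)
        print(f"{q:25} -> {plan['via']:12} {plan['dns_servers']}")
```

The last two sample queries show the security-relevant edge: a host that merely looks similar to a listed name (`badsql01.acme.com.au`) and a name outside the configured suffixes (`www.contoso.com`) both stay on the Internet path, so only the namespaces an administrator deliberately lists are ever resolved by, or routed to, the internal DNS servers.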
Two Factor Authentication (TFA)
• Not required; fully supported
• Edge-based enforcement: a smarter way to enforce TFA
• User is assigned a well-known SID (S-1-5-65-1) when they log on with a smartcard
• User may log on to the laptop without TFA
• When the user accesses corporate resources, the IPsec authorization policy checks for this SID
• If the SID is not present…
Requirements for DirectAccess

Knowledge
• Should have a basic working knowledge of IPsec and TCP/IP
• Should be interested in learning about and deploying new technologies, such as IPv6

DirectAccess Clients
• Windows 7 Enterprise or Ultimate SKU
• Domain-joined machines

DirectAccess Server
• Windows Server 2008 R2, domain-joined
• Located at the edge

DNS Servers
• DNS servers supporting DirectAccess clients must be Windows Server 2008 SP2 or later

Application Server
• End to end IPv6 or IPsec requires Windows Server 2008 or later
• Earlier server versions require NAT-PT

PKI for certificates
• No dependency on Active Directory version/mode
UAG and DirectAccess – Better Together

Forefront Unified Access Gateway (UAG) extends the benefits of Windows DirectAccess across your infrastructure, enhancing scalability and simplifying deployments and ongoing management.

Anywhere Access
• Extend Windows DirectAccess to legacy applications and resources running on existing infrastructure.
• Support down-level and non-Windows clients through integrated SSL VPN capabilities and other connectivity options.

Integrated Security
• Protect the DirectAccess gateway with a hardened edge solution.
• Limit exposure associated with connecting unmanaged, down-level and non-Windows clients through granular application access controls and policies.

Simplified Management
• Minimize configuration errors and simplify deployment using built-in wizards and tools.
• Enhance scale and ongoing administration through built-in array management and integrated load balancing.
• Consolidate access gateways for centralized control and auditing.
UAG and DirectAccess – Better Together

[Diagram: Windows Server 2008 R2 DirectAccess Server + UAG (SSL-VPN). Managed Windows 7 "Always On" clients reach Windows Server 2008 R2 servers over IPv6; unmanaged clients (Windows Vista / Windows XP, non-Windows, PDA) reach Windows Server 2003 legacy application servers and non-Windows servers over IPv4 (or IPv6)]

UAG and DirectAccess better together:
• Extends access to line of business servers with IPv4 support
• Access for down-level and non-Windows clients
• Enhances scalability and management
• Simplifies deployment and administration
• Hardened edge solution
Building “End to End Trust”

Identity + Authentication
• (Optional) Two factor authentication
• Domain Controller authenticated logon
• Cached credentials are only used if the machine is offline

Access Control
• Identity-aware firewall (Auth-firewall)
• IPsec (at the network layer)
• File share permissions
• NTFS permissions

Audit
• End-to-end authentication allows remote client connections to be logged by each server

Authorisation Policies
• Define access, encryption, or authentication policies on a per server or application basis
• These rich policy constructs are far beyond traditional VPN
Question & Answer

Resources
• www.microsoft.com/teched: Sessions On-Demand & Community
• http://microsoft.com/technet: Resources for IT Professionals
• http://microsoft.com/msdn: Resources for Developers
• www.microsoft.com/learning: Microsoft Certification & Training Resources
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.