Microsoft DirectAccess (Part 1) - John Delizo
TRANSCRIPT

DirectAccess Solution
John D. Delizo, MCTS MCPD
Philippine Windows Users Group
What will we cover?
- DirectAccess Solution
- DirectAccess Deployment
- Windows 7 and DirectAccess

Helpful Experience
- IPv4
- IPv6
- NAT
- Firewall
- IIS, HTTP & HTTPS
- IPSEC
- ADDS
- ADCS

Agenda
- DirectAccess Overview
- Supporting infrastructure and technologies
- Configuring DirectAccess
- Using DirectAccess with Windows 7
Microsoft Confidential
MOBILE & DISTRIBUTED WORKFORCE
Information Worker’s World Has Been Changing…
[Diagram: Central Office, Branch Offices, Remote Work]
Building A Trusted Stack (“I+4A”)
[Diagram: Trusted Stack built on Trusted Hardware, Trusted Software, Trusted Data and Trusted People]
Secure Foundation – Core Security Components:
- Identity Claims
- Authentication
- Authorization
- Access Control Mechanisms
- Audit
Integrated Protection:
- SDL and SD3
- Defense in Depth
- Threat Mitigation
What Is DirectAccess?
Comprehensive anywhere access solution available in Windows 7 and Windows Server 2008 R2
- Provides seamless, always-on, secure connectivity to on-premise and remote users alike
- Eliminates the need to connect explicitly to corpnet while remote
- Facilitates secure, end-to-end communication and collaboration
- Leverages a policy-based network access approach
- Enables IT to easily service/secure/update/provision mobile machines whether they are inside or outside the network
The DirectAccess Vision
Always-on connectivity across different networks
A focus on driving access decisions based on “policy and a trusted identity,” rather than the limitations of network topology.
Always on, always healthy, always secure.
[Diagram: Internet and Corporate Network. Edge components: VPN Gateway, ISA FW, TSG 802.1x, NPS/NAP Servers, RODC, Secure Boundary, Dedicated Resources, Healthy Resources. Clients: Compliant Windows 7 Clients, Compliant Client, Business Partner, Downlevel or Mobile Client, Customer Site behind Cust FW, Lab Client, Non-compliant Client Devices (blocked).]
Today: requires users to connect (lost productivity); client must be made healthy prior to network access (lost productivity plus IT time and expense).
Benefits Of DirectAccess: Bringing Corpnet to the User

More productivity
- Always-on access to corpnet while roaming
- No explicit user action required – it just works
- Same user experience on premise and off

More secure
- Healthy, trustable host regardless of network
- Fine-grain per app/server policy control
- Richer policy control near assets
- Ability to extend regulatory compliance to roaming assets
- Incremental deployment path toward IPv6

More manageable and cost effective
- Simplified remote management of mobile resources as if they were on the LAN
- Lower total cost of ownership (TCO) with an “always managed” infrastructure
- Unified secure access across all scenarios and networks
- Integrated administration of all connectivity mechanisms
Agenda
- DirectAccess Overview
- Supporting infrastructure and technologies
- Configuring DirectAccess
- Using DirectAccess with Windows 7
DirectAccess Components
- DirectAccess client
- DirectAccess server
- Network location server
- Certificate revocation list (CRL) distribution points
- NAP / Health Validation
- ADDS

DirectAccess & Enabling IPv6
[Diagram: DirectAccess Client connecting to DirectAccess Server]
Connectivity methods between client and server:
- Native IPv6 (Globally Routable)
- 6to4
- Teredo
- IP-HTTPS
The transition technologies tunnel IPv6 over IPv4 (UDP, HTTPS, etc.).
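The slide lists the four ways a client can reach the DirectAccess server but does not show how to tell them apart. The following is an added example, not part of the presentation: a small Python classifier that, given a client IPv6 address as it would appear in a server-side connection list or log, reports which connectivity method it implies and recovers the IPv4 details embedded in 6to4 addresses (RFC 3056, public IPv4 in bits 16–47) and Teredo addresses (RFC 4380, server IPv4, flags, obfuscated client port and client IPv4). IP-HTTPS addresses are assigned from a deployment-specific prefix configured on the DirectAccess server, so that prefix is passed in as a parameter; the prefix and all client addresses below are constructed sample values, and `classify_transition` and `summarize` are names chosen here.

```python
"""Classify DirectAccess client IPv6 addresses by transition technology.

Added example, not code from the presentation. Address layouts follow
RFC 3056 (6to4) and RFC 4380 (Teredo). The IP-HTTPS prefix is deployment
specific and is therefore a parameter; all sample values are constructed.
"""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
TEREDO_CONE_FLAG = 0x8000  # high bit of the 16-bit Teredo flags field


def classify_transition(addr_str, iphttps_prefix=None):
    """Return (technology, details) for one client IPv6 address.

    technology is "6to4", "Teredo", "IP-HTTPS", "native" or "other";
    details holds whatever IPv4 information the address itself encodes.
    """
    addr = ipaddress.IPv6Address(addr_str)
    raw = addr.packed  # 16 bytes, network byte order

    if addr in SIX_TO_FOUR:
        # 2002:WWXX:YYZZ::/48 -> bytes 2..5 are the host's public IPv4 W.X.Y.Z
        return "6to4", {"ipv4": str(ipaddress.IPv4Address(raw[2:6]))}

    if addr in TEREDO:
        # 2001:0000 | server IPv4 (4) | flags (2) | port ^ 0xFFFF (2) | client IPv4 ^ 0xFF.. (4)
        server = ipaddress.IPv4Address(raw[4:8])
        flags = int.from_bytes(raw[8:10], "big")
        port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
        client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
        return "Teredo", {
            "server_ipv4": str(server),
            "client_ipv4": str(client),  # public (NAT-side) address seen by the Teredo server
            "client_port": port,
            "cone_flag": bool(flags & TEREDO_CONE_FLAG),
        }

    if iphttps_prefix is not None and addr in ipaddress.IPv6Network(iphttps_prefix):
        # IP-HTTPS clients get an address from the prefix configured on the
        # DirectAccess server; nothing about the IPv4 side is encoded in it.
        return "IP-HTTPS", {}

    if addr in GLOBAL_UNICAST:
        return "native", {}

    return "other", {}


def summarize(addr_strs, iphttps_prefix=None):
    """Count clients per connectivity method, e.g. to see how many fall back to IP-HTTPS."""
    counts = {}
    for a in addr_strs:
        tech, _ = classify_transition(a, iphttps_prefix)
        counts[tech] = counts.get(tech, 0) + 1
    return counts


# Constructed sample: addresses as a DirectAccess server's client list might show them.
IPHTTPS_PREFIX = "2001:db8:1:2000::/64"  # constructed; deployment specific in practice
SAMPLE_CLIENTS = [
    "2002:c000:201::1",                     # 6to4, public IPv4 192.0.2.1
    "2001:0:c000:22d:8000:63bf:39cc:9bf5",  # Teredo via server 192.0.2.45
    "2001:db8:1:2000::10",                  # IP-HTTPS, from the constructed prefix
    "2001:db8::1",                          # native IPv6
]

if __name__ == "__main__":
    for a in SAMPLE_CLIENTS:
        print(a, "->", classify_transition(a, IPHTTPS_PREFIX))
    print(summarize(SAMPLE_CLIENTS, IPHTTPS_PREFIX))
```

For a defender the useful output is the summary: a population that is mostly IP-HTTPS indicates clients sitting behind firewalls that block the UDP path Teredo needs, and the Teredo details show which Teredo server and public NAT address each client is using.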
DirectAccess & IPsec
[Diagram: Internet | Enterprise Network. DirectAccess Server at the edge, Line of Business Applications inside. IPsec protection levels shown: No IPsec; IPsec Integrity Only (Auth); IPsec Integrity + Encryption]
DirectAccess Supporting Technologies
Trusted, compliant, healthy machine
[Diagram: Windows 7 client connecting to the Corporate Network (Applications & Data)]
- DC & DNS (Win 2008)
- NAP (includes Server & Domain Isolation [SDI])
- Forefront Client Security
- Windows Firewall
- BitLocker + Trusted Platform Module (TPM)
- IAG SP2