Microsoft Direct Access (part 1)_John Delizo

20

Upload: quek-lilian

Post on 14-May-2015

1.332 views

Category:

Business


1 download

TRANSCRIPT

Page 1: Microsoft Direct Access (part 1)_John Delizo
Page 2: Microsoft Direct Access (part 1)_John Delizo

DirectAccess Solution

John D. Delizo, MCTS MCPD

Philippine Windows Users Group

Page 3: Microsoft Direct Access (part 1)_John Delizo

What will we cover?
DirectAccess Solution
DirectAccess Deployment
Windows 7 and Direct Access

Page 4: Microsoft Direct Access (part 1)_John Delizo

Helpful Experience
IPv4
IPv6
NAT
Firewall
IIS, HTTP & HTTPS
IPSEC
ADDS
ADCS

Page 5: Microsoft Direct Access (part 1)_John Delizo

Agenda
DirectAccess Overview
Supporting infrastructure and technologies
Configuring DirectAccess
Using DirectAccess with Windows 7

Page 7: Microsoft Direct Access (part 1)_John Delizo

Microsoft Confidential

MOBILE & DISTRIBUTED WORKFORCE

Information Worker’s World Has Been Changing…

CENTRAL OFFICE

BRANCH OFFICES

REMOTE WORK

Page 8: Microsoft Direct Access (part 1)_John Delizo

Building A Trusted Stack

“I+4A”
Identity Claims
Authentication
Authorization
Access Control Mechanisms
Audit

Trusted Stack: Trusted People, Trusted Hardware, Trusted Software, Trusted Data

Secure Foundation
Core Security Components
Integrated Protection
SDL and SD3
Defense in Depth
Threat Mitigation

Page 9: Microsoft Direct Access (part 1)_John Delizo

What Is DirectAccess?
Comprehensive anywhere access solution available in Windows 7 and Windows Server 2008 R2

Provides seamless, always-on, secure connectivity to on-premise and remote users alike
Eliminates the need to connect explicitly to corpnet while remote
Facilitates secure, end-to-end communication and collaboration
Leverages a policy-based network access approach
Enables IT to easily service/secure/update/provision mobile machines whether they are inside or outside the network

Page 10: Microsoft Direct Access (part 1)_John Delizo

The DirectAccess Vision
Always-on connectivity across different networks

Always on
Always healthy
Always secure

A focus on driving access decisions based on “policy and a trusted identity,” rather than the limitations of network topology.

Diagram elements: Internet, Corporate Network, Customer Site (Cust FW), Business Partner, VPN Gateway, ISA FW, TSG 802.1x, RODC, NPS/NAP Servers, Secure Boundary, Dedicated Resources, Healthy Resources, Lab, Client; Compliant Windows 7 Client (several), Compliant Client, Downlevel or Mobile Client, Non-compliant Client Device (marked X).

Callouts on the diagram:
Requires users to connect (lost productivity)
Client must be made healthy prior to network access (lost productivity plus IT time and expense)

Page 11: Microsoft Direct Access (part 1)_John Delizo

Benefits Of DirectAccess: Bringing Corpnet to the User

More productivity
Always-on access to corpnet while roaming
No explicit user action required – it just works
Same user experience on premise and off

More secure
Healthy, trustable host regardless of network
Fine-grain per app/server policy control
Richer policy control near assets
Ability to extend regulatory compliance to roaming assets
Incremental deployment path toward IPv6

More manageable and cost effective
Simplified remote management of mobile resources as if they were on the LAN
Lower total cost of ownership (TCO) with an “always managed” infrastructure
Unified secure access across all scenarios and networks
Integrated administration of all connectivity mechanisms

Page 15: Microsoft Direct Access (part 1)_John Delizo

Agenda
DirectAccess Overview
Supporting infrastructure and technologies
Configuring DirectAccess
Using DirectAccess with Windows 7

Page 16: Microsoft Direct Access (part 1)_John Delizo

DirectAccess Components

Page 17: Microsoft Direct Access (part 1)_John Delizo

DirectAccess Components

DirectAccess client
DirectAccess server
Network location server
Certificate revocation list (CRL) distribution points
NAP / Health Validation
ADDS

Client IPv6 connectivity:
Native IPv6 (Globally Routable)
6to4
Teredo
IP-HTTPS

Page 18: Microsoft Direct Access (part 1)_John Delizo

DirectAccess & Enabling IPv6

Diagram: DirectAccess Client, Internet, DirectAccess Server

Client-side IPv6 connectivity options shown:
Native IPv6
6to4
Teredo
IP-HTTPS
Tunnel over IPv4 UDP, HTTPS, etc.

Page 19: Microsoft Direct Access (part 1)_John Delizo

DirectAccess & IPsec

Diagram: Enterprise Network, DirectAccess Server, Line of Business Applications

IPsec protection levels shown along the path:
No IPsec
IPsec Integrity Only (Auth)
IPsec Integrity + Encryption

Page 20: Microsoft Direct Access (part 1)_John Delizo

DirectAccess Supporting Technologies
Trusted, compliant, healthy machine

Windows 7 client
Corporate Network
Applications & Data
DC & DNS (Win 2008)
NAP (includes Server & Domain Isolation [SDI])
Forefront Client Security
Windows Firewall
BitLocker + Trusted Platform Module (TPM)
IAG SP2