Presentation is loading. Please wait.

Presentation is loading. Please wait.

WMS02: Direct Access Always Connected: Death of the VPN

Similar presentations


Presentation on theme: "WMS02: Direct Access Always Connected: Death of the VPN"— Presentation transcript:

1 WMS02: Direct Access Always Connected: Death of the VPN
Visual Studio Connections WMS02: Direct Access Always Connected: Death of the VPN Dan Stolts “ITProGuru” Microsoft or Twitter.com/ITProGuru Windows connections starting presentation at 8:08 AM W MS 02: direct access always connected: death of the VPN hi my name is Dan Stolts I am known as the IT Pro guru I work for Microsoft I've been with Microsoft for about three years you can reach me at you can also reach me on my blog or I can also be reached on Twitter Updates will be available at

2 WMS02: Direct Access Always Connected: Death of the VPN
Direct Access Always Connected: Death of the VPN Take a sprinkling of Windows 7, add Windows Server 2008 R2, IPv6 and IPsec and you have a solution that will allow direct access to your corporate network without the need for VPNs. Come to this session to see the ITProGuru (Dan Stolts) and learn how to integrate DirectAccess into your environment. Can you see the benefit of your users never having to connect to a VPN? Can you see the benefit in your IT personal to be able to access remote computers as long as they are connected to the Internet? Come to this session to Learn how to control access to corporate resources and manage Internet connected PCs through group policy.

3 Today’s Agenda 1. Core Infrastructure Optimization Model
2.  Introduction to DirectAccess 3.  Technical Introduction 4.  Technical Detail 5.  Summary

4 Section l: Core Infrastructure Optimization Model
4/11/ :40 AM Section l: Core Infrastructure Optimization Model The section is designed to help business decision-makers: Think about the value that remote access brings to their network Understand that by providing additional services they can improve the value of remote access © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

5 4/11/ :40 AM Network Access Infrastructure Optimization Model Is IT a Cost Center or a Strategic Asset? Cost Center More Efficient Cost Center Business Enabler Strategic Asset No password policies Strong password policy Strong password policy Strong authentication Network transactions are authenticated; may be encrypted Perimeter firewalls only Host-based firewalls Basic IPsec policies Antivirus not required or installed by default Policy-based network access with auto-remediation Security suite installed on clients Health policies enforced An enterprise's IT infrastructure is a strategic asset, the critical foundation for delivering the software services and user applications that a business relies on to succeed. For many organizations, growth and rapid developments in new technologies have resulted in an IT infrastructure that is overly complex, inflexible, and difficult to manage. Such environments typically have built-in costs that are not only high but also somewhat fixed, regardless of changing business requirements. In fact, these infrastructures can make an organization less agile and hinder new initiatives. Microsoft’s core infrastructure optimization — Core IO— model has been designed to help enterprises understand where their core processes may be too rigid, why IT may be viewed as only a cost center, and how the infrastructure can become more flexible to turn IT into a strategic asset for the company. This Core IO model is specific to network access. The purpose of displaying the slide is for you to figure out where you are within your organization and work your way up to the next level ultimately with the destination objective of getting to be a strategic asset by being part of the dynamic optimization model Remote user experience is similar to local Remote users are an extension of the network No remote access policies Remote access available IPv6 blockers removed, addressing plan complete IPv4-only network IPv6 planning and testing in progress IPv6 is fully deployed Basic Standardized Rationalized Dynamic © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

6 Policies are based on identity, not on location
Network Access Vision Policies are based on identity, not on location Enterprise Network Datacenter Servers Internet Remote Client Local Client Identity: Protection: Authorization: All network transactions are authenticated and encrypted Computer health is validated or remediated before allowing network access Strong authentication required for all users Providing a more secure networking experience to customers is essential. We believe that many enterprises will focus on making key changes in the next several years to achieve the level of trust they require for business-critical operations. Areas of change include: Identity: In an enterprise environment, many decisions are made based on the user's identity. Providing strong proof of a user's identity is one of the few ways to ensure that authorization is granted to appropriate entities. Authorization: Enterprises are beginning to see the value of setting authorization policies that ensure that client computers meet a predetermined set of requirements before allowing users to connect. Network access protection is an example of this. Enforcing the health state of client computers is going to increase in importance in the future to ensure that users’ computers have not been compromised. Protection. Enforcing end-to-end authentication provides enterprises with authenticated transactions that are fully logged by each server. Adding end-to-end encryption will also protect the confidentiality and integrity of data in motion, all the way to the end server. Policies are based on identity, not on location. Most current network security schemes provide separate sets of security policies for local and remote users. This increases the complexity and management costs of the network. Assuming the user can be strongly identified, creating policies that treat local and remote users equally (via strong identity, authorization, server authentication, and encryption) makes much more sense.

7 Evolving IT Challenges
Increasingly Porous Perimeter: Where is the Perimeter? Mobile Workforce Mobile Data Mobile Workforce Trends • Always-remote employees • Flexible definition of office • Corporate network access from customer sites Mobile Technology Trends • Increasingly diverse form factors for computers • Laptops, USB drives, cellular network cards, smartphones, PDAs • Mobile phones’ constant Wi-FI connectivity Globalization and Outsourcing • Outside management of the corporate network and data centers • The advent of software-as-a-service (SaaS) and cloud computing • Increasingly complex and granular partner access controls Implications • Traditional network perimeters are becoming more porous, and more clients are computing over un-trusted networks; traditional perimeter security is no longer sufficient. • It is increasingly challenging to manage remote computers and ensure they meet security requirements Globalization

8 Extending network services and resources to remote users
DirectAccess Extending network services and resources to remote users DirectAccess equals constant connectivity. As long as the computer is on the Internet, the computer is on the intranet. There is no need to dial a VPN connection. With DirectAccess, users need to turn on their laptops and connect to the Internet as they normally would, and they have access to corporate resources. It is a very seamless experience. Wherever you, the user, may be, you get to work as if you were in your office. In contrast, VPN technology requires users to "connect in" when they need to access the enterprise network. With DirectAccess, as soon as the computer is turned on — even before the user logs on — the computer has already connected back to the enterprise network and can report its health state, auto-remediate, and run group policy objects, even during log-on. Furthermore, the user has access to any service or application available on the intranet.

9 DirectAccess: More than Remote Access
4/11/ :40 AM DirectAccess: More than Remote Access Always On Manage Out Access Policies Protected Transactions Improved productivity "Light up" remote clients Pre-logon health checks and remediation Supports authenticated transactions Not user initiated Decreases patch miss rates Replaces modal "connect-time" health checks Supports encrypted transactions Simplified connectivity Applies GPOs to remote computers Authentication and encryption mitigate many attacks Full NAP integration So you can see that DirectAccess is much more than simply remote access. Anyone can provide a VPN, but it introduces challenges to the user: Where is the icon to click on? How long will it take to connect? Did it work? Why isn't it connecting? Always On. DirectAccess is always on. Remote users don’t have to do anything to initiate the connection. At work the user clicks on a link and it opens. With DirectAccess, the remote user clicks on a link and it opens. This removes the complexity and increases users’ productivity. Manage Out. Since DirectAccess enables computers to connect automatically, IT can manage the computer’s assets even when these computers are assigned to employees who work remotely 100 percent of the time. This improves patch push rates and allows IT to apply group policy objects to remote computers, even during user log-on. Additionally, tools like Systems Center Configuration Manager can be used to inventory computers while they are remote. ACCESS POLICIES. Full NAP integration allows administrators to define health policies for enforcement on local and remote computers. Additionally, since these health checks run at system start, rather that at user log-on, the user log-on experience isn't interrupted by health checks or patch installations. PROTECTED TRANSACTIONS. Full IPsec integration enables administrators to create policies that require end-to-end authentication. This in turn provides enterprises with authenticated transactions that are fully logged by each server. End-to-end encryption also protects the confidentiality and integrity of data in motion, all the way to the end server. With a traditional VPN, the remote computer is an appendage, connecting on when necessary, not always useful. With DirectAccess, enabled computers are full members of the domain, with every service of the network extended to them wherever users travel. VPNs connect the user to the network DirectAccess extends the network to the computer and user 9 ©2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

10 The Evidence DirectAccess with Windows Server 2008 R2 and Windows 7 Operating System “Recently, a sales account executive and I had about an hour-long drive back to the office from a customer site. With DirectAccess, he was able to log on to our network, access the documents he needed, and write the proposal while I drove. By the time we got back to the office, he was already hitting the send button to deliver the proposal.” Rand Morimoto, President, Convergent Computing Presenter: The full case study for Convergent Computer can be found at: Other quote options include: From David Feng, IT Director, Sporton International “The BranchCache and DirectAccess features have improved employees’ access to data, thus improving their productivity.” From the case study of Microsoft IT The use of DirectAccess at Microsoft Internet-connected offices “will save the company an estimated $300,000 per facility that would otherwise be required to upgrade to a dedicated connection.”

11 DirectAccess: Technical Foundation
Connectivity: IPv6 Data Protection: IPsec Name Resolution: DNS and NRPT DirectAccess is built on three key foundational technologies: • IPv6 for connectivity • IPsec for data protection, • DNS and NRPT for name resolution. There are many other technologies that make DirectAccess work, but these three form the technical foundation. Understanding these technologies is vital to understanding DirectAccess. In the next few slides, we will review these three technologies at a high level.

12 Connectivity: IPv6… Can Do Without… But I Would Not!
IPv6 Options DirectAccess requires IPv6 If native IPv6 isn't available, remote clients use IPv6 transition technologies The corporate network can deploy native IPv6, transition technologies, or NAT-PT {protocol translation} DirectAccess works best if the corporate network has native IPv6 deployed Internet Intranet The first core technology is IPv6. DirectAccess is an end-to-end IPv6 solution. DirectAccess is built on top of IPv6 and requires IPv6 to properly function. From a corporate standpoint, though, you can't guarantee the user will have IPv6 available wherever they travel, so Windows 7 has some built-in transition technologies that are designed to provide IPv6 service to a DirectAccess client even when it has been assigned an IPv4 address. In order to take full advantage of all of the benefits of DirectAccess, IPv6 must be deployed and routed inside the corporate network. IPv6's characteristics provide unique benefits that DirectAccess requires and leverages. There are ways to temporarily work around this requirement, but lack of IPv6 in the corporate network reduces DirectAccess's benefits and impact. If a customer has no plans to deploy IPv6, or is 100% against IPv6, DirectAccess may not be the right solution for them. NAT-PT Native IPv6 IPv6 Transition Technologies IPv4

13 + DirectAccess Hidden slide Anywhere Access Integrated Security
UAG extends the benefits of Windows DirectAccess across your infrastructure, enhancing scalability and simplifying deployments and ongoing management Anywhere Access Extend Windows DirectAccess to legacy applications and resources running on existing infrastructure Support down-level and non Windows clients through integrated SSL VPN capabilities and other connectivity options Integrated Security Protect the DirectAccess gateway with a hardened edge solution Limit exposure associated with connecting unmanaged, down-level and non-Windows clients through granular application access controls and policies (Hidden slide) This is the positioning and messaging slide for DirectAccess and Forefront Unified Access Gateway (UAG). Use it only when you need to provide the UAG story as it pertains to DirectAccess. The slide does not discuss UAG’s benefits for other solutions, such as SharePoint, Exchange, etc. Simplified Management Minimize configuration errors and simplify deployment using built-in wizards and tools Enhance scale and ongoing administration through built-in array management and integrated load balancing Consolidate access gateways for centralized control and auditing

14 Forefront UAG & DirectAccess: Better Together
UAG and DirectAccess better together: Extends access to line of business servers with IPv4 support Access for down level and non Windows clients Enhances scalability and management Simplifies deployment and administration Hardened Edge Solution MANAGED IPv6 Windows7 IPv6 Windows7 DirectAccess Always On UNMANAGED Vista XP IPv4 Extend support to IPv4 servers SSL VPN DirectAccess Server Here we see how Forefront Unified Access Gateway (UAG) helps improve DirectAccess deployments: ANYWHERE ACCESS: • Extends Windows DirectAccess to legacy applications and resources running on existing infrastructure • Supports down-level and non-Windows clients through integrated SSL VPN capabilities and other connectivity options INTEGRATED SECURITY: • Protects the DirectAccess gateway with a hardened edge solution • Limits exposure associated with connecting unmanaged, down-level and non-Windows clients through granular application access controls and policies SIMPLIFIED MANAGEMENT: • Minimizes configuration errors and simplifies deployment using built-in wizards and tools • Enhances scale and ongoing administration through built-in array management and integrated load balancing • Consolidates access gateways for centralized control and auditing So, in summary, UAG takes DirectAccess deployments to a new level: • Extends access to line-of-business servers with IPv4 support, such as Windows 2003 and non-Windows servers • Provides SSL VPN access for down level (Vista/XP) and non-Windows clients, as well as for PDAs • Enhances scale and management through array management capabilities and integrated load balancing • Simplifies deployments and ongoing administration using wizards and automated tools • Delivers a hardened, edge-ready solution that can swiftly deployed Non Windows IPv4 + + PDA IPv4 UAG is a hardened edge appliance available in HW and virtual options UAG enhances scale and management with integrated LB and array capabilities. UAG uses wizards and tools to simplify deployments and ongoing management UAG improves adoption and extends access to existing infrastructure UAG provides access for down level and non Windows clients

15 Forefront UAG and DirectAccess: Better Together
Extends access to line-of-business servers with IPv4 support Provides access for down-level and non- Windows clients Enhances scalability and management Simplifies deployment and administration Delivers a hardened, edge-ready solution SSL-VPN DirectAccess Server + Managed Windows 7 Always On Windows Server 2008 R2 Windows Server 2008 IPv6 Windows Server 2003 Legacy Application Server Non Windows Server IPv4 PDA Windows Vista/ Windows XP Non-Windows Unmanaged or In the previous slide, we talked about NAT-PT devices to enable IPv6 connectivity inside the corporate network. Microsoft's Forefront Unified Access Gateway (UAG) has an integrated NAT-PT available (specifically, NAT64, which is similar). Additionally, Cisco and other layer-3 providers sell NAT-PT devices. Here we see how Forefront Unified Access Gateway (UAG) helps improve DirectAccess deployments: ANYWHERE ACCESS: • Extends Windows DirectAccess to legacy applications and resources running on existing infrastructure • Supports down-level and non-Windows clients through integrated SSL VPN capabilities and other connectivity options INTEGRATED SECURITY: • Protects the DirectAccess gateway with a hardened edge solution • Limits exposure associated with connecting unmanaged, down-level and non-Windows clients through granular application access controls and policies SIMPLIFIED MANAGEMENT: • Minimizes configuration errors and simplifies deployment using built-in wizards and tools • Enhances scale and ongoing administration through built-in array management and integrated load balancing • Consolidates access gateways for centralized control and auditing So, in summary, UAG takes DirectAccess deployments to a new level: • Extends access to line-of-business servers with IPv4 support, such as Windows 2003 and non- Windows servers • Provides SSL VPN access for down level (Vista/XP) and non-Windows clients, as well as for PDAs • Enhances scale and management through array management capabilities and integrated load balancing • Simplifies deployments and ongoing administration using wizards and automated tools • Delivers a hardened, edge-ready solution that can swiftly deployed Forefront Unified Access Gateway (UAG)… helps improve DirectAccess

16 Name Resolution: DNS and the NRPT (Name Resolution Policy Table)
DirectAccess Connection Internet Connection Remote DirectAccess clients use smart routing for DNS queries by default The Name Resolution Policy Table (NRPT) {client side conditional forwarding} allows this to happen efficiently DirectAccess sends name queries to intranet DNS servers based on pre-configured namespace Now, let’s look at how the Name Resolution Policy Table (NRPT), the third core technology, works with DirectAccess: Scenario: A DirectAccess-enabled client has an Internet connection via a public wireless network at a coffee shop. • If the user types in “www.microsoft.com,” by default that request goes out to the ISP for name resolution and connection. • If the user types in “\\server1.contoso.com,” that request goes across the DirectAccess connection to the intranet DNS servers of Contoso. In other words, the user can simultaneously download a large service pack from an internal network while browsing the web, with each set of data going across a different connection. The Name Resolution Policy Table (NRPT) allows this to happen securely; it is designed to prevent leaks from the intranet DNS namespace into the external namespace. The NRPT is very similar to the conditional forwarding capability available on DNS servers, but NRPT is a client-side technology. Some people have referred to it as "client side conditional forwarding," although that is not an official nomenclature.

17 DirectAccess and NRPT Clever hack Works on DNS namespaces, eg:
inside.example.comor //inside will be resolved by a corpnet DNS server

18 Requirements for DirectAccess
Customer Knowledge Should have a basic working knowledge of IPsec or TCP/IP Should be interested in learning and deploying new technologies, such as IPv6 DirectAccess Clients Windows 7 Enterprise Edition or Windows 7 Ultimate Edition Domain-joined computers DirectAccess Server Windows Server 2008 R2, Standard Edition or Higher Domain-joined computers DirectAccess is a very exciting version 1 technology that benefits from multiple technologies to provide an overall solution. Customers willing to deploy DirectAccess should have a basic understanding of IPsec and IPv6 technologies. DirectAccess clients should use Windows 7 Enterprise or Windows 7 Ultimate. Windows Server 2008 R2 computers can also be used as a DirectAccess client. The DirectAccess Server sits on the corporate DMZ (demilitarized zone) and requires Windows Server 2008 R2 Standard Edition or higher. The DNS Servers supporting DirectAccess clients should use Windows Server 2008 SP2 Edition or higher. Others DNS Servers Supporting DirectAccess Clients - Windows Server 2008 SP2 or later A public key infrastructure (PKI) to issue computer certificates, smart card certificates, and, for NAP, health certificates.

19 External Connectivity
Supports native IPv6 6to4 tunnels IPv6 inside IPv4 (protocol 41) (used by public IPv4 addresses) Teredo tunnels IPv6 inside IPv4 UDP (UDP 3544) (used by private IPv4 addresses) IP-HTTPS tunnels IPV6 inside IPv4 SSL (TCP 443) if client can’t connect using 6to4 or Teredo IP Address Assigned by ISP: IPv6 Address Used to connect: Public IPv4 Native IPv6 Private IPv4 Native IPv6 6to4 Teredo If the DirectAccess client is assigned a Native IPv6 address, that address will be routed across the Internet and used to connect to the DirectAccess server, as long as the DirectAccess server also has Native IPv6 connectivity. There is a common misconception that IPv6 can’t be routed across the Internet today, but it can. (Note: Organizations are not required to configure external IPv6 connectivity on their DirectAccess server. If they don’t, it simply means that remote users who obtain a native IPv6 address will not be able to connect using native IPv6. Instead, they would fail-over to IP-HTTPS.) Next, if the client is assigned a publicly routable IPv4 address, the computer will obtain a 6to4 address (encapsulating IPv6 inside IPv4) and connect to the DirectAccess server using the 6to4 address. Finally, if the client is behind a NAT (Network Access Translation) device and receives a private (RFC 1918) address (usually in the /8 or /16 space), the client will use the Teredo protocol to encapsulate IPv6 inside IPv4 UDP packets and connect to the DirectAccess server. (Note: These are general guidelines, not rules, and there are exceptions, such as a DirectAccess client behind an Apple AirPort wireless access point. Even though Apple AirPort is a NAT device and provides private IPv4 addresses, it also contains a built-in 6to4 gateway. This means that DirectAccess clients obtaining a private IPv4 address from an Apple AirPort device will also obtain a 6to4 address and use that address to connect to the DirectAccess server.) When a DirectAccess-enabled client is turned on, the TCP/IP stack automatically detects which type of IP addresses has been assigned and uses one of the three protocols discussed above (native IPv6, 6to4, and Teredo) to connect to the DirectAccess server. By using one of these protocols, clients will have about an percent success rate connecting. The remaining 10 percent of attempts are generally blocked by networking devices that sit on the wire between the client and the DirectAccess server. Most commonly, these are either tightly restricted port-blocking firewalls or proxy servers. For a traditional VPN, this is generally when a Help Desk call is initiated; "I tried to connect and it failed. What's wrong?“ Windows 7 has a new protocol that has been designed to alleviate this situation and improve connection rates to very near 100 percent. The protocol is called IP-HTTPS, and its job is very simple: Once the client attempts to connect to the server using protocol selected by the TCP/IP stack (either native IPv6, 6to4, or Teredo), if the connection is unsuccessful after a certain period of time, the stack assumes that something must be blocking connectivity. At that point, it spins up IP-HTTPS and attempts to connect to the server using that protocol, which generally works. The reason IP-HTTPS can connect when other protocols often fail is simplicity: All it does is open a connection from the client to the server on port 443 (the same port that is used for HTTPS/SSL connections) and then pass all further traffic on that connection. Virtually all networking devices allow port 443 outbound, because it must be open to allow Web clients to browse secure Web sites. IP-HTTPS also assigns IPv6 addresses to the DirectAccess client using IPv6 router advertisements. All the standard connection protocols are Internet standards. IP-HTTPS is a Microsoft proprietary protocol, but it is fully documented on our Web site for the purposes of interoperability. See: DirectAccess Client Native IPv6 6to4 IP-HTTPS Teredo

20 Internal IPv6 IPv6 Options Native IPv6
Works with any server OS that supports IPv6 Requires IPv6 infrastructure Delivers best choice over time IPv6 Options DirectAccess works best if the corporate network has native IPv6 deployed ISATAP Tunnels IPv6 inside IPv4 Doesn’t require routing infrastructure upgrades Requires Windows Server 2008 or R2 Internet Intranet DirectAccess is an end-to-end IPv6 solution that is built on top of IPv6 and requires IPv6 to function properly. To take full advantage of its benefits, IPv6 must be deployed and routed inside the corporate network. The characteristics of IPv6 provide unique benefits that DirectAccess requires and leverages. There are ways to temporarily work around this requirement, but lack of IPv6 in the corporate network will reduce the benefits and impact of DirectAccess. If a customer has no plans to deploy IPv6, or is against doing so, DirectAccess may not be the right solution for that company. Native IPv6 Deployment: Although most customers are not ready for IPv6 yet, it is the best choice to take full advantage of DirectAccess in the long run. It requires routing IPv6 in the internal network and considerable planning, but provides the greatest rewards overall and is the easiest to trouble-shoot. Additionally, any server OS that supports IPv6 (which is almost 100%) can be accessed by remote DirectAccess clients with this configuration. ISATAP: This is a transition technology that can be deployed inside the corporate network. It also tunnels IPv6 inside IPv4 so that the routing infrastructure does not have to be upgraded. ISATAP is very easy to deploy, but for the purposes of DirectAccess, it only works with Windows Server 2008 and Windows Server 2008 R2. ISATAP does not help provide connectivity to previous versions of Windows Server or non-Windows operating systems. NAT-PT: While ISATAP is a protocol, NAT-PT is a device. This device receives incoming queries for IPv6 resources, translates them into IPv4 queries, and sends the responses back using IPv6. NAT-PT works with any operating system and doesn't require infrastructure upgrades. However, IPsec cannot pass through a NAT-PT device, so if NAT-PT is in use, there is no way to deploy full end-to-end encryption or authentication. Microsoft’s Forefront Unified Access Gateway (UAG) has an integrated NAT-PT available (specifically, NAT64, but it is similar). Additionally, Cisco and other layer 3 providers sell NAT-PT devices. NAT-PT {Protocol Translation} Translates IPv6 to IPv4 Works with any server OS Is available in Forefront UAG NAT-PT Native IPv6 IPv6 Transition Technologies IPv4

21 External IPsec Internet IP-HTTPS Encrypted IPsec+ESP
DirectAccess Server Internet DirectAccess Client IP-HTTPS Encrypted IPsec+ESP Encrypted IPsec+ESP IPsec Hardware Offload Supported IPsec Gateway DirectAccess clients transmit data across the Internet, so keeping in-motion data secure is of paramount importance. DirectAccess needs to provide a level of security equal to or better than a VPN. This has been achieved through IPsec, the protection protocol used by DirectAccess. As a result, when a DirectAccess client connects to a DirectAccess server, by default it encrypts the data using IPsec+ESP. This protocol will protect any data sent using native IPv6, 6to4, or Teredo protocols. In the event that the IP-HTTPS protocol is used (which we talked about earlier), we run into an interesting scenario. The HTTPS connection must be set up first; then the IPsec+ESP connection is set up inside the IP-HTTPS tunnel. Because HTTPS includes encryption, this scenario results in a double-encrypted connection. So far, we have been discussing the DirectAccess server as if it were a single monolithic device. In reality, it comprises a collection of services, some of which can be carved off and placed onto their own servers to enhance reliability, performance, or scaling. In this slide, we see that one of those services is called the IPsec Gateway, which has been moved to a separate server. This could be a separate compute; it could have an IPsec Task Offload card for improved performance; or it could even be a partner-device, such as an appliance-based, highly scalable IPsec pass-through/termination device.

22 Internal IPsec Options
DirectAccess Server Enterprise Network Line-of-Business Applications No IPsec End-To-Edge IPsec Integrity Only (Authentication) IPsec Headers On an internal network, several options exist for terminating IPsec. 1. If IPsec is terminated at the DirectAccess server (or IPsec Gateway), there will be no IPsec packets inside the internal network. This is called the client-to-gateway or end-to-edge model. You can still deploy network access protection (NAP) on the end-to-edge model and benefit from checking the health of the computers before they’re connected to the corporate network. 2. If IPsec is configured to terminate encryption at the DirectAccess server, but still authenticates all the way to the end server, the packets inside the Internet network will have IPsec headers on them, but they will not be encrypted. 3. If IPsec is configured to terminate encryption at each resource server, the packets inside the network will be fully encrypted. This is called client-to-server or end-to-end encryption. IPsec Gateway IPsec Integrity + Encryption

23 IPsec Tunnel Detail - Split Tunneling
DirectAccess Server Tunnel 1: Infrastructure Tunnel Authentication: Computer Certificate + NTLM Client Access: AD/DNS/Management Tunnel 2: Intranet Tunnel Authentication: Computer Certificate + User Kerb Client Access: Other available resources DirectAccess Client By default, DirectAccess clients separate intranet from Internet traffic. This reduces unnecessary traffic on the intranet by sending only intranet-destined traffic across the DirectAccess connection. For VPN connections, this default configuration is known as split tunneling. Users who want to access corporate intranet services will connect using tunnel 1 for any service running on an IP address listed in the tunnel 1 endpoints. If, however, the service runs on an IP address within the corporate address range but not listed in tunnel 1, the client will connect using tunnel 2. For DirectAccess, there is also an option called “force tunneling” that forces all Internet requests through the DirectAccess connection. Force tunneling allows IT administrators to scan and filter all Internet traffic, but due to performance considerations and infrastructure requirements, it is not recommended.

24 Multi Factor Credentials for Intranet Access
Two Factor Authentication (TFA) is fully supported but not required Edge-based enforcement is a smarter way to enforce TFA Users are assigned a well-known SID when they log on with a smartcard (S ) Users may log on to a laptop without TFA When users access corporate resources, the IPsec authorization policy checks for the SID…

25 Name Resolution Policy Table (NRPT)
Pertains to the client side only Uses a static table to define which DNS servers will be used by the client for the listed names Is configurable via Group Policy Objects (GPO) at Computer Configuration/ Windows Settings/Name Resolution Policy Can be viewed with netsh name show policy NRPT .ad.contoso.com 2001:db8:b90a:c7d8::178 2001:db8:b90a:c7d8::183 .lab.contoso.com 2001:db8:b90a:c7a8::202 .nls.contoso.com 2001:db8:b90a:c7e4::801

26 Demo Client Experience…

27 Direct Access Deployment
4/11/2017 Direct Access Deployment Deployment Strategy Prepare to monitor IPv6 traffic Choose an access model (e.g., full intranet access vs. selected server access) Determine deployment scale Deployment Process Prepare infrastructure Configure DirectAccess server Customize policies, as needed Prior to deploying DirectAccess, companies should define their strategy and prepare to monitor IPv6 traffic. What intranet resources will you make available to DirectAccess clients — full intranet access (end-to-edge), selected server access, or end-to-end? What is the appropriate scale for the deployment — single server or multiple servers? And so on. For details on planning a DirectAccess deployment strategy, see: During deployment: • You’ll use the Microsoft management console (MMC) to configure the DirectAccess server (which requires Windows Server 2008 R2). • You’ll use the DirectAccess configuration wizard to author DirectAccess policies for clients, application servers, DC/DNS, and IPsec gateway (for both Windows 7 enterprise and ultimate SKU client computers) and customize the policies, as needed. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

28 DirectAccess Monitoring
Built-in to the DirectAccess feature installed on the DA server Provides server monitoring information on DirectAccess components

29 Implementation

30 Section 5: Summary 4/11/2017 11:40 AM
This section summarizes the profile of a secure and well-managed infrastructure. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

31 Building Trust Identity + Authentication Access Controls
(Optional) Two factor authentication Domain Controller-authenticated log- on Cached credentials used only if computer is offline Identity + Authentication Identity-aware firewall (auth-firewall) IPsec (at the network layer) File share permissions NTFS permissions Access Controls Access, encryption, or authentication policies defined on a per-server or application basis Rich policy constructs that go far beyond traditional VPN Authorization Policies End-to-end authentication — allows remote client connections to be logged by each server Audit Let’s summarize what we’ve talked about today. First, there are essentially five major security components required to facilitate trust: identity, authentication, access controls, authorization policies, and auditing. This is true whether the “thing” being trusted is a person, device, operating system, software application, or piece of data.

32 DirectAccess: More than Remote Access
4/11/ :40 AM DirectAccess: More than Remote Access Always On Manage Out Access Policies Protected Transactions Improved productivity "Light up" remote clients Pre-logon health checks and remediation Supports authenticated transactions Not user initiated Decreases patch miss rates Replaces modal "connect-time" health checks Supports encrypted transactions Simplified connectivity Applies GPOs to remote computers Authentication and encryption mitigate many attacks Full NAP integration So you can see that DirectAccess is much more than simply remote access. Anyone can provide a VPN, but it introduces challenges to the user: Where is the icon to click on? How long will it take to connect? Did it work? Why isn't it connecting? Always On. DirectAccess is always on. Remote users don’t have to do anything to initiate the connection. At work the user clicks on a link and it opens. With DirectAccess, the remote user clicks on a link and it opens. This removes the complexity and increases users’ productivity. Manage Out. Since DirectAccess enables computers to connect automatically, IT can manage the computer’s assets even when these computers are assigned to employees who work remotely 100 percent of the time. This improves patch push rates and allows IT to apply group policy objects to remote computers, even during user log-on. Additionally, tools like Systems Center Configuration Manager can be used to inventory computers while they are remote. ACCESS POLICIES. Full NAP integration allows administrators to define health policies for enforcement on local and remote computers. Additionally, since these health checks run at system start, rather that at user log-on, the user log-on experience isn't interrupted by health checks or patch installations. PROTECTED TRANSACTIONS. Full IPsec integration enables administrators to create policies that require end-to-end authentication. This in turn provides enterprises with authenticated transactions that are fully logged by each server. End-to-end encryption also protects the confidentiality and integrity of data in motion, all the way to the end server. With a traditional VPN, the remote computer is an appendage, connecting on when necessary, not always useful. With DirectAccess, enabled computers are full members of the domain, with every service of the network extended to them wherever users travel. VPNs connect the user to the network DirectAccess extends the network to the computer and user 32 ©2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

33 Tunnel over IPv4 UDP, HTTPS, etc.
DirectAccess – Background Internet DirectAccess Client (Windows 7) DirectAccess Server (Server 2008 R2) Tunnel over IPv4 UDP, HTTPS, etc. Encrypted IPsec+ESP Native IPv6 IPv6 gives you security: IPSec6 Encapsulating Security Payload (EPS) for Suite-B level of confidentiality Server-client two-way authentication IPv6 just-gets-there Bypasses NATs Full mobility support with no loss of connection Full autoconfiguration Crosses over IPv4 using: 6to4, 6over4, ISATAP, Teredo, NAT-PT, and now: IP-HTTPS if all else fails 6to4 Teredo IP-HTTPS

34 INFRASTRUCTURE PLANNING AND DESIGN (IPD) GUIDE DirectAccess
What are IPD Guides? Guidance & best practices for infrastructure planning of Microsoft technologies Direct Access Guide Benefits Presents common scenarios, decisions, and practices in an easy-to-follow, step-by-step process for designing DirectAccess infrastructure Provides a straightforward explanation of the infrastructure required to allow client connectivity from any network to resources on the corporate network Assists the reader in deploying DirectAccess for situations where the organization hasn’t started IPv6 implementation “At the end of the day, IT operations is really about running your business as efficiently as you can so you have more dollars left for innovation. IPD guides help us achieve this.” It’s a free download! Go to Check out the entire IPD series for streamlined IT _infrastructure planning Peter Zerger, Consulting Practice Lead for Management Solutions, AKOS Technology Services

35 DirectAccess Architecture Deeper Dive
Shortcut..

36 Dan Stolts “ITProGuru” Sessions
10:00 am WMS03: 10 Hot Topics Every IT Admin Needs to Know about Windows Server 2008 R2 SP1 11:15 am WMS02: Direct Access Always Connected: Death of the VPN 3:15 pm WMS04: Monitoring and Managing All Critical Infrastructure Blog: ITProGuru.com All Slides Available Now!

37 Your Feedback is Important
Visual Studio Connections Your Feedback is Important Please fill out a session evaluation form drop it off at the conference registration desk. Thank you! WMS02: Direct Access Always Connected: Death of the VPN Dan Stolts “ITProGuru” Microsoft Blog: ITProGuru.com Twitter.com/ITProGuru Updates will be available at


Download ppt "WMS02: Direct Access Always Connected: Death of the VPN"

Similar presentations


Ads by Google