Presentation is loading. Please wait.

Presentation is loading. Please wait.

Scott Roberts Lead Program Manager Microsoft Session Code: WSV320.

Similar presentations


Presentation on theme: "Scott Roberts Lead Program Manager Microsoft Session Code: WSV320."— Presentation transcript:

1

2 Scott Roberts Lead Program Manager Microsoft Session Code: WSV320

3 Agenda Secure Access Landscape Demo DirectAccess Solution Benefits Deployment Models & Requirements Name Resolution Supporting Technologies Diagnostics Questions & Answers

4 Mobile Workforce Mobile Data Globalization Increasingly Porous Perimeter

5 "Re-Perimeterization" How to manage, monitor, and support remote users/machines all the time? How to simplify remote workers’ access “My network is where my buildings are” “My network is where my users and assets are”

6 DirectAccess Server Data Center and Business Critical Resources Local User Enterprise Network Remote User Assume the underlying network is always unsecure Assume the underlying network is always unsecure Redefine the corporate edge to protect the datacenter Redefine the corporate edge to protect the datacenter Security policies based on identity, not location Industry Trends Internet

7 Windows Server 2008 R2 Addressing Enterprise Needs Addressing User Needs Supporting IT Professionals Work Anywhere Infrastructure using Direct Access

8 DirectAccess Providing seamless, secure access to enterprise resources from anywhere

9 DirectAccess in Action

10 Benefits Of Direct Access Bringing the corporate network to the user Always-on access to corpnet while roaming No explicit user action required – it just works Same user experience on premise and off Simplified remote management of mobile resources as if they were on the LAN Lower total cost of ownership (TCO) with an “always managed” infrastructure Unified secure access across all scenarios and networks Integrated administration of all connectivity mechanisms Healthy, trustable host regardless of network Fine grain per app/server policy control Richer policy control near assets Ability to extend regulatory compliance to roaming assets Incremental deployment path toward IPv6

11 Always On Always connected No user action required Adapts to changing networks

12 Secure Encrypted by default Works with Smartcards Granular access control Coexists with existing edge, health, and access policies

13 Manageable Reach out to previously untouchable machines Allows remote clients to process Group Policies NAP integration for health compliance Consolidate Edge Infrastructure

14 VPN vs. DirectAccess - Value VPNDirectAccess Manageability Granular Security Ease of use Ubiquitous Easy to install

15 DirectAccess Server (Server 2008 R2) DirectAccess Client (Windows 7) Internet Native IPv6 6to46to4 TeredoTeredo IP-HTTPSIP-HTTPS Tunnel over IPv4 UDP, HTTPS, etc. Encrypted IPsec+ESP IPsec Gateway Encrypted IPsec+ESP IPsec Hardware Offload Supported

16 Option 1 - ISATAP DirectAccess Server (Server 2008 R2) Line of Business Applications IPv6 IPv4 IPv6 Enabling IPv6 in the Enterprise

17 Option 2 – NAT-PT DirectAccess Server (Server 2008 R2) Line of Business Applications IPv6 IPv4 NAT-PTDNS-ALG Windows Server 2003 Non-Windows Enabling IPv6 in the Enterprise

18 Enterprise Network DirectAccess Server (Server 2008 R2) Line of Business Applications No IPsec IPsec Gateway IPsec Integrity Only (Auth) IPsec Integrity + Encryption Windows Server 2003 Windows Server 2008 Non-Windows Server IPsec Hardware Offload Supported

19 Deployment Models

20 Deployment Scenario End-to-edge encryption No overhead of encryption on application servers Edge enforces machine/user authentication and data encryption Least change from customer’s existing edge deployments Trusted, compliant, healthy machine Windows 7 client Corporate Network Applications & Data (non-IPsec enabled) DC & DNS (Server 2008 SP2/R2) Internet Direct Access Server Server 2008 R2 IPsec ESP tunnel encryption using machine cert (DC/DNS access) Clear Text traffic from client flows through encrypted tunnel to Corporate network resources IPsec ESP tunnel encryption using UserKerb/Health Cert/Smartcard for broad network access

21 Deployment Scenario End-to-Edge Encryption + End to End IPsec No overhead of encryption on application servers (just authentication) DirectAccess Edge Encryption combined with End to End IPsec Server and Domain Isolation Trusted, compliant, healthy machine Windows 7 client Corporate Network Applications & Data IPsec-enabled Internet IPsec ESP-Null AuthIP Transport Traffic flows through encrypted tunnel to Corporate network resources Direct Access Server Server 2008 R2 IPsec ESP tunnel encryption using UserKerb/Health Cert/Smartcard for broad network access IPsec ESP tunnel encryption using machine cert (DC/DNS access) DC & DNS (Server 2008 SP2/R2)

22 Deployment Scenario End-To-End IPsec Transport Encryption Thin edge solution using IPsec Denial of Service Protection (DoSP) Service only allows Ipsec & ICMP traffic Full End to End IPsec Encryption IP-HTTPS tunnel used for proxy scenarios only Trusted, compliant, healthy machine Windows 7 client Corporate Network Applications & Data IPsec-enabled Internet IPsec ESP-encrypted transport to access Corporate network resources Direct Access Server Server 2008 R2 DC & DNS (Server 2008 SP2/R2)

23 Deployment Requirements DirectAccess Clients Requires Windows 7 Enterprise or Ultimate SKURequires Windows 7 Enterprise or Ultimate SKU Clients Domain JoinedClients Domain Joined Initial Provisioning while on Corpnet or through VPNInitial Provisioning while on Corpnet or through VPN DirectAccess Servers Requires Windows Server 2008 R2Requires Windows Server 2008 R2 Located at EdgeLocated at Edge Application Servers End-to-end V6 & IPsec requires Windows Server 2008 or laterEnd-to-end V6 & IPsec requires Windows Server 2008 or later Other models can use Windows Server 2003 or laterOther models can use Windows Server 2003 or later

24 Deployment RequirementsDC/DNS Needs at least one W2K8 SP2 or R2 DC/DNS server for client registration of V6 recordsNeeds at least one W2K8 SP2 or R2 DC/DNS server for client registration of V6 records Network Infrastructure Can be IPv4 because we deploy ISATAP with DirectAccessCan be IPv4 because we deploy ISATAP with DirectAccessNAT-PT Can be used to provide access to IPv4-only resourcesCan be used to provide access to IPv4-only resources

25 Name Resolution

26 Name Resolution Policy Table (NRPT) New feature in Windows 7 Used by DirectAccess Client to determine ‘which’ DNS Server to use based on namespace New name resolution order: Local cache Hosts file NRPT DNS

27 NRPT For any given query, if the domain matches an entry in the NRPT, the query will be sent to the DNS Servers specified in the NRPT These are internal DNS servers – they do not need to be dedicated to DirectAccess, and they do not need to be in the DMZ If the name doesn't match an NRPT entry, the query will be sent to the DNS server configured for the interface Corp.contoso.com2001:1:1::b3df 2001:1:1::b3de

28 Supporting Technologies

29 Direct Access Supporting Technologies Trusted, compliant, healthy machine Windows 7 client Corporate Network Applications & Data NAP (includes Server & Domain Isolation [SDI]) Forefront Client Security Windows Firewall BitLocker + Trusted Platform Module (TPM) IAG SP2 ForefrontUAG DC & DNS (Server 2008 R2)

30 DA Server Compliant Client Data Center and Business Critical Resources NAP / NPS Servers Internet CORPNET User CORPNET Compliant Network CORPNET User IPsec/IPv6 Direct Access Supporting Technologies Non- Compliant Client Forefront Client Security IAG SP2 Unmanaged Client

31 Extend Windows Direct Access to legacy applications and resources running on existing infrastructure. Support down-level and non Windows clients using a variety of connectivity options. Anywhere Access Minimize configuration errors and simplify deployment using built-in wizards and tools. Protect the Direct Access gateway with a hardened edge solution. Granular Security Enhance scale and ongoing administration through built-in array management and integrated load balancing Consolidate access gateways for centralized control and auditing. Unified Management UAG extends the benefits of Windows Direct Access enabling an easy migration path and enhanced scalability. + 7 Direct Access

32 DirectAccess – Solution IPv6 IPv6 Always On Windows7 IPv4 IPv4 IPv4 DirectAccess Server Extend support to IPv4 servers UAG improves adoption and extends access to existing infrastructure UAG and DirectAccess better together: 1.Extends access to line of business servers with IPv4 support 2.Access for down level and non Windows clients 3.Enhances scalability and management 4.Simplifies deployment and administration 5.Hardened Edge Solution MANAGED Vista XP UNMANAGED Non Windows PDA DirectAccess SSL VPN UAG provides access for down level and non Windows clients UAG enhances scale and management with integrated LB and array capabilities. UAG uses wizards and tools to simplify deployments and ongoing management. UAG is a hardened edge appliance available in HW and virtual options +Windows7 +

33 Diagnostics

34 Internet Explorer Diagnose Problem Button It has been enhanced to troubleshoot DirectAccess Networking Icon (right click) Troubleshoot problems option. Supports providing a location. Also has a DirectAccess Entry Point Control Panel, Troubleshooting Connect to a Workplace place using DirectAccess Command Prompt (Elevated) NETSH TRACE START SCENARIO=DIRECTACCESS

35 Similar Compatibility: Most software that runs on Windows Vista will run on Windows 7. Exceptions will be low level code (AV, Firewall, Imaging, etc). Hardware that runs Windows Vista well will run Windows 7 well.Hardware that runs Windows Vista well will run Windows 7 well. Few Changes: Focus on quality and reliability improvements Windows 7 Builds on Windows Vista Deployment, testing, and pilots today will continue to pay off Deep Changes: New models for security, drivers, deployment, and networking

36 Summary Call-to-action Windows Server 2008 R2 offers great innovation for your Anywhere Access infrastructure Learn more about Direct Access Start deploying Windows Server 2008 now to get ready

37 Sessions On-Demand & Community Resources for IT Professionals Resources for Developers Microsoft Certification & Training Resources Resources Microsoft Certification and Training Resources

38 Complete an evaluation on CommNet and enter to win!

39 © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


Download ppt "Scott Roberts Lead Program Manager Microsoft Session Code: WSV320."

Similar presentations


Ads by Google