For end-to-edge protection, DirectAccess clients establish an IPsec session to an IPsec gateway server (which by default is the same computer as the DirectAccess server). The IPsec gateway server then forwards the traffic unprotected (shown in red in the original diagram) to application servers on the intranet. This architecture works with any IPv6-capable application server and does not require that server to run IPsec, which simplifies configuration and setup.
For end-to-edge with end-to-end IPsec protection, DirectAccess clients establish an IPsec session to an IPsec gateway server, and the IPsec traffic continues all the way to the intranet server for end-to-end IPsec protection. This architecture provides better security than the end-to-edge model alone.
With end-to-end IPsec protection, DirectAccess clients establish an IPsec session through the DirectAccess server to each application server to which they connect. This provides the highest level of security because you can configure access control on the DirectAccess server and extend IPsec all the way to the internal server. This architecture requires that application servers run Windows Server 2008 SP2 or Windows Server 2008 R2 and use both IPv6 and IPsec.
[Diagram: DirectAccess server (Windows Server 2008 R2) in front of line-of-business applications; IPv6 traffic from clients crosses the IPv4 intranet to the application servers using ISATAP]
[Diagram: DirectAccess server (Windows Server 2008 R2) in front of line-of-business applications; IPv6 traffic from clients reaches IPv4-only servers (Windows Server 2003, non-Windows) through NAT64/DNS-ALG]
[Diagram: firewalled IPv4 network (A) behind an IPv4 firewall; local "native" IPv6 network (B) behind an IPv6 firewall with an ISATAP router; IPv6 Internet (C); IPv4 Internet (D)]
ISATAP is a tunneling protocol, so it in itself doesn't create a client/server relationship. ISATAP merely allows IPv6 communications to tunnel through an IPv4 network. ISATAP is great for site-to-site communications, or client-to-server initiated communications.
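Because ISATAP embeds the IPv4 tunnel endpoint inside the IPv6 interface identifier (RFC 5214), an IPv6 address seen on the DirectAccess side can be mapped back to the IPv4 host that sent it. The following added example (not code from the page or from Microsoft) builds ISATAP addresses and extracts the embedded IPv4 endpoint from constructed firewall-style log lines; the 2001:db8:1::/64 prefix and the sample lines are made up, and treating only RFC 1918 addresses as non-globally-unique for the u/l bit is an assumption.

```python
import ipaddress

# ISATAP (RFC 5214) interface identifier: the 24-bit IANA OUI 00-00-5E, the byte
# 0xFE, then the 32-bit IPv4 tunnel endpoint in network byte order. The u/l bit
# (0x0200 in the first 16-bit word) is set when the IPv4 address is globally
# unique; as an assumption, RFC 1918 addresses are treated as non-unique here.
IID_PRIVATE = 0x0000_5EFE
IID_GLOBAL = 0x0200_5EFE
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """ISATAP address a host with address `ipv4` forms under the /64 `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP addresses are formed under a /64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    tag = IID_PRIVATE if any(v4 in n for n in RFC1918) else IID_GLOBAL
    return ipaddress.IPv6Address(int(net.network_address) | (tag << 32) | int(v4))


def embedded_ipv4(ipv6: str):
    """Return the IPv4 tunnel endpoint embedded in an ISATAP address, else None."""
    iid = int(ipaddress.IPv6Address(ipv6)) & ((1 << 64) - 1)
    if iid >> 32 not in (IID_PRIVATE, IID_GLOBAL):
        return None
    return ipaddress.IPv4Address(iid & 0xFFFF_FFFF)


def isatap_endpoints(log_lines):
    """Map each ISATAP IPv6 address seen in log lines to its IPv4 endpoint."""
    # Lets IPv6-side events (IPsec, DirectAccess) be correlated with IPv4
    # firewall or DHCP records, which only know the tunnel endpoint address.
    found = {}
    for line in log_lines:
        for token in line.split():
            candidate = token.rsplit("=", 1)[-1]  # strip key= from "src=..." tokens
            try:
                v4 = embedded_ipv4(candidate)
            except ValueError:  # token is not an IPv6 address at all
                continue
            if v4 is not None:
                found[candidate] = str(v4)
    return found


# Constructed sample lines (not from the page); 2001:db8::/32 is documentation space.
SAMPLE_LOG = [
    "allow src=2001:db8:1:0:0:5efe:10.0.0.25 dst=2001:db8:1::10 proto=tcp dport=445",
    "allow src=2001:db8:1::200 dst=2001:db8:1::10 proto=tcp dport=443",
]

if __name__ == "__main__":
    print(isatap_endpoints(SAMPLE_LOG))  # {'2001:db8:1:0:0:5efe:10.0.0.25': '10.0.0.25'}
```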
[Diagram: IP-HTTPS tunnels IPv6 in HTTPS: an IPHTTPS host behind a NAT device on the IPv4 Internet connects to the IPHTTPS server on the IPv6 intranet; the IPHTTPS server presents a certificate, and a web server publishes its CRL]
[Diagram: Always On Windows 7 clients reach the DirectAccess server over IPv6; UAG extends support to IPv4 servers; managed Vista and XP clients and unmanaged non-Windows and PDA clients connect through UAG SSL VPN]
UAG improves adoption and extends access to existing infrastructure. UAG and DirectAccess better together:
1. Extends access to line-of-business servers with IPv4 support
2. Access for down-level and non-Windows clients
3. Enhances scalability and management
4. Simplifies deployment and administration
5. Hardened edge solution
UAG provides access for down-level and non-Windows clients. UAG enhances scale and management with integrated load balancing (LB) and array capabilities. UAG uses wizards and tools to simplify deployments and ongoing management. UAG is a hardened edge appliance available in hardware and virtual options.