Post on 22-Dec-2015
Introducing Web Application Proxy: Enable Work From Anywhere
Shai Kariv, Principal Group Program Manager
PCIT-B327
AGENDA
- WAP Overview
- WAP @ Windows Server: 2012 R2 and future
- WAP @ Azure Active Directory: Preview and future
- Q & A
WAP Overview

Microsoft Remote Access Solutions
- Conditional access
- DirectAccess & automatic VPN
- Desktop Virtualization

Information Worker: Productivity
- Access corpnet apps from anywhere, on any device, Windows and non-Windows
- The IW device can be un-managed, non domain joined, and even not workplace-joined
- SSO and “native” device/app experience

Introducing: Web Application Proxy

IT Pro: Risk Management
- Selectively publish corpnet apps
- Control access per app, user, device, location
- Better protection with pre-authentication (optional)
- No change required in existing apps
- No change required on devices (clientless)
Network Topology

[Diagram: a Client (browser, Office client or modern app) on the Internet reaches the Web Application Proxy and the AD FS Proxy in the DMZ over HTTP/S, passing a Firewall and a Load Balancer; a second Firewall and Load Balancer separate the DMZ from the Corporate Network, which hosts the Backend Servers, AD FS, the Config. Store and an Active Directory Domain Controller. Labelled flows: HTTP/S, AuthN, AuthN Web UI, Config. API over HTTPS, "Claims, KCD, OAuth, MSOFBA, or pass-through" towards the backend, and "Obtain KCD ticket for IWA AuthN" towards the domain controller.]
WAP: Fundamental Services

Reverse Proxy Services
- Network Isolation: even in pass-through, even post pre-auth, the backend is never exposed directly
- Basic DoS: throttling, queuing, session establishing, before routing to the backend
- URL Translation: HTTP header level translation enables publishing non-FQDN URLs, and HTTPS -> HTTP
- Selective Publishing: per internal application endpoint
- AD FS Proxy services: FS, MFA, DRS
- Web Protocols Only: HTTP, HTTPS

Pre-authentication services
- Rich Policy: user + device identity, application identity, network location
- MFA Options: smartcards, phone factor, soft password lockout
- Multiple Authentication Methods: KCD, claims, OAuth, MSO-FBA, …
- SSO: avoid requesting credentials again after the first pre-auth, via a dedicated security token of AD FS
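As an added illustration of the URL translation bullet (example code written for this page, not from the deck or the product), the header-level rewriting between the external name https://lob.fabrikam.com used in the later diagrams and the internal non-FQDN, plain-HTTP backend http://lob; the header names handled and the exact-origin matching rule are this example's own assumptions:

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed mapping taken from the deck's diagrams: clients see the external
# HTTPS name, the backend is published internally on a plain-HTTP, non-FQDN URL.
EXTERNAL_URL = "https://lob.fabrikam.com"
BACKEND_URL = "http://lob"


def swap_origin(url, src, dst):
    """Rewrite scheme+host of url from src to dst only when it matches src exactly;
    relative URLs and foreign origins pass through untouched."""
    u, s, d = urlsplit(url), urlsplit(src), urlsplit(dst)
    if u.scheme.lower() != s.scheme or u.netloc.lower() != s.netloc:
        return url
    return urlunsplit((d.scheme, d.netloc, u.path, u.query, u.fragment))


def translate_request_headers(headers):
    """Inbound (client -> backend): present the backend's own name to the app."""
    out = dict(headers)
    if out.get("Host", "").lower() == urlsplit(EXTERNAL_URL).netloc:
        out["Host"] = urlsplit(BACKEND_URL).netloc
    for h in ("Referer", "Origin"):
        if h in out:
            out[h] = swap_origin(out[h], EXTERNAL_URL, BACKEND_URL)
    return out


def translate_response_headers(headers):
    """Outbound (backend -> client): absolute backend URLs become the external
    HTTPS name, so a redirect never sends the client to http://lob directly."""
    out = dict(headers)
    for h in ("Location", "Content-Location"):
        if h in out:
            out[h] = swap_origin(out[h], BACKEND_URL, EXTERNAL_URL)
    return out
```

Only headers are touched; links inside HTML bodies still carry the internal name, which is why "URL translation in HTTP body" appears later in the deck as a customer request.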
WAP @ Windows Server

Web Application Proxy + AD FS Architecture
- Users can register their devices to gain access to corporate data and apps and single sign-on through device authentication.
- Conditional access with multi-factor pre-authentication is provided on a per-application basis, leveraging user identity, device registration & network location.
- Published applications: publish any standard Web/HTTP server. Single Sign On using Kerberos, claims, Office or OAuth.
- AD FS provides rich authentication and authorization capabilities including multi-factor and federation.
- New Windows Server 2012 R2 role service under the RRAS server role, integrated into Windows Server Manager and the RRAS admin experience (PSH + UI).
[Diagram sequence, repeated across the animation frames: a User on the Internet talks to the Web Application Proxy (WAP, holding the App Policies) in the perimeter network at https://lob.fabrikam.com; the internal network holds AD, AD FS at https://sts.fabrikam.com and the LOB app (Windows authN) at http://lob. Frame labels in order: 302 (redirect towards https://sts.fabrikam.com), QueryString, Proxy SSO, Edge Policies and Application Policies, 401 from the LOB app, Kerberos Constrained Delegation with the ProxyUPN, AP_REQ(tckt) to the LOB app, and finally DRS at https://enterpriseenrollment.fabrikam.com.]
DEMO: WAP @ Windows Server 2012R2
WAP Performance
Great numbers: 1000s of requests per second even for entry level HW
- CPU bound – mainly due to SSL processing
- Latency added by the proxy is <5 milliseconds

What makes the difference:
- Transaction size
- Preauthentication type
- HTTPS or HTTP
- SSL certificate size
WAP Performance Labs

- Entry level server: HP Proliant DL 360 G5, Intel Xeon E5410, 1 CPU, 4 cores, 2.33 GHz, 8 GB RAM, 256 KB L1 cache, 12 MB L2 cache, 2 1-gigabit network cards (1 for each side)
- Medium level server: HP Proliant SE316M1, Intel Xeon L5220, 2 CPUs, 4 cores each (8 total), 2.27 GHz, 16 GB RAM, 512 KB L1 cache, 2 MB L2 cache, 16 MB L3 cache, 4 1-gigabit network cards (2 for each side using teaming)
- Top level server: HP Proliant DL580 G7, Intel Xeon E7-4850, 4 CPUs, 10 cores each (40 total), 2.00 GHz, 128 GB RAM, 2.5 MB L1 cache, 10 MB L2 cache, 96 MB L3 cache

Transaction size impact (chart series: Pass-through preauthentication, Claims preauthentication, Claims preauthentication + KCD; file sizes 100B, 2KB, 4KB, 8KB, 16KB, 32KB, 1MB). Values as read from the slide:

File size   Requests/sec   Bandwidth
100B        16K            15M
2KB         13K            43M
4KB         12K            67M
8KB         10K            94M
16KB        7K             121M
32KB        4K             145M
1MB         180            204M

Test conditions:
- Medium level HW
- CPU: 95%-98%
- Keep alive: on
- HTTPS external and backend
- SSL certificate 2048 bit
- No fine tunes – OOB Windows
Experience with Microsoft Applications
- SharePoint works with preauthentication in AD FS when the SharePoint authentication is claims or Windows/Kerberos (via KCD). Known limitation: Web Application Proxy does not support wildcard domain publishing (e.g. https://*.apps.contoso.com), so when publishing SharePoint Apps, their domains must be published explicitly.
- OWA can be published with preauthentication and KCD or with claims-based preauthentication (requires 2013 SP1). ActiveSync and Outlook Anywhere can be published with pass-through preauthentication. Known limitation: some old ActiveSync clients do not support SNI.
- Lync mobility can be published using pass-through authentication. Known limitations: no support for HTTP interfaces; some Lync clients do not support SNI. Lync SIP traffic is handled by Lync Edge.
Note: Web Application Proxy does not certify a specific application or its versions.
Customers were asking for the following features:
- AD FS Token signing certificate rollover is an issue.
- Pre-authentication for Exchange Active-Sync / Outlook Anywhere.
- HTTP publishing over port 80.
- Automatic HTTP to HTTPS redirection, for select applications.
- Wildcard FQDN publishing.
- Built-in load balancing for back-end applications.
- URL translation in HTTP body.
- Extensibility by 1st or 3rd party code.
- API Management, RDS: integrated stack.
- Enhanced protocol support: WebSockets, HTTP 2.0
We’re busy building the future…
WAP @ Azure Active Directory

Remote Access as a Service
- Easy to deploy and operate: minimal on-prem footprint. Secure remote access to business applications with zero DMZ on-prem infrastructure deployment and no network infrastructure change.
- More secure to the business: pre-DMZ protection. All security verifications are outside of the organization premises, done at cloud scale. DDoS attacks will not influence your business.
- Deep integration with Azure Active Directory. Richness of AAD capabilities and experiences: IW access panel discovery and SSO, manage apps across SaaS and on-prem, machine learning traffic analysis, multifactor authentication, device registration, cloud ADFS proxy deployment, … Built for the cloud design point, available for AAD Premium customers.
Azure Active Directory

The new cloud connector pattern
- Better security: no incoming requests
- Simple, light on-prem deployment
- Minimal operation: IT or department
- One or multiple redundant connectors
- Stateless architecture

[Diagram labels: Application Proxy (in Azure Active Directory), Connector, Connector, Resource, Resource, Resource, Corporate Network, DMZ.]
Architecture – Connectivity
1. Once started, the connectors open HTTP requests to the WAP service. The requests remain waiting until a user request arrives or a timeout occurs.
2. The user sends a request to the public address of the service, which is unique per tenant and per application, e.g. https://app1-contoso.cwap.net/
3. The WAP service selects one of the pending connector requests and sends the user request as payload.
4. The connector sends the user request to the backend application and, once there is a response, sends it to the server as a new request.
5. The cloud service returns the response to the client request.
Architecture – Preauthentication
1. The user sends a new unauthenticated request to an application that is configured to require preauthentication.
2. WAP redirects the user to the Azure AD STS address with information on the application that needs preauthentication. Nothing is sent to the backend.
3. The user authenticates to the Azure AD STS. This process may involve other systems depending on tenant configuration, e.g. 2FA and federation. Once done, the user is redirected back to the WAP service with a token.
4. The user request arrives again, but now with a valid authentication token. Once the token is validated, the request is sent to the backend application.
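The connectivity and preauthentication sequences above, simulated in one added example (written for this page, not Microsoft's code): connectors only make outbound calls, the cloud service hands a user request to a waiting connector, and an unauthenticated request to a preauth-protected app is bounced to the STS without ever reaching the backend. The class names, STS_URL and the opaque token format are this example's own assumptions:

```python
from collections import deque
from urllib.parse import urlencode

# Constructed simulation of the connector pattern in the deck (this example's
# own code, not Microsoft's). Assumed names: CloudService, Connector, STS_URL.
STS_URL = "https://sts.example.test/authorize"  # stand-in for the Azure AD STS

class Connector:
    """On-prem connector: it only makes outbound calls, never accepts inbound."""
    def __init__(self, backend):
        self.backend = backend  # callable: request dict -> response dict

    def handle(self, req):
        # Forward to the backend; the reply goes back to the service as a new request.
        return self.backend(req)

class CloudService:
    def __init__(self, apps):
        self.apps = apps            # external host -> {"preauth": bool}
        self.pending = deque()      # connectors' open, waiting HTTP requests
        self.valid_tokens = set()   # tokens the STS issued; validated here

    def connector_waits(self, connector):
        self.pending.append(connector)

    def handle_user_request(self, host, path, token=None):
        app = self.apps[host]
        if app["preauth"] and token not in self.valid_tokens:
            # Unauthenticated: bounce to the STS naming the app; backend untouched.
            q = urlencode({"app": host, "return": f"https://{host}{path}"})
            return {"status": 302, "location": f"{STS_URL}?{q}"}
        if not self.pending:
            return {"status": 503, "body": "no connector available"}
        connector = self.pending.popleft()       # pick one waiting connector
        resp = connector.handle({"host": host, "path": path})
        self.connector_waits(connector)          # connector re-opens its long poll
        return {"status": 200, "body": resp["body"]}

def run_scenario():
    backend_calls = []
    def backend(req):
        backend_calls.append(req["path"])
        return {"body": f"hello from {req['host']}{req['path']}"}
    svc = CloudService({"app1-contoso.cwap.net": {"preauth": True}})
    svc.connector_waits(Connector(backend))
    first = svc.handle_user_request("app1-contoso.cwap.net", "/")
    svc.valid_tokens.add("tok-123")   # the STS issued a token after sign-in
    second = svc.handle_user_request("app1-contoso.cwap.net", "/", "tok-123")
    return first, second, backend_calls
```

The backend call list returned by run_scenario shows exactly one call, for the authenticated request; the first, unauthenticated request produced only the 302 to the STS.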
DEMO: WAP @ Azure AD
Q & A
Resources
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
msdn
Resources for Developers
http://microsoft.com/msdn
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Sessions on Demand
http://channel9.msdn.com/Events/TechEd
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.