da for dummies techdays 2012
DESCRIPTION
These slides were used at the Dutch TechDays event by Microsoft in 2012.
TRANSCRIPT
Direct Access for Dummies
Alex de Jong, Microsoft Freelance
Agenda
• Direct Access Overview
• Direct Access Basics
• So how does it work?
• Cool, I want that… How do I build it?
• Where do I start from here?
Direct Access is the ultimate VPN solution and one of the enablers for the New Way of Work.
Direct Access benefits
• Improved Productivity
– Helps improve the productivity of remote staff by providing the same, always-on connectivity experience whether users are inside or outside the corporate network.
• Secure Connectivity
– Leverages IPsec for authentication and encryption.
– Provides the ability to apply granular policy control over access to resources, applications, and servers.
– Integrates with Microsoft Server and Domain Isolation, Network Access Protection (NAP), and BitLocker solutions, resulting in security, access, and health requirement policies that seamlessly interoperate between intranets and remote computers.
Direct Access Benefits (cont’d)
• Greater Manageability
– Helps ensure that machines both on and off the network are always healthy, managed, and up-to-date.
– Provides administrators with the ability to update Group Policy settings and distribute software updates any time a remote computer has Internet connectivity, even if the user is not logged on.
– Helps ensure that organizations can meet regulatory and privacy mandates for security and data protection for assets that must roam beyond the corporate network.
DEMO: Direct Access Benefits
Is Direct Access complex?
Direct Access Basics
• Authentication
– DirectAccess authenticates the computer, enabling the computer to connect to the intranet before the user logs on. DirectAccess can also authenticate the user and supports two-factor authentication using smart cards.
• Encryption
– DirectAccess uses IPsec to provide encryption for communications across the Internet.
• Access Control
– IT professionals can configure which intranet resources different users can access using DirectAccess, granting DirectAccess users unlimited access to the intranet or only allowing them to use specific applications and access specific servers or subnets.
Direct Access Basics (cont’d)
• IT Simplification and Cost Reduction
– DirectAccess separates intranet traffic from Internet traffic, which reduces unnecessary traffic on the corporate network by sending only traffic destined for the corporate network through the DirectAccess server. Optionally, IT can configure DirectAccess clients to send all traffic through the DirectAccess server.
DirectAccess: a VPN on Steroids
(diagram: a DirectAccess client reaching the corporate network)
• Always on
• Automatically connects through NAT and firewalls
• Patch management, health check and GPOs before logon
• Network-level computer/user authentication and encryption
DirectAccess extends the network to the remote computer and user; VPNs connect the user to the network.
End-to-End IPv6
Are all your applications IPv6 compatible?
(diagram: client app on the Internet and server app on the corporate intranet, IPv6 end to end)
• Client and server applications must be IPv6 compatible
• Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4
• Internet tunnelling selection based on client location: Internet, NAT, firewall
• Encryption/authentication of Internet traffic (end-to-edge/end-to-end)
• Client location detection: Internet or corporate intranet
Maybe not so simple?
Connectivity Summary
(diagram: clients on the IPv4 Internet reaching the corporate network through Forefront Unified Access Gateway (UAG) behind NAT)
• Native IPv6: no tunnel needed
• 6to4 tunnel: IPv6 in IPv4 protocol 41
• Teredo tunnel (client behind NAT): IPv6 in UDP port 3544
• IPHTTPS tunnel (UDP port 3544 blocked): IPv6 in HTTPS
• Inside the corporate network: ISATAP (IPv6 in IPv4 protocol 41); NAT64/DNS64 for IPv4-only servers
What is 6to4
• 6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels. Special relay servers are also in place that allow 6to4 networks to communicate with native IPv6 networks.
What is Teredo
• Teredo is a transition technology that gives full IPv6 connectivity for IPv6-capable hosts which are on the IPv4 Internet but which have no direct native connection to an IPv6 network. Compared to other similar protocols, its distinguishing feature is that it is able to perform its function even from behind network address translation (NAT) devices such as home routers.
What is IPHTTPS
• The IP over HTTPS (IP-HTTPS) protocol allows a secure IP tunnel to be established using a secure HTTP connection.
What is ISATAP
• ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network.
• ISATAP defines a method for generating a link-local IPv6 address from an IPv4 address, and a mechanism to perform Neighbor Discovery on top of IPv4.
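The three address formats above can be worked out by hand, which helps when reading ipconfig output on a DirectAccess client. The following PowerShell is an added example, not code from the slides; the function names are my own and the sample addresses are constructed from documentation ranges.

```powershell
# Added example, not from the slides: derive the 6to4 prefix and ISATAP link-local
# address a host gets from a given IPv4 address, and decode the fields of a Teredo address.

function Get-6to4Prefix([string]$PublicIPv4) {
    # 6to4 (RFC 3056) embeds the public IPv4 address a.b.c.d as two 16-bit words
    # behind the 2002::/16 prefix: 2002:aabb:ccdd::/48
    $b = [System.Net.IPAddress]::Parse($PublicIPv4).GetAddressBytes()
    $hi = $b[0] * 256 + $b[1]
    $lo = $b[2] * 256 + $b[3]
    return ('2002:{0:x}:{1:x}::/48' -f $hi, $lo)
}

function Get-IsatapLinkLocal([string]$IPv4, [switch]$GloballyUnique) {
    # ISATAP (RFC 5214) interface identifier: 0000:5efe, or 0200:5efe with the u bit set
    # when the embedded IPv4 address is globally unique, followed by the IPv4 address
    if ($GloballyUnique) { return "fe80::200:5efe:$IPv4" }
    return "fe80::5efe:$IPv4"
}

function ConvertFrom-TeredoAddress([string]$Teredo) {
    # Teredo (RFC 4380): 2001:0:<server IPv4>:<flags>:<port XOR ffff>:<client IPv4 XOR ffffffff>
    $b = [System.Net.IPAddress]::Parse($Teredo).GetAddressBytes()
    if (-not ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0 -and $b[3] -eq 0)) {
        throw "$Teredo is not inside the Teredo prefix 2001:0::/32"
    }
    New-Object PSObject -Property @{
        Server           = ($b[4..7] -join '.')
        ConeNat          = (($b[8] -band 0x80) -ne 0)      # cone flag, top bit of the flags word
        MappedUdpPort    = (($b[10] * 256 + $b[11]) -bxor 0xFFFF)
        ClientPublicIPv4 = (($b[12..15] | ForEach-Object { $_ -bxor 0xFF }) -join '.')
    }
}

# constructed sample values (192.0.2.0/24 is the RFC 5737 documentation range)
Get-6to4Prefix '192.0.2.45'
Get-IsatapLinkLocal '10.1.1.5'
Get-IsatapLinkLocal '192.0.2.45' -GloballyUnique
ConvertFrom-TeredoAddress '2001:0:4136:e378:8000:63bf:3fff:fdd2' | Format-List
```

The decoded Teredo address reveals the Teredo server, the NAT type, and the client's public IPv4 address and mapped UDP port, which is why the Teredo address on a client is useful when troubleshooting the UDP 3544 path.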
DEMO: Direct Access
Client Location
(diagram: DirectAccess host with the Internet on one side and the corporate intranet on the other; DNS 1 is the DNS address configured on the IP interface, DNS 2 serves the corp.example.com zone)
• To resolve names on the Internet, the DirectAccess host queries DNS 1
• To resolve names on the intranet (corp.example.com zone), the DirectAccess host queries DNS 2
End-to-Edge Access Model
For end-to-edge protection, DirectAccess clients establish an IPsec session to an IPsec gateway server (which by default is the same computer as the DirectAccess server). The IPsec gateway server then forwards unprotected traffic (shown in red in the diagram) to application servers on the intranet. This architecture works with any IPv6-capable application server but does not require that server to run IPsec, simplifying the configuration and setup.
End-to-Edge plus End-to-End IPsec Model
For end-to-edge with end-to-end IPsec protection, DirectAccess clients establish an IPsec session to an IPsec gateway server, and that IPsec traffic continues all the way to the intranet server for end-to-end IPsec protection. This architecture provides better security than the end-to-edge model alone.
End-to-End IPsec Access Model
With end-to-end IPsec protection, DirectAccess clients establish an IPsec session through the DirectAccess server to each application server to which they connect. This provides the highest level of security because you can configure access control on the DirectAccess server and extend IPsec all the way to the internal server. This architecture requires that application servers run Windows Server 2008 SP2 or Windows Server 2008 R2 and use both IPv6 and IPsec.
Steps
• Enable IPv6 internally (ISATAP)
• Network Location Server
• Client Groups
• Firewall settings on clients
• Certificate auto-enrollment
• Direct Access server
• Finalize
• Test
(diagram: Windows 7 client, IPv6 over IPv4 to the DirectAccess server (Server 2008 R2), IPv6 on to line of business applications on Windows Server 2008/R2)
1: Enabling IPv6 in the Enterprise
• Using ISATAP
• On all internal DCs: dnscmd /config /globalqueryblocklist wpad
(this replaces the default global query block list of wpad and isatap with wpad only, so that the DNS server will answer queries for the isatap name)
2: Configuring NLS
• Any INTERNAL server running Web services
• Create a DNS name (like nls.yourdomain.com)
• Associate this new NLS DNS name with an IP address of an internal Web server
The NLS tells the DirectAccess clients whether they are “inside” or “outside” the network. *** Make sure this system is HIGHLY available!!! ***
3: Create Group(s) for the DA Clients
• Create a security group (Global or Universal)
• Add Win7 client systems into this group
Remember, systems are no longer really part of a “site” as they are now universally roaming systems. So you define the group of systems by policy of what you want the systems to have access to, not where they arbitrarily are.
4: Windows Firewall for DA
• Allow inbound and outbound ICMPv6 Echo Request messages
• Create a Group Policy or configure each system individually
5: Configuring the NLS
• Enroll the server with a certificate and configure it for SSL access
6: Certificate Auto-Enrollment
• Make sure all systems in the Direct Access group of client systems have a valid client authentication certificate
7: Install & Config Direct Access
• Add a certificate to the DirectAccess server
• Add the DirectAccess feature on the server
• Run the DirectAccess setup
8: Finalizing Configurations
• Run gpupdate /force on all systems to make sure the new policies have been applied (servers for the firewall policy, clients for the firewall and certificate auto-enrollment policies)
• Stop/start the iphlpsvc service on all servers and test to make sure that all systems can resolve the isatap.yourdomain.com DNS entry that was created during the DirectAccess setup wizard
• Use ping -6 <ipaddress> to make sure you can ping servers and systems internally
9: Testing DA: Internal
• With the client system internal, run ipconfig and check to make sure you have a local address
10: Testing DirectAccess (External)
• With the client system external, run ipconfig and check to make sure you have an external IP address
• Access a file on a file server or SharePoint using an internal http(s) connection
11: Testing DA: IPHTTPS
• Step 10 tested external access using the automatically generated Teredo (2001:) address
• Now to verify that external access is working using IP-HTTPS, disable Teredo:
– netsh interface teredo set state disable
– netsh interface httpstunnel show interfaces
• Re-access your file server and your Web server with an internal address and see if you still have access, now over IP-HTTPS
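Steps 8 to 11 can be scripted on the client so the same checks run the same way every time. The script below is an added example, not from the slides; isatap.yourdomain.com and fileserver.yourdomain.com are placeholders for your own names, and the function names are my own.

```powershell
# Added example, not from the slides: client-side checks for steps 8 to 11 on a
# Windows 7 DirectAccess client. Run from an elevated PowerShell prompt.
param(
    [string]$IsatapName   = 'isatap.yourdomain.com',     # placeholder: created by the DA setup wizard
    [string]$InternalHost = 'fileserver.yourdomain.com', # placeholder: any intranet host to reach
    [switch]$ForceIpHttps                                # step 11: disable Teredo to exercise IP-HTTPS
)

function Test-ResolvesToIPv4([string]$Name) {
    # the ISATAP router name must resolve to an IPv4 address (the router's IPv4 side)
    try { $a = [System.Net.Dns]::GetHostAddresses($Name) } catch { return $false }
    return [bool]($a | Where-Object { $_.AddressFamily -eq 'InterNetwork' })
}

function Get-TransitionAddressReport {
    # classify every IPv6 address on this machine by the transition prefix it carries
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -match ':' } |
        ForEach-Object {
            $kind = switch -Regex ($_) {
                '^2001:0?:' { 'Teredo (2001:0::/32)'; break }
                '^2002:'    { '6to4 (2002::/16)'; break }
                ':5efe:\d'  { 'ISATAP (interface ID 5efe + IPv4)'; break }
                default     { 'native, link-local or IP-HTTPS' }
            }
            New-Object PSObject -Property @{ Address = $_; Kind = $kind }
        }
}

Write-Host 'Step 8: refresh Group Policy and restart the IP Helper service (iphlpsvc)'
gpupdate /force | Out-Null
Restart-Service iphlpsvc
if (Test-ResolvesToIPv4 $IsatapName) { Write-Host "$IsatapName resolves" }
else { Write-Warning "$IsatapName does not resolve: check the DNS global query block list (step 1)" }

Write-Host 'Steps 9/10: transition addresses currently on this client'
Get-TransitionAddressReport | Format-Table Kind, Address -AutoSize

if ($ForceIpHttps) {
    Write-Host 'Step 11: disabling Teredo so the client has to fall back to IP-HTTPS'
    netsh interface teredo set state disable | Out-Null
    netsh interface httpstunnel show interfaces
}
Write-Host "Reaching $InternalHost over IPv6 (ping -6)"
ping -6 -n 2 $InternalHost
```

After testing with -ForceIpHttps, put Teredo back with netsh interface teredo set state default.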
Extend support to IPv4 servers
(diagram: Windows 7 DirectAccess clients, always on over IPv6, reach IPv4 servers through the DA server; managed Vista/XP clients and unmanaged non-Windows and PDA clients connect over SSL VPN)
1. Extends access to line of business servers with IPv4 support
2. Access for down-level and non-Windows clients
3. Enhances scalability and management
4. Simplifies deployment and administration
5. Hardened edge solution
DirectAccess (Windows 7) + SSL VPN (managed Vista/XP, unmanaged non-Windows and PDA)