![Page 1: Configuring and Implementing DirectAccess with Windows Server 2012](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b7ca284a79595a6a8b4591/html5/thumbnails/1.jpg)
Implementing DirectAccess in Windows Server 2012
Richard Hicks – Microsoft MVP, FishNet Security
The Remote Access Challenge…
Agenda
• What is DirectAccess?
• What are the Benefits of DirectAccess?
• What’s New in Windows Server 2012 DirectAccess
• DirectAccess Components
• Limitations of DirectAccess
• How DirectAccess Works
• Planning and Implementation
• Demonstration
• Security Considerations
What Is DirectAccess?
Next Generation Remote Access
Always On
Seamless and Transparent
Bi-Directional Connectivity
NOT a VPN!
DirectAccess vs. Legacy VPN
VPN
• Intrusive
• User Initiated
• Remote User Connects to Corporate Network
DirectAccess
• Seamless and Transparent
• No User Action Required
• Extend Corporate Network to the User
DirectAccess Benefits
End User
• Streamlined User Experience
• Familiar Access
• Increased Productivity
Administrator
• Always Managed
• Improved Compliance
• Reduced Administration Costs
Evolution of DirectAccess
Windows Server 2008 R2
Forefront Unified Access Gateway (UAG) 2010
Windows Server 2012
What’s New in Windows Server 2012?
• DirectAccess and RRAS Coexistence
• Simplified Deployment
• No PKI
• Perimeter/DMZ Deployment
• Integrated Network Load Balancing
• Multi-Domain Support
• NAP Integration
• OTP/Virtual Smartcard
• Automated Force Tunneling
• IP-HTTPS Improvements
• Manage Out
• Multi-Site
• Server Core
• PowerShell
• Monitoring and Reporting
New Feature Highlights
Easier to Deploy
• Simplified Deployment
• Flexible Network Placement
Performs Better
• IP-HTTPS Improvements
Scalable Solution
• Load Balancing
• Multi-Site
More Manageable
• Monitoring, Accounting, Reporting, Diagnostics
• PowerShell
DirectAccess Components
• Windows Server 2012
• Windows 8 Enterprise*
• Windows 7 Ultimate/Enterprise
• IPv6 and IPsec
• Active Directory and Group Policy
• Certificates
  • PKI is Optional (Strongly Recommended!)
  • PKI Required for Windows 7 Clients
• Network Location Server (NLS)
• DNS64/NAT64
• Name Resolution Policy Table (NRPT)
• Windows Firewall w/Advanced Security
DirectAccess Requires IPv6 End to End
IPv6 Transition Protocols
6to4
• Public Client IP Address
• IP Protocol 41
Teredo
• Private Client IP Address (client behind NAT)
• UDP Port 3544
IP-HTTPS
• Used when 6to4/Teredo Not Available
• SSL/TLS (HTTPS, TCP Port 443)
ISATAP
• Intranet Manage Out
• ISATAP Router
• DNS (router discovered by name)
A Word About ISATAP
ISATAP Not Recommended
• Global In Scope (once the ISATAP name resolves, every Windows host on the intranet becomes an ISATAP client)
• Lower Layer Protocols Depend On Upper Layer Protocols (router discovery relies on DNS)
• Lack of Monitoring and Management
Alternatives
• Deploy IPv6
• Restrict ISATAP to Specific Hosts
  • Group Policy
  • HOSTS File
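Added example, not from the deck: restricting ISATAP to one management host, the HOSTS-file variant of the slide above. It assumes the ISATAP router name `isatap.corp.example.com` and the DirectAccess server's internal IPv4 address `10.0.0.10`; both are placeholders. Run it elevated on the host that needs manage-out reach to DirectAccess clients.

```powershell
# Added example (not the deck's own material). Placeholders, replace for your site:
#   isatap.corp.example.com  -> ISATAP router name the DirectAccess server expects
#   10.0.0.10                -> DirectAccess server's internal (LAN-facing) IPv4 address
$IsatapName   = 'isatap.corp.example.com'
$IsatapRouter = '10.0.0.10'

# 1. Keep the name OUT of intranet DNS so the rest of the estate never discovers a
#    router. Windows DNS Server blocks "isatap" via its global query block list by
#    default; confirm the entry is still there (run on a DNS server, Windows 2012+):
#      Get-DnsServerGlobalQueryBlockList

# 2. Pin the name locally on this host only. HOSTS is consulted before DNS, so the
#    name resolves here and nowhere else.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hosts -Pattern ([regex]::Escape($IsatapName)) -Quiet)) {
    Add-Content -Path $hosts -Value "$IsatapRouter`t$IsatapName" -Encoding Ascii
}

# 3. Turn ISATAP on explicitly and point it at the router. This is the PowerShell
#    equivalent of the "Set ISATAP State" / "Set ISATAP Router Name" policies under
#    Computer Configuration > Administrative Templates > Network > TCPIP Settings >
#    IPv6 Transition Technologies, which is the Group Policy variant of the same control.
Set-NetIsatapConfiguration -State Enabled -Router $IsatapName

# 4. Verify: the ISATAP interface should carry an address whose interface ID ends in
#    :0:5efe:<this host's IPv4> and a default IPv6 route via the router's link-local address.
Get-NetIsatapConfiguration
Get-NetIPAddress -InterfaceAlias '*ISATAP*' -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, IPAddress, PrefixLength
Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, NextHop
```

Hosts that do not get the HOSTS entry (or the equivalent policy) never resolve the ISATAP name, so they never join the overlay; that is the whole point of keeping the record out of DNS.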
DirectAccess Limitations
Supported Clients
• Windows 8 Enterprise
• Windows 7 Enterprise
• Windows 7 Ultimate
• Domain-Joined
Non-Supported Clients
• Windows 8 Professional
• Windows Vista
• Windows XP
• Non domain-joined
Client Compatibility Issues
• Protocols with Embedded IPv4 Addresses
• Applications with Hard Coded IPv4 Addresses
How DirectAccess Works
Client on the Intranet
• Client Assumes it is Not Connected to the Intranet
• Establishes HTTPS Connection to NLS
• Domain WFAS Profile Activated
• NRPT Disabled
• No DirectAccess IPsec Tunnels
Client on the Internet
• Client Assumes it is Not Connected to the Intranet
• Fails to Establish HTTPS Connection to NLS
• Public or Private WFAS Profile Activated
• NRPT Enabled
• DirectAccess IPsec Tunnels Enabled
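Added example, not from the deck: a client-side check that replays the network location decision from the two slides above (assume Internet, probe the NLS over HTTPS) and then compares the expected outcome with what the client components actually applied. The NLS URL `https://nls.corp.example.com/` is a placeholder; the real one is the name in the NRPT exemption rule for your NLS. Run on a Windows 8 DirectAccess client.

```powershell
# Added example (not the deck's own material). Windows 8 client, PowerShell 3.0.
param([string]$NlsUrl = 'https://nls.corp.example.com/')   # placeholder NLS URL

# 1. The client starts by assuming it is NOT on the intranet, then probes the NLS.
#    Only a clean HTTPS response through a trusted certificate chain counts as
#    "intranet"; a DNS, TCP, TLS or HTTP failure all leave it on the Internet path.
$nlsReachable = $false
try {
    $resp = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 5 -ErrorAction Stop
    $nlsReachable = ($resp.StatusCode -eq 200)
} catch {
    $nlsReachable = $false
}

# 2. What should follow from that decision, per the two slides
if ($nlsReachable) {
    $expected = 'Domain WFAS profile, NRPT disabled, no DirectAccess IPsec tunnels'
} else {
    $expected = 'Public/Private WFAS profile, NRPT enabled, DirectAccess IPsec tunnels'
}

# 3. What the client actually did
$profiles    = Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
$nrptRules   = @(Get-DnsClientNrptPolicy -Effective | Where-Object { $_.DirectAccessEnabled })
$mainModeSAs = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
$da          = Get-DAConnectionStatus            # DirectAccessClientComponents module
$iphttps     = Get-NetIPHttpsState -ErrorAction SilentlyContinue

[pscustomobject]@{
    NlsReachable      = $nlsReachable
    Expected          = $expected
    DAStatus          = $da.Status              # e.g. ConnectedLocally / ConnectedRemotely
    DASubstatus       = $da.Substatus
    NetworkCategories = ($profiles.NetworkCategory | Sort-Object -Unique) -join ','
    ActiveNrptRules   = $nrptRules.Count        # should be 0 when on the intranet
    IPsecMainModeSAs  = $mainModeSAs.Count      # should be 0 when on the intranet
    IPHttpsState      = $(if ($iphttps) { $iphttps.InterfaceState } else { 'n/a' })
} | Format-List
```

A mismatch between `Expected` and the observed values is the usual "I am in the office but DirectAccess thinks I am remote" ticket: a reachable NLS whose certificate is untrusted or expired fails the probe exactly as an unreachable one does, and the client stays on the Internet path.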
Planning for DirectAccess
Prerequisites
• Windows Server 2012
• Windows 8 Enterprise
• Windows 7 Enterprise/Ultimate
• Domain-joined
Network Placement
• Edge
• Perimeter/DMZ
High Availability and Redundancy
Implementing DirectAccess
Install RemoteAccess Feature
• GUI
• PowerShell
Configure RemoteAccess
• Simplified Deployment
• Complex Deployment
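Added example, not from the deck: the PowerShell route through both steps above (install the feature, then a simplified deployment) on a Windows Server 2012 edge server. Every name is a placeholder: the public name `da.example.com`, the NIC aliases `Internet` and `Corpnet`, the GPO names, the client security group `CORP\DirectAccess Clients`, and the CA subject in the optional PKI step.

```powershell
# Added example (not the deck's own material). Run elevated on the future DA server.
$PublicName  = 'da.example.com'                 # placeholder: name clients connect to
$ClientGroup = 'CORP\DirectAccess Clients'      # placeholder: group of client computer accounts

# 1. Install RemoteAccess Feature (PowerShell)
Install-WindowsFeature RemoteAccess -IncludeManagementTools

# 2. Prerequisite check only: stops with a readable report if IPv6, the interfaces,
#    domain membership or the GPO permissions are not in order.
Install-RemoteAccess -Prerequisite -DAInstallType FullInstall -ConnectToAddress $PublicName `
    -InternetInterface 'Internet' -InternalInterface 'Corpnet'

# 3. Simplified deployment: no PKI (Kerberos proxy for client authentication),
#    self-signed IP-HTTPS and NLS certificates, NLS hosted on the DA server, and
#    NAT64/DNS64 enabled so IPv4-only intranet hosts stay reachable. Windows 7
#    clients cannot use this mode; they need the computer-certificate path in step 5.
Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress $PublicName `
    -InternetInterface 'Internet' -InternalInterface 'Corpnet' `
    -ClientGpoName 'CORP\DirectAccess Client Settings' `
    -ServerGpoName 'CORP\DirectAccess Server Settings' `
    -DeployNat -Force -PassThru

# 4. Scope the client GPO: a dedicated security group, and only mobile computers
#    (OnlyRemoteComputers filters desktops out of the client GPO).
Add-DAClient -SecurityGroupNameList $ClientGroup
Set-DAClient -OnlyRemoteComputers Enabled

# 5. Optional hardening the deck recommends: IPsec computer certificates (required
#    for Windows 7 clients) and two-factor user authentication. Requires a CA whose
#    root is in LocalMachine\Root; the subject filter is a placeholder. Uncomment to apply.
# $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like '*Corp Root CA*'
# Set-DAServer -ComputerCertAuthentication Enabled -IPsecRootCertificate $root -UserAuthentication TwoFactor

# 6. Verify the resulting configuration and component health
Get-RemoteAccess
Get-RemoteAccessHealth | Format-Table -AutoSize
```

The same parameters drive a perimeter/DMZ placement; only the interface roles and the `-ConnectToAddress` change, and behind a NAT the server is reachable by IP-HTTPS alone, which is why the IP-HTTPS improvements on the "What's New" slide matter for that topology.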
Demonstration
Security Considerations
Authentication
• Password Policy
• SmartCards
• Dynamic Passwords (OTP)
Endpoint
• Whole Disk Encryption
• Boot PIN
• Anti-Virus
Infrastructure
• NAP Integration
• Remote Content Filtering
• Disable Computer Account for Lost/Stolen Machines
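Added example, not from the deck: the first-response steps behind the last bullet, for a DirectAccess laptop reported lost or stolen. The computer name `LAPTOP-042`, the group `DirectAccess Clients`, the server `DA1` and the CA name are placeholders. Run from a management host with the ActiveDirectory and RemoteAccess RSAT modules.

```powershell
# Added example (not the deck's own material). Placeholders: LAPTOP-042, DirectAccess Clients, DA1.
param(
    [string]$Computer    = 'LAPTOP-042',
    [string]$ClientGroup = 'DirectAccess Clients',
    [string]$DAServer    = 'DA1'
)
Import-Module ActiveDirectory, RemoteAccess

$acct = Get-ADComputer -Identity $Computer

# 1. Disable, do not delete. Both DirectAccess tunnels authenticate the machine
#    (computer certificate or Kerberos proxy), so a disabled account cannot build a
#    new infrastructure tunnel. Keeping the object preserves its SID and audit trail.
Disable-ADAccount -Identity $acct

# 2. Remove it from the client group so the DA client GPO/NRPT stop applying if the
#    machine ever reappears, and leave a timestamped note on the object.
Remove-ADGroupMember -Identity $ClientGroup -Members $acct -Confirm:$false
Set-ADComputer -Identity $acct -Description "DISABLED $(Get-Date -Format s): reported lost/stolen"

# 3. If the deployment uses IPsec computer certificates, revoke that certificate on
#    the CA as well (serial number from the CA's Issued Certificates view; reason 1
#    is KeyCompromise). How fast this bites depends on the CRL publication interval
#    and the IPsec revocation-checking setting on the DA server.
#   certutil -config "CA1\Corp Issuing CA" -revoke <SerialNumber> 1

# 4. An established tunnel lives until its SA expires or the client re-authenticates,
#    so check whether the machine is connected right now. For the infrastructure
#    tunnel the UserName column carries the machine account (assumed DOMAIN\NAME$).
Get-RemoteAccessConnectionStatistics -ComputerName $DAServer |
    Where-Object { $_.UserName -like "*$Computer*" } |
    Format-List
```

Step 1 is the one the slide names; steps 2 to 4 are what makes it stick, since a tunnel that is already up does not notice the account change until it has to authenticate again.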