SVR402: DirectAccess Technical Drilldown, Part 2 of 2: Putting it all together
John Craddock, Infrastructure & Security Architect, XTSeminars Ltd
Session Code: SVR402
Part 1 recap: Internet to Intranet
(diagram: 6to4 host/router to 6to4 relay; IP-HTTPS host behind a NAT device to the IP-HTTPS server; Teredo host behind a NAT device to the Teredo server & relay; Internet on one side, corporate intranet on the other)
Part 1 recap: IPv6/IPv4 Intranet
(diagram: IPv4-only, IPv6/IPv4 dual-stack and native IPv6 segments; ISATAP router between IPv4 and IPv6; NAT-PT or NAT64 between IPv6 and IPv4)
What's Left?
- Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4
- Internet tunnelling selection based on client location: Internet, NAT, firewall
- Encryption/authentication of Internet traffic (end-to-edge/end-to-end); PKI required
- Client location detection: Internet or corporate intranet
Don't Give Up Now
Part 1: IPv6 intro; transition technologies; end-to-end connectivity
Part 2: IPsec; configuring DirectAccess; network location and name resolution policies; it all works, just like that!
Demo Environment
(diagram labels: Home, Corporate intranet, Internet; DC1: DC, DNS, CA and IIS for CRL distribution; APP1; NAT1; DA1; EX1: DNS; three WIN7 clients)
All servers Windows 2008 R2
Securing the Tunnel
- DirectAccess uses IPsec to secure network traffic
- Traffic over the Internet is encrypted and authenticated
- Access via IP-HTTPS is double encrypted: encrypted IPv6 within HTTPS
IPsec to the Rescue
- IPsec is managed through Windows Firewall with Advanced Security; best deployed through group policy
- Connection security rules create:
  - IPsec tunnels (authenticated and encrypted)
  - Authenticated connections (computer and user authentication)
- Inbound/outbound rules set requirements for encryption
Traffic Profile
Rules are based on a traffic profile:
- Connection security rule: authenticate all TCP traffic between A & B on ports W & X
- Inbound/outbound rule: encrypt authenticated TCP traffic between A & B on ports W & X
Traffic profile: <Protocol> <source IP> <destination IP> <source port> <destination port>
IPsec Primer
(diagram: AuthIP exchange between the two hosts)
- AuthIP: create a shared secret between the hosts; uses Diffie-Hellman
- AuthIP: authenticate over the secure channel using Kerberos / certificates; computer and/or user authentication
- Main mode security association: key life configurable, default 8 hours
- AuthIP: establish IPsec session keys
- IPsec SA: create a security association for the session
- Quick mode: IPsec SA, key life configurable, default 1 hour / 100 MB; drops after 3 mins of inactivity
- Exchange data: integrity, or integrity + encryption
Main Mode Association (slide shows only a figure)
Quick Mode Association (slide shows only a figure)
Data Exchange
AH, protocol ID 51: [IP header][AH][IP payload]. Signed, ignoring the ICV field and fields that change in transit. The Authentication Header (AH) contains:
- Protocol ID of payload (TCP/UDP/ICMP…)
- Sequence number: prevents replay
- Security Parameters Index: identifies the IPsec SA
- Integrity Check Value (ICV), calculated with SHA1 or MD5
ESP, protocol ID 50: [IP header][ESP header][IP payload, encrypted][ESP trailer]. Signed. The Encapsulating Security Payload (ESP) headers contain:
- Protocol ID of payload (TCP/UDP/ICMP…)
- Sequence number: prevents replay
- Security Parameters Index: identifies the IPsec SA
- Integrity Check Value (ICV)
When you just want integrity through NAT, use ESP-Null.
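The header fields the slide lists are easiest to understand by reading them back out of a packet. The following is an added example, not part of the deck: it builds IPv6 packets carrying AH (protocol 51) and ESP (protocol 50), parses the SPI, sequence number and next-protocol fields, verifies the AH ICV with HMAC-SHA1-96 over the packet with its mutable fields zeroed (the "ignoring the ICV field and fields that change in transit" rule), and implements the per-SA anti-replay window that gives the sequence number its purpose. The addresses and the key are constructed for the demo; extension headers before AH/ESP are not handled.

```python
"""AH/ESP header parsing and anti-replay window, modelled in Python.
Added example; the packets, addresses and key below are constructed for the demo."""
import hashlib
import hmac
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51
ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte SHA1 HMAC is truncated to 96 bits

# Constructed demo addresses and AH integrity key (not from the deck)
SRC = bytes.fromhex("20010db8000000000000000000000010")
DST = bytes.fromhex("20010db8000000000000000000000020")
KEY = b"constructed-demo-ah-key"


def build_ipv6(next_header, payload, src, dst):
    # version 6 / traffic class 0 / flow label 0, payload length, next header, hop limit 64
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload


def _ah_signed_bytes(pkt):
    """AH signs the whole packet except the mutable fields: traffic class, flow label
    and hop limit in the IPv6 header, and AH's own ICV field (zeroed for the MAC)."""
    hdr = bytearray(pkt[:40])
    hdr[0] &= 0xF0                   # keep only the version nibble
    hdr[1] = hdr[2] = hdr[3] = 0     # traffic class + flow label
    hdr[7] = 0                       # hop limit changes at every router
    rest = bytearray(pkt[40:])
    rest[12:12 + ICV_LEN] = b"\x00" * ICV_LEN
    return bytes(hdr) + bytes(rest)


def build_ah_packet(src, dst, spi, seq, inner_proto, payload, key):
    # AH fixed part: next header, payload length (32-bit words minus 2), reserved, SPI, sequence
    ah_words = (12 + ICV_LEN) // 4
    ah = struct.pack("!BBHII", inner_proto, ah_words - 2, 0, spi, seq) + b"\x00" * ICV_LEN + payload
    pkt = build_ipv6(IPPROTO_AH, ah, src, dst)
    icv = hmac.new(key, _ah_signed_bytes(pkt), hashlib.sha1).digest()[:ICV_LEN]
    return pkt[:52] + icv + pkt[52 + ICV_LEN:]


def build_esp_packet(src, dst, spi, seq, opaque):
    # ESP header is only SPI + sequence number; what follows is the (possibly null-)encrypted payload
    return build_ipv6(IPPROTO_ESP, struct.pack("!II", spi, seq) + opaque, src, dst)


def parse_ipsec(pkt, ah_key=None):
    """Return the SA-identifying fields (protocol, SPI, sequence number) and, for AH
    when a key is given, whether the ICV verifies."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    proto, body = pkt[6], pkt[40:]
    if proto == IPPROTO_AH:
        next_hdr, plen, _reserved, spi, seq = struct.unpack("!BBHII", body[:12])
        ah_len = (plen + 2) * 4
        info = {"proto": "AH", "spi": spi, "seq": seq, "next": next_hdr,
                "payload": body[ah_len:]}
        if ah_key is not None:
            expected = hmac.new(ah_key, _ah_signed_bytes(pkt), hashlib.sha1).digest()[:ICV_LEN]
            info["icv_ok"] = hmac.compare_digest(body[12:ah_len], expected)
        return info
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        return {"proto": "ESP", "spi": spi, "seq": seq, "opaque": body[8:]}
    return {"proto": proto}


class ReplayWindow:
    """Sliding anti-replay window per SA (RFC 4303 style). Only update it after the
    ICV has verified, otherwise forged sequence numbers could advance the window."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False                     # sequence numbers start at 1
        if seq > self.top:                   # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1) if shift < self.size else 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False                     # too old, or already seen: a replay
        self.bitmap |= 1 << offset
        return True
```

The ESP branch deliberately stops at the SPI and sequence number: everything after them is opaque until the SA's keys decrypt it (for ESP-Null, strip the trailer and check the ICV instead), which is exactly why a NAT device can forward ESP but cannot see inside it.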
Negotiated Security Options
- Do not authenticate
- Request inbound and outbound: a host responds to both IPsec and unauthenticated (non-IPsec) requests. It initiates communications with IPsec and, if that fails, falls back to unauthenticated communications.
- Require inbound and request outbound: a host responds to inbound traffic secured by IPsec and ignores unauthenticated requests. It initiates communications with IPsec and, if that fails, falls back to unauthenticated communications.
- Require inbound and require outbound: a host requires IPsec-secured communications for both inbound and outgoing requests.
- Require inbound and clear outbound
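To see how the traffic profile (the Traffic Profile slide) and the negotiated options above combine, here is an added example that is not part of the deck: a small model of Windows Firewall with Advanced Security connection security rules. A rule carries a profile with wildcards, one of the negotiated options, and a flag for the matching inbound/outbound firewall rule requiring encryption; `outbound` reports what an initiating host ends up sending and `inbound` whether a responder accepts a packet. The sample rules, flows and the first-match-wins ordering are assumptions made for the demo.

```python
"""Traffic-profile matching and negotiated security options of connection security
rules, modelled in Python. Added example; rule ordering (first match wins) and the
sample policy and flows are constructed for the demo."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Profile:
    """<Protocol> <source IP> <destination IP> <source port> <destination port>;
    None in any position means 'any'."""
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        pairs = ((self.proto, f.proto), (self.src, f.src), (self.dst, f.dst),
                 (self.sport, f.sport), (self.dport, f.dport))
        return all(want is None or want == got for want, got in pairs)


# Negotiated option = (inbound requirement, outbound behaviour)
DO_NOT_AUTHENTICATE = ("none", "clear")
REQUEST_IN_REQUEST_OUT = ("request", "request")
REQUIRE_IN_REQUEST_OUT = ("require", "request")
REQUIRE_IN_REQUIRE_OUT = ("require", "require")
REQUIRE_IN_CLEAR_OUT = ("require", "clear")


@dataclass(frozen=True)
class ConsecRule:
    profile: Profile
    option: Tuple[str, str]
    require_encryption: bool = False  # the matching inbound/outbound firewall rule says "encrypt"


def first_match(rules, flow):
    return next((r for r in rules if r.profile.matches(flow)), None)


def outbound(rules, flow, peer_speaks_ipsec):
    """What the initiating host ends up sending: 'ipsec', 'ipsec+encrypt', 'clear' or
    'blocked'. The 'request' options negotiate IPsec first and fall back to clear."""
    rule = first_match(rules, flow)
    if rule is None or rule.option[1] == "clear":
        return "clear"
    if peer_speaks_ipsec:
        return "ipsec+encrypt" if rule.require_encryption else "ipsec"
    return "clear" if rule.option[1] == "request" else "blocked"


def inbound(rules, flow, secured, encrypted):
    """Whether the responding host accepts a packet for 'flow' given how it arrived."""
    rule = first_match(rules, flow)
    if rule is None:
        return "accept"
    if rule.require_encryption:  # encryption implies authentication
        return "accept" if (secured and encrypted) else "drop"
    if rule.option[0] == "require" and not secured:
        return "drop"  # unauthenticated requests are ignored
    return "accept"


# Constructed policy: SMB must be authenticated and encrypted inbound, HTTP only requests
# IPsec, RDP requires IPsec in both directions.
RULES = [
    ConsecRule(Profile(proto="TCP", dport=445), REQUIRE_IN_REQUEST_OUT, require_encryption=True),
    ConsecRule(Profile(proto="TCP", dport=80), REQUEST_IN_REQUEST_OUT),
    ConsecRule(Profile(proto="TCP", dport=3389), REQUIRE_IN_REQUIRE_OUT),
]
SMB = Flow("TCP", "2001:db8::10", "2001:db8::20", 50000, 445)
HTTP = Flow("TCP", "2001:db8::10", "2001:db8::20", 50001, 80)
RDP = Flow("TCP", "2001:db8::10", "2001:db8::20", 50002, 3389)
DNS = Flow("UDP", "2001:db8::10", "2001:db8::53", 50003, 53)
```

The case worth tracing is `outbound(RULES, SMB, peer_speaks_ipsec=False)`: with a "request outbound" option a failed IPsec negotiation is not an error, the host quietly sends in clear. Only a "require" option (or a firewall rule that demands encryption on the receiving side) turns that silent downgrade into a blocked connection, which is why the end-to-end rules in a DirectAccess deployment are worth auditing for "request" where "require" was intended.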
IPsec Tunnel
(diagram: integrity / encryption / authentication between the tunnel end points; intranet beyond the gateway)
- End points can be a single host or act as a gateway; the gateway acts as the end point for integrity, encryption and authentication
- Traffic on the intranet is not protected by IPsec
- The IPsec gateway includes IPsec DoS Prevention, which reduces DoS attacks from the key management protocols IKE & AuthIP
IPsec Access Options
(diagram: integrity / encryption / authentication into the intranet)
- Tunnel 1: machine auth
- Tunnel 2: machine & user auth
- ESP-Null (transport mode): machine and user auth to the intranet server
- ESP (transport mode): encryption and authentication to the intranet server
- Selective authentication onto endpoint servers
Client Location
(diagram: DirectAccess host on the Internet with DNS 1, the DNS address configured in its IP settings; corporate intranet with DNS 2 hosting the corp.example.com zone)
- To resolve names on the Internet, the DirectAccess host queries DNS 1
- To resolve names on the intranet, the DirectAccess host queries DNS 2
How Does It Do That?
- Name Resolution Policy Table (NRPT) to the rescue: the NRPT allows the definition of which DNS servers to query based on the namespace to be resolved
- The NRPT can point DNS queries for corp.example.com to the intranet DNS server; all other DNS queries are sent to the DNS server address configured in the client IP settings
NRPT
- There is a special entry in the table to direct DNS queries for an internal HTTPS website to the DNS servers configured in the client IP settings. For example, queries for nls.corp.example.com always go to the IP-configured DNS address, and this name is not resolvable on the Internet
(diagram labels: Internet, Corporate intranet, corp.example.com zone, DNS 1, DNS 2, IP-configured DNS address, nls.corp.example.com, No NRPT)
NRPT: corp.example.com: query DNS 2; all other namespaces query the DNS server configured in the client IP settings
Viewing the NRPT (slide shows only a figure)
NRPT Inside/Outside
- NRPT enabled by default
- If the client can access the internal HTTPS website (https://nls.corp.example.com): considered to be on the intranet, NRPT disabled
- No access to the secure website: considered to be on the Internet, NRPT remains enabled
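The three NRPT slides (namespace-based DNS server selection, the special entry for the NLS name, and the inside/outside probe) describe one mechanism, so here is a single added example that is not part of the deck and models all of it in Python. A suffix entry such as `.corp.example.com` sends queries to the intranet DNS server, an exemption entry with no servers sends the NLS name to the interface-configured DNS, and `detect_location` runs the probe and switches the NRPT off when the NLS site answers. The DNS addresses, the longest-match rule and the probe callback (which stands in for the HTTPS request) are constructed for the demo.

```python
"""NRPT-driven DNS server selection and the inside/outside (NLS) probe, modelled in
Python. Added example; addresses, names and the probe are constructed for the demo."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass(frozen=True)
class NrptRule:
    namespace: str                    # ".corp.example.com" = suffix rule; "nls.corp.example.com" = exact name
    dns_servers: Optional[List[str]]  # None = exemption: use the DNS servers from the client IP settings


@dataclass
class DaClient:
    interface_dns: List[str]          # the DNS address configured in the client IP settings (DNS 1)
    nrpt: List[NrptRule] = field(default_factory=list)
    nrpt_enabled: bool = True         # enabled by default

    def select_dns(self, name: str) -> List[str]:
        """Pick the DNS servers for a query: longest matching NRPT entry wins (an assumption
        of this model); an exemption or no match falls through to the interface servers."""
        if not self.nrpt_enabled:
            return self.interface_dns
        name = name.lower().rstrip(".")
        best = None
        for rule in self.nrpt:
            ns = rule.namespace.lower()
            hit = name.endswith(ns) if ns.startswith(".") else name == ns
            if hit and (best is None or len(ns) > len(best.namespace)):
                best = rule
        if best is None or best.dns_servers is None:
            return self.interface_dns
        return best.dns_servers

    def detect_location(self, probe_https: Callable[[str], bool], nls_url: str) -> str:
        """Inside/outside probe: start with the NRPT enabled and try the NLS HTTPS site.
        Its name is exempted, so it is looked up via the interface DNS and does not
        resolve on the Internet; success therefore means intranet, and the NRPT is
        switched off so every query goes to the interface (intranet) DNS servers."""
        self.nrpt_enabled = True
        if probe_https(nls_url):
            self.nrpt_enabled = False
            return "intranet"
        return "internet"


INTRANET_DNS = ["2001:db8:1::53"]    # DNS 2, constructed
PUBLIC_DNS = ["2001:db8:ffff::53"]   # DNS 1, constructed
NLS_URL = "https://nls.corp.example.com"


def make_client(interface_dns):
    return DaClient(interface_dns, [
        NrptRule(".corp.example.com", INTRANET_DNS),  # corp.example.com: query DNS 2
        NrptRule("nls.corp.example.com", None),       # special entry: NLS always via interface DNS
    ])


def resolve_plan(client, names):
    return {n: client.select_dns(n) for n in names}


def scenario(on_intranet: bool):
    """Run the probe and report where each query would go. On the intranet the
    interface DNS is the intranet server (as DHCP would hand out); on the Internet
    it is a public resolver and the NLS site is unreachable."""
    client = make_client(INTRANET_DNS if on_intranet else PUBLIC_DNS)
    where = client.detect_location(lambda url: on_intranet and url == NLS_URL, NLS_URL)
    names = ["app1.corp.example.com", "nls.corp.example.com", "www.example.org"]
    return where, resolve_plan(client, names)
```

The exemption entry is the piece that makes the probe trustworthy: if `nls.corp.example.com` were sent to DNS 2 like the rest of the suffix, an Internet-connected client with a working DirectAccess tunnel would resolve and reach the NLS site, conclude it was inside, and disable the very NRPT that routed its intranet queries.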
Putting it All Together
(diagram: on the Internet side, a 6to4 host/router and 6to4 relay, an IP-HTTPS host behind a NAT device and the HTTPS server, a Teredo host behind a NAT device and the Teredo server & relay, all reaching the DirectAccess server; an ISATAP router on the corporate intranet)
DirectAccess Management Console (slide shows only a figure)
Before Running Setup
- The DNS server requires the isatap block to be removed
- Computer certificates must be issued to computers
- Server certificates must be issued to:
  - the DA server, with the external DNS name in the certificate
  - the NLS web server, with the NLS URL address in the certificate
- CRL distribution should be configured in the certificate
- The CRL distribution location must be available on both the Internet and the intranet
Authentication to Servers
- IPsec ESP-Null can be used for authentication to end-point servers
  - Provides another layer of protection
  - Can control which servers are available from the DA host
  - Requires 2008 end-point servers: IPsec does not work over IPv6 for Windows 2003
- Two-factor authentication can be enabled for end-to-end authentication
  - Requires 2008 domain functional level
DirectAccess Setup
- Configures on the DA server: 6to4 relay, Teredo server and relay, IP-HTTPS server, ISATAP
- Creates group policy for IPsec rules for: the DA server IPsec tunnel, the DA client IPsec tunnel, and DA clients and servers requiring end-point authentication
DirectAccess Setup (continued)
- Creates group policy for client configuration:
  - Enable and supply addresses for the 6to4 relay, Teredo server and relay, and IP-HTTPS server
  - Enable and configure the NRPT
  - Enable the inside/outside probe
- The DA server and DA clients must be members of the domain
Windows DirectAccess
- The DA server represents a single point of failure
- Functionality can be split across multiple servers for performance
- For HA, run the DA server as a VM in a Hyper-V cluster; this does not guarantee DA service availability (Live Migration available in Windows 2008 R2)
- Load balancing option available with UAG
All Done
- Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4
- Internet tunnelling selection based on client location: Internet, NAT, firewall
- Encryption/authentication of Internet traffic (end-to-edge/end-to-end); PKI required
- Client location detection: Internet or corporate intranet
Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers
- www.microsoft.com/learning: Microsoft Certification & Training Resources
Related Content
Breakout Sessions:
- SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies
- SIA306 Microsoft Forefront Unified Access Gateway: DirectAccess and Beyond
- SVR315 IPv6 for the Reluctant: What to Know Before You Turn It Off
Interactive Theater Sessions:
- SVR08-IS End-to-End Remote Connectivity with DirectAccess
My Sessions at TechEd
Breakout Sessions:
- SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
- SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
- SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies
- SVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together
Interactive Theater Sessions:
- SVR08-IS End-to-End Remote Connectivity with DirectAccess
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.