Reinventing Remote Access With DirectAccess
Scott Roberts, Lead Program Manager, Microsoft. Session Code: WSV320
Agenda
• Secure Access Landscape
• Demo
• DirectAccess Solution
• Benefits
• Deployment Models & Requirements
• Name Resolution
• Supporting Technologies
• Diagnostics
• Questions & Answers
Industry Trends
• Mobile workforce, mobile data, globalization
• Increasingly porous perimeter: "re-perimeterization"
• How to manage, monitor, and support remote users/machines all the time? How to simplify remote workers' access?
• From "My network is where my buildings are" to "My network is where my users and assets are"
[Diagram: a DirectAccess Server sits between the Internet and the enterprise network; both the local user and the remote user reach the data center and business-critical resources through it]
• Assume the underlying network is always insecure
• Redefine the corporate edge to protect the datacenter
• Security policies based on identity, not location
Windows Server 2008 R2: Addressing Enterprise Needs
• Addressing user needs
• Supporting IT professionals
• Work Anywhere Infrastructure using DirectAccess
DirectAccess: providing seamless, secure access to enterprise resources from anywhere
Demo: DirectAccess in Action
Benefits of DirectAccess: Bringing the corporate network to the user
More productive
• Always-on access to corpnet while roaming
• No explicit user action required; it just works
• Same user experience on premise and off
More manageable and cost effective
• Simplified remote management of mobile resources as if they were on the LAN
• Lower total cost of ownership (TCO) with an "always managed" infrastructure
• Unified secure access across all scenarios and networks
• Integrated administration of all connectivity mechanisms
More secure
• Healthy, trustable host regardless of network
• Fine-grained per-app/server policy control
• Richer policy control near assets
• Ability to extend regulatory compliance to roaming assets
• Incremental deployment path toward IPv6
Always On
• Always connected, no user action required, adapts to changing networks
Secure
• Encrypted by default
• Works with smartcards
• Granular access control
• Coexists with existing edge, health, and access policies
Manageable
• Reach out to previously untouchable machines
• Allows remote clients to process Group Policy
• NAP integration for health compliance
• Consolidate edge infrastructure
VPN vs. DirectAccess: Value
[Diagram comparing the two. VPN: client tunnel over IPv4, UDP, HTTPS, etc. to an IPsec gateway, encrypted IPsec+ESP. DirectAccess: DirectAccess Client (Windows 7) to DirectAccess Server (Server 2008 R2) across the Internet using native IPv6, 6to4, Teredo, or IP-HTTPS; encrypted IPsec+ESP; IPsec hardware offload supported]
Enabling IPv6 in the Enterprise
• Option 1: ISATAP. The DirectAccess Server (Server 2008 R2) reaches line-of-business applications on Windows Server 2008/R2 across the existing IPv4 intranet: IPv6 → IPv4 (ISATAP encapsulation) → IPv6. ISATAP carries IPv6 packets inside IPv4 between the DirectAccess server and the application servers, so the intranet itself need not be upgraded, but the application servers must run an IPv6/ISATAP-capable stack.
• Option 2: NAT-PT with DNS-ALG. The DirectAccess Server (Server 2008 R2) reaches line-of-business applications on Windows Server 2003 and non-Windows hosts through a NAT-PT translator: IPv6 → IPv4. The translator rewrites the client's IPv6 traffic to IPv4 and the DNS-ALG synthesizes IPv6 records for the IPv4-only servers, so those servers need no IPv6 support at all.
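Each of the transition technologies named on these slides (6to4, Teredo and IP-HTTPS on the Internet side, ISATAP inside the enterprise) embeds the underlying IPv4 endpoint in the IPv6 address, so an address tells you which transport a client actually ended up on. The following is an added example, not code from the presentation or from Microsoft: it derives a client's 6to4 prefix and ISATAP address, decodes a Teredo address, and classifies an address by transition technology. The 2002::/16 and 2001::/32 prefixes and the ISATAP interface-ID format are the standard ones (RFC 3056, RFC 4380, RFC 5214) and the Teredo sample address is RFC 4380's own worked example; the 2001:db8::/32 prefixes, the IP-HTTPS prefix and the other IPv4 addresses are constructed sample values.

```python
"""Derive and classify IPv6 transition addresses used by DirectAccess clients.

Added example, not code from the presentation. The 2001:db8::/32 prefixes, the
IP-HTTPS prefix and the IPv4 addresses below are constructed sample values.
"""
import ipaddress
from typing import Optional

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # RFC 3056
TEREDO = ipaddress.IPv6Network("2001::/32")       # RFC 4380


def six_to_four_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """6to4 embeds the client's public IPv4 address: 2002:WWXX:YYZZ::/48.

    A client behind a NAT has no public address of its own, which is exactly
    why Windows falls back to Teredo (UDP) or IP-HTTPS in that situation.
    """
    v4 = ipaddress.IPv4Address(public_ipv4)
    if not v4.is_global:
        raise ValueError(f"{public_ipv4} is not a public address; 6to4 cannot be used")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """ISATAP interface ID is [0|200]:5efe:<IPv4>; the 0x0200 'u' bit is set
    only when the embedded IPv4 address is globally unique (RFC 5214)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP addresses are formed from a /64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    u_bit = 0x0200 if v4.is_global else 0x0000
    iface_id = (u_bit << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | iface_id)


def decode_teredo(addr: str) -> dict:
    """Recover Teredo server, NAT type, mapped UDP port and client IPv4.
    Port and client address are stored XORed with all-ones (RFC 4380 sec. 4)."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO:
        raise ValueError(f"{addr} is not a Teredo address")
    a = int(ip)
    return {
        "server": str(ipaddress.IPv4Address((a >> 64) & 0xFFFFFFFF)),
        "cone_nat": bool((a >> 48) & 0x8000),
        "mapped_port": ((a >> 32) & 0xFFFF) ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address((a & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def classify(addr: str, ip_https_prefix: Optional[str] = None) -> str:
    """Name the transition technology an address implies. IP-HTTPS clients are
    addressed from an organisation-chosen prefix, so that prefix must be given."""
    ip = ipaddress.IPv6Address(addr)
    if ip in SIX_TO_FOUR:
        return "6to4"
    if ip in TEREDO:
        return "Teredo"
    if ((int(ip) >> 32) & 0xFDFFFFFF) == 0x00005EFE:  # interface ID [0|200]:5efe:...
        return "ISATAP"
    if ip_https_prefix and ip in ipaddress.IPv6Network(ip_https_prefix):
        return "IP-HTTPS"
    return "native"


if __name__ == "__main__":
    print(six_to_four_prefix("65.54.227.120"))
    print(isatap_address("2001:db8:1::/64", "10.0.0.5"))
    print(decode_teredo("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
    for sample in ("2002:4136:e378::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2",
                   "2001:db8:1::5efe:a00:5", "2001:db8:2::10", "2001:db8:3::10"):
        print(sample, classify(sample, ip_https_prefix="2001:db8:2::/64"))
```

When a roaming client is on an unexpected transport (for example IP-HTTPS instead of Teredo), decoding its address this way is quicker than reading a trace: a Teredo address shows the NAT type and the public IPv4 the server saw, and a 6to4 address shows whether the client really had a public IPv4.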
Deployment Models
[Diagram: enterprise network behind a DirectAccess Server (Server 2008 R2) acting as IPsec gateway; line-of-business application servers (Windows Server 2003, Windows Server 2008, non-Windows) reached with no IPsec, IPsec integrity only (authentication), or IPsec integrity + encryption; IPsec hardware offload supported]
Deployment Scenario: End-to-Edge Encryption
• No overhead of encryption on application servers
• Edge enforces machine/user authentication and data encryption
• Least change from the customer's existing edge deployments
[Diagram: trusted, compliant, healthy Windows 7 client; Internet; DirectAccess Server (Server 2008 R2); corporate network with DC & DNS (Server 2008 SP2/R2) and applications & data (non-IPsec enabled)]
• IPsec ESP tunnel, encrypted using the machine certificate, for DC/DNS access (the infrastructure tunnel)
• IPsec ESP tunnel, encrypted using user Kerberos / health certificate / smartcard, for broad network access (the intranet tunnel)
• Clear-text traffic from the client flows inside the encrypted tunnel and is decrypted at the edge before reaching corporate network resources
Deployment Scenario: End-to-Edge Encryption + End-to-End IPsec
• No overhead of encryption on application servers (just authentication)
• DirectAccess edge encryption combined with end-to-end IPsec Server and Domain Isolation
[Diagram: trusted, compliant, healthy Windows 7 client; Internet; DirectAccess Server (Server 2008 R2); corporate network with DC & DNS (Server 2008 SP2/R2) and IPsec-enabled applications & data]
• IPsec ESP tunnel encryption using the machine certificate (DC/DNS access)
• IPsec ESP tunnel encryption using user Kerberos / health certificate / smartcard for broad network access
• IPsec ESP-NULL (integrity only) AuthIP transport-mode traffic between client and application server flows inside the encrypted tunnel to corporate network resources, so the server authenticates the client without paying for encryption
Deployment Scenario: End-to-End IPsec Transport Encryption
• Thin edge solution using IPsec
• Denial of Service Protection (DoSP) service only allows IPsec and ICMP traffic through the edge
• Full end-to-end IPsec encryption
• IP-HTTPS tunnel used for proxy scenarios only
[Diagram: trusted, compliant, healthy Windows 7 client; Internet; DirectAccess Server (Server 2008 R2); corporate network with DC & DNS (Server 2008 SP2/R2) and IPsec-enabled applications & data]
• IPsec ESP-encrypted transport from the client all the way to corporate network resources
Deployment Requirements
DirectAccess clients
• Requires Windows 7 Enterprise or Ultimate SKU
• Clients domain joined
• Initial provisioning while on corpnet or through VPN
DirectAccess servers
• Requires Windows Server 2008 R2
• Located at the edge
Application servers
• End-to-end IPv6 and IPsec requires Windows Server 2008 or later
• Other models can use Windows Server 2003 or later
DC/DNS
• Needs at least one Windows Server 2008 SP2 or R2 DC/DNS server for client registration of IPv6 records
Network infrastructure
• Can be IPv4, because ISATAP is deployed with DirectAccess
NAT-PT
• Can be used to provide access to IPv4-only resources
Name Resolution
Name Resolution Policy Table (NRPT)
• New feature in Windows 7
• Used by the DirectAccess client to determine which DNS server to use, based on namespace
• New name resolution order: local cache, hosts file, NRPT, DNS
NRPT
• For any given query, if the domain matches an entry in the NRPT, the query is sent to the DNS servers specified in the NRPT
• These are internal DNS servers; they do not need to be dedicated to DirectAccess, and they do not need to be in the DMZ
• If the name doesn't match an NRPT entry, the query is sent to the DNS server configured for the interface
Example entry: corp.contoso.com → 2001:1:1::b3df, 2001:1:1::b3de
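The resolution order above is easy to get wrong when a name is both in the hosts file and under an NRPT namespace, or when the DirectAccess server's own public name falls under a namespace the NRPT would send to the intranet. The following is an added example, not code from the presentation or from Windows: it simulates the Windows 7 order (local cache, hosts file, NRPT, interface DNS). The corp.contoso.com namespace and its two DNS servers are taken from the slide; the exemption entry for the DirectAccess server's public name, the interface DNS server, the cache and hosts entries, and the matching rule itself (a leading dot means suffix match, longest match wins, an empty server list is an exemption) are this simulation's assumptions, modelled on the NRPT. The simulation also skips the NRPT when the client has decided it is on the corporate network, which is how a DirectAccess client behaves once network location detection succeeds.

```python
"""Simulate the Windows 7 name-resolution order with an NRPT.

Added example, not code from the presentation. The corp.contoso.com rule and its
DNS servers come from the slide; everything else below is a constructed assumption.
"""
from typing import Dict, List, Optional, Tuple

# NRPT: a namespace beginning with "." matches every name under that suffix; a
# namespace without a leading dot matches that one name only. An empty server
# list is an exemption: the name must NOT go to the intranet DNS servers.
NRPT: Dict[str, List[str]] = {
    ".corp.contoso.com": ["2001:1:1::b3df", "2001:1:1::b3de"],  # from the slide
    "da.contoso.com": [],  # assumed public name of the DirectAccess server
}
INTERFACE_DNS = ["203.0.113.53"]  # constructed: what DHCP handed out on the hotspot
LOCAL_CACHE = {"intranet.corp.contoso.com": "2001:db8:1::20"}  # constructed
HOSTS_FILE = {"build01.corp.contoso.com": "2001:db8:1::21"}  # constructed


def nrpt_match(name: str, table: Dict[str, List[str]]) -> Optional[Tuple[str, List[str]]]:
    """Return the most specific (longest) NRPT entry matching the name, or None."""
    best: Optional[Tuple[str, List[str]]] = None
    for namespace, servers in table.items():
        ns = namespace.lower()
        if ns.startswith("."):
            hit = name.endswith(ns) or name == ns[1:]
        else:
            hit = name == ns
        if hit and (best is None or len(ns) > len(best[0])):
            best = (ns, servers)
    return best


def resolve(name: str, on_corpnet: bool = False) -> Tuple[str, List[str]]:
    """Walk the Windows 7 order: local cache, hosts file, NRPT, interface DNS.

    Returns (stage that answered or will be queried, answer or DNS servers).
    The NRPT is consulted only when the client is off the corporate network;
    inside, the DNS servers configured on the interface are used directly.
    """
    key = name.rstrip(".").lower()
    if key in LOCAL_CACHE:
        return ("local cache", [LOCAL_CACHE[key]])
    if key in HOSTS_FILE:
        return ("hosts file", [HOSTS_FILE[key]])
    if not on_corpnet:
        rule = nrpt_match(key, NRPT)
        if rule is not None:
            namespace, servers = rule
            if servers:
                return (f"NRPT {namespace}", servers)
            # Exemption: fall through so the DA server name resolves on the Internet.
    return ("interface DNS", list(INTERFACE_DNS))


if __name__ == "__main__":
    for q in ("fileserver.corp.contoso.com", "da.contoso.com", "www.contoso.com",
              "intranet.corp.contoso.com", "build01.corp.contoso.com"):
        print(f"{q:32} -> {resolve(q)}")
    print("on corpnet:", resolve("fileserver.corp.contoso.com", on_corpnet=True))
```

The exemption case is the one to check in a real deployment: if the DirectAccess server's public name were under corp.contoso.com with no exemption, the client would try to resolve it through the intranet DNS servers it cannot reach until the tunnel is up.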
Supporting Technologies
DirectAccess Supporting Technologies
[Diagram: Internet; trusted, compliant, healthy Windows 7 client; DA Server; corporate network with DC & DNS (Server 2008 R2), NAP/NPS servers, compliant clients, CORPNET users, applications & data, and data center and business-critical resources; IPsec/IPv6 between compliant clients and the compliant network]
• NAP (includes Server & Domain Isolation [SDI])
• Forefront Client Security
• Windows Firewall
• BitLocker + Trusted Platform Module (TPM)
• IAG SP2 / Forefront UAG
DirectAccess Supporting Technologies (continued)
[Diagram: non-compliant client and unmanaged client; Forefront Client Security; IAG SP2]
Anywhere Access
• Extend Windows DirectAccess to legacy applications and resources running on existing infrastructure.
• Support down-level and non-Windows clients using a variety of connectivity options.
Granular Security
• Minimize configuration errors and simplify deployment using built-in wizards and tools.
• Protect the DirectAccess gateway with a hardened edge solution.
Unified Management
• Enhance scale and ongoing administration through built-in array management and integrated load balancing.
• Consolidate access gateways for centralized control and auditing.
UAG extends the benefits of Windows DirectAccess, enabling an easy migration path and enhanced scalability.
DirectAccess Solution: UAG and DirectAccess Better Together
[Diagram: always-on Windows 7 client over IPv6 to the DirectAccess Server; UAG extends support to IPv4 servers in the corporate network]
UAG improves adoption and extends access to existing infrastructure. UAG and DirectAccess better together:
1. Extends access to line-of-business servers with IPv4 support
2. Access for down-level and non-Windows clients
3. Enhances scalability and management
4. Simplifies deployment and administration
5. Hardened edge solution
[Diagram: managed Windows 7 clients use DirectAccess; managed Vista/XP clients and unmanaged non-Windows clients and PDAs use SSL VPN]
• UAG provides access for down-level and non-Windows clients.
• UAG enhances scale and management with integrated load balancing and array capabilities.
• UAG uses wizards and tools to simplify deployments and ongoing management.
• UAG is a hardened edge appliance available in hardware and virtual options.
Diagnostics
• Internet Explorer "Diagnose Problem" button: enhanced to troubleshoot DirectAccess
• Networking icon (right-click): "Troubleshoot problems" option; supports providing a location and has a DirectAccess entry point
• Control Panel, Troubleshooting: "Connect to a Workplace using DirectAccess"
• Command prompt (elevated): NETSH TRACE START SCENARIO=DIRECTACCESS; reproduce the problem, then NETSH TRACE STOP writes the trace file for analysis
Windows 7 Builds on Windows Vista: deployment, testing, and pilots today will continue to pay off
• Deep changes: new models for security, drivers, deployment, and networking
• Few changes: focus on quality and reliability improvements
• Similar compatibility: most software that runs on Windows Vista will run on Windows 7. Exceptions will be low-level code (AV, firewall, imaging, etc.). Hardware that runs Windows Vista well will run Windows 7 well.
Summary / Call to Action
• Windows Server 2008 R2 offers great innovation for your Anywhere Access infrastructure
• Learn more about DirectAccess
• Start deploying Windows Server 2008 now to get ready
• http://www.microsoft.com/directaccess
Resources
• www.microsoft.com/teched: Sessions On-Demand & Community
• http://microsoft.com/technet: Resources for IT Professionals
• http://microsoft.com/msdn: Resources for Developers
• www.microsoft.com/learning: Microsoft Certification & Training Resources
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.