With a little bit of IPv6 magic: Windows 7 DirectAccess

Similar documents
DirectAccess in Windows 7 and Windows Server 2008 R2. Aydin Aslaner Senior Support Escalation Engineer Microsoft MEA Networking Team

1. Introduction to DirectAccess. 2. Technical Introduction. 3. Technical Details within Demo. 4. Summary

Step By Step Guide: Demonstrate DirectAccess in a Test Lab

Load Balancing Microsoft 2012 DirectAccess. Deployment Guide

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010

Security Considerations for DirectAccess Deployments. Whitepaper

Network Configuration Settings

6421B: How to Install and Configure DirectAccess

MS 6421 Configuring and Troubleshooting a Windows Server 2008 Infrastructure

Module 6. Designing and Deploying External Access. MVA Jump Start

Designing a Windows Server 2008 Network Infrastructure

Module 1: Overview of Network Infrastructure Design This module describes the key components of network infrastructure design.

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2

Endpoint Security VPN for Mac

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Requirements Collax Security Gateway Collax Business Server or Collax Platform Server including Collax SSL VPN module

Dell One Identity Cloud Access Manager How To Deploy Cloud Access Manager in a Virtual Private Cloud

PRODUCT VERSION: LYNC SERVER 2010, LYNC SERVER 2013, WINDOWS SERVER 2008

Using Entrust certificates with VPN

This section provides a summary of using network location profiles to identify network connection types. Details include:

Designing and Implementing a Server Infrastructure

Joe Davies Principal Writer Windows Server Documentation

Designing and Implementing a Server Infrastructure MOC 20413

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

Microsoft Windows Server 2008: MS-6435 Designing Network and Applications Infrastructure MCITP 6435

Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure (6421B)

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Implementing a Microsoft Windows 2000 Network Infrastructure

If you have questions or find errors in the guide, please, contact us under the following address:

VMware vcloud Air Networking Guide

HOTPin Integration Guide: DirectAccess

Windows Server. Introduction to Windows Server 2008 and Windows Server 2008 R2

Planning and Implementing Windows Server 2008

Citrix Access on SonicWALL SSL VPN

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

Dell SonicWALL SRA 7.5 Citrix Access

Remote Access Clients for Windows

Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure

Configuring Windows Server 2008 Network Infrastructure

Course Outline. Course 6421B : Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure

Cisco Which VPN Solution is Right for You?

SSL SSL VPN

CNS-207 Implementing Citrix NetScaler 10.5 for App and Desktop Solutions

6421B - Windows Server 2008 R2 Network Infrastructure

DIGIPASS Authentication for Check Point Security Gateways

Configuring & Troubleshooting Windows 2008 Server 2008 Network Infrastructure

MOC 6435A Designing a Windows Server 2008 Network Infrastructure

Sophos UTM. Remote Access via SSL. Configuring UTM and Client

SSL VPN Technology White Paper

Seamless Roaming in a Remote Access VPN Environment

Howto: How to configure static port mapping in the corporate router/firewall for Panda GateDefender Integra VPN networks

2X SecureRemoteDesktop. Version 1.1

TS Gateway Step-By-Step Guide

Using a VPN with Niagara Systems. v0.3 6, July 2013

Defender EAP Agent Installation and Configuration Guide

Microsoft Configure and Troubleshoot Windows Server 2008 Network Infrastructure

Administering the Web Server (IIS) Role of Windows Server

Administering the Web Server (IIS) Role of Windows Server 10972B; 5 Days

Application Note. Intelligent Application Gateway with SA server using AD password and OTP

Load Balancing for Microsoft Office Communication Server 2007 Release 2

SSL VPN Technical Primer

Internal Server Names and IP Address Requirements for SSL:

Configure IPSec VPN Tunnels With the Wizard

Workflow Guide. Establish Site-to-Site VPN Connection using RSA Keys. For Customers with Sophos Firewall Document Date: November 2015

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Scenario: IPsec Remote-Access VPN Configuration

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R

Millbeck Communications. Secure Remote Access Service. Internet VPN Access to N3. VPN Client Set Up Guide Version 6.0

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

How To Industrial Networking

Endpoint Security VPN for Mac

Introduction to DirectAccess in Windows Server 2012

Active Directory Domain Services on the AWS Cloud: Quick Start Reference Deployment Mike Pfeiffer

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

Cisco QuickVPN Installation Tips for Windows Operating Systems

Course Syllabus. 6416: Updating your Network Infrastructure and Active Directory Technology Skills to Windows Server Key Data.

Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

VNLINFOTECH JOIN US & MAKE YOUR FUTURE BRIGHT. mcsa (70-413) Microsoft certified system administrator. (designing & implementing server infrasturcure)

Preliminary Course Syllabus

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

10972B: Administering the Web Server (IIS) Role of Windows Server

Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide

Security Engineering Part III Network Security. Security Protocols (II): IPsec

OVERVIEW OF TYPICAL WINDOWS SERVER ROLES

Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab

Fireware Essentials Exam Study Guide

COURSE OUTLINE MOC 20413: DESIGNING AND IMPLEMENTING A SERVER INFRASTRUCTURE

Access Your Cisco Smart Storage Remotely Via WebDAV

Load Balancing. Outlook Web Access. Web Mail Using Equalizer

Watchguard Firebox X Edge e-series

AD RMS Microsoft Federation Gateway Support Installation and Configuration Guide... 3 About this guide... 3

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Transcription:

With a little bit of IPv6 magic: Windows 7 DirectAccess Click to edit Master subtitle style Thomas Treml Technologieberater Microsoft Deutschland GmbH Thomas.Treml@microsoft.com

Networking and Access Landscape Technology Trends Data is walking out the front door and walking in the back door Security and access are becoming increasingly complex for IT to manage Improving ability to trust end hosts Mobile Workforce Flexible definition of the office including always remote employees Corpnet access from customer sites 24x7 work environment demands connectivity from anywhere Globalization & Outsourcing Others may manage your network and data centers Software plus Services augmenting traditional IT data and applications hosted remotely Increasingly complex granular partner access controls Users connect from anywhere Re-perimeterization of the network is gaining traction Traditional Perimeter security is not sufficient alone Data center becomes only trusted network Shift to protection to host and data level Integration of health, access, identity, compliance, and data security solutions Emergence of new technology enablers such as IPv6, mobile broadband, and IPsec

DirectAccess Providing seamless, secure access to enterprise resources from anywhere

What is Direct Access? Simultaneous corpnet and Internet Access If user s machine is connected to internet, it is connected to corporate network Remote Management User s machine is maintainable whenever connected to corporate network over internet Secure remote connectivity Communication between user s machine and corporate resources is secure

DirectAccess Client Internet DirectAccess Server Tunnel over IPv4 UDP, HTTPS, etc. Encrypted IPsec+ESP Native IPv6 6to4 Encrypted IPsec+ESP IPsec Gateway Teredo 5 IP-HTTPS

DirectAccess Server Enterprise Network Line of Business Applications No IPsec IPsec Gateway IPsec Integrity Only (Auth) IPsec Integrity + Encryption 6

How DirectAccess Works Connecting to DA Server Internet DirectAccess Client DirectAccess Server DNS Server CONTOSO AuthIP IPv6 Teredo, 6to4 or IP-HTTPS IPv4 Server1 Corporate Server 1. Direct Access Client send IPv6 Router Solicitation request to DA Server, using IP-HTTPS, Teredo or 6to4 to communicate over the IPv4 Internet 2. DA Server sends IPv6 Router Advertisement message to DA Client providing it an IPv6 address 3. DA Server authenticates DA Client using AuthIP and establishes IPsec Tunnel between them

How DirectAccess Works Querying DNS Internet DirectAccess Client DirectAccess Server DNS Server CONTOSO DNS IPsec Tunnel Mode IPv6 Teredo, 6to4 or IP-HTTPS IPv4 Server1 Corporate Server 4. DA Client uses Name Resolution Policy Table (NRPT) to identify which DNS server to query for server1.corp.contoso.com 5. DA Client send query to DNS Server through the IPsec tunnel established with the DirectAccess Server 6. DA Server terminates IPsec tunnel and forwards packet to internal DNS Server

How DirectAccess Works Querying DNS Internet DirectAccess Client DirectAccess Server DNS Server CONTOSO DNSIPsec Tunnel Mode IPv6 Teredo, 6to4 or IP-HTTPS IPv4 Server1 Corporate Server 7. DNS Server replies back with IPv6 address for server1.corp.contoso.com 8. DA Server sends DNS reply to DA Client over IPsec tunnel

How DirectAccess Works Connecting to Internal Server Internet DirectAccess Client DirectAccess Server DNS Server CONTOSO AuthIP IPsec Tunnel Mode IPv6 Teredo, 6to4 or IP-HTTPS IPv4 Server1 Corporate Server 9. DirectAccess Client authenticates to Server1 server using AuthIP and establishes IPsec Transport Mode security association

How DirectAccess Works Connecting to Internal Server Internet DirectAccess Client DirectAccess Server DNS Server HTTP CONTOSO AuthIPsec Transport Mode IPsec Tunnel Mode IPv6 Teredo, 6to4 or IP-HTTPS IPv4 Server1 Corporate Server 10. DirectAccess Client user browses content on the Server1 server

DirectAccess Solution Components

Inside/Outside Determination DA client needs to determine whether they are inside or outside the corporate network Impacts Windows Firewall and IPsec policies, Network Connections UI Status determined by probing internal Web site Only needs to provide a connection; it does not need to be hosting any special software or configured in any particular way URL configured on the client registry

Name Resolution Policy Table (NRPT) Allows DirectAccess clients to use internal DNS servers Clients can query explicitly defined DNS servers for different DNS namespaces Optionally, DNS queries for specific namespaces can be secured using IPsec Namespace.int.company.com.corp.company.com DNS Servers 2001:2245:3f1a:15:314:d321:b020:112a; 2001:2245:3f1a:15:314:d321:b020:114b 2001:2245:3f1a:15:314:d321:b123:23ac New Windows 7 feature

IPsec Gateway IPsec connectivity endpoint for DA clients Terminates IPsec Tunnel Mode connection Authenticates DA client before it can reach the internal resources (optionally requiring smart card certificate) Hosted on DA server by default, can be moved to different server IPsec Gateway also provides IPsec DoS Prevention Prevents DoS attacks that can be inflicted via exploitations from key management protocols (IKE, AuthIP, etc.) Defines maximum rate for received requests

Direct Access Deployment Scenarios Full Intranet Access Model Selected Server Access Model End to End Access Model

Full Intranet Access Model (End to Edge) DC and DNS (Server 2008) Domain Clients DA Clients (Win7) Architecture similar to current VPN deployments Works with any IPv6 capable servers, including Windows Server 2003 Internet DA Server (Windows Server 2008 R2) Ipsec Tunnel Mode/IP-TLS Encryption and Auth Corporate Network No IPsec used Application Servers (Server 2003 and 2008)

Selected Server Access Model (End to Edge modified) DC and DNS (Server 2008) Domain Clients DA Clients (Win7) Internet IPsecTunnel Mode/IP-TLS Encryption and Auth Fine grained control over which resources are available Servers must be running Windows Server 2008 or later DA Server (Windows Server 2008 R2) IPsec Transport Mode Authentication Corporate Network IPsec Transport Mode Auth Application Servers (Server 2008)

End to End Access Model DC and DNS (Server 2008) Domain Clients DA Clients (Win7) Internet DA Server (Windows Server 2008 R2) IPsec Transport Mode Encryption and Authentication Corporate Network IPsec Transport Mode Encryption and Auth Application Servers (Server 2008) IPsec policies established end-to-end to the application servers DA Server/IPsec Gateway acting simply as a passthrough

DirectAccess Deployment Requirements Microsoft Windows 7 clients Microsoft Windows 2008 R2 DA server Application servers End-to-end encryption requires Windows Server 2008 or later; other models can use Windows Server 2003 or later Must have an IPv6 address DC/DNS servers Windows Server 2008 (with hotfix) Two-factor authentication for end-to-end auth requires AD in Windows Server 2008 R2 domain functional level NAT-PT server if IPv4 access is desired

Infrastructure Requirements Active Directory domain required One DC should be running Windows Server 2008 or later A security group needs to be created for the DA clients Public Key Infrastructure (PKI) required External trust is not required SSL certificates must have a CRL distribution point that is reachable via a publicly resolvable FQDN IPv6 connectivity required DirectAccess clients can only communicate with internal servers and resources that have IPv6 connectivity Native connectivity is not required IPv6 transition technologies may be used

Why Windows 7 only? Significant component changes for DirectAccess: Name Resolution Policy Table IP-HTTPS Group Policy changes And others

Vision Assume the underlying network is always insecure CORPNET User Enterprise Network Data Center and Business Critical Resources DirectAccess Server CORPNET User Redefine CORPNET edge to cocoon the datacenter and business critical resources Users are remote at all times

Questions / Answers

Your potential, our passion TM 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 26

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information