WMS02: Direct Access Always Connected: Death of the VPN
Dan Stolts “ITProGuru”, Microsoft
ITProGuru@microsoft.com
http://Blogs.technet.com/danstolts or http://ITProGuru.com
Twitter.com/ITProGuru
WMS02: Direct Access Always Connected: Death of the VPN
Take a sprinkling of Windows 7, add Windows Server 2008 R2, IPv6 and IPsec, and you have a solution that allows direct access to your corporate network without the need for VPNs. Come to this session to see the ITProGuru (Dan Stolts) and learn how to integrate DirectAccess into your environment. Can you see the benefit of your users never having to connect to a VPN? Can you see the benefit to your IT personnel of being able to reach remote computers as long as they are connected to the Internet? Come to this session to learn how to control access to corporate resources and manage Internet-connected PCs through Group Policy.
Today’s Agenda
1. Core Infrastructure Optimization Model
2. Introduction to DirectAccess
3. Technical Introduction
4. Technical Detail
5. Summary
Network Access Infrastructure Optimization Model: Is IT a Cost Center or a Strategic Asset?

| Maturity level     | Basic                                          | Standardized                          | Rationalized                                    | Dynamic                                                   |
| Role of IT         | Cost Center                                    | More Efficient Cost Center            | Business Enabler                                | Strategic Asset                                           |
| Identity           | No password policies                           | Strong password policy                | Strong password policy                          | Strong authentication                                     |
| Network protection | Perimeter firewalls only                       | Basic IPsec policies                  | Host-based firewalls                            | Network transactions are authenticated; may be encrypted  |
| Client health      | Antivirus not required or installed by default | Security suite installed on clients   | Health policies enforced                        | Policy-based network access with auto-remediation         |
| Remote access      | No remote access policies                      | Remote access available               | Remote user experience is similar to local      | Remote users are an extension of the network              |
| IPv6               | IPv4-only network                              | IPv6 planning and testing in progress | IPv6 blockers removed, addressing plan complete | IPv6 is fully deployed                                    |
Network Access Vision
(Diagram: Enterprise Network with Datacenter and Servers, a Local Client, and a Remote Client on the Internet)
• Identity: strong authentication required for all users
• Authorization: computer health is validated or remediated before allowing network access
• Protection: all network transactions are authenticated and encrypted
• Policies are based on identity, not on location
Evolving IT Challenges
• Increasingly porous perimeter: where is the perimeter?
• Mobile workforce
• Mobile data
• Globalization
DirectAccess Extending network services and resources to remote users
DirectAccess: More than Remote Access
• Always On: improved productivity; not user initiated; simplified connectivity
• Manage Out: "light up" remote clients; decreases patch miss rates; applies GPOs to remote computers
• Access Policies: pre-logon health checks and remediation; replaces modal "connect-time" health checks; full NAP integration
• Protected Transactions: supports authenticated transactions; supports encrypted transactions; authentication and encryption mitigate many attacks
VPNs connect the user to the network. DirectAccess extends the network to the computer and user.
The Evidence: DirectAccess with Windows Server 2008 R2 and Windows 7
“Recently, a sales account executive and I had about an hour-long drive back to the office from a customer site. With DirectAccess, he was able to log on to our network, access the documents he needed, and write the proposal while I drove. By the time we got back to the office, he was already hitting the send button to deliver the proposal.”
Rand Morimoto, President, Convergent Computing
Case study: www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000004062
DirectAccess: Technical Foundation
• Name Resolution: DNS and the NRPT
• Data Protection: IPsec
• Connectivity: IPv6
Connectivity: IPv6… Can Do Without… But I Would Not!
• DirectAccess requires IPv6
• If native IPv6 isn't available across the Internet, remote clients use IPv6 transition technologies
• The corporate network (intranet) can deploy native IPv6, transition technologies, or NAT-PT (protocol translation)
• DirectAccess works best if the corporate network has native IPv6 deployed
Forefront UAG & DirectAccess: Better Together
UAG and DirectAccess better together:
• Extends access to line-of-business servers with IPv4 support
• Access for down-level and non-Windows clients
• Enhances scalability and management
• Simplifies deployment and administration
• Hardened edge solution
(Diagram: managed Windows 7 clients reach the DirectAccess server over IPv6 with always-on DirectAccess; unmanaged IPv4 clients such as Vista, XP, non-Windows and PDA devices use SSL VPN through UAG; UAG extends support to IPv4 servers on the intranet)
• UAG is a hardened edge appliance available in hardware and virtual options
• UAG provides access for down-level and non-Windows clients
• UAG enhances scale and management with integrated load balancing and array capabilities
• UAG improves adoption and extends access to existing infrastructure
• UAG uses wizards and tools to simplify deployments and ongoing management
Name Resolution: DNS and the NRPT (Name Resolution Policy Table)
• Remote DirectAccess clients use smart routing for DNS queries by default: queries for the intranet namespace go over the DirectAccess connection, all other queries go over the normal Internet connection
• The Name Resolution Policy Table (NRPT), a form of client-side conditional forwarding, allows this to happen efficiently
• DirectAccess sends name queries to intranet DNS servers based on the pre-configured namespace
Requirements for DirectAccess
• Customer knowledge
  • Should have a basic working knowledge of IPsec and TCP/IP
  • Should be interested in learning and deploying new technologies, such as IPv6
• DirectAccess clients
  • Windows 7 Enterprise Edition or Windows 7 Ultimate Edition
  • Domain-joined computers
• DirectAccess server
  • Windows Server 2008 R2, Standard Edition or higher
  • Domain-joined computer
• Others
  • DNS servers supporting DirectAccess clients: Windows Server 2008 SP2 or later
  • A public key infrastructure (PKI) to issue computer certificates, smart card certificates and, for NAP, health certificates
External Connectivity
• Native IPv6 is supported directly
• 6to4: tunnels IPv6 inside IPv4 (IP protocol 41); used by clients with public IPv4 addresses
• Teredo: tunnels IPv6 inside IPv4 UDP (UDP 3544); used by clients with private IPv4 addresses (behind NAT)
• IP-HTTPS: tunnels IPv6 inside IPv4 SSL (TCP 443); used if the client can’t connect using 6to4 or Teredo

| IP address assigned by ISP | IPv6 address used to connect to the DirectAccess server |
| Native IPv6                | Native IPv6                                              |
| Public IPv4                | 6to4                                                     |
| Private IPv4               | Teredo                                                   |
| Any IPv4 (6to4/Teredo blocked) | IP-HTTPS                                             |
Internal IPv6
• Native IPv6
  • Works with any server OS that supports IPv6
  • Requires IPv6 infrastructure
  • Delivers the best choice over time
• ISATAP
  • Tunnels IPv6 inside IPv4 on the intranet
  • Doesn’t require routing infrastructure upgrades
  • Requires Windows Server 2008 or R2
• NAT-PT (protocol translation)
  • Translates IPv6 to IPv4
  • Works with any server OS
  • Is available in Forefront UAG
DirectAccess works best if the corporate network has native IPv6 deployed.
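The following PowerShell script is an added example (not part of the original deck) for the external and internal connectivity options above. Run elevated on a Windows 7 DirectAccess client, it predicts from the ISP-facing IPv4 address which transition technology the client should end up on, reads the actual Teredo, 6to4, ISATAP and IP-HTTPS state from netsh, and probes the IP-HTTPS fallback port. The server name da.contoso.com is an assumption; the netsh contexts exist on Windows 7 and Server 2008 R2.

```powershell
# Added example, not part of the original deck. Run elevated on a Windows 7
# DirectAccess client. Only the server FQDN below is an assumption.
$DaServer = 'da.contoso.com'   # hypothetical public name of the DirectAccess server

function Test-PrivateIPv4 {
    # RFC 1918 address => client sits behind NAT, so 6to4 (IP protocol 41)
    # cannot be used; expect Teredo (UDP 3544) or, failing that, IP-HTTPS (TCP 443).
    param([string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return (($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168))
}

function Test-TcpPort {
    # Plain TCP connect with a timeout; works on PowerShell 2.0.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-TransitionState {
    # Pull the "State : <value>" line out of each netsh transition context.
    # IP-HTTPS has no single state line, so its interface listing is kept whole.
    $result = @{}
    foreach ($ctx in 'teredo', '6to4', 'isatap') {
        $line = (netsh interface $ctx show state) |
                Where-Object { $_ -match '^\s*State\s*:' } | Select-Object -First 1
        $result[$ctx] = if ($line) { ($line -split ':', 2)[1].Trim() } else { 'unknown' }
    }
    $result['iphttps'] = (netsh interface httpstunnel show interfaces) -join ' '
    return $result
}

# 1. The ISP-facing IPv4 address decides the expected technology (slide table).
$ipv4 = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
foreach ($a in $ipv4) {
    if (Test-PrivateIPv4 $a) { "IPv4 $a is private: expect Teredo, then IP-HTTPS as fallback" }
    else                     { "IPv4 $a is public: expect 6to4" }
}

# 2. What the client actually negotiated.
$state = Get-TransitionState
"Teredo state : $($state['teredo'])"
"6to4 state   : $($state['6to4'])"
"ISATAP state : $($state['isatap'])   (intranet side; only meaningful once the DA tunnel is up)"
"IP-HTTPS     : $($state['iphttps'])"

# 3. Reachability of the fallback path. Protocol 41 and UDP 3544 cannot be
#    probed with a TCP socket, so only the IP-HTTPS listener is checked here.
if (Test-TcpPort -ComputerName $DaServer -Port 443) {
    "TCP 443 to $DaServer is open: IP-HTTPS fallback is available"
} else {
    "TCP 443 to $DaServer is blocked: the client has no path if 6to4 and Teredo also fail"
}
```

If a client behind a NAT shows Teredo as anything other than qualified and TCP 443 is blocked by the guest network, it has no IPv6 path to the DirectAccess server at all, which is the first thing to rule out before looking at IPsec or name resolution.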
External IPsec
(Diagram: DirectAccess client → Internet → DirectAccess server → IPsec gateway)
• Between the client and the DirectAccess server, traffic (here carried over IP-HTTPS) is protected by encrypted IPsec (ESP)
• Encrypted IPsec (ESP) can continue from the DirectAccess server to an internal IPsec gateway
• IPsec hardware offload is supported
Internal IPsec Options
(Diagram: DirectAccess server → Enterprise Network → line-of-business applications, optionally via an IPsec gateway)
• No IPsec inside the network (end-to-edge: IPsec terminates on the DirectAccess server)
• IPsec integrity only (authentication through IPsec headers, no encryption)
• IPsec integrity + encryption
IPsec Tunnel Detail: Split Tunneling
Both tunnels run between the DirectAccess client and the DirectAccess server.
• Tunnel 1, infrastructure tunnel
  • Authentication: computer certificate + NTLM
  • Client access: AD/DNS/management servers
• Tunnel 2, intranet tunnel
  • Authentication: computer certificate + user Kerberos
  • Client access: other available resources
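To see the two tunnels on a live client, here is an added PowerShell example (mine, not from the deck) that parses the IPsec main-mode security associations reported by Windows Firewall with Advanced Security on Windows 7 / Server 2008 R2 and maps each one to the tunnel it belongs to by its second authentication method, then counts the quick-mode SAs that actually carry traffic. It assumes nothing beyond the netsh monitor context being present.

```powershell
# Added example, not part of the original deck. Run elevated on a Windows 7
# DirectAccess client that is outside the corporate network.

function Get-MainModeSA {
    # Parse 'netsh advfirewall monitor show mmsa'. Each SA is a block of
    # "Label: value" lines; the "Local IP Address" line starts a new block.
    $sas = @()
    $cur = $null
    foreach ($line in (netsh advfirewall monitor show mmsa)) {
        if ($line -match '^\s*Local IP Address\s*:\s*(\S+)') {
            if ($cur) { $sas += $cur }
            $cur = New-Object PSObject -Property @{ Local = $matches[1]; Remote = ''; Auth1 = ''; Auth2 = '' }
            continue
        }
        if (-not $cur) { continue }
        if ($line -match '^\s*Remote IP Address\s*:\s*(\S+)') { $cur.Remote = $matches[1] }
        elseif ($line -match '^\s*Auth1\s*:\s*(.+)$')         { $cur.Auth1  = $matches[1].Trim() }
        elseif ($line -match '^\s*Auth2\s*:\s*(.+)$')         { $cur.Auth2  = $matches[1].Trim() }
    }
    if ($cur) { $sas += $cur }
    return $sas
}

function Get-TunnelRole {
    # Slide mapping: computer cert + NTLM = infrastructure tunnel,
    # computer cert + user Kerberos = intranet tunnel.
    param($Sa)
    if ($Sa.Auth2 -match 'Kerb') { return 'Tunnel 2 (intranet)' }
    if ($Sa.Auth2 -match 'NTLM') { return 'Tunnel 1 (infrastructure)' }
    return 'unclassified'
}

$sas = @(Get-MainModeSA)   # @() so .Count works for 0 or 1 SA on PowerShell 2.0
if ($sas.Count -eq 0) {
    "No main-mode SAs: neither DirectAccess tunnel is up. Check IPv6 connectivity first (netsh interface teredo/6to4/httpstunnel)."
} else {
    foreach ($sa in $sas) {
        "{0,-26} remote={1,-40} Auth1={2} Auth2={3}" -f (Get-TunnelRole $sa), $sa.Remote, $sa.Auth1, $sa.Auth2
    }
    # Quick-mode SAs carry the actual traffic; count them per tunnel endpoint.
    # Tunnel 1 alone means the user is not yet authorized for intranet resources.
    $qm = @{}
    foreach ($line in (netsh advfirewall monitor show qmsa)) {
        if ($line -match '^\s*Remote IP Address\s*:\s*(\S+)') {
            $qm[$matches[1]] = 1 + [int]$qm[$matches[1]]
        }
    }
    foreach ($k in $qm.Keys) { "quick-mode SAs to {0}: {1}" -f $k, $qm[$k] }
}
```

A client that shows only the NTLM-authenticated SA after a user has logged on is a sign that the user-level Kerberos step of tunnel 2 failed, which is exactly the case the smart card authorization in the next slide is designed to produce on purpose for password-only logons.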
Multi-Factor Credentials for Intranet Access
• Two-factor authentication (TFA) is fully supported but not required
• Edge-based enforcement is a smarter way to enforce TFA
• Users are assigned a well-known SID when they log on with a smart card (S-1-5-65-)
• Users may log on to a laptop without TFA
• When users access corporate resources, the IPsec authorization policy checks for the SID…
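Here is an added PowerShell example (not part of the deck) for the edge-based enforcement described above. The well-known SID the slide refers to is S-1-5-65-1 ("This Organization Certificate"), which Windows adds to the token at certificate, i.e. smart card, logon. The client half checks whether the current token carries it; the server half shows and sets the authorized-users list in Windows Firewall's global IPsec settings that tunnel-mode connection security rules consult. The SDDL string and the netsh syntax are given for Windows Server 2008 R2 and should be confirmed with `netsh advfirewall set global ?` on the server before use.

```powershell
# Added example, not part of the original deck.
# Client side: does the current token carry the smart-card logon SID?
# Server side: show and (optionally) set the IPsec tunnel authorization
# that the edge policy checks. S-1-5-65-1 is the well-known SID
# "This Organization Certificate", assigned at certificate (smart card) logon.

$SmartCardSid = 'S-1-5-65-1'

function Test-SmartCardLogon {
    # WindowsIdentity.Groups lists every SID in the token, including
    # well-known logon SIDs; the same list is visible with 'whoami /groups'.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($g in $id.Groups) {
        if ($g.Value -eq $SmartCardSid) { return $true }
    }
    return $false
}

function Show-IpsecAuthorization {
    # Windows Firewall with Advanced Security keeps the authorized users and
    # computers for tunnel-mode rules in its global IPsec settings.
    netsh advfirewall show global | Where-Object { $_ -match 'Authz' }
}

function Set-SmartCardOnlyAuthorization {
    # SDDL: allow (A) the CC right to principals holding the smart-card SID.
    # It applies to connection security rules created with applyauthz=yes,
    # i.e. the intranet tunnel; the infrastructure tunnel (computer cert +
    # NTLM) keeps working, so AD/DNS/management still reach the laptop.
    # Run elevated on the DirectAccess server. Replaces any existing list.
    netsh advfirewall set global ipsec authzusergrp "D:(A;;CC;;;$SmartCardSid)"
}

if (Test-SmartCardLogon) {
    "Token carries $SmartCardSid : smart card logon, the intranet tunnel (tunnel 2) will be authorized"
} else {
    "Token lacks $SmartCardSid : password logon; with edge enforcement tunnel 2 is refused while AD/DNS/management (tunnel 1) still work"
}
```

The point of checking at the edge rather than on the laptop is that a user can log on to the laptop with a password alone, and only the IPsec authorization on the DirectAccess server decides whether that token is good enough for corporate resources.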
Name Resolution Policy Table (NRPT)
• Pertains to the client side only
• Uses a static table to define which DNS servers the client will use for the listed names
• Is configurable via Group Policy Objects (GPO) at Computer Configuration/Windows Settings/Name Resolution Policy
• Can be viewed with netsh name show policy
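As an added example (mine, not from the deck) for the NRPT slides, the script below lists the rules the client has received through Group Policy and then resolves one name per intranet namespace plus one public name, so the conditional forwarding is visible in the answers: intranet names come back with IPv6 answers from the DirectAccess DNS servers, a public name is answered by the ISP resolver. `netsh name` on the slide is the abbreviated form of the full context name `netsh namespace`. The intranet host names are assumptions; www.microsoft.com is taken from the case study URL in the deck.

```powershell
# Added example, not part of the original deck. Run on a Windows 7
# DirectAccess client. The intranet host names below are assumptions.

function Get-NrptRule {
    # 'netsh namespace show policy' prints one block per NRPT rule:
    #   Settings for .corp.contoso.com
    #   ...
    #   DirectAccess (DNS Servers) : <IPv6 address of the intranet DNS server>
    $rules = @()
    $cur = $null
    foreach ($line in (netsh namespace show policy)) {
        if ($line -match '^Settings for\s+(\S+)') {
            if ($cur) { $rules += $cur }
            $cur = New-Object PSObject -Property @{ Namespace = $matches[1]; DnsServers = '' }
            continue
        }
        if ($cur -and $line -match 'DirectAccess \(DNS Servers\)\s*:\s*(.*)$') {
            $cur.DnsServers = $matches[1].Trim()
        }
    }
    if ($cur) { $rules += $cur }
    return $rules
}

function Resolve-WithFamily {
    # System.Net.Dns goes through the DNS Client service, so the NRPT applies
    # exactly as it does for applications.
    param([string]$Name)
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name)
        $v6 = @($addrs | Where-Object { $_.AddressFamily -eq 'InterNetworkV6' }).Count
        $v4 = @($addrs | Where-Object { $_.AddressFamily -eq 'InterNetwork' }).Count
        return "{0}: {1} IPv6 / {2} IPv4 answers" -f $Name, $v6, $v4
    } catch {
        return "{0}: resolution failed ({1})" -f $Name, $_.Exception.Message
    }
}

"NRPT rules on this client (client side only; pushed by GPO):"
foreach ($r in @(Get-NrptRule)) { "  {0,-30} -> {1}" -f $r.Namespace, $r.DnsServers }

# Intranet names should come back with IPv6 answers from the DA DNS servers
# listed above, since the client reaches the intranet only over IPv6.
$intranetHosts = 'dc1.corp.contoso.com', 'fs1.corp.contoso.com'   # assumed names
foreach ($h in $intranetHosts) { Resolve-WithFamily $h }
# A public name is not in the table and is answered by the normal resolver.
Resolve-WithFamily 'www.microsoft.com'
```

If a rule is listed but the intranet name still fails, run `netsh namespace show effectivepolicy` to check that the rule is in force on the current connection, and confirm the DirectAccess DNS server address it points at is reachable through the infrastructure tunnel.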
Demo Client Experience…
DirectAccess Deployment
Deployment strategy
• Prepare to monitor IPv6 traffic
• Choose an access model (e.g., full intranet access vs. selected server access)
• Determine deployment scale
Deployment process
• Prepare infrastructure
• Configure DirectAccess server
• Customize policies, as needed
DirectAccess Monitoring
• Built in to the DirectAccess feature installed on the DA server
• Provides server monitoring information on DirectAccess components
Summary: DirectAccess: More than Remote Access (recap of the four pillars: Always On, Manage Out, Access Policies, Protected Transactions)
VPNs connect the user to the network. DirectAccess extends the network to the computer and user.
Infrastructure Planning and Design (IPD) Guide: DirectAccess
What are IPD guides?
• Guidance and best practices for infrastructure planning of Microsoft technologies
DirectAccess guide benefits
• Presents common scenarios, decisions, and practices in an easy-to-follow, step-by-step process for designing DirectAccess infrastructure
• Provides a straightforward explanation of the infrastructure required to allow client connectivity from any network to resources on the corporate network
• Assists the reader in deploying DirectAccess for situations where the organization hasn’t started IPv6 implementation
“At the end of the day, IT operations is really about running your business as efficiently as you can so you have more dollars left for innovation. IPD guides help us achieve this.” Peter Zerger, Consulting Practice Lead for Management Solutions, AKOS Technology Services
It’s a free download! Go to www.microsoft.com/ipd. Check out the entire IPD series for streamlined IT infrastructure planning.
DirectAccess Architecture Deeper Dive http://www.msteched.com/2010/NorthAmerica/WSV306 Shortcut.. http://bit.ly/DADeepDive
Dan Stolts “ITProGuru” Sessions
• 10:00 am WMS03: 10 Hot Topics Every IT Admin Needs to Know about Windows Server 2008 R2 SP1
• 11:15 am WMS02: Direct Access Always Connected: Death of the VPN
• 3:15 pm WMS04: Monitoring and Managing All Critical Infrastructure
Blog: ITProGuru.com. All slides available now!
Your Feedback is Important
Please fill out a session evaluation form and drop it off at the conference registration desk. Thank you!
WMS02: Direct Access Always Connected: Death of the VPN
Dan Stolts “ITProGuru”, Microsoft
Blog: ITProGuru.com
Twitter.com/ITProGuru