[Slide: DirectAccess overview]
- Always On
- Patch management, health checks and GPOs applied while remote
- Network-level computer/user authentication and encryption
- Automatically connects through NAT and firewalls
- VPNs connect the user to the network; DirectAccess extends the network to the remote computer and user
[Slide: IPv6 requirements, Internet and corporate intranet]
- Client and server applications must be IPv6 compatible
- Tunnelling technologies for the Internet and the intranet to support IPv6 over IPv4
- Internet tunnelling selection based on client location: Internet, NAT, firewall
- Encryption/authentication of Internet traffic (end-to-edge/end-to-end)
- Client location detection: Internet or corporate intranet
[Slide: Forefront Unified Access Gateway (UAG) transition technologies]
- Native IPv6 on the IPv6 Internet
- ISATAP inside the corporate network (IPv6 in IPv4, IP protocol 41)
- 6to4 tunnel from the IPv4 Internet (IPv6 in IPv4, IP protocol 41)
- Teredo tunnel when the client is behind a NAT (IPv6 in UDP, port 3544)
- IP-HTTPS tunnel when UDP port 3544 is blocked (IPv6 in HTTPS)
- DNS64/NAT64 on the UAG server so IPv6 DirectAccess clients can reach IPv4-only intranet servers
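The slide above only lists the transition technologies and the encapsulation each one uses. The following is an added example (not code from the original slides or from Microsoft) that models the client-side choice between them and labels captured IPv4 flow records by encapsulation, which is how a SOC would spot DirectAccess tunnels in firewall logs. The `Flow` record format, the DirectAccess server address `203.0.113.10`, the intranet range `10.0.0.0/8` and the sample flows are all constructed for the example (RFC 5737 documentation addresses).

```python
"""DirectAccess transition-technology helpers (added example, not from the slides).

Encapsulation per technology, as listed on the slide:
  6to4 and ISATAP  -> IPv6 in IPv4, IP protocol 41
  Teredo           -> IPv6 in UDP, destination port 3544
  IP-HTTPS         -> IPv6 in HTTPS, TCP 443 to the DirectAccess server
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41        # IPv6 carried directly inside IPv4 (6to4, ISATAP)
TEREDO_PORT = 3544       # Teredo carries IPv6 inside UDP
IPHTTPS_PORT = 443       # IP-HTTPS carries IPv6 inside an HTTPS session


def select_transition(on_intranet: bool, native_ipv6: bool, public_ipv4: bool,
                      udp_3544_allowed: bool) -> str:
    """Return the technology a DirectAccess client picks for its location.

    Native IPv6 wins when available. Inside the corporate network ISATAP
    carries IPv6 over the IPv4 intranet. On the Internet, 6to4 needs a public
    IPv4 address, Teredo works through NAT as long as UDP 3544 is reachable,
    and IP-HTTPS is the fallback when that UDP port is blocked.
    """
    if native_ipv6:
        return "native IPv6"
    if on_intranet:
        return "ISATAP"
    if public_ipv4:
        return "6to4"
    if udp_3544_allowed:
        return "Teredo"
    return "IP-HTTPS"


@dataclass(frozen=True)
class Flow:
    """One IPv4 flow record (constructed format, like a firewall log line)."""
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


def classify_tunnel(flow: Flow, intranet_nets: Iterable[ipaddress.IPv4Network],
                    da_server: str) -> Optional[str]:
    """Label a flow by transition technology, or None if it is not a tunnel.

    Protocol 41 from an intranet address is ISATAP; from anywhere else it is
    6to4. Teredo and IP-HTTPS are only counted when the flow targets the
    DirectAccess server: every ordinary HTTPS session also uses TCP 443, so
    the destination check is what keeps web browsing out of the tally.
    """
    src = ipaddress.ip_address(flow.src)
    inside = any(src in net for net in intranet_nets)
    if flow.proto == IPPROTO_IPV6:
        return "ISATAP" if inside else "6to4"
    if flow.dst != da_server:
        return None
    if flow.proto == IPPROTO_UDP and flow.dport == TEREDO_PORT:
        return "Teredo"
    if flow.proto == IPPROTO_TCP and flow.dport == IPHTTPS_PORT:
        return "IP-HTTPS"
    return None


def tunnel_summary(flows: List[Flow], intranet_nets, da_server: str) -> Counter:
    """Count flows per technology; 'untunnelled' collects everything else."""
    counts: Counter = Counter()
    for f in flows:
        counts[classify_tunnel(f, intranet_nets, da_server) or "untunnelled"] += 1
    return counts


# Constructed sample: DA server public IPv4 203.0.113.10, intranet 10.0.0.0/8.
DA_SERVER = "203.0.113.10"
INTRANET = [ipaddress.ip_network("10.0.0.0/8")]
SAMPLE_FLOWS = [
    Flow("198.51.100.7", DA_SERVER, IPPROTO_IPV6),            # 6to4 from a public client
    Flow("10.1.2.3", "10.1.0.1", IPPROTO_IPV6),               # ISATAP inside the intranet
    Flow("192.0.2.9", DA_SERVER, IPPROTO_UDP, TEREDO_PORT),   # Teredo through NAT
    Flow("192.0.2.9", DA_SERVER, IPPROTO_TCP, IPHTTPS_PORT),  # IP-HTTPS fallback
    Flow("192.0.2.9", "203.0.113.99", IPPROTO_TCP, 443),      # plain HTTPS, not a tunnel
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "->", classify_tunnel(f, INTRANET, DA_SERVER))
    print(tunnel_summary(SAMPLE_FLOWS, INTRANET, DA_SERVER))
```

The destination check in `classify_tunnel` is the part worth keeping when adapting this to real logs: protocol 41 and UDP 3544 are distinctive enough on their own, but IP-HTTPS is indistinguishable from normal HTTPS unless you pin it to the DirectAccess server's public address.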
[Diagram: corp.example.com DNS zone with DNS 1 / DNS 2 server addresses, corporate intranet versus Internet name resolution]
For end-to-edge protection, DirectAccess clients establish an IPsec session to an IPsec gateway server (which by default is the same computer as the DirectAccess server). The IPsec gateway server then forwards unprotected traffic (shown in red in the diagram) to application servers on the intranet. This architecture works with any IPv6-capable application server and does not require that server to run IPsec, which simplifies configuration and setup; the trade-off is that traffic between the gateway and the application server crosses the intranet in the clear.
For end-to-edge with end-to-end IPsec protection, DirectAccess clients establish an IPsec session to the IPsec gateway server, and a further IPsec association continues all the way to the intranet server, so the traffic is protected end to end. This architecture provides better security than the end-to-edge model alone.
With end-to-end IPsec protection, DirectAccess clients establish an IPsec session through the DirectAccess server to each application server to which they connect. This provides the highest level of security because you can configure access control on the DirectAccess server and extend IPsec all the way to the internal server. This architecture requires that application servers run Windows Server 2008 SP2 or Windows Server 2008 R2 and use both IPv6 and IPsec.
[Diagram: DirectAccess server in front of line-of-business application servers (Windows Server 2008 R2) using ISATAP to carry IPv6 over the IPv4 intranet]
On all internal DCs (DNS servers), set the DNS global query block list to wpad only, which removes the default isatap entry so the ISATAP router name resolves:
Dnscmd /config /globalqueryblocklist wpad
[Slide: Forefront UAG DirectAccess, managed versus unmanaged clients]
1. Extends access to line-of-business servers with IPv4 support
2. Access for down-level and non-Windows clients
3. Enhances scalability and management
4. Simplifies deployment and administration
5. Hardened edge solution
Managed Windows 7 clients: DirectAccess (Always On, IPv6) to IPv6 servers and, through UAG, to IPv4 servers. Unmanaged and down-level clients (Vista, XP, non-Windows, Windows + PDA): SSL VPN to IPv4 servers (non-DirectAccess).