Connect Remotely Using Windows® 7 Direct Access

CLI-307
Welcome

Do Not Delete This Slide
We appreciate hearing from you. To send your feedback, click the following link and type your comments in the message body.
Note: The subject-line information is used to route your feedback. If you remove or modify the subject line we may be unable to process your feedback.
Send feedback

Connect Remotely Using Windows® 7 DirectAccess
Level 300

What Will We Cover?
The Value and Benefits of DirectAccess
Configuring DirectAccess
Using Network Access Protection (NAP) and DirectAccess

Agenda
DirectAccess Capabilities
Configuring DirectAccess on Windows Server 2008 R2
Configuring and Connecting Clients to DirectAccess Server
Configuring NAP on Windows Server 2008 R2
Connecting Windows 7 Clients to NAP Servers through DirectAccess

DirectAccess: Benefits
More manageable and cost effective
More productivity
More secure
Always-on access to corporate network while roaming
No explicit user action required – it just works
Same user experience on premises and off
Simplified remote management of mobile resources as if they were on the LAN
Lower total cost of ownership (TCO) with an “always managed” infrastructure
Unified secure access across all scenarios and networks
Integrated administration of all connectivity mechanisms
Healthy, trustable host regardless of network
Fine grain per app/server policy control
Richer policy control near assets
Ability to extend regulatory compliance to roaming assets
Incremental deployment path toward IPv6

DirectAccess: Advantages
DirectAccess overcomes the limitations of VPNs by automatically establishing a bi-directional connection from client computers to the corporate network.
DirectAccess is built on a foundation of proven, standards-based technologies: Internet Protocol security (IPSec) and Internet Protocol version 6 (IPv6).

Agenda

Deploying DirectAccess
Client
Receives configuration while directly connectedto corporate network (provisioning) via Group Policy
NAP used to check configuration and healthwhen remotely connected (not required)
Server

DirectAccess wizard to set up DirectAccess server(s)
Policies controlled via Group Policy

DirectAccess on Windows Server 2008 R2
Authentication
Encryption
Access Control
Integration with NAP
Split-Tunnel Routing

DirectAccess Deployment Requirements
Client/Server
Windows 7 clients
Windows Server 2008 R2
Application Servers
Windows Server 2008 (for native IPv6 support)
Exception: When Windows Firewall Authentication policy is used, application servers must be Windows Server 2008 R2
DC/DNS Servers
Windows Server 2008 SP2 or Windows Server 2008 R2
NAT-PT Server if IPv4 Access Is Desired

Deployment Scenario : End-to-Edge Authentication
Corporate Network
Trusted, compliant,
healthy machine
DirectAccess server
Optional NATPT
DC & DNS(Win 2008)
Domain clients
Internet
Windows 7 client
Application Servers
IPSec ESP tunnel using machine cert (DC/DNS access)
IPSec ESP tunnel using machine cert and user credentials (App server access)

Deployment Scenario: End-to-End Authentication
Corporate Network
Trusted, compliant,
healthy machine
DirectAccess server
Optional NATPT
DC & DNS(Win 2008)
Domain clients
Internet
Windows 7 client
Application Servers
IPSec ESP tunnel using machine cert and user credentials (App server access)

Demonstration Environment

Configure DirectAccess Server
Connect a Windows 7 Client Using DirectAccess
Manage a Windows 7 Remote Client Using DirectAccess
Demonstration: Introducing DirectAccess

Agenda

DirectAccess in Windows 7
Network connection
The client detects the network connection
Is client on intranet?
If client is on intranet, DirectAccess connection stops
If not on intranet, use DirectAccess
The client attempts to use various methods to connect to DirectAccess server

Configuring Windows 7 for DirectAccess
Verify certificate
Add Client to DirectAccess Security Group
Set client as an ISATAP Host
Verify name resolution and IPv6 access to the domain controller

Agenda

Configuring NAP
Factors in configuring NAP
Staging strategy
Server placement
System health and compliance

Reporting mode
Deferred enforcement
Full enforcement

A NAP server infrastructure includes NAP health policy servers and NAP enforcement points
You must define which client configuration will be considered compliant and which will be considered noncompliant with health requirements

Configuring NAP - Notes
Factors in configuring NAP
Staging strategy
Server placement
System health and compliance

Reporting mode
Deferred enforcement
Full enforcement

A NAP server infrastructure includes NAP health policy servers and NAP enforcement points
You must define which client configuration will be considered compliant and which will be considered noncompliant with health requirements

Create Connection Request Policy
Configure the Windows Security Health Validators
Create Health Policies
Demonstration: Configuring Network Policy and Access Services

Agenda

Windows 7, DirectAccess, and NAP
NAP on the Client
Windows
Client
DirectAccess server
NAP Policy Servers
Corporate Network

Configure DirectAccess IPSec Rules
Configure DirectAccess Client for NAP
Enforce NAP Protection through DirectAccess
Demonstration: Integrating NAP with DirectAccess

Session Summary
Configuring Windows 7 to Use DirectAccess
Adding a NAP Server to Your DirectAccess Topology

Where to Find More Information?
Visit TechNet at technet.microsoft.com
Also check out TechNet Edge
edge.technet.com
Or just visit http://go.microsoft.com/?linkid=9662639
for additional information on this session.

Become a Microsoft Certified Professional
What Are MCP Certifications?
Validation in performing critical IT functions.
Why Certify?
Worldwide recognition of skills gained via experience.
More effective deployments with reduced costs
What Certifications Are There for IT Pros?
MCTS, MCITP.
www.microsoft.com/certification

Microsoft TechNet Plus
TechNet Plus is an essential premium web-enabled and live support resource that provides IT Professionals with fast and easy access to Microsoft experts, software and technical information, enhancing IT productivity, control and planning.
Evaluate & Learn
Plan & Deploy
Support & Maintain
2 complimentaryProfessional Support incidents for use 24/7 (20% discount on additional incidents)
Access over 100 managed newsgroups and get next business day response--guaranteed
Use the TechNet Library to maintain your IT environment with security updates, service packs and utilities
Use the TechNet Library to plan for deployment using the Knowledge Base, resource kits, and technical training
Use exclusive tools like System Center Capacity Planner to accurately plan for and deploy Exchange Server and System Center Operations Manager
Evaluate full versions of all Microsoft commercial software for evaluation—without time limits. This includes all client, server and Office applications.
Try out all the latest betas before public release
Keep your skills current with quarterly training resources including select Microsoft E-Learning courses
Get all these resources and more with a TechNet Plus subscription.
For more information visit: technet.microsoft.com/subscriptions

Your potential. Our Passion

Do Not Delete This Slide
We appreciate hearing from you. To send your feedback, click the following link and type your comments in the message body.
Note: The subject-line information is used to route your feedback. If you remove or modify the subject line we may be unable to process your feedback.
Send feedback

Session Credits
Author:
Editor: Resources Online
MS Producer: Alan Le Marquand
Technical Specialists
[Reviewer 1]
[Reviewer 2]
Microsoft Reviewers