Microsoft Direct Access (Part II)_John Delizo
Published in: Technology, Business
Transcript of "Microsoft Direct Access (Part II)_John Delizo"

  1. Diagram labels: Corporate Network; Trusted, compliant, healthy machine; DC & DNS (Win 2008); Applications & Data; Windows 7 client; NAP; Forefront Client Security; Windows Firewall; BitLocker + Trusted Platform Module (TPM); IAG SP2 (includes Server & Domain Isolation [SDI]). Microsoft Confidential
  2. Lab topology diagram.
     • Hosts: INET1, DC1, NAT1, DA1, APP1, CLIENT1
     • Networks: Internet 131.107.0.0/24; Corpnet 10.0.0.0/24; Homenet 192.168.137.0/24
  3. Diagram labels: Internet; Compliant Client (two); NAP / NPS Servers; Tunnel over IPv4 UDP, HTTPS, etc.; DirectAccess Server; Intranet User (two); Data Center and Business Critical Resources; Enterprise Network.
     • Assume the underlying network is always insecure
     • Redefine CORPNET edge to insulate the datacenter and business critical resources
     • Security policies based on identity, not location
  4. Diagram labels: Internet; Intranet; DirectAccess client; DirectAccess server; Corporate resources; Internal traffic; Internet traffic; Internet servers.
  5. Requirements:
     • Microsoft Windows 7 clients
     • Microsoft Windows 7 DirectAccess Server
     • Application servers: Windows Server 2008 (for native IPv6 support). Exception: When Windows Firewall Authentication policy is used, application servers must be Windows Server 2008 R2
     • DC/DNS servers: Windows Server 2008. Exception: When two-factor authentication is required for end-to-end authentication a Windows 7 DC-based Active Directory
     • NAT-PT server if IPv4 access is desired
  6. Agenda:
     • DirectAccess Overview
     • Supporting infrastructure and technologies
     • Using DirectAccess with Windows 7
  7. Client
     • Receives configuration while directly connected to corpnet (provisioning) via Group Policy
     • NAP used to check configuration and health when remotely connected
     Server
     • DirectAccess wizard to set up DirectAccess Server(s)
     • Policies controlled via Group Policy
  8. Configure DirectAccess Server
     • Requires Windows Server 2008 R2
     • Use DirectAccess server MMC
     Author DirectAccess policies for clients, application servers, DC/DNS and IPsec gateway
     • Windows 7 Enterprise & Ultimate SKU Client Machines
     • Done using DirectAccess configuration wizard
     • Customize policies as needed
  9. Facing Internet
     • Forwarding Gateway for native IPv6
     • IPv6 over IPv4 services: 6to4 relay; Teredo Relay (optionally also Teredo Server); Firewall/Proxy Travel IP-TLS relay
     • Internal IPsec DoS Protection
     Facing Corpnet
     • Gateway for native IPv6
     • IPv6 over IPv4 Service for Enterprise: ISATAP Relay
     • IPsec Gateway (Tunnel Mode Endpoint)
  10. Deployment planning:
      • Be ready to monitor IPv6 traffic
      • Choose an Access Model: Full Intranet Access vs. Selected Server Access?
      • Assess deployment scale
  11. Agenda:
      • DirectAccess Overview
      • Supporting infrastructure and technologies
      • Configuring DirectAccess
  12. What Happens At Client
      Client tries to access Looks in provisioned list for DNS Connects with DNS thru DAS. IPv6 route again server (using Client tries to connect to target .corp.phiwug.com server(s) associated with .phiwug.com IPsec. IPv6 required. IPsec is is thru DAS
      What happens at DAS/DNS
      • After negotiation, DAS lets ESP packets thru between client and DNS.
      • DNS returns target address information to client.
      • DAS lets thru AuthIP packets from client to DNS
      • DNS registers client's current address information
  13. Evolution, not revolution
      • Upgrade your network to an IPv6 end state
      • Requires Windows 7 on the client
      • Transition to Windows Server 2008 simplifies the solution
      • Little or no change to applications – upgrade the server platform
      • 30 Microsoft LOB applications today on Windows Server 2008 running end-to-end IPsec/IPv6
      • Additional 40 planned to upgrade in next two months
      • Allows you to take concrete steps toward satisfying any IPv6 mandate
      • Seamless integration with your current access and security solutions
      • Seamless transition to DirectAccess over time
      • Integrates with Forefront solutions
  14. http://technet.microsoft.com
      • DirectAccess Design Guide: http://www.microsoft.com/downloadS/details.aspx?familyid=647222D1-A41E-4CDB-BA34-F057FBC7198F&displaylang=en
      • Step by Step Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=8D47ED5F-D217-4D84-B698-F39360D82FAC&displaylang=en
      • Next Generation Remote Access with DirectAccess and VPNs: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=70723e47-3d57-415b-9182-744ceaf8c04a#tm
      • Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2: http://www.microsoft.com/downloads/details.aspx?FamilyID=64966e88-1377-4d1a-be86-ab77014495f4&DisplayLang=en
      • Microsoft Server and Tools solution site for Direct Access: http://www.microsoft.com/servers/directaccess.mspx
  15. Contact:
      • http://johndelizo.spaces.live.com
      • http://technetphilippines.net/blogs/johndelizo
      • johndelizo@live.com
  16. Community sites:
      • http://msforums.ph
      • http://msforums.ph/blogs/phiwug
      • http://phiwug.org
      • http://technetphilippines.net