• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Microsoft Direct Access (Part II)_John Delizo

Microsoft Direct Access (Part II)_John Delizo






Total Views
Views on SlideShare
Embed Views



1 Embed 5

http://www.slideshare.net 5



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Microsoft Direct Access (Part II)_John Delizo Microsoft Direct Access (Part II)_John Delizo Presentation Transcript

    • Corporate Trusted, compliant, Network healthy machine DC & DNS (Win 2008) Applications & Data Windows 7 client NAP Forefront Windows BitLocker IAG SP2 (includes Client Firewall + Trusted Server & Security Platform Domain Module Isolation (TPM) [SDI]) Microsoft Confidential
    • INET1 DC1 NAT1 Internet Corpnet DA1 APP1 Homenet CLIENT1
    • Internet Compliant Compliant NAP / NPS Client Client Servers Tunnel over IPv4 UDP, HTTPS, etc. DirectAccess Server Assume the underlying Intranet network is always insecure User Data Center and Business Redefine CORPNET edge to Critical Resources insulate the datacenter and Intranet User business critical resources Enterprise Security policies based on Network identity, not location Microsoft Confidential
    • Internet Intranet DirectAccess client DirectAccess server Corporate resources Internal traffic Internet traffic Internet servers
    • Microsoft Windows 7 clients Microsoft Windows 7 DirectAccess Server Application servers Windows Server 2008 (for native IPv6 support) Exception: When Windows Firewall Authentication policy is used, application servers must be Windows Server 2008 R2 DC/DNS servers Windows Server 2008 Exception: When two-factor authentication is required for end-to-end authentication a Windows 7 DC-based Active Directory NAT-PT server if IPv4 access is desired Microsoft Confidential
    • DirectAccess Overview Supporting infrastructure and technologies Using DirectAccess with Windows 7
    • Client Receives configuration while directly connected to corpnet (provisioning) via Group Policy NAP used to check configuration and health when remotely connected Server DirectAccess wizard to set up DirectAccess Server(s) Policies controlled via Group Policy Microsoft Confidential
    • Configure DirectAccess Server Requires Windows Server 2008 R2 Use DirectAccess server MMC Author DirectAccess policies for clients, application servers, DC/DNS and IPsec gateway Windows 7 Enterprise & Ultimate SKU Client Machines Done using DirectAccess configuration wizard Customize policies as needed Microsoft Confidential
    • Facing Internet Forwarding Gateway for native IPv6 IPv6 over IPv4 services 6to4 relay Teredo Relay (optionally also Teredo Server) Firewall/Proxy Travel IP-TLS relay Internal IPsec Dos Protection Facing Corpnet Gateway for native IPv6 IPv6 over IPv4 Service for Enterprise SATAP Relay IPsec Gateway (Tunnel Mode Endpoint) Microsoft Confidential
    • Be ready to monitor IPv6 traffic Choose an Access Model: Full Intranet Access vs. Selected Server Access? Assess deployment scale Microsoft Confidential
    • DirectAccess Overview Supporting infrastructure and technologies Configuring DirectAccess
    • What Happens At Client Client tries to access Looks in provisioned list for DNS Connects with DNS thru DAS. IPv6 route again server (using Client tries to connect to target .corp.phiwug.com server(s) associated with .phiwug.com IPsec. IPv6required. IPsec is is thru DAS What happens at DAS/DNS After negotiation, DAS lets ESP packets thru between client and DNS. DNS returns target address DAS lets thru AuthIP packets from client to DNS Microsoft Confidential information to client. DNS registers clients current address information
    • Evolution, not revolution Upgrade your network to an IPv6 end state Requires Windows 7 on the client Transition to Windows Server 2008 simplifies the solution Little or no change to applications – upgrade the server platform 30 Microsoft LOB applications today on Windows Server 2008 running end-to-end IPsec/IPv6 Additional 40 planned to upgrade in next two months Allows you to take concrete steps toward satisfying any IPv6 mandate Seamless integration with your current access and security solutions Seamless transition to DirectAccess over time Integrates with Forefront solutions Microsoft Confidential
    • http://technet.microsoft.com DirectAccess Design Guide: http://www.microsoft.com/downloadS/details.aspx?familyid=647222D1-A41E- 4CDB-BA34-F057FBC7198F&displaylang=en Step by Step Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=8D47ED5F-D217- 4D84-B698-F39360D82FAC&displaylang=en Next Generation Remote Access with DirectAccess and VPNs: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=70723e47-3d57-415b-9182- 744ceaf8c04a#tm Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2: http://www.microsoft.com/downloads/details.aspx?FamilyID=64966e88-1377-4d1a-be86- ab77014495f4&DisplayLang=en Microsoft Server and Tools solution site for Direct Access: http://www.microsoft.com/servers/directaccess.mspx
    • http://johndelizo.spaces.live.com http://technetphilippines.net/blogs/johndelizo johndelizo@live.com
    • http://msforums.ph http://msforums.ph/blogs/phiwug http://phiwug.org http://technetphilippines.net
    • Microsoft Confidential