Corporate
Trusted, compliant, Network
healthy machine
DC & DNS
(Win 2008)
Applications & Data
Windows 7 client
NAP Forefront Windows BitLocker IAG SP2
(includes Client Firewall + Trusted
Server & Security Platform
Domain Module
Isolation (TPM)
[SDI])
Microsoft Confidential

INET1 DC1
NAT1
Internet Corpnet
131.107.0.0/24 DA1 10.0.0.0/24 APP1
Homenet
192.168.137.0/24
CLIENT1

Internet Compliant Compliant
NAP / NPS Client Client
Servers
Tunnel over IPv4 UDP, HTTPS, etc.
DirectAccess Server
Assume the underlying
Intranet network is always insecure
User
Data Center and Business
Redefine CORPNET edge to
Critical Resources insulate the datacenter and
Intranet
User business critical resources
Enterprise
Security policies based on
Network identity, not location
Microsoft Confidential

Internet Intranet
DirectAccess
client
DirectAccess
server Corporate resources
Internal traffic
Internet traffic
Internet servers

Microsoft Windows 7 clients
Microsoft Windows 7 DirectAccess Server
Application servers
Windows Server 2008 (for native IPv6 support)
Exception: When Windows Firewall Authentication policy is used,
application servers must be Windows Server 2008 R2
DC/DNS servers
Windows Server 2008
Exception: When two-factor authentication
is required for end-to-end authentication
a Windows 7 DC-based Active Directory
NAT-PT server if IPv4 access is desired
Microsoft Confidential

DirectAccess Overview
Supporting infrastructure and technologies
Using DirectAccess with Windows 7

Client
Receives configuration while directly connected
to corpnet (provisioning) via Group Policy
NAP used to check configuration and health
when remotely connected
Server
DirectAccess wizard to set up
DirectAccess Server(s)
Policies controlled via
Group Policy
Microsoft Confidential

Configure DirectAccess Server
Requires Windows Server 2008 R2
Use DirectAccess server MMC
Author DirectAccess policies
for clients, application servers,
DC/DNS and IPsec gateway
Windows 7 Enterprise & Ultimate SKU Client
Machines
Done using DirectAccess configuration wizard
Customize policies as needed
Microsoft Confidential

Facing Internet
Forwarding Gateway for native IPv6
IPv6 over IPv4 services
6to4 relay
Teredo Relay (optionally also Teredo Server)
Firewall/Proxy Travel
IP-TLS relay
Internal
IPsec Dos Protection
Facing Corpnet
Gateway for native IPv6
IPv6 over IPv4 Service for Enterprise
SATAP Relay
IPsec Gateway (Tunnel Mode Endpoint)
Microsoft Confidential

Be ready to monitor IPv6 traffic
Choose an Access Model:
Full Intranet Access vs.
Selected Server Access?
Assess deployment scale
Microsoft Confidential

DirectAccess Overview
Supporting infrastructure and technologies
Configuring DirectAccess

What Happens At Client
Client tries to access Looks in provisioned list for DNS Connects with DNS thru DAS.
IPv6 route again server (using
Client tries to connect to target
.corp.phiwug.com server(s) associated with .phiwug.com IPsec. IPv6required.
IPsec is is thru DAS
What happens at DAS/DNS
After negotiation, DAS lets ESP packets thru between client and DNS. DNS returns target address
DAS lets thru AuthIP packets from client to DNS
Microsoft Confidential
information to client. DNS registers clients current address information

Evolution, not revolution
Upgrade your network to an IPv6 end state
Requires Windows 7 on the client
Transition to Windows Server 2008 simplifies the
solution
Little or no change to applications – upgrade the
server platform
30 Microsoft LOB applications today on Windows
Server 2008 running end-to-end IPsec/IPv6
Additional 40 planned to upgrade in next two
months
Allows you to take concrete steps toward
satisfying any IPv6 mandate
Seamless integration with your current access
and security solutions
Seamless transition to DirectAccess over time
Integrates with Forefront solutions
Microsoft Confidential

http://technet.microsoft.com
DirectAccess Design Guide:
http://www.microsoft.com/downloadS/details.aspx?familyid=647222D1-A41E-
4CDB-BA34-F057FBC7198F&displaylang=en
Step by Step Guide:
http://www.microsoft.com/downloads/details.aspx?FamilyID=8D47ED5F-D217-
4D84-B698-F39360D82FAC&displaylang=en
Next Generation Remote Access with DirectAccess and VPNs:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=70723e47-3d57-415b-9182-
744ceaf8c04a#tm
Technical Overview of DirectAccess in Windows 7 and
Windows Server 2008 R2:
http://www.microsoft.com/downloads/details.aspx?FamilyID=64966e88-1377-4d1a-be86-
ab77014495f4&DisplayLang=en
Microsoft Server and Tools solution site for Direct Access:
http://www.microsoft.com/servers/directaccess.mspx

http://johndelizo.spaces.live.com
http://technetphilippines.net/blogs/johndelizo
johndelizo@live.com

http://msforums.ph
http://msforums.ph/blogs/phiwug
http://phiwug.org
http://technetphilippines.net

Microsoft Confidential