SVR402: DirectAccess Technical Drilldown, Part 2 of 2: Putting it all together.



Take a sprinkling of Windows 7, add Windows Server 2008 R2, IPv6 and IPsec and you have a solution that will allow direct access to your corporate network without the need for VPNs. Come to these demo-rich sessions and learn how to integrate DirectAccess into your environment. In Part 1 learn about IPv6 addressing, host configuration and transitioning technologies including 6to4, ISATAP, Teredo and IPHTTPS. Through a series of demos learn how to build an IPv6 Network and interoperate with IPv4 networks and hosts. In Part 2 we add the details of IPSec, and components that are only available with Windows 7 and Windows Server 2008 R2 to build the DirectAccess infrastructure. Learn how to control access to corporate resources and manage Internet connected PCs through group policy. Part 1 is highly recommended as a prerequisite for Part 2.

Published in: Technology

Transcript of "SVR402: DirectAccess Technical Drilldown, Part 2 of 2: Putting it all together."

  2. DirectAccess Technical Drilldown Part 2: Putting it all together
     John Craddock, Infrastructure & Security Architect, XTSeminars Ltd
     Session Code: SVR402
  3. Part 1: Internet to Intranet
     Diagram: 6to4 host/router and 6to4 relay; Teredo host behind a NAT device and Teredo server & relay; IPHTTPS host behind a NAT device and IPHTTPS server; all connecting from the Internet to the corporate intranet.
  4. Part 1: IPv6/IPv4 Intranet
     Diagram: native IPv6 hosts, an ISATAP router carrying IPv6 over the IPv4 intranet, and NAT-PT or NAT64 between IPv6 and IPv4-only hosts.
  5. What's Left?
     - Tunnelling technologies for the Internet and Intranet to support IPv6 over IPv4
     - Internet tunnelling selection based on client location: Internet, NAT, firewall
     - Encryption/authentication of Internet traffic (end-to-edge/end-to-end); PKI required
     - Client location detection: Internet or corporate intranet
  6. Don't Give Up Now
     Part 1: IPv6 intro, transition technologies, end-to-end connectivity
     Part 2: IPsec, configuring DirectAccess, network location and name resolution policies. It all works – just like that!
  7. Demo Environment
     Diagram labels: EX1; DC1 (DC, DNS, CA); DNS; NAT1; DA1; APP1; IIS for CRL distribution; three WIN7 clients; Home; Corporate intranet; Internet. All servers run Windows Server 2008 R2.
  8. Securing the Tunnel
     - DirectAccess uses IPsec to secure network traffic
     - Traffic over the Internet is encrypted and authenticated
     - Access via IPHTTPS is double encrypted: encrypted IPv6 within HTTPS
  9. IPsec to the Rescue
     - IPsec is managed through Windows Firewall with Advanced Security
     - Best deployed through group policy
     - Connection security rules create IPsec tunnels (authenticated and encrypted) and authenticated connections (computer and user authentication)
     - Inbound/outbound rules set requirements for encryption
 10. Traffic Profile
     Traffic profile: <protocol> <source IP> <destination IP> <source port> <destination port>
     - Rules are based on a traffic profile
     - Connection security rule: authenticate all TCP traffic between A & B on ports W & X
     - Inbound/outbound rule: encrypt authenticated TCP traffic between A & B on ports W & X
 11. IPsec Primer
     Main mode security association (AuthIP):
     - Key life configurable, default 8 hours
     - Create a shared secret between hosts using Diffie-Hellman
     - Authenticate over the secure channel: Kerberos / certificates, computer and/or user authentication
     - Establish IPsec session keys
     Quick mode (IPsec SA):
     - Key life configurable, default 1 hour / 100 MB
     - Drops after 3 minutes of inactivity
     - Create a security association for the session: integrity, or integrity + encryption
     - Exchange data
 12. Main Mode Association
 13. Quick Mode Association
 14. Data Exchange
     Authentication Header (AH), protocol ID 51, contains:
     - Protocol ID of payload (TCP/UDP/ICMP…)
     - Sequence number: prevents replay
     - Security Parameters Index: identifies the IPsec SA
     - Integrity Check Value (ICV) calculated with SHA1 or MD5
     - Signed, ignoring the ICV field and fields that change in transit
     Packet layout: IP header | AH | IP payload (signed)
     Encapsulating Security Payload (ESP), protocol ID 50; ESP headers contain:
     - Protocol ID of payload (TCP/UDP/ICMP…)
     - Sequence number: prevents replay
     - Security Parameters Index: identifies the IPsec SA
     - Integrity Check Value (ICV)
     Packet layout: IP header | ESP header | IP payload | ESP trailer | ICV (payload and trailer encrypted; ESP header through trailer signed)
     When you just want integrity through NAT, use ESP-Null
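The slide lists what AH signs and what it leaves out; the following is an added example, not code from the presentation, modelling that in Python: an HMAC-SHA1 integrity check value computed with the ICV field and the mutable TTL zeroed, plus a sliding anti-replay window driven by the sequence number. The SPI, sequence number, addresses and key are constructed demo values, and the packet format is a simplified stand-in for a real AH header.

```python
import hashlib
import hmac
import ipaddress
import struct

# Added example (not from the presentation): a simplified model of the AH
# integrity check. The ICV is an HMAC-SHA1 over the packet with the ICV field
# itself and the mutable IP fields (here only TTL) treated as zero, so a router
# decrementing TTL does not break verification, while any change to the
# immutable fields or the payload does. SPI, sequence number, addresses and
# key are constructed demo values, not real SA state.

ICV_LEN = hashlib.sha1().digest_size  # 20 bytes


def icv_input(pkt: dict) -> bytes:
    """Bytes covered by the ICV: immutable IP fields, AH fields, zeroed ICV, payload."""
    return (
        struct.pack(
            "!4s4sBBII",
            ipaddress.ip_address(pkt["src"]).packed,
            ipaddress.ip_address(pkt["dst"]).packed,
            0,                  # TTL is mutable in transit, so it is zeroed here
            pkt["next_proto"],  # protocol ID of the payload (6 = TCP)
            pkt["spi"],         # Security Parameters Index: identifies the SA
            pkt["seq"],         # sequence number: used for anti-replay
        )
        + bytes(ICV_LEN)        # the ICV field is zeroed while computing the ICV
        + pkt["payload"]
    )


def sign(pkt: dict, key: bytes) -> dict:
    """Return a copy of pkt carrying its ICV."""
    signed = dict(pkt)
    signed["icv"] = hmac.new(key, icv_input(pkt), hashlib.sha1).digest()
    return signed


def verify(pkt: dict, key: bytes) -> bool:
    """Recompute the ICV and compare in constant time."""
    expected = hmac.new(key, icv_input(pkt), hashlib.sha1).digest()
    return hmac.compare_digest(expected, pkt["icv"])


class ReplayWindow:
    """Sliding anti-replay window over sequence numbers (RFC 4302 style, 64 wide)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means sequence number (top - i) was seen

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                      # AH/ESP never use sequence 0
        if seq > self.top:                    # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: reject
        if self.bitmap & (1 << offset):
            return False                      # already seen: replay
        self.bitmap |= 1 << offset
        return True


def run_scenario() -> dict:
    """Sign one packet and show which modifications the receiver accepts."""
    key = b"constructed-demo-key"             # a real SA key comes from quick mode
    pkt = {"src": "10.0.0.1", "dst": "10.0.0.2", "ttl": 64, "next_proto": 6,
           "spi": 0x1234, "seq": 1, "payload": b"GET / HTTP/1.1"}
    signed = sign(pkt, key)
    routed = dict(signed, ttl=signed["ttl"] - 1)          # a router decremented TTL
    tampered = dict(signed, payload=b"GET /x HTTP/1.1")   # payload altered in transit
    window = ReplayWindow()
    return {
        "routed_ok": verify(routed, key),
        "tampered_ok": verify(tampered, key),
        "first_copy_accepted": window.accept(signed["seq"]),
        "replayed_copy_accepted": window.accept(signed["seq"]),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running it shows the routed copy verifying, the tampered copy failing, and the second delivery of the same sequence number being dropped by the window; a real implementation covers every immutable header field and keys the window per SA.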
 15. Negotiated Security Options
     - Do not authenticate
     - Request inbound and outbound: a host responds to both IPsec and unauthenticated (non-IPsec) requests; it initiates communications with IPsec and, if that fails, falls back to unauthenticated communications
     - Require inbound and request outbound: a host responds to inbound traffic secured by IPsec and ignores unauthenticated requests; it initiates communications with IPsec and, if that fails, falls back to unauthenticated communications
     - Require inbound and require outbound: a host requires IPsec-secured communications for both inbound and outgoing requests
     - Require inbound and clear outbound
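The five options above only make sense in pairs, because the initiator's outbound setting meets the responder's inbound setting. The following added example (not from the presentation) models that meeting in Python and prints the full matrix, so a mismatch such as a "require inbound" server facing a "do not authenticate" client is visible before it is deployed. The slide gives no description for "Require inbound and clear outbound"; the model assumes it means inbound must be IPsec while outbound is sent unauthenticated without attempting IPsec.

```python
# Added example (not from the presentation): a small model of how the five
# negotiated security options combine when one host initiates a connection to
# another. Each option is reduced to an inbound rule (what the responder
# accepts) and an outbound rule (what the initiator attempts). The meaning
# assumed for "Require inbound and clear outbound" is inbound IPsec only,
# outbound sent in clear without trying IPsec.

POLICIES = {
    "Do not authenticate":                  ("none",    "none"),
    "Request inbound and outbound":         ("request", "request"),
    "Require inbound and request outbound": ("require", "request"),
    "Require inbound and require outbound": ("require", "require"),
    "Require inbound and clear outbound":   ("require", "none"),
}


def outcome(initiator_policy: str, responder_policy: str) -> str:
    """How traffic from the initiator reaches the responder: 'ipsec', 'clear' or 'blocked'."""
    _, outbound = POLICIES[initiator_policy]
    inbound, _ = POLICIES[responder_policy]

    # Responder behaviour: 'none' cannot negotiate IPsec and accepts only clear
    # text; 'request' accepts both; 'require' accepts only IPsec-secured traffic.
    responder_speaks_ipsec = inbound in ("request", "require")
    responder_accepts_clear = inbound in ("none", "request")

    if outbound != "none":                       # initiator tries IPsec first
        if responder_speaks_ipsec:
            return "ipsec"
        if outbound == "require":                # no fallback allowed
            return "blocked"
    # Either the initiator never tries IPsec, or it fell back to clear text
    return "clear" if responder_accepts_clear else "blocked"


def matrix() -> dict:
    """Outcome for every (initiator, responder) pair, for review in one place."""
    return {(a, b): outcome(a, b) for a in POLICIES for b in POLICIES}


if __name__ == "__main__":
    for (a, b), result in sorted(matrix().items()):
        print(f"{a:38} -> {b:38}: {result}")
```

The useful rows are the "blocked" ones: a host set to require inbound never talks to a peer that does not authenticate, in either direction, which is exactly the property that keeps unmanaged machines off DirectAccess-protected servers.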
 16. IPsec Tunnel
     - End points can be a single host or act as a gateway
     - The gateway acts as the end-point for integrity, encryption and authentication; traffic on the intranet is not protected by IPsec
     - The IPsec gateway includes IPsec DoS prevention, which reduces DoS attacks from the key management protocols IKE & AuthIP
 17. IPsec Access Options
     - Tunnel 1: machine authentication
     - Tunnel 2: machine & user authentication
     - ESP NULL (transport mode): machine and user authentication to the intranet server; selective authentication onto endpoint servers
     - ESP (transport mode): encryption and authentication to the intranet server
 18. Client Location
     - To resolve names on the Internet, the DirectAccess host queries DNS 1 (the IP-configured DNS address)
     - To resolve names on the intranet (corp.example.com zone), the DirectAccess host queries DNS 2
 19. How Does It Do That?
     - Name Resolution Policy Table (NRPT) to the rescue
     - The NRPT allows the definition of which DNS servers to query based on the namespace to be resolved
     - The NRPT can point DNS queries for corp.example.com to the intranet DNS server
     - All other DNS queries are sent to the DNS server address configured in the client IP settings
 20. NRPT
     - corp.example.com: query DNS 2
     - All other namespaces: query the DNS server configured in the client IP settings
     - There is a special entry in the table to direct DNS queries for an internal HTTPS website to the DNS servers configured in the client IP settings. For example, queries for nls.corp.example.com always go to the IP-configured DNS address, and this name is not resolvable on the Internet
 21. Viewing the NRPT
 22. NRPT Inside/Outside
     - NRPT enabled by default
     - If the client can access the internal HTTPS website (https://nls.corp.example.com), it is considered to be on the intranet and the NRPT is disabled
     - With no access to the secure website, the client is considered to be on the Internet and the NRPT remains enabled
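Slides 19 to 22 describe three pieces that interact: the namespace rule for corp.example.com, the exemption for the network location server name, and the inside/outside probe that switches the table off. The following added example (not from the presentation) models the lookup in Python so the interaction can be checked end to end. The intranet DNS address and the rule shapes are constructed placeholders, not values from the talk.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example (not from the presentation): a model of the NRPT lookup the
# slides describe. Rules map a DNS namespace suffix to the DNS servers that
# should answer it; an exemption rule with no servers sends matching names to
# the interface-configured DNS instead, which is how nls.corp.example.com is
# kept off the intranet resolver. The most specific (longest) matching rule
# wins. The server address is a constructed placeholder.

INTERFACE_DNS = "interface-configured DNS"   # "DNS 1" on the slides


@dataclass
class NrptRule:
    namespace: str                               # ".corp.example.com" or "nls.corp.example.com"
    servers: list = field(default_factory=list)  # empty list = exemption

    def matches(self, name: str) -> bool:
        name = name.rstrip(".").lower()
        ns = self.namespace.rstrip(".").lower()
        if ns.startswith("."):      # suffix rule: the zone apex and every name under it
            return name == ns.lstrip(".") or name.endswith(ns)
        return name == ns           # exact-name rule, used for the NLS exemption


@dataclass
class Client:
    rules: list
    nrpt_enabled: bool = True       # enabled by default; disabled once NLS is reachable

    def probe_network_location(self, nls_reachable: bool) -> str:
        """Inside/outside detection: reaching the internal HTTPS site means intranet."""
        self.nrpt_enabled = not nls_reachable
        return "intranet" if nls_reachable else "Internet"

    def resolver_for(self, name: str) -> list:
        """Which DNS servers the client queries for this name."""
        if not self.nrpt_enabled:
            return [INTERFACE_DNS]
        best: Optional[NrptRule] = None
        for rule in self.rules:
            if rule.matches(name) and (best is None or len(rule.namespace) > len(best.namespace)):
                best = rule
        if best is None or not best.servers:      # no rule, or an exemption
            return [INTERFACE_DNS]
        return list(best.servers)


def demo_client() -> Client:
    """Client carrying the two rules from the slides."""
    return Client(rules=[
        NrptRule(".corp.example.com", ["2001:db8::53"]),   # constructed intranet DNS ("DNS 2")
        NrptRule("nls.corp.example.com"),                  # exemption: always interface DNS
    ])


if __name__ == "__main__":
    c = demo_client()
    for reachable in (False, True):
        where = c.probe_network_location(reachable)
        for n in ("app1.corp.example.com", "nls.corp.example.com", "www.example.org"):
            print(f"{where:9} {n:24} -> {c.resolver_for(n)}")
```

The exemption is the part worth testing: without it, the NLS name would be sent to the intranet DNS over the DirectAccess tunnel, the probe would succeed from the Internet, and the client would wrongly disable the table.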
 23. Putting it All Together
     Diagram: 6to4 host/router and 6to4 relay, ISATAP router, Teredo host and Teredo server & relay, IPHTTPS host and HTTPS server, NAT devices, and the DirectAccess server between the Internet and the corporate intranet.
 24. DirectAccess Management Console
 25. Before Running Setup
     - DNS server requires the isatap block to be removed
     - Computer certificates must be issued to computers
     - Server certificates must be issued to the DA server (with the external DNS name in the certificate) and to the NLS web server (with the nlsurl address in the certificate)
     - CRL distribution should be configured in the certificate; the CRL distribution location must be available on both the Internet and the intranet
 26. Authentication to Servers
     - IPsec ESP NULL can be used for authentication to end-point servers
     - Provides another layer of protection; can control which servers are available from the DA host
     - Requires 2008 end-point servers: IPsec does not work over IPv6 for Windows 2003
     - Two-factor authentication can be enabled for end-to-end authentication; requires 2008 domain functional level
 27. DirectAccess Setup
     - Configures on the DA server: 6to4 relay, Teredo server and relay, IPHTTPS server, ISATAP
     - Creates group policy for IPsec rules for the DA server IPsec tunnel, the DA client IPsec tunnel, and DA clients and servers requiring end-point authentication
 28. DirectAccess Setup (continued)
     - Creates group policy for client configuration: enables and supplies addresses for the 6to4 relay, Teredo server and relay, and IPHTTPS server
     - Enables and configures the NRPT
     - Enables the inside/outside probe
     - DA server and DA clients must be members of the domain
 29. Windows DirectAccess
     - The DA server represents a single point of failure
     - Functionality can be split across multiple servers for performance
     - For HA, run the DA server as a VM in a Hyper-V cluster; this does not guarantee DA service availability (Live Migration available in Windows 2008 R2)
     - Load balancing option available with UAG
 30. All Done
     - Tunnelling technologies for the Internet and Intranet to support IPv6 over IPv4
     - Internet tunnelling selection based on client location: Internet, NAT, firewall
     - Encryption/authentication of Internet traffic (end-to-edge/end-to-end); PKI required
     - Client location detection: Internet or corporate intranet
 31. Resources
     TechEd 2009 is not producing a DVD; attendees can access session recordings at TechEd Online.
     - www.microsoft.com/teched: Sessions On-Demand & Community
     - www.microsoft.com/learning: Microsoft Certification & Training Resources
     - http://microsoft.com/technet: Resources for IT Professionals
     - http://microsoft.com/msdn: Resources for Developers
 32. Related Content
     Breakout Sessions:
     - SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies
     - SIA306 Microsoft Forefront Unified Access Gateway: DirectAccess and Beyond
     - SVR315 IPv6 for the Reluctant: What to Know Before You Turn It Off
     Interactive Theater Sessions:
     - SVR08-IS End-to-End Remote Connectivity with DirectAccess
 33. My Sessions at TechEd
     Breakout Sessions:
     - SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
     - SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
     - SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies
     - SVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together
     Interactive Theater Sessions:
     - SVR08-IS End-to-End Remote Connectivity with DirectAccess
 36. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
     The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.