Reinventing Remote Access with DirectAccess
Presentation Transcript

  • Reinventing Remote Access With DirectAccess
    Scott Roberts
    Lead Program Manager
    Microsoft
    Session Code: WSV320
  • Agenda
    Secure Access Landscape
    Demo
    DirectAccess Solution
    Benefits
    Deployment Models & Requirements
    Name Resolution
    Supporting Technologies
    Diagnostics
    Questions & Answers
  • Mobile Workforce
    Increasingly Porous Perimeter
    Mobile Data
    Globalization
  • "Re-Perimeterization"
    “My network is where my buildings are”
    How to manage, monitor, and support remote users/machines all the time?
    How to simplify remote workers’ access
    “My network is where my users and assets are”
  • Assume the underlying network is always unsecure
    Redefine the corporate edge to protect the datacenter
    Enterprise Network
    Security policies based on identity, not location
    DirectAccess Server
    Internet
    Data Center and Business Critical Resources
    Local User
    Remote User
    Industry Trends
  • Windows Server 2008 R2 Addressing Enterprise Needs
    Work Anywhere Infrastructure using Direct Access
  • DirectAccess
    Providing seamless, secure access to enterprise resources from anywhere
  • DirectAccess in Action
    demo
  • Benefits Of Direct Access: Bringing the corporate network to the user
    More productive
    More secure
    More manageable and cost effective
    Always-on access to corpnet while roaming
    No explicit user action required – it just works
    Same user experience on premise and off
    Simplified remote management of mobile resources as if they were on the LAN
    Lower total cost of ownership (TCO) with an “always managed” infrastructure
    Unified secure access across all scenarios and networks
    Integrated administration of all connectivity mechanisms
    Healthy, trustable host regardless of network
    Fine grain per app/server policy control
    Richer policy control near assets
    Ability to extend regulatory compliance to roaming assets
    Incremental deployment path toward IPv6
  • Always On
    Always connected
    No user action required
    Adapts to changing networks
  • Secure
    Encrypted by default
    Works with Smartcards
    Granular access control
    Coexists with existing edge, health, and access policies
  • Manageable
    Reach out to previously untouchable machines
    Allows remote clients to process Group Policies
    NAP integration for health compliance
    Consolidate Edge Infrastructure
  • VPN vs. DirectAccess - Value
  • Internet
    DirectAccess Server
    (Server 2008 R2)
    DirectAccess Client
    (Windows 7)
    Tunnel over IPv4 UDP, HTTPS, etc.
    Encrypted IPsec+ESP
    Native IPv6
    Encrypted IPsec+ESP
    IPsec Gateway
    6to4
    Teredo
    IP-HTTPS
    IPsec Hardware Offload Supported
  • Option 1 - ISATAP
    DirectAccess Server
    (Server 2008 R2)
    Line of Business Applications
    IPv6
    IPv6
    IPv4
    Windows Server 2008/R2
    Enabling IPv6 in the Enterprise
  • Option 2 – NAT-PT
    DirectAccess Server
    (Server 2008 R2)
    Line of Business Applications
    Windows Server 2003
    Non-Windows
    NAT-PT
    DNS-ALG
    IPv6
    IPv4
    Enabling IPv6 in the Enterprise
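Added example, not from the deck: when reviewing DirectAccess server logs a defender usually wants to know which IPv6 transition technology a client address arrived through. This Python classifier recognises the 6to4, Teredo and ISATAP address formats named on these slides and recovers the embedded IPv4 endpoint; IP-HTTPS addresses carry no well-known marker, so they fall through together with native IPv6. The sample addresses are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample of client addresses as they might appear in DirectAccess
# server logs (assumption: made up for this example, not real hosts).
SAMPLE_ADDRESSES = [
    "2002:c000:204::1",                      # 6to4: 2002::/16 with IPv4 192.0.2.4 embedded
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo (RFC 4380 sample), client 192.0.2.45
    "fe80::5efe:c000:20a",                   # ISATAP link-local, IPv4 192.0.2.10 embedded
    "2001:db8::1",                           # plain IPv6: native or an IP-HTTPS-assigned address
]

def classify_transition(addr_str):
    """Return (mechanism, embedded_ipv4) for one IPv6 address string."""
    addr = ipaddress.IPv6Address(addr_str)
    v4 = addr.sixtofour                   # IPv4Address if the address is in 2002::/16
    if v4 is not None:
        return ("6to4", str(v4))
    teredo = addr.teredo                  # (server, client) tuple if in 2001:0::/32
    if teredo is not None:
        # client's public IPv4, decoded from the inverted bits in the low 32 bits
        return ("Teredo", str(teredo[1]))
    iid = int(addr) & 0xFFFFFFFFFFFFFFFF  # 64-bit interface identifier
    # ISATAP interface ID is 0000:5EFE:w.x.y.z (or 0200:5EFE when the u/l bit is set)
    if (iid >> 32) & 0xFDFFFFFF == 0x00005EFE:
        return ("ISATAP", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF)))
    # No prefix distinguishes IP-HTTPS from native IPv6; treat both the same here.
    return ("native/IP-HTTPS", None)

def tally(addresses):
    """Count how many addresses used each mechanism."""
    return Counter(classify_transition(a)[0] for a in addresses)

if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print(a, "->", classify_transition(a))
    print(dict(tally(SAMPLE_ADDRESSES)))
```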
  • Enterprise Network
    DirectAccess Server
    (Server 2008 R2)
    Line of Business Applications
    No IPsec
    IPsec Integrity Only (Auth)
    Windows Server 2003
    Windows Server 2008
    Non-Windows Server
    IPsec Integrity + Encryption
    IPsec Gateway
    IPsec Hardware Offload Supported
  • Deployment Models
  • Deployment Scenario: End-to-Edge Encryption
    Corporate Network
    Trusted, compliant, healthy machine
    Direct Access Server (Server 2008 R2)
    DC & DNS (Server 2008 SP2/R2)
    Windows 7 client
    Applications & Data (non-IPsec enabled)
    IPsec ESP tunnel encryption using machine cert (DC/DNS access)
    Internet
    IPsec ESP tunnel encryption using UserKerb/Health Cert/Smartcard for broad network access
    Clear Text traffic from client flows through encrypted tunnel to Corporate network resources
    No overhead of encryption on application servers
    Edge enforces machine/user authentication and data encryption
    Least change from customer’s existing edge deployments
  • Deployment Scenario: End-to-Edge Encryption + End-to-End IPsec
    Corporate Network
    Direct Access Server (Server 2008 R2)
    Trusted, compliant, healthy machine
    DC & DNS (Server 2008 SP2/R2)
    Windows 7 client
    IPsec ESP tunnel encryption using machine cert (DC/DNS access)
    Applications & Data
    IPsec-enabled
    Internet
    IPsec ESP tunnel encryption using UserKerb/Health Cert/Smartcard for broad network access
    IPsec ESP-Null AuthIP Transport
    Traffic flows through encrypted tunnel to Corporate network resources
    No overhead of encryption on application servers (just authentication)
    DirectAccess Edge Encryption combined with End to End IPsec Server and Domain Isolation
  • Deployment Scenario: End-To-End IPsec Transport Encryption
    Corporate Network
    Direct Access Server (Server 2008 R2)
    Trusted, compliant, healthy machine
    DC & DNS (Server 2008 SP2/R2)
    Internet
    Windows 7 client
    Applications & Data (IPsec-enabled)
    IPsec ESP-encrypted transport to access Corporate network resources
    Thin edge solution using IPsec
    Denial of Service Protection (DoSP) Service only allows IPsec & ICMP traffic
    Full End to End IPsec Encryption
    IP-HTTPS tunnel used for proxy scenarios only
  • Deployment Requirements
  • Name Resolution
  • Name Resolution Policy Table (NRPT)
    New feature in Windows 7
    Used by DirectAccess Client to determine ‘which’ DNS Server to use based on namespace
    New name resolution order:
    Local cache
    Hosts file
    NRPT
    DNS
  • NRPT
    For any given query, if the domain matches an entry in the NRPT, the query will be sent to the DNS Servers specified in the NRPT
    These are internal DNS servers – they do not need to be dedicated to DirectAccess, and they do not need to be in the DMZ
    If the name doesn't match an NRPT entry, the query will be sent to the DNS server configured for the interface
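Added example, not from the deck: a small Python model of the Windows 7 lookup order described on these two slides (local cache, hosts file, NRPT, then the interface's DNS server). It uses the longest matching NRPT suffix when several entries apply, which is how NRPT evaluates overlapping namespaces; the namespaces, server addresses and hosts entries are constructed.

```python
# Constructed policy and local state (assumption: names and addresses are made
# up for this example; they are not from the deck).
NRPT = {
    ".corp.example.com":        ["2001:db8:10::53"],
    ".secure.corp.example.com": ["2001:db8:10::55"],   # more specific suffix wins
    ".intranet.example.com":    ["2001:db8:10::53", "2001:db8:10::54"],
}
INTERFACE_DNS = ["2001:db8:ffff::1"]      # resolver learned from the local (e.g. hotel) network
HOSTS = {"build01.corp.example.com": "2001:db8:10::200"}   # constructed hosts-file entry

def nrpt_match(name):
    """Return the DNS servers of the longest NRPT suffix matching name, or None."""
    best = None
    for suffix, servers in NRPT.items():
        if name.endswith(suffix.lower()) and (best is None or len(suffix) > len(best[0])):
            best = (suffix, servers)
    return best[1] if best else None

def resolve_target(name, cache=None, hosts=HOSTS):
    """Walk the Windows 7 order: local cache, hosts file, NRPT, interface DNS.
    Returns (stage, answer_or_servers); the stage shows where the lookup stopped."""
    key = name.lower().rstrip(".")
    cache = cache or {}
    if key in cache:
        return ("cache", cache[key])
    if key in hosts:                      # hosts file is consulted before the NRPT
        return ("hosts", hosts[key])
    servers = nrpt_match(key)
    if servers is not None:
        return ("nrpt", servers)          # sent to internal DNS through the DirectAccess tunnel
    return ("interface-dns", INTERFACE_DNS)   # everything else resolves on the local network

if __name__ == "__main__":
    for n in ["portal.corp.example.com", "vault.secure.corp.example.com",
              "build01.corp.example.com", "www.example.net"]:
        print(n, "->", resolve_target(n))
```

Note that an entry in the hosts file for an internal name bypasses the NRPT entirely, which is why hosts-file changes on DirectAccess clients deserve a look during troubleshooting.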
  • Supporting Technologies
  • Direct Access Supporting Technologies
    Corporate Network
    Trusted, compliant, healthy machine
    DC & DNS (Server 2008 R2)
    Applications & Data
    Windows 7 client
    Forefront
    UAG
    IAG SP2
    NAP (includes Server & Domain Isolation [SDI])
    Forefront Client Security
    Windows Firewall
    BitLocker + Trusted Platform Module (TPM)
  • Direct Access Supporting Technologies
    Internet
    Forefront Client Security
    Non-Compliant Client
    Compliant Client
    Compliant Client
    NAP / NPS Servers
    IPsec/IPv6
    Unmanaged Client
    IPsec/IPv6
    DA Server
    CORPNET User
    Data Center and Business Critical Resources
    IAG SP2
    CORPNET User
    CORPNET Compliant Network
  • Windows 7 Direct Access + UAG
    UAG extends the benefits of Windows Direct Access, enabling an easy migration path and enhanced scalability.
  • DirectAccess – Solution
    UAG and DirectAccess better together:
    Extends access to line of business servers with IPv4 support
    Access for down level and non Windows clients
    Enhances scalability and management
    Simplifies deployment and administration
    Hardened Edge Solution
    MANAGED
    IPv6
    Windows7
    IPv6
    Always On
    DirectAccess
    Windows7
    UNMANAGED
    IPv4
    Vista/XP
    Extend support to IPv4 servers
    SSL VPN
    DirectAccess Server
    IPv4
    Non Windows
    +
    +
    PDA
    IPv4
    UAG provides access for down level and non Windows clients
    UAG enhances scale and management with integrated LB and array capabilities.
    UAG improves adoption and extends access to existing infrastructure
    UAG is a hardened edge appliance available in HW and virtual options
    UAG uses wizards and tools to simplify deployments and ongoing management.
  • Diagnostics
    Internet Explorer Diagnose Problem Button
    It has been enhanced to troubleshoot DirectAccess
    Networking Icon (right click)
    Troubleshoot problems option. Supports providing a location. Also has a DirectAccess Entry Point
    Control Panel, Troubleshooting
    Connect to a Workplace using DirectAccess
    Command Prompt (Elevated)
    NETSH TRACE START SCENARIO=DIRECTACCESS
  • Windows 7 Builds on Windows Vista: Deployment, testing, and pilots today will continue to pay off
    Similar Compatibility:
    Most software that runs on Windows Vista will run on Windows 7. Exceptions will be low-level code (AV, firewall, imaging, etc.).
    Hardware that runs Windows Vista well will run Windows 7 well.
    Few Changes: Focus on quality and reliability improvements
    Deep Changes: New models for security, drivers, deployment, and networking
  • Summary: Call-to-action
    Windows Server 2008 R2 offers great innovation for your Anywhere Access infrastructure
    Learn more about Direct Access
    Start deploying Windows Server 2008 now to get ready
    http://www.microsoft.com/directaccess
  • www.microsoft.com/teched
    Sessions On-Demand & Community
    www.microsoft.com/learning
    Microsoft Certification & Training Resources
    http://microsoft.com/technet
    Resources for IT Professionals
    http://microsoft.com/msdn
    Resources for Developers
  • Complete an evaluation on CommNet and enter to win!
  • © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
    The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.