Reinventing Remote Access with DirectAccess


  1.
  2. Reinventing Remote Access With DirectAccess
     Scott Roberts
     Lead Program Manager
     Microsoft
     Session Code: WSV320
  3. Agenda
     Secure Access Landscape
     Demo
     DirectAccess Solution
     Benefits
     Deployment Models & Requirements
     Name Resolution
     Supporting Technologies
     Diagnostics
     Questions & Answers
  4. Mobile Workforce
     Increasingly Porous Perimeter
     Mobile Data
     Globalization
  5. "Re-Perimeterization"
     "My network is where my buildings are"
     How to manage, monitor, and support remote users/machines all the time?
     How to simplify remote workers' access?
     "My network is where my users and assets are"
  6. Industry Trends
     Assume the underlying network is always unsecure
     Redefine the corporate edge to protect the datacenter
     Security policies based on identity, not location
     (Diagram labels: Enterprise Network; DirectAccess Server; Internet; Data Center and Business Critical Resources; Local User; Remote User)
  7. Windows Server 2008 R2 Addressing Enterprise Needs
     Work Anywhere Infrastructure using DirectAccess
  8. DirectAccess
     Providing seamless, secure access to enterprise resources from anywhere
  9. DirectAccess in Action
     Demo
  10. Benefits of DirectAccess: Bringing the corporate network to the user
     More productive / More secure / More manageable and cost effective
     Always-on access to corpnet while roaming
     No explicit user action required: it just works
     Same user experience on premise and off
     Simplified remote management of mobile resources as if they were on the LAN
     Lower total cost of ownership (TCO) with an "always managed" infrastructure
     Unified secure access across all scenarios and networks
     Integrated administration of all connectivity mechanisms
     Healthy, trustable host regardless of network
     Fine-grained per-app/server policy control
     Richer policy control near assets
     Ability to extend regulatory compliance to roaming assets
     Incremental deployment path toward IPv6
  11. Always On
     Always connected
     No user action required
     Adapts to changing networks
  12. Secure
     Encrypted by default
     Works with smart cards
     Granular access control
     Coexists with existing edge, health, and access policies
  13. Manageable
     Reach out to previously untouchable machines
     Allows remote clients to process Group Policies
     NAP integration for health compliance
     Consolidate edge infrastructure
  14. VPN vs. DirectAccess - Value
  15. (Diagram labels: Internet; DirectAccess Server (Server 2008 R2); DirectAccess Client (Windows 7); Tunnel over IPv4 UDP, HTTPS, etc.; Encrypted IPsec+ESP; Native IPv6; Encrypted IPsec+ESP; IPsec Gateway; 6to4; Teredo; IP-HTTPS; IPsec Hardware Offload Supported)
  16. Option 1 - ISATAP
     Enabling IPv6 in the Enterprise
     (Diagram labels: DirectAccess Server (Server 2008 R2); Line of Business Applications; IPv6; IPv6; IPv4; Windows Server 2008/R2)
  17. Option 2 - NAT-PT
     Enabling IPv6 in the Enterprise
     (Diagram labels: DirectAccess Server (Server 2008 R2); Line of Business Applications; Windows Server 2003; Non-Windows; NAT-PT; DNS-ALG; IPv6; IPv4)
  18. Enterprise Network
     (Diagram labels: DirectAccess Server (Server 2008 R2); Line of Business Applications; No IPsec; IPsec Integrity Only (Auth); Windows Server 2003; Windows Server 2008; Non-Windows Server; IPsec Integrity + Encryption; IPsec Gateway; IPsec Hardware Offload Supported)
  19. Deployment Models
  20. Deployment Scenario: End-to-Edge Encryption
     (Diagram labels: Corporate Network; Trusted, compliant, healthy machine; DirectAccess Server (Server 2008 R2); DC & DNS (Server 2008 SP2/R2); Windows 7 client; Applications & Data (non-IPsec enabled); Internet)
     IPsec ESP tunnel encryption using machine cert (DC/DNS access)
     IPsec ESP tunnel encryption using user Kerberos/health cert/smart card for broad network access
     Clear-text traffic from the client flows through the encrypted tunnel to corporate network resources
     No overhead of encryption on application servers
     Edge enforces machine/user authentication and data encryption
     Least change from the customer's existing edge deployments
  21. Deployment Scenario: End-to-Edge Encryption + End-to-End IPsec
     (Diagram labels: Corporate Network; DirectAccess Server (Server 2008 R2); Trusted, compliant, healthy machine; DC & DNS (Server 2008 SP2/R2); Windows 7 client; Applications & Data (IPsec-enabled); Internet)
     IPsec ESP tunnel encryption using machine cert (DC/DNS access)
     IPsec ESP tunnel encryption using user Kerberos/health cert/smart card for broad network access
     IPsec ESP-Null AuthIP transport traffic flows through the encrypted tunnel to corporate network resources
     No overhead of encryption on application servers (just authentication)
     DirectAccess edge encryption combined with end-to-end IPsec server and domain isolation
  22. Deployment Scenario: End-to-End IPsec Transport Encryption
     (Diagram labels: Corporate Network; DirectAccess Server (Server 2008 R2); Trusted, compliant, healthy machine; DC & DNS (Server 2008 SP2/R2); Internet; Windows 7 client; Applications & Data (IPsec-enabled))
     IPsec ESP-encrypted transport to access corporate network resources
     Thin edge solution using IPsec
     Denial of Service Protection (DoSP) service only allows IPsec & ICMP traffic
     Full end-to-end IPsec encryption
     IP-HTTPS tunnel used for proxy scenarios only
  23. Deployment Requirements
  24. Deployment Requirements
  25. Name Resolution
  26. Name Resolution Policy Table (NRPT)
     New feature in Windows 7
     Used by the DirectAccess client to determine which DNS server to use, based on namespace
     New name resolution order:
     Local cache
     Hosts file
     NRPT
     DNS
  27. NRPT
     For any given query, if the domain matches an entry in the NRPT, the query is sent to the DNS servers specified in that entry
     These are internal DNS servers: they do not need to be dedicated to DirectAccess, and they do not need to be in the DMZ
     If the name does not match an NRPT entry, the query is sent to the DNS server configured for the interface
  28. Supporting Technologies
  29. DirectAccess Supporting Technologies
     (Diagram labels: Corporate Network; Trusted, compliant, healthy machine; DC & DNS (Server 2008 R2); Applications & Data; Windows 7 client)
     Forefront UAG
     IAG SP2
     NAP (includes Server & Domain Isolation [SDI])
     Forefront Client Security
     Windows Firewall
     BitLocker + Trusted Platform Module (TPM)
  30. DirectAccess Supporting Technologies
     (Diagram labels: Internet; Forefront Client Security; Non-Compliant Client; Compliant Client; Compliant Client; NAP / NPS Servers; IPsec/IPv6; Unmanaged Client; IPsec/IPv6; DA Server; CORPNET User; Data Center and Business Critical Resources; IAG SP2; CORPNET User; CORPNET Compliant Network)
  31. Windows 7 DirectAccess + UAG
     UAG extends the benefits of Windows DirectAccess, enabling an easy migration path and enhanced scalability.
  32. DirectAccess - Solution
     UAG and DirectAccess better together:
     Extends access to line of business servers with IPv4 support
     Access for down-level and non-Windows clients
     Enhances scalability and management
     Simplifies deployment and administration
     Hardened edge solution
     (Diagram labels: MANAGED; IPv6; Windows 7; Always On; DirectAccess; UNMANAGED; IPv4; Vista/XP; Extend support to IPv4 servers; SSL VPN; DirectAccess Server; Non-Windows; PDA)
     UAG provides access for down-level and non-Windows clients
     UAG enhances scale and management with integrated LB and array capabilities
     UAG improves adoption and extends access to existing infrastructure
     UAG is a hardened edge appliance available in HW and virtual options
     UAG uses wizards and tools to simplify deployments and ongoing management
  33. Diagnostics
  34. Diagnostics
     Internet Explorer "Diagnose Problem" button: it has been enhanced to troubleshoot DirectAccess
     Networking icon (right-click): "Troubleshoot problems" option; supports providing a location; also has a DirectAccess entry point
     Control Panel, Troubleshooting: "Connect to a Workplace using DirectAccess"
     Command Prompt (elevated): NETSH TRACE START SCENARIO=DIRECTACCESS
  35. Windows 7 Builds on Windows Vista: Deployment, testing, and pilots today will continue to pay off
     Similar compatibility: Most software that runs on Windows Vista will run on Windows 7. Exceptions will be low-level code (AV, firewall, imaging, etc.). Hardware that runs Windows Vista well will run Windows 7 well.
     Few changes: Focus on quality and reliability improvements
     Deep changes: New models for security, drivers, deployment, and networking
  36. Summary: Call to action
     Windows Server 2008 R2 offers great innovation for your Anywhere Access infrastructure
     Learn more about DirectAccess
     Start deploying Windows Server 2008 now to get ready
     http://www.microsoft.com/directaccess
  37. Resources
     www.microsoft.com/teched: Sessions On-Demand & Community
     www.microsoft.com/learning: Microsoft Certification & Training Resources
     http://microsoft.com/technet: Resources for IT Professionals
     http://microsoft.com/msdn: Resources for Developers
  38. Complete an evaluation on CommNet and enter to win!
  39. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
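The resolution order and NRPT behaviour on slides 26 and 27, as an added simulation that is not part of the deck or Microsoft's code: a client resolver that tries the local cache, then the hosts file, then the NRPT, and only then the DNS server configured on the interface. The names, addresses and the longest-suffix tie-break between overlapping NRPT entries are assumptions.

```python
"""Added simulation of the Windows 7 DirectAccess resolution order on the NRPT
slides (cache -> hosts file -> NRPT -> interface DNS); all values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

@dataclass
class NrptRule:
    namespace: str          # DNS suffix the rule covers, e.g. ".corp.example.com"
    dns_servers: List[str]  # internal DNS servers queried for that suffix

@dataclass
class DaClientResolver:
    cache: Dict[str, str] = field(default_factory=dict)    # positive DNS cache
    hosts: Dict[str, str] = field(default_factory=dict)    # hosts-file entries
    nrpt: List[NrptRule] = field(default_factory=list)
    interface_dns: List[str] = field(default_factory=list)  # DHCP/ISP-assigned DNS

    def nrpt_match(self, name: str) -> Optional[NrptRule]:
        # Longest matching suffix wins when rules overlap: an assumption of
        # this simulation, not something the deck states.
        fqdn = "." + name.lower().rstrip(".")
        best: Optional[NrptRule] = None
        for rule in self.nrpt:
            suffix = rule.namespace.lower()
            if fqdn.endswith(suffix) and (best is None or len(suffix) > len(best.namespace)):
                best = rule
        return best

    def resolve(self, name: str) -> Tuple[str, Union[str, List[str]]]:
        """Walk the four stages in order and return (stage, answer): an address
        for cache/hosts hits, otherwise the DNS server list the query goes to."""
        key = name.lower().rstrip(".")
        if key in self.cache:
            return ("cache", self.cache[key])
        if key in self.hosts:
            return ("hosts", self.hosts[key])
        rule = self.nrpt_match(key)
        if rule is not None:
            return ("nrpt", rule.dns_servers)         # internal DNS, per the slide
        return ("interface-dns", self.interface_dns)  # no match: interface DNS

def demo_resolver() -> DaClientResolver:
    """Constructed client state: two overlapping NRPT suffixes plus a cache
    and a hosts entry that shadow names the NRPT would otherwise cover."""
    return DaClientResolver(
        cache={"fileserver.corp.example.com": "2001:db8:1::10"},
        hosts={"legacyapp.corp.example.com": "2001:db8:1::20"},
        nrpt=[NrptRule(".corp.example.com", ["2001:db8:1::53"]),
              NrptRule(".hr.corp.example.com", ["2001:db8:2::53"])],
        interface_dns=["192.0.2.1"])
```

Running `demo_resolver().resolve(...)` on an internal name and on a public name shows the split the slides describe: internal suffixes go to the internal DNS servers, everything else to the interface's DNS server.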