DA for Dummies (TechDays 2012)


These slides were used at the Dutch TechDays event by Microsoft in 2012.


  1. Direct Access for Dummies
     Alex de Jong, Microsoft Freelance
  2. Agenda
     • Direct Access Overview
     • Direct Access Basics
     • So how does it work?
     • Cool, I want that… How do I build it?
     • Where do I start from here?
  3. Direct Access is the ultimate VPN solution and one of the enablers for the New Way of Work.
  4. Direct Access benefits
     • Improved Productivity
       – Helps improve the productivity of remote staff by providing the same, always-on connectivity experience whether users are inside or outside the corporate network.
     • Secure Connectivity
       – Leverages IPsec for authentication and encryption.
       – Provides the ability to apply granular policy control over access to resources, applications, and servers.
       – Integrates with Microsoft Server and Domain Isolation, Network Access Protection (NAP), and BitLocker solutions, resulting in security, access, and health requirement policies that seamlessly interoperate between intranets and remote computers.
  5. Direct Access Benefits (cont’d)
     • Greater Manageability
       – Helps ensure that machines both on and off the network are always healthy, managed, and up to date.
       – Provides administrators with the ability to update Group Policy settings and distribute software updates any time a remote computer has Internet connectivity, even if the user is not logged on.
       – Helps ensure that organizations can meet regulatory and privacy mandates for security and data protection for assets that must roam beyond the corporate network.
  6. DEMO: Direct Access Benefits
  7. Direct Access complex?
  8. Direct Access Basics
     • Authentication – DirectAccess authenticates the computer, enabling the computer to connect to the intranet before the user logs on. DirectAccess can also authenticate the user and supports two-factor authentication using smart cards.
     • Encryption – DirectAccess uses IPsec to provide encryption for communications across the Internet.
     • Access Control – IT professionals can configure which intranet resources different users can access using DirectAccess, granting DirectAccess users unlimited access to the intranet or only allowing them to use specific applications and access specific servers or subnets.
  9. Direct Access Basics (cont’d)
     • IT Simplification and Cost Reduction – DirectAccess separates intranet from Internet traffic, which reduces unnecessary traffic on the corporate network by sending only traffic destined for the corporate network through the DirectAccess server. Optionally, IT can configure DirectAccess clients to send all traffic through the DirectAccess server.
  10. DirectAccess: a VPN on Steroids (diagram of a remote client reaching the corporate network)
     • Always On
     • Patch management, health check and GPOs
     • Network-level computer/user authentication and encryption
     • Automatically connects through NAT and firewalls
     VPNs connect the user to the network; DirectAccess extends the network to the remote computer and user.
  11. End-to-End IPv6 (diagram: client app, IPv6 across the Internet and the corporate intranet, server app)
     Client and server applications must be IPv6 compatible. Are all your applications IPv6 compatible?
  12. Simple? (diagram: Internet / corporate intranet)
     • Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4
     • Internet tunnelling selection based on client location – Internet, NAT, firewall
     • Encryption/authentication of Internet traffic (end-to-edge / end-to-end)
     • Client location detection: Internet or corporate intranet
  13. Connectivity Summary (diagram of the Forefront Unified Access Gateway (UAG) and the tunnels it terminates)
     • Native IPv6 Internet
     • IPv4 Internet – 6to4 tunnel: IPv6 in IPv4, protocol 41
     • Behind NAT – Teredo tunnel: IPv6 in UDP, port 3544
     • Behind NAT with UDP port 3544 blocked – IP-HTTPS tunnel: IPv6 in HTTPS
     • Corporate network – ISATAP: IPv6 in IPv4, protocol 41; DNS64/NAT64 towards IPv4
  14. What is 6to4
     • 6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6: a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels. Special relay servers are also in place that allow 6to4 networks to communicate with native IPv6 networks.
  15. What is Teredo
     • Teredo is a transition technology that gives full IPv6 connectivity to IPv6-capable hosts that are on the IPv4 Internet but have no direct native connection to an IPv6 network. Compared to other similar protocols, its distinguishing feature is that it is able to perform its function even from behind network address translation (NAT) devices such as home routers.
  16. What is IP-HTTPS
     • The IP over HTTPS (IP-HTTPS) protocol allows a secure IP tunnel to be established using a secure HTTP connection.
  17. What is ISATAP
     • ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network.
     • ISATAP defines a method for generating a link-local IPv6 address from an IPv4 address, and a mechanism to perform Neighbor Discovery on top of IPv4.
  18. Connectivity Summary (the diagram of slide 13, repeated)
  19. DEMO: Direct Access
  20. Client Location (diagram: the corp.example.com zone with DNS 2 on the corporate intranet, DNS 1 on the Internet, and the DNS address configured in the client’s IP settings)
     • To resolve names on the Internet, the DirectAccess host queries DNS 1
     • To resolve names on the intranet, the DirectAccess host queries DNS 2
  21. End-to-Edge Access Model
     For end-to-edge protection, DirectAccess clients establish an IPsec session to an IPsec gateway server (which by default is the same computer as the DirectAccess server). The IPsec gateway server then forwards unprotected traffic (shown in red on the slide) to application servers on the intranet. This architecture works with any IPv6-capable application server but does not require that server to run IPsec, simplifying the configuration and setup.
  22. End-to-Edge with End-to-End IPsec Model
     For end-to-edge with end-to-end IPsec protection, DirectAccess clients establish an IPsec session to an IPsec gateway server, and that IPsec traffic continues all the way to the intranet server for end-to-end IPsec protection. This architecture provides better security than the end-to-edge model alone.
  23. End-to-End IPsec Access Model
     With end-to-end IPsec protection, DirectAccess clients establish an IPsec session through the DirectAccess server to each application server to which they connect. This provides the highest level of security because you can configure access control on the DirectAccess server and extend IPsec all the way to the internal server. This architecture requires that application servers run Windows Server 2008 SP2 or Windows Server 2008 R2 and use both IPv6 and IPsec.
  24. Steps
     • Enable IPv6 internally (ISATAP)
     • Network Location Server
     • Client Groups
     • Firewall settings on clients
     • Certificate auto-enrollment
     • Direct Access Server
     • Finalize
     • Test
  25. 1: Enabling IPv6 in the Enterprise (diagram: DirectAccess server and line-of-business applications on Server 2008 R2 reached over IPv6, carried across the IPv4 intranet using ISATAP)
     On all internal DCs: dnscmd /config /globalqueryblocklist wpad
     (This rewrites the DNS global query block list, which by default contains both wpad and isatap, so that the isatap name is no longer blocked.)
  26. 2: Configuring NLS
     • Any INTERNAL server running Web services
     • Create a DNS name (like nls.yourdomain.com)
     • Associate this new NLS DNS name with an IP address of an internal Web server
     NLS tells the DirectAccess clients whether they are “inside” or “outside” of the network. *** Make sure this system is HIGHLY available!!! ***
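The location check on slide 20 and the NLS warning on slide 26 describe one mechanism: the client probes the NLS, and only when the probe fails does it apply its Name Resolution Policy Table, sending corporate names to the intranet DNS (DNS 2) through the tunnel and everything else to the Internet DNS (DNS 1). The simulation below is an added example, not code from the deck; the names corp.example.com and nls.corp.example.com and the labels "DNS 1" / "DNS 2" are taken from the slides, while the NrptRule class, the rule contents and the probe flag are constructed for the simulation. It also shows why the NLS must be highly available: a client inside the network whose NLS probe fails concludes it is outside and routes intranet lookups into a tunnel it cannot use.

```python
"""Simulate DirectAccess client location detection and NRPT name resolution.

Added example for this page, not code from the TechDays deck. The NLS name is
carried as an NRPT exemption so that a client on the Internet resolves it with
the ordinary Internet DNS, fails to reach it, and correctly concludes that it
is outside the corporate network.
"""

INTERNET_DNS = "DNS 1"   # adapter / ISP DNS, used for Internet names
INTRANET_DNS = "DNS 2"   # intranet DNS, reached through the DirectAccess tunnel
CORP_SUFFIX = ".corp.example.com"
NLS_NAME = "nls.corp.example.com"


class NrptRule:
    """One Name Resolution Policy Table entry (constructed shape for this example).

    namespace  - a DNS suffix (leading dot) or a single FQDN
    dns_server - server for matching names; None marks an exemption, i.e. the
                 name is resolved by the normal Internet DNS server instead
    """

    def __init__(self, namespace, dns_server):
        self.namespace = namespace.lower()
        self.dns_server = dns_server

    def matches(self, name):
        if self.namespace.startswith("."):
            return name.endswith(self.namespace)
        return name == self.namespace


# Constructed table: exemption for the NLS name, suffix rule for the corp zone
NRPT = (
    NrptRule(NLS_NAME, None),
    NrptRule(CORP_SUFFIX, INTRANET_DNS),
)


def detect_location(nls_reachable):
    """The client is 'inside' only when the NLS HTTPS URL answers the probe."""
    return "inside" if nls_reachable else "outside"


def select_dns(name, location, rules=NRPT):
    """Pick the DNS server the client queries for `name` at the given location."""
    name = name.lower().rstrip(".")
    if location == "inside":
        # NRPT is not applied inside; the adapter's configured intranet DNS is used
        return INTRANET_DNS
    # The longest matching namespace wins, so the NLS exemption beats the suffix rule
    best = max((r for r in rules if r.matches(name)),
               key=lambda r: len(r.namespace), default=None)
    if best is None or best.dns_server is None:
        return INTERNET_DNS
    return best.dns_server


def simulate(physically_inside, nls_reachable, name):
    """Outcome of one lookup, flagging the NLS-outage failure mode."""
    location = detect_location(nls_reachable)
    dns = select_dns(name, location)
    misdetected = physically_inside and location == "outside"
    return {
        "location": location,
        "dns": dns,
        # Inside the network with the NLS down, corporate names are sent to the
        # intranet DNS through a DirectAccess tunnel that cannot be built from
        # inside, so the lookup breaks: the reason the NLS must be highly available
        "broken": misdetected and dns == INTRANET_DNS,
    }


if __name__ == "__main__":
    for inside, nls_up in ((True, True), (False, False), (True, False)):
        print(inside, nls_up, simulate(inside, nls_up, "fileserver.corp.example.com"))
```

The longest-match rule is what keeps the exemption effective: both entries match nls.corp.example.com, and the exact FQDN is the longer namespace, so it wins over the suffix rule.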
  27. 3: Create Group(s) for the DA Clients
     • Create a security group (Global or Universal)
     • Add Win7 client systems to this group
     Remember, systems are no longer really part of a “site”, as they are now universally roaming systems. So you define the group of systems by the policy of what you want the systems to have access to, not by where they arbitrarily are.
  28. 4: Windows Firewall for DA
     • Allow inbound and outbound ICMPv6 Echo Request messages
     • Create a Group Policy or configure each system individually
  29. 5: Configuring the NLS
     • Enroll the server with a certificate and configure it for SSL access
  30. 6: Certificate Auto-Enrollment
     • Make sure all systems in the Direct Access group of client systems have a valid client authentication certificate
  31. 7: Install & Configure Direct Access
     • Add a certificate to the DirectAccess server
     • Add the DirectAccess feature on the server
     • Run the DirectAccess setup
  32. 8: Finalizing Configurations
     • Run gpupdate /force on all systems to make sure the new policies have been applied (servers for the firewall policy, clients for the firewall and certificate auto-enrollment policies)
     • Stop/start the iphlpsvc service on all servers and test to make sure that all systems can resolve the isatap.yourdomain.com DNS entry that was created during the DirectAccess setup wizard
     • Use ping (ipaddress) -6 to make sure you can ping servers and systems internally
  33. 9: Testing DA: Internal
     • With the client system internal, run ipconfig and check to make sure you have a local address
  34. 10: Testing DirectAccess (External)
     • With the client system external, run ipconfig and check to make sure you have an external IP address
     • Access a file on a file server or SharePoint using an internal http(s) connection
  35. 11: Testing DA: IP-HTTPS
     • Step 10 tested external access using the automatically generated Teredo 2001: address
     • Now, to verify that external access is working using IP-HTTPS, disable Teredo:
       – netsh interface teredo set state disable
       – netsh interface httpstunnel show interfaces
     • Re-access your file server and your Web server with an internal address and see if you still have access, now over IP-HTTPS
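Slides 14 to 17 define the four transition technologies and slides 33 to 35 ask you to read ipconfig output and recognise which one the client is using (the Teredo 2001: address in step 10, IP-HTTPS after Teredo is disabled in step 11). The decoder below is an added example, not code from the deck, that does that recognition from the address alone and pulls out the IPv4 information the tunnel addresses embed. Address layouts follow RFC 3056 (6to4), RFC 4380 (Teredo) and RFC 5214 (ISATAP). The `iphttps_prefix` parameter is this example's own assumption: IP-HTTPS addresses carry no fixed marker, they come from a prefix configured on the DirectAccess server, and in the Windows Server 2008 R2 default that prefix is a /64 under the server's own 6to4 prefix, which is why it is tested before the 6to4 rule. All sample addresses are constructed from documentation ranges.

```python
"""Decode DirectAccess transition-technology addresses.

Added example for this page, not code from the TechDays deck. Layouts per
RFC 3056 (6to4), RFC 4380 (Teredo) and RFC 5214 (ISATAP); iphttps_prefix is
an assumed parameter because IP-HTTPS addresses have no protocol-defined marker.
"""
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")
# ISATAP interface identifiers start 0000:5efe (private IPv4) or 0200:5efe (global IPv4)
ISATAP_IID_HIGH = (0x00005EFE, 0x02005EFE)


def _ipv4(bits):
    """Render the low 32 bits of an integer as a dotted-quad IPv4 address."""
    return str(ipaddress.IPv4Address(bits & 0xFFFFFFFF))


def classify(address, iphttps_prefix=None):
    """Describe the tunnel an IPv6 address belongs to and decode its embedded IPv4 data."""
    addr = ipaddress.IPv6Address(address)
    n = int(addr)
    if addr in TEREDO_PREFIX:
        # 2001:0000:<server IPv4>:<flags>:<port ^ 0xffff>:<client IPv4 ^ 0xffffffff>
        flags = (n >> 48) & 0xFFFF
        return {
            "technology": "Teredo",
            "transport": "IPv6 in UDP, port 3544",
            "teredo_server": _ipv4(n >> 64),
            "cone_nat": bool(flags & 0x8000),
            "external_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
            "external_ipv4": _ipv4(n ^ 0xFFFFFFFF),
        }
    if iphttps_prefix is not None and addr in ipaddress.IPv6Network(iphttps_prefix):
        # Tested before 6to4: the 2008 R2 default IP-HTTPS prefix sits under the server's 6to4 prefix
        return {"technology": "IP-HTTPS", "transport": "IPv6 in HTTPS"}
    if ((n >> 32) & 0xFFFFFFFF) in ISATAP_IID_HIGH:
        # Interface ID ::0:5efe:w.x.y.z (or ::200:5efe:w.x.y.z) under any prefix, link-local included
        return {"technology": "ISATAP", "transport": "IPv6 in IPv4, protocol 41 (intranet)",
                "ipv4": _ipv4(n)}
    if addr in SIXTOFOUR_PREFIX:
        # 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the host's public IPv4 address
        return {"technology": "6to4", "transport": "IPv6 in IPv4, protocol 41",
                "public_ipv4": _ipv4(n >> 80)}
    if addr.is_link_local:
        return {"technology": "link-local", "transport": "none"}
    return {"technology": "native", "transport": "none"}


def tunnels_in_use(addresses, iphttps_prefix=None):
    """Set of technologies behind an ipconfig-style address list (the step 10/11 check)."""
    return {classify(a, iphttps_prefix)["technology"] for a in addresses}


if __name__ == "__main__":
    # Constructed sample: a client's addresses before and after disabling Teredo
    before = ["fe80::1", "2001:0:c000:201:8000:63bf:39cc:9bf8"]
    after = ["fe80::1", "2002:c000:221:1::a"]
    prefix = "2002:c000:221:1::/64"  # assumed IP-HTTPS prefix of the DirectAccess server
    for a in before + after:
        print(a, "->", classify(a, prefix))
    print("before:", tunnels_in_use(before, prefix), "after:", tunnels_in_use(after, prefix))
```

For the testing steps, `tunnels_in_use` over the addresses ipconfig reports should contain "Teredo" in step 10 and, after the netsh command in step 11, "IP-HTTPS" but no longer "Teredo". The Teredo decode is also a useful privacy reminder: the client's public IPv4 address and NAT port are readable from its IPv6 address by anyone who sees it.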
  36. Summary (diagram: managed versus unmanaged clients)
     MANAGED Windows 7 clients – DirectAccess over IPv6, Always On:
       1. Extends access to line-of-business servers with IPv4 support
       2. Access for down-level and non-Windows clients
       3. Enhances scalability and management
       4. Simplifies deployment and administration
       5. Hardened edge solution
     UNMANAGED clients (Windows 7, Vista, XP, non-Windows, PDA) – SSL VPN over IPv4, extending support to IPv4 servers and non-DA servers
