Direct access for dummies

Slidedeck used for the Microsoft Windows Bootcamp in Oslo, 2012.

  1. DirectAccess is the ultimate VPN solution and one of the enablers for the New Way of Work.
  2. DirectAccess benefits
  3. Always on. Patch management, health checks and GPOs apply to the computer even while it is remote. Network-level computer and user authentication, with encryption. Automatically connects through NAT and firewalls. VPNs connect the user to the network; DirectAccess extends the corporate network to the remote computer and user.
  4. Client and server applications must be IPv6 compatible (diagram: client app, IPv6, Internet, corporate intranet, IPv6, server app).
  5. Tunnelling technologies for the Internet and the intranet carry IPv6 over IPv4. Internet tunnelling selection is based on client location: Internet, behind NAT, behind a firewall. Encryption/authentication of Internet traffic (end-to-edge or end-to-end). Client location detection: Internet or corporate intranet.
  6. Forefront Unified Access Gateway (UAG) transition technologies (diagram): native IPv6; 6to4 tunnel, IPv6 in IPv4 (protocol 41) across the IPv4 Internet; ISATAP, IPv6 in IPv4 (protocol 41) inside the corporate network; Teredo tunnel, IPv6 in UDP port 3544, for clients behind NAT; IP-HTTPS tunnel, IPv6 in HTTPS, for clients behind NAT or a firewall where UDP port 3544 is blocked; DNS64/NAT64 for reaching IPv4-only intranet servers.
  7. Keywords only (the rest of the slide text was not captured): transition mechanism, IPv4, IPv6, Internet, tunnels.
  8. Keywords only (the rest of the slide text was not captured): transition technology, IPv6, IPv4, Internet, network address translation.
  9. Keywords only (the rest of the slide text was not captured): IPv6 packets, dual-stack, IPv4, Neighbor Discovery.
  10. Same transition-technology diagram as slide 6 (repeated).
  11. DirectAccess
  12. Name resolution (diagram): corp.example.com zone, IP-configured DNS 1 and DNS 2, DNS address, corporate intranet, Internet.
  13. For end-to-edge protection, DirectAccess clients establish an IPsec session to an IPsec gateway server (which by default is the same computer as the DirectAccess server). The IPsec gateway server then forwards unprotected traffic (shown in red on the slide) to application servers on the intranet. This architecture works with any IPv6-capable application server but does not require that server to run IPsec, which simplifies configuration and setup.
  14. For end-to-edge with end-to-end IPsec protection, DirectAccess clients establish an IPsec session to an IPsec gateway server, and that IPsec traffic continues all the way to the intranet server for end-to-end IPsec protection. This architecture provides better security than the end-to-edge model alone.
  15. With end-to-end IPsec protection, DirectAccess clients establish an IPsec session through the DirectAccess server to each application server they connect to. This provides the highest level of security because you can configure access control on the DirectAccess server and extend IPsec all the way to the internal server. This architecture requires that application servers run Windows Server 2008 SP2 or Windows Server 2008 R2 and use both IPv6 and IPsec.
  16. Diagram: DirectAccess server; line-of-business applications (Server 2008 R2) reached over ISATAP; IPv6 and IPv4 segments. On all internal DCs run: dnscmd /config /globalqueryblocklist wpad (this leaves only wpad in the DNS global query block list, which by default also blocks isatap, so the ISATAP router name can be resolved).
  17. UAG DirectAccess value-add: 1. Extends access to line-of-business servers with IPv4 support; 2. Access for down-level and non-Windows clients; 3. Enhances scalability and management; 4. Simplifies deployment and administration; 5. Hardened edge solution. Diagram: managed Windows 7 clients use DirectAccess (always on, IPv6); unmanaged clients (Vista, XP, non-Windows, PDA) use SSL VPN over IPv4; support is extended to IPv4 servers and non-DirectAccess servers.
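Slide 6 distinguishes the transition technologies by the packet format each one uses, and those formats are visible in the IPv6 addresses the clients end up with. The PowerShell below is an added example, not part of the slide deck, that classifies an address as 6to4, Teredo or ISATAP and recovers the IPv4 address embedded in it, which is what you need when troubleshooting which tunnel a DirectAccess client actually picked or when spotting transition tunnels in logs. The sample addresses are constructed; the layouts follow RFC 3056, RFC 4380 and RFC 5214.

```powershell
# Added example, not from the slide deck: classify an IPv6 address by the
# transition technology its format implies and recover the embedded IPv4.
#   6to4   (RFC 3056) 2002:WWXX:YYZZ::/48, W.X.Y.Z = public IPv4 of the 6to4 router
#   Teredo (RFC 4380) 2001:0000:<server IPv4>:<flags>:<~port>:<~client IPv4>
#                     (~ = bitwise NOT, which hides the NAT mapping from the NAT)
#   ISATAP (RFC 5214) interface ID 0000:5EFE:w.x.y.z, or 0200:5EFE:w.x.y.z when
#                     the embedded IPv4 is globally unique (u/g bit set)
# IP-HTTPS addresses carry no marker: they come from the server's IP-HTTPS prefix.
# The sample addresses at the bottom are constructed for illustration.

function ConvertTo-DottedQuad {
    param([byte[]]$Bytes)
    ($Bytes | ForEach-Object { [int]$_ }) -join '.'
}

function Get-TransitionAddressInfo {
    param([Parameter(Mandatory)][string]$Address)

    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "Not an IPv6 address: $Address"
    }
    $b = $ip.GetAddressBytes()   # 16 bytes in network byte order

    $info = [ordered]@{ Address = $Address; Technology = 'native or other'; EmbeddedIPv4 = $null; Notes = '' }

    if ($b[0] -eq 0x20 -and $b[1] -eq 0x02) {
        # 6to4: the router's public IPv4 sits in bytes 2..5
        $info.Technology   = '6to4'
        $info.EmbeddedIPv4 = ConvertTo-DottedQuad $b[2..5]
        $info.Notes        = 'IPv6 in IPv4, protocol 41; needs a public IPv4, does not work behind NAT'
    }
    elseif ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0 -and $b[3] -eq 0) {
        # Teredo: server IPv4 in bytes 4..7, flags in 8..9, obfuscated UDP port in
        # bytes 10..11 and obfuscated client IPv4 in bytes 12..15
        $server = ConvertTo-DottedQuad $b[4..7]
        $port   = (([int]$b[10] -shl 8) -bor [int]$b[11]) -bxor 0xFFFF
        $client = ConvertTo-DottedQuad ($b[12..15] | ForEach-Object { [byte]($_ -bxor 0xFF) })
        $info.Technology   = 'Teredo'
        $info.EmbeddedIPv4 = $client
        $info.Notes        = "IPv6 in UDP 3544 via server $server, client mapped port $port; works through NAT"
    }
    elseif (($b[8] -eq 0x00 -or $b[8] -eq 0x02) -and $b[9] -eq 0x00 -and $b[10] -eq 0x5E -and $b[11] -eq 0xFE) {
        # ISATAP: interface identifier ::0:5efe:w.x.y.z or ::200:5efe:w.x.y.z
        $info.Technology   = 'ISATAP'
        $info.EmbeddedIPv4 = ConvertTo-DottedQuad $b[12..15]
        $info.Notes        = 'IPv6 in IPv4, protocol 41, inside the intranet; the host must resolve the isatap name'
    }
    [pscustomobject]$info
}

# Constructed samples: one per transition technology plus a native address
$samples = @(
    '2002:c633:6401::1',                      # 6to4, router at 198.51.100.1
    '2001:0:4136:e378:8000:63bf:3fff:fdd2',   # Teredo, the widely cited worked example
    'fd00::5efe:a00:5',                       # ISATAP, host 10.0.0.5 (Windows shows it as fd00::5efe:10.0.0.5)
    '2001:db8::1'                             # native IPv6
)
$samples | ForEach-Object { Get-TransitionAddressInfo -Address $_ } | Format-Table -AutoSize
```

For the Teredo sample the function reports server 65.54.227.120, client 192.0.2.45 and mapped UDP port 40000: the client address and port are stored inverted because many NATs would otherwise rewrite their own external address if they saw it in the payload. A client that shows up with an ISATAP address while it is on the Internet, or a 6to4 address while it sits behind NAT, has picked the wrong transition technology and will not connect, which is why slide 5's location detection matters.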
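Slide 16 gives a single dnscmd line to run on every internal DC. The reason it is needed: the Windows DNS server's global query block list refuses to answer for the names wpad and isatap by default, so that a host which can register records through dynamic update cannot make itself the proxy or the ISATAP router for the whole domain. Setting the list to just wpad keeps the WPAD protection and lets the ISATAP name resolve. The PowerShell below is an added example, not from the slide deck; it does the same change with the DnsServer cmdlets (Windows Server 2012 or the RSAT DNS tools; on Server 2008 R2 use the slide's dnscmd line), verifies it, and makes sure the isatap record is a static one pointing at the DirectAccess server. The server names, zone and IPv4 address are assumptions.

```powershell
# Added example, not from the slide deck. Assumed names: the DNS servers, the
# zone and the DirectAccess server's IPv4 address. Needs the DnsServer module.
$DnsServers = @('dc1.corp.example.com', 'dc2.corp.example.com')
$Zone       = 'corp.example.com'
$IsatapIPv4 = '10.0.0.20'   # IPv4 address of the DirectAccess server, the ISATAP router

foreach ($server in $DnsServers) {
    $before = Get-DnsServerGlobalQueryBlockList -ComputerName $server
    Write-Host "$server block list before: $($before.List -join ', ')"

    if ($before.List -contains 'isatap') {
        # Same effect as the slide's: dnscmd /config /globalqueryblocklist wpad
        # Only isatap is removed; wpad stays blocked.
        Set-DnsServerGlobalQueryBlockList -ComputerName $server -List 'wpad'
    }

    # Verify: list still enabled, wpad still blocked, isatap no longer blocked
    $after = Get-DnsServerGlobalQueryBlockList -ComputerName $server
    if (-not $after.Enable -or $after.List -contains 'isatap' -or $after.List -notcontains 'wpad') {
        Write-Warning "$server has an unexpected block list: Enable=$($after.Enable) List=$($after.List -join ', ')"
    }
}

# Removing the block only helps if the name cannot be claimed by someone else.
# Register isatap as a static A record for the DirectAccess server; a record
# registered via dynamic update by an arbitrary host would let that host act as
# the ISATAP router for every intranet client.
$existing = Get-DnsServerResourceRecord -ComputerName $DnsServers[0] -ZoneName $Zone -Name 'isatap' -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ComputerName $DnsServers[0] -ZoneName $Zone -Name 'isatap' -IPv4Address $IsatapIPv4
}
else {
    $existing | ForEach-Object {
        $current = $_.RecordData.IPv4Address.IPAddressToString
        if ($current -ne $IsatapIPv4) {
            Write-Warning "isatap.$Zone resolves to $current, expected $IsatapIPv4; check who registered it"
        }
    }
}

# Confirm resolution against each server; a failure here usually means the
# block list was not changed on that particular server
foreach ($server in $DnsServers) {
    Resolve-DnsName -Name "isatap.$Zone" -Type A -Server $server -ErrorAction Continue
}
```

Keep the block list enabled and keep wpad in it: the mitigation exists because both names are resolved automatically by every Windows client, and the slide's command deliberately leaves wpad protected while opening only the name ISATAP needs.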
