Direct Access for Dummies
Alex de Jong
Microsoft Freelance
Agenda
•   Direct Access Overview
•   Direct Access Basics
•   So how does it work
•   Cool, I want that… How do I build it?
•   Where do I start from here?
Direct Access is the ultimate VPN solution that is one of the enablers for the New Way of Work
Direct Access benefits
•   Improved Productivity
     – Helps improve the productivity of remote staff by providing the same,
       always-on connectivity experience no matter if users are inside or outside
       the corporate network.
•   Secure Connectivity
     – Leverages IPsec for authentication and encryption.
     – Provides the ability to apply granular policy control over access to
       resources, applications, and servers.
     – Integrates with Microsoft Server and Domain Isolation, Network Access
       Protection (NAP), and BitLocker solutions, resulting in security, access, and
       health requirement policies that seamlessly interoperate between intranets
       and remote computers.
Direct Access Benefits (cont’d)
•   Greater Manageability
     – Helps ensure that machines both on the network and off are always
       healthy, managed, and up-to-date.
     – Provides administrators with the ability to update Group Policy settings and
       distribute software updates any time a remote computer has Internet
       connectivity, even if the user is not logged on.
     – Helps ensure that organizations can meet regulatory and privacy mandates
       for security and data protection for assets that must roam beyond the
       corporate network.
DEMO
Direct Access Benefits
Direct Access complex?
Direct Access Basics
•   Authentication
     – DirectAccess authenticates the computer, enabling the computer to connect
       to the intranet before the user logs on. DirectAccess can also authenticate
       the user and supports two-factor authentication using smart cards.
•   Encryption
     – DirectAccess uses IPsec to provide encryption for communications across
       the Internet.
•   Access Control
     – IT professionals can configure which intranet resources different users can
       access using DirectAccess, granting DirectAccess users unlimited access
       to the intranet or only allowing them to use specific applications and access
       specific servers or subnets.
Direct Access Basics (cont’d)
•   IT Simplification and Cost Reduction
     – DirectAccess separates intranet from Internet traffic, which reduces
        unnecessary traffic on the corporate network by sending only traffic
        destined for the corporate network through the DirectAccess server.
         Optionally, IT can configure DirectAccess clients to send all traffic through
         the DirectAccess server.
DirectAccess: a VPN on Steroids
•   Always On
•   Patch management, health check and GPOs
•   Network level computer/user authentication and encryption
•   Automatically connects through NAT and firewalls
VPNs connect the user to the network; DirectAccess extends the network to the remote computer and user.
End-to-End IPv6
Diagram: client app (IPv6) on the Internet talking to server app (IPv6) on the corporate intranet. Client and server applications must be IPv6 compatible.
Are all your applications IPv6 compatible?
Simple?
Diagram: Internet and corporate intranet, with four things that have to be solved:
•   Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4
•   Internet tunnelling selection based on client location – Internet, NAT, firewall
•   Encryption/authentication of Internet traffic (end-to-edge/end-to-end)
•   Client location detection: Internet or corporate intranet
Connectivity Summary
A client on the IPv4 Internet reaches the Forefront Unified Access Gateway (UAG) over one of three tunnels:
•   6to4 tunnel: IPv6 in IPv4, protocol 41
•   Teredo tunnel (client behind NAT): IPv6 in UDP port 3544
•   IPHTTPS tunnel (client behind NAT, UDP port 3544 blocked): IPv6 in HTTPS
Behind the UAG, on the Corporate Network:
•   Native IPv6
•   ISATAP: IPv6 in IPv4, protocol 41
•   DNS64 / NAT64 to reach IPv4 servers
What is 6to4
•   6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a
    system that allows IPv6 packets to be transmitted over an IPv4 network
    (generally the IPv4 Internet) without the need to configure explicit tunnels.
    Special relay servers are also in place that allow 6to4 networks to communicate
    with native IPv6 networks.
What is Teredo
•   Teredo is a transition technology that gives full IPv6 connectivity for IPv6-
    capable hosts which are on the IPv4 Internet but which have no direct native
    connection to an IPv6 network. Compared to other similar protocols its
    distinguishing feature is that it is able to perform its function even from behind
    network address translation (NAT) devices such as home routers.
What is IPHTTPS
•   The IP over HTTPS (IP-HTTPS) Protocol allows for a secure IP tunnel to be
    established using a secure HTTP connection.
What is ISATAP
•   ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is an IPv6 transition
    mechanism meant to transmit IPv6 packets between dual-stack nodes on top of
    an IPv4 network.
•   ISATAP defines a method for generating a link-local IPv6 address from an IPv4
    address, and a mechanism to perform Neighbor Discovery on top of IPv4
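The three address formats described on the 6to4, Teredo and ISATAP slides can be checked by hand. The following Python script is an added example, not code from the presentation: it derives a 6to4 prefix and an ISATAP link-local address from an IPv4 address, decodes and encodes a Teredo address, and classifies an IPv6 address by its transition format, which is handy when reading ipconfig output during the test steps later in the deck. All addresses in it are constructed documentation and private-range values; the RFC 1918-only "private" test is a simplification of the ISATAP globally-unique rule.

```python
import ipaddress

# Constructed constants for the example; nothing here comes from the deck.
SIX_TO_FOUR_PREFIX = 0x2002            # 6to4: 2002::/16, IPv4 embedded in bits 16..47
TEREDO_PREFIX = b"\x20\x01\x00\x00"    # Teredo: 2001:0::/32
ISATAP_OUI_PRIVATE = 0x00005EFE        # ISATAP interface id for a non-global (RFC 1918) IPv4
ISATAP_OUI_GLOBAL = 0x02005EFE         # same with the "u" bit set for a public IPv4
LINK_LOCAL_PREFIX = 0xFE80 << 112

_RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(v4: ipaddress.IPv4Address) -> bool:
    """Simplified 'globally unique?' test (assumption): only RFC 1918 space is private,
    so documentation addresses such as 192.0.2.x behave as public in this example."""
    return any(v4 in n for n in _RFC1918)


def six_to_four_prefix(public_ipv4: str) -> str:
    """6to4 prefix 2002:WWXX:YYZZ::/48 derived from a public IPv4 address."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if is_rfc1918(v4):
        raise ValueError("6to4 needs a public IPv4 address; %s is RFC 1918" % v4)
    net = ipaddress.IPv6Network(((SIX_TO_FOUR_PREFIX << 112) | (int(v4) << 80), 48))
    return str(net)


def isatap_link_local(ipv4: str) -> str:
    """ISATAP link-local address fe80::[0|200]:5efe:a.b.c.d (RFC 5214 section 6.1)."""
    v4 = ipaddress.IPv4Address(ipv4)
    oui = ISATAP_OUI_PRIVATE if is_rfc1918(v4) else ISATAP_OUI_GLOBAL
    iid = (oui << 32) | int(v4)
    return str(ipaddress.IPv6Address(LINK_LOCAL_PREFIX | iid))


def teredo_decode(addr: str) -> dict:
    """Split a Teredo address into server, cone flag, external port and client IPv4.
    Port and client address are stored XORed with all ones (RFC 4380 section 4)."""
    b = ipaddress.IPv6Address(addr).packed
    if b[:4] != TEREDO_PREFIX:
        raise ValueError("%s is not a Teredo (2001:0::/32) address" % addr)
    flags = int.from_bytes(b[8:10], "big")
    return {
        "server": str(ipaddress.IPv4Address(b[4:8])),
        "cone_flag": bool(flags & 0x8000),
        "port": int.from_bytes(b[10:12], "big") ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))),
    }


def teredo_encode(server: str, client: str, port: int, cone: bool = False) -> str:
    """Inverse of teredo_decode: the address a client behind NAT would be assigned."""
    flags = (0x8000 if cone else 0).to_bytes(2, "big")
    obf_port = (port ^ 0xFFFF).to_bytes(2, "big")
    obf_client = bytes(x ^ 0xFF for x in ipaddress.IPv4Address(client).packed)
    packed = TEREDO_PREFIX + ipaddress.IPv4Address(server).packed + flags + obf_port + obf_client
    return str(ipaddress.IPv6Address(packed))


def classify(addr: str) -> str:
    """Name the transition technology an IPv6 address belongs to, judged from its
    format alone: 6to4, Teredo, ISATAP, or native (anything else)."""
    b = ipaddress.IPv6Address(addr).packed
    if b[:2] == b"\x20\x02":
        return "6to4"
    if b[:4] == TEREDO_PREFIX:
        return "Teredo"
    if b[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return "ISATAP"
    return "native"


if __name__ == "__main__":
    # Constructed test vector: Teredo server 65.54.227.120, client 192.0.2.45 on port 40000.
    print(six_to_four_prefix("192.0.2.1"))
    print(isatap_link_local("10.0.0.1"), isatap_link_local("192.0.2.1"))
    print(teredo_decode("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
    print(classify("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
```

The Teredo decoder is the useful part when troubleshooting: it tells you which Teredo server the client registered with and what the NAT mapped the client's port to, both of which must be stable for the tunnel to survive (Python's ipaddress module also exposes a `teredo` property that returns only the server and client addresses).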
DEMO
Direct Access
Client Location
Diagram: a DirectAccess client with an IP-configured DNS address; DNS 1 sits on the Internet, DNS 2 on the corporate intranet and serves the corp.example.com zone.
•   To resolve names on the Internet
      –     DirectAccess host queries DNS 1
•   To resolve names on the intranet
      –     DirectAccess host queries DNS 2
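The DNS 1 / DNS 2 split on this slide is a policy lookup by name suffix. The Python below is an added example and not part of the deck: it models that lookup, sending names under the corp.example.com zone to DNS 2 over the tunnel and everything else to DNS 1, skipping the policy when the client is inside the intranet, and exempting the NLS name so it is never resolved through the tunnel. The rule table and the NLS exemption are assumptions made for the example, not the deck's configuration.

```python
# Constructed configuration (assumption): DNS 1 is the resolver the client's
# interface is configured with on the Internet; DNS 2 is the intranet resolver
# reached over the DirectAccess tunnel for the corp.example.com zone.
INTERNET_DNS = "DNS 1"
INTRANET_DNS = "DNS 2"

NRPT_RULES = {
    "corp.example.com": INTRANET_DNS,
}

# Assumption for the example: the NLS name is exempted so a client that is
# outside cannot reach the NLS through the tunnel and wrongly decide it is inside.
NRPT_EXEMPTIONS = {"nls.corp.example.com"}


def _normalize(name: str) -> str:
    """Drop a trailing dot and case so rule matching is predictable."""
    return name.rstrip(".").lower()


def matching_rule(name: str, rules=NRPT_RULES):
    """Longest-suffix match of a name against the namespace rules, None if no rule
    applies. The dot is required so corp.example.com.evil.example does not match."""
    name = _normalize(name)
    best = None
    for suffix, resolver in rules.items():
        s = _normalize(suffix)
        if name == s or name.endswith("." + s):
            if best is None or len(s) > len(best[0]):
                best = (s, resolver)
    return best


def select_resolver(name: str, inside_corpnet: bool,
                    rules=NRPT_RULES, exemptions=NRPT_EXEMPTIONS) -> str:
    """Which resolver a DirectAccess client sends the query for `name` to."""
    if inside_corpnet:
        # Inside, the policy table is not applied: the interface's own DNS, which
        # on the intranet is DNS 2, answers every query (assumption for the model).
        return INTRANET_DNS
    n = _normalize(name)
    if n in {_normalize(e) for e in exemptions}:
        return INTERNET_DNS
    rule = matching_rule(n, rules)
    return rule[1] if rule else INTERNET_DNS


def check_exemptions(rules=NRPT_RULES, exemptions=NRPT_EXEMPTIONS) -> list:
    """Deployment sanity check: an exemption outside every rule namespace does
    nothing, so report such entries as configuration mistakes."""
    return [e for e in exemptions if matching_rule(e, rules) is None]


if __name__ == "__main__":
    for host in ("fileserver.corp.example.com", "www.example.net", "nls.corp.example.com"):
        print(host, "->", select_resolver(host, inside_corpnet=False))
    print("useless exemptions:", check_exemptions())
```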
End-to-Edge Access Model



For end-to-edge protection, DirectAccess clients establish an IPsec session to an IPsec gateway
server (which by default is the same computer as the DirectAccess server). The IPsec gateway
server then forwards unprotected traffic (shown in red on the slide) to application servers on the
intranet. This architecture works with any IPv6-capable application server but does not require
that server to run IPsec, simplifying the configuration and setup.
End-to-Edge End-to-End IPSec Model



For end-to-edge with end-to-end IPsec protection, DirectAccess clients establish an
IPsec session to an IPsec gateway server, and that IPsec traffic continues all the way
to the intranet server for end-to-end IPsec protection. This architecture provides
better security than the end-to-edge model alone.
End-to-End IPSec Access Model



With end-to-end IPsec protection, DirectAccess clients establish an IPsec session
through the DirectAccess server to each application server to which they connect.
This provides the highest level of security because you can configure access control
on the DirectAccess server and extend IPsec all the way to the internal server. This
architecture requires that application servers run Windows Server 2008 SP2 or
Windows Server 2008 R2 and use both IPv6 and IPsec.
Steps
•   Enable IPv6 internally (ISATAP)
•   Network Location Server
•   Client Groups
•   Firewall Settings on clients
•   Certificate Auto Enrollment
•   Direct Access Server
•   Finalize
•   Test
1: Enabling IPv6 in the Enterprise
Diagram: the DirectAccess Server (Server 2008 R2, IPv6) reaches the Line of Business Applications (IPv6) across the IPv4 intranet using ISATAP.
On all internal DCs: dnscmd /config /globalqueryblocklist wpad
(This sets the DNS global query block list to wpad only. By default the list also contains isatap, which would stop clients from resolving the isatap record that the DirectAccess setup wizard creates.)
2: Configuring NLS
• Any INTERNAL server running Web services
• Create a DNS name (like nls.yourdomain.com)
• Associate this new NLS DNS name to an IP Address of an Internal Web server
NLS tells the DirectAccess clients whether they are “inside” or “outside” of the
network. *** Make sure this system is HIGHLY available!!! ***
3: Create Group(s) for the DA Clients
• Create a security group (Global or Universal)
• Add Win7 client systems into this group
Remember, systems are no longer really part of a “site” as they are now universally
roaming systems. So you define the group of systems by policy of what you want
the systems to have access to, not where they arbitrarily are.
4: Windows Firewall for DA
•   Allow inbound and outbound ICMPv6 Echo Request messages
•   Create a Group Policy or configure each system individually
5: Configuring the NLS
•   Enroll the server with a certificate and configure for SSL access
6: Certificate Auto-Enrollment
•   Make sure all systems in the Direct Access group of client systems have a valid
    client authentication certificate
7: Install & Config Direct Access
•   Add a certificate to the DirectAccess server
•   Add the DirectAccess feature on the server
•   Run the DirectAccess setup
8: Finalizing Configurations
•   Run gpupdate /force on all systems to make sure new policies have been
    applied (servers for firewall policy, clients for firewall and certificate
    auto-enrollment policies)
•   Stop/Start the iphlpsvc on all servers and test to make sure that all systems
    can resolve the isatap.yourdomain.com DNS entry that was created during
    the DirectAccess setup wizard
•   Use ping -6 <ipaddress> to make sure you can ping servers and systems
    internally
9: Testing DA: Internal
•   With the client system internal, run ipconfig and check to make sure you
    have a local address
10: Testing DirectAccess (External)
•   With the client system external, run ipconfig and check to make sure you
    have an external IP address
•   Access a file on a fileserver or SharePoint using an internal http(s)
    connection
11: Testing DA: IPHTTPS
•   Step 10 tested external access using the automatically generated Teredo
    2001: address
•   Now, to verify that external access also works using IP-HTTPS, disable
    Teredo and confirm that the IP-HTTPS interface comes up:
      –     netsh interface teredo set state disabled
      –     netsh interface httpstunnel show interfaces
•   Re-access your fileserver and your Web server with an internal address and
    see if you still have access, now over IP-HTTPS
Diagram: managed Windows 7 clients use DirectAccess (IPv6, Always On); unmanaged clients (Windows 7, Vista, XP, non-Windows, PDA) use the SSL VPN (IPv4); the DA Server extends support to IPv4 servers.
1.   Extends access to line of business servers with IPv4 support
2.   Access for down level and non Windows clients
3.   Enhances scalability and management
4.   Simplifies deployment and administration
5.   Hardened Edge Solution
Da for dummies techdays 2012
