DirectAccess provides always-on secure connectivity for remote users by extending the corporate network to their devices. It uses IPsec for authentication and encryption over the Internet. The document explains how DirectAccess works, its benefits such as improved productivity and security, and gives steps to set up a DirectAccess server and the client configuration. It highlights the technologies used for IPv6 connectivity and for name resolution between the internal and external networks: ISATAP, Teredo and IPHTTPS.
SVR402: DirectAccess Technical Drilldown, Part 2 of 2: Putting it all together.
Louis Göhl
Take a sprinkling of Windows 7, add Windows Server 2008 R2, IPv6 and IPsec and you have a solution that will allow direct access to your corporate network without the need for VPNs. Come to these demo-rich sessions and learn how to integrate DirectAccess into your environment. In Part 1 learn about IPv6 addressing, host configuration and transition technologies including 6to4, ISATAP, Teredo and IPHTTPS. Through a series of demos learn how to build an IPv6 network and interoperate with IPv4 networks and hosts. In Part 2 we add the details of IPsec, and the components that are only available with Windows 7 and Windows Server 2008 R2, to build the DirectAccess infrastructure. Learn how to control access to corporate resources and manage Internet-connected PCs through Group Policy. Part 1 is highly recommended as a prerequisite for Part 2.
Are you considering deploying DirectAccess? DirectAccess is Microsoft’s next generation remote access solution providing a seamless corporate network connectivity experience. The session will cover a number of issues that IT professionals deploying DirectAccess should be aware of including load balancing, certificates, and IP Infrastructure requirements.
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
Louis Göhl
Take a sprinkling of Windows 7, add Windows Server 2008 R2, IPv6 and IPsec and you have a solution that will allow direct access to your corporate network without the need for VPNs. Come to these demo-rich sessions and learn how to integrate DirectAccess into your environment. In Part 1 learn about IPv6 addressing, host configuration and transition technologies including 6to4, ISATAP, Teredo and IPHTTPS. Through a series of demos learn how to build an IPv6 network and interoperate with IPv4 networks and hosts. In Part 2 we add the details of IPsec, and the components that are only available with Windows 7 and Windows Server 2008 R2, to build the DirectAccess infrastructure. Learn how to control access to corporate resources and manage Internet-connected PCs through Group Policy. Part 1 is highly recommended as a prerequisite for Part 2.
DirectAccess is a remote access solution that extends a corporate network to remote computers and users by automatically connecting through firewalls and NAT. It provides always-on connectivity for patch management, Group Policy, and authentication and encryption. DirectAccess supports both IPv6 and IPv4 networks and clients through various tunneling technologies. It can provide either end-to-edge or end-to-end encryption between clients and internal servers for improved security.
Application Visibility and Experience through Flexible Netflow
Cisco DevNet
The world of applications is changing rapidly in the enterprise: applications are increasingly hosted in the cloud, they are more diverse in nature, and they are consumed by many kinds of devices. Organizations and network administrators increasingly need to focus on "Fast IT" and "Innovation in the Enterprise", which means spending less time on daily operations, maintenance and troubleshooting and more time on delivering business value with new services. Cisco AVC, with its NBAR2 technology, is designed to detect applications and measure application performance through round-trip time, retransmission rates, jitter, delay, packet loss, MOS, URL statistics and more. Those details are exported using Flexible NetFlow/IPFIX, so that partners can use the data for application usage reporting, performance reporting and troubleshooting of application issues to deliver the best possible application experience.
Watch the DevNet 2047 replay from the Cisco Live On-Demand Library at: https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=92664&backBtn=true
Check out more and register for Cisco DevNet: http://ow.ly/jCNV3030OfS
1. The document provides guidance on strategically planning and designing an IPv6 address plan for a large multi-national enterprise called ACME.
2. It outlines the requirements including supporting up to 37 countries and 40 campus locations within the largest country. The plan should be highly hierarchical, uniform and scalable.
3. Byte boundaries are recommended between hierarchy levels to accommodate the large number of countries, while nibble boundaries are used between buildings within a campus, since there are fewer buildings. The plan should also include infrastructure addressing.
If the number of spine switches is merely doubled, the effect of a single switch failure is halved. With 8 spine switches, a single switch failure causes only a 12% reduction in available bandwidth. So, in modern data centers, people build networks with anywhere from 4 to 32 spine switches. In a leaf-spine network, every server is exactly the same distance from every other server – three port hops, to be precise. The benefit of this architecture is that you can simply add more spines and leaves as the cluster grows, without any recabling. Intuition Systems will also get more predictable latency between the nodes.
As a trend, disaggregation seems to be most useful for very large companies like Facebook and Google, or cloud providers. The technology does not necessarily have significant implications for small or medium sized businesses. Historically, however, technology has a way of trickling down from the pioneering phases of existing only within large companies with tremendous resources, to becoming more standardized across the board.
The University of Edinburgh is undergoing a large project to reprocure its campus networking infrastructure. The existing network, which has grown organically over many years, contains equipment that is up to 20 years old and no longer meets the university's needs. After an internal review in 2014 recommended a new network be procured, the university embarked on a multi-stage competitive dialogue procurement process that is still ongoing. The process involves pre-market engagement, shortlisting bidders, and multiple rounds of dialogue and evaluation to refine solutions before selecting a final vendor. The procurement has proven to be a large undertaking but may result in a network solution tailored to the university's unique requirements.
Www ccnav5 net_ccna_3_v5_final_exam_answers_2014
Đồng Quốc Vương
This document provides the final exam answers for CCNA 3 v5 Scaling Networks from 2014. It includes 40 multiple choice questions related to networking topics like VLANs, trunking, routing, DHCP, wireless networking, and security. The questions are taken from the CCNA 3 v5 final exam and provide the correct answer choices for each question.
This document summarizes experiences from a proof of concept (PoC) federated STUN/TURN service. Key points include:
- The PoC used STUN, TURN, and ICE to enable real-time communications across firewalls and NATs.
- It explored different authentication methods like long-term credentials, REST APIs, and OAuth.
- The distributed service was deployed across multiple research networks in Europe.
- Lessons learned from the PoC included designing for security, using open source components, and supporting multiple authentication standards.
This document provides an overview of Network Address Translation (NAT) including:
- Why NAT is used to connect networks with private IP addresses to the Internet and during network mergers.
- NAT implementation considerations such as advantages of address conservation and flexibility but disadvantages of delays and incompatible applications.
- Common NAT configurations like dynamic NAT, dynamic NAT with overloading, and static NAT.
This document describes network address translation (NAT) and different NAT types. It includes a course on Cisco CCNA about NAT taught at Tehran Institute of Technology. The course covers introduction to NAT and private vs public addresses. It then describes static NAT, dynamic NAT, and port address translation. The document provides examples of configuring static and dynamic NAT on routers to allow internal hosts to access the internet using public IP addresses.
Development of a Cisco ACI device package for NGINX as a Load-Balancer
Fabrice Servais
This presentation summarises the development of a Cisco ACI device package for NGINX as a Load-Balancer, made as a proof-of-concept during an internship at Cisco.
Want to see the device package and its source code? Check out these Github repositories:
https://github.com/FServais/NGINX-Device-Package
https://github.com/FServais/NGINX-Agent
- Description of Microsoft Silverlight technology.
- Advantages over "standard streaming", download and progressive download methods.
- Silverlight session description and analysis using Wireshark.
This document discusses how to configure DHCP snooping on a network switch to prevent DHCP spoofing attacks. It provides an overview of DHCP snooping functionality, describes trusted and untrusted sources, and outlines the impacts of unauthorized DHCP servers. Configuration steps are presented to enable DHCP snooping globally, on specific VLANs, and to configure trusted ports connected to the legitimate DHCP server. Verification commands are also included to view the DHCP snooping binding table.
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PROIDEA
Fortinet provides a carrier-grade NAT (CGN) solution using FortiGate firewalls. FortiGate firewalls offer high performance and scalability for CGN deployments through dedicated hardware. They can support millions of concurrent sessions and terabits of throughput. FortiGate firewalls also provide detailed logging, security features like ALGs, and redundancy for carrier networks.
VMworld 2013: vCloud Hybrid Service Jump Start Part Two of Five: vCloud Hybri...
VMworld
VMworld 2013
Ninad Desai, VMware
Greg Herzog, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
This document provides instructions for configuring basic network security on a Cisco ASA 5506-X firewall. It outlines requirements for separating the network into Internet, user, and DMZ segments. It then provides steps to update the ASA software, configure interfaces and security levels, enable Internet access via NAT and routing, allow web access to servers on the DMZ, optionally configure DHCP, and optionally redirect traffic to the FirePOWER module. It also includes steps for hardening the device by shutting down unused interfaces, enabling SSH access, and configuring time synchronization and logging.
This document discusses various techniques for allowing peer-to-peer communication between hosts located behind Network Address Translation (NAT) devices, including NAT traversal using UDP hole punching, TCP hole punching, relaying, connection reversal, and the TURN protocol. It also covers proxy protocols like SOCKS that can be used to traverse NATs, as well as the UPnP standard for automatic port forwarding configuration.
1. The document provides steps to configure Avaya Spaces Calling on an Avaya IP Office system. It outlines 14 configuration steps including enabling UC profiles in IP Office, configuring the One-X portal, retrieving API keys from Avaya Spaces, enabling apps in Spaces, and configuring WebRTC settings.
2. Additional resources are listed to support Avaya Spaces Calling and IP Office subscriptions including documentation, videos, presentations, and technical support information.
3. The document concludes by thanking the reader and reiterating Avaya's focus on providing experiences that matter.
Network address translation (NAT) allows remapping of one IP address space to another. Types of NAT include static NAT, dynamic NAT, and port address translation (PAT). NAT provides benefits like IP address conservation, security, and flexibility. On Cisco routers, NAT operations follow an order of inside-to-outside and outside-to-inside translation. NAT can be deployed in scenarios involving MPLS VPNs, IP multicast, high availability, and application-level gateways. Configuration of NAT varies between Cisco routers and ASA firewalls.
Extreme is the only company in the industry that takes an architectural approach to bringing products to market (from R&D to product release). Everything we do and create is a part of this Software Defined Architecture [SDA]. Wireless LAN, Wired LAN, Data Center -- It starts with highly reliable, high performance infrastructure. This is our heritage and we have always been outstanding at this: WiFi, Campus LAN all the way to the Data Center. (Ranging from your user to the applications they consume.)
ExtremeXOS -- On top of this, we use a single, consistent and differentiated OS called EXOS (next-generation hardware will run on EXOS). Lots of companies make high-performance hardware, so to truly offer value-added differentiation we include an integrated layer of software in our architecture.
Network Management & BYOD -- We fully integrate management across our entire portfolio. We are very proud that in only 5 months, NetSight became the management platform for the entire portfolio. This was an emphatic message to the market that we take a different approach aligned to our SDA. NetSight has a single, integrated database for all aspects of management. This streamlines operations, enables dynamic management and removes the manual aspect of correlating information.
Application Analytics -- Purview offers application layer analytics, so you can understand what is happening on your network, you can optimize your environment, help increase productivity and measure adoption. Purview allows you to deliver both tactical and strategic information to make better more rapid business decisions.
Finally, we offer orchestration across the entire architecture, whether that infrastructure is multi-vendor or not. Orchestration within the data center is available across virtualized workloads and consolidated storage and compute. Extreme is the only company in the industry committed to this type of integration, backward compatibility and openness to support technology partners and third-party vendors. Many in the industry have grown through M&A, successfully so, but it has left them with a portfolio of many products that are not integrated through management or orchestration. Each time you add such a product, it increases your complexity by introducing a new, disparate management tool.
The document discusses Intel's DPDK Validation team and their efforts to improve the quality and robustness of DPDK. It outlines their focus on features like NICs, packet framework and virtualization. It also describes moving to a continuous integration model with automated testing of each patch to DPDK and daily health reports. This is aimed to improve the development and release cycle by catching issues earlier through more frequent testing.
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Canada
This document provides an overview of Cisco's model-driven telemetry solution. It discusses key concepts like data models, encodings, transports and the telemetry pipeline. YANG is presented as the modeling language and telemetry is described as having three key enablers: push-based collection, analytics-ready data formats, and being data model-driven. Cisco routers support model-driven telemetry via gRPC, TCP, UDP and provide interfaces, system and other data in YANG, OpenConfig and IETF models.
This lab guide provides instructions for completing several labs that demonstrate an Intelligent WAN (IWAN) solution. The labs utilize a virtual lab environment containing routers, servers, and PCs in a data center and branch office. Students will navigate the lab topology, generate application traffic, and configure Cisco Prime Infrastructure and other components. The objective is to understand the IWAN architecture and how it optimizes application performance over the WAN.
The document provides an overview of Link Controller functionality including:
- Link Controller balances load across multiple ISP links and provides failover capability.
- It offers advantages over BGP by not requiring ISP coordination and allows transparent addition of new links.
- While it functions similarly to LTM for outbound traffic and to GTM for inbound traffic, it has limitations: no advanced load balancing, and no ability to resolve IP addresses it does not host.
- Key aspects of deployment include defining links, listeners, pools, virtual servers, and WideIPs to direct inbound and outbound traffic across ISP links.
In today’s Experience Economy, networks must provide a great user experience that meets each individual’s personal expectations. Users do not care about what happens behind the scenes to make everything work; in fact, users don’t even consider it until something breaks. People living in today’s Experience Economy care about simply connecting to a video, where the network is smart enough to remember who they are without a lot of hassle connecting, and then provides a blisteringly fast connection so that there is no interruption to the video stream. Think about what makes you happy when connecting with your own device, and then think about what makes you really upset when things are hard, complicated, and slow. If users have a bad experience in any one of these areas (simple, fast, and smart), they are likely to leave, share their negative experience, and potentially never return.
Where Does Networking Fit In? To gain the full benefits of cloud computing and virtualization and achieve a business agile IT infrastructure, organizations need a reliable, high-performance data center networking infrastructure with built-in investment protection. Several technology inflection points are coming together that are fundamentally changing the way networks are architected, deployed and operated both in the public cloud as well as the private cloud. From performance, to scale, to virtualization support and automation to simplified orchestration, the requirements are rapidly changing and driving new approaches to building data center networks.
With Extreme Networks, IT can manage more with less. Automated intelligence and analytics for compliance, forensics, and traffic patterns translate into fewer help desk calls. Businesses can predict costs and return on investment, and increase employee productivity by securely onboarding BYOD, increasing both customer and employee satisfaction. A constant risk to the network, and ultimately to the hospital, is unapproved applications and rogue devices that may appear on the network and either permit unauthorized access or interfere with other devices. A means to monitor all devices and applications that operate across the network is vital. Just as important are the audit and reporting capabilities needed to report on who, what, where, when, and how patient data is accessed.
What is SDN? What software-defined networking really means has evolved dramatically and now includes automation and virtualization. Hardware is still a critical component in data center networking equipment, but the influence of switch software shouldn’t be overlooked. When everyone began to get excited about SDN a few years ago, we thought of it as only one thing: the separation of network control from network data packet handling. Traditional networks had already started down this path, with the addition of controller cards to manage line cards in scalable chassis-based switches, and with various data center fabric technologies.
This document summarizes Jeff Schmidt's presentation on Telstra's deployment of IPv6 for mobiles. Key points include:
1) Telstra implemented IPv6 to future-proof their network and address IPv4 depletion issues, using dual-stack and 464XLAT architectures.
2) Business drivers were addressing the growing traffic demand and enabling new technologies like IoT, while technical drivers addressed IPv4 depletion and inefficiencies.
3) The deployment included addressing and subnetting plans, network security designs, and testing multiple deployment models.
IPv6 was developed as a replacement for IPv4 to address limitations in IPv4 including address depletion. IPv6 uses a 128-bit address space compared to IPv4's 32-bit address space, providing trillions of times more addresses. IPv6 supports features like auto-configuration, end-to-end connectivity without NAT, faster routing, and security through IPsec.
Application Analytics -- Purview offers application layer analytics, so you can understand what is happening on your network, you can optimize your environment, help increase productivity and measure adoption. Purview allows you to deliver both tactical and strategic information to make better more rapid business decisions.
Finally, we offer orchestration across the entire architecture. Whether that infrastructure is multi-vendor or not. Orchestration within the data center is available across virtualized workloads and consolidated storage and compute. Extreme is the only company in the industry committed to this type of integration, backward compatibility and openness to support technology partners and third party vendors. Many in the industry have grown through M&A, successfully so, however it has led to a portfolio with lots of products that are not integrated through management or orchestration. Each time you add a product, it increases your complexity with the introduction of a new disparate management tool.
The document discusses Intel's DPDK Validation team and their efforts to improve the quality and robustness of DPDK. It outlines their focus on features like NICs, packet framework and virtualization. It also describes moving to a continuous integration model with automated testing of each patch to DPDK and daily health reports. This is aimed to improve the development and release cycle by catching issues earlier through more frequent testing.
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Canada
This document provides an overview of Cisco's model-driven telemetry solution. It discusses key concepts like data models, encodings, transports and the telemetry pipeline. YANG is presented as the modeling language and telemetry is described as having three key enablers: push-based collection, analytics-ready data formats, and being data model-driven. Cisco routers support model-driven telemetry via gRPC, TCP, UDP and provide interfaces, system and other data in YANG, OpenConfig and IETF models.
This lab guide provides instructions for completing several labs that demonstrate an Intelligent WAN (IWAN) solution. The labs utilize a virtual lab environment containing routers, servers, and PCs in a data center and branch office. Students will navigate the lab topology, generate application traffic, and configure Cisco Prime Infrastructure and other components. The objective is to understand the IWAN architecture and how it optimizes application performance over the WAN.
The document provides an overview of Link Controller functionality including:
- Link Controller balances load across multiple ISP links and provides failover capability.
- It offers advantages over BGP by not requiring ISP coordination and allows transparent addition of new links.
- While it functions similarly to LTM for outbound traffic and GTM for inbound, it has limitations such as no advanced load balancing or ability to resolve IPs it does not host.
- Key aspects of deployment include defining links, listeners, pools, virtual servers, and WideIPs to direct inbound and outbound traffic across ISP links.
In today’s Experience Economy, networks must provide a great user experience meeting each individual’s personal expectation. Users do not care about what happens behind the scenes to make everything work; in fact, users don’t even consider it until something breaks. People living in today’s Experience Economy care about simply connecting to a video, where the network is smart enough to remember who they are without a lot of hassle connecting, and then providing a blisteringly fast connection so that there is no interruption to the video stream. Think about what makes you happy when connecting with your own device and then think about what makes you really upset when things are hard, complicated, and slow. If the user has a bad experience in anyone of these areas (simple, fast, and smart), they are likely to leave, share their negative experience, and potentially never return.
Where Does Networking Fit In? To gain the full benefits of cloud computing and virtualization and achieve a business agile IT infrastructure, organizations need a reliable, high-performance data center networking infrastructure with built-in investment protection. Several technology inflection points are coming together that are fundamentally changing the way networks are architected, deployed and operated both in the public cloud as well as the private cloud. From performance, to scale, to virtualization support and automation to simplified orchestration, the requirements are rapidly changing and driving new approaches to building data center networks.
With Extreme Networks, IT can manage more with less. Automated intelligence and analytics for compliance, forensics, and traffic patterns translates into reduced help desk calls. Businesses can predict costs and return on investment, and increase employee productivity by securely onboarding BYOD, increasing both customer and employee satisfaction. A constant risk to the network, and ultimately the hospital, are unapproved applications and rogue devices that may appear on the network and either permit unauthorized access or interfere with other devices. A means to monitor all devices and applications that operate across the network is vital. Just as important are the audit and reporting capabilities necessary to report on who, what, where, when, and how patient data is accessed.
What is SDN? What software-defined networking really means has evolved dramatically and now includes automation and virtualization. Hardware is still a critical component in data center networking equipment, but the influence of switch software shouldn’t be overlooked. When everyone began to get excited about SDN a few years ago, we thought of it as only one thing: the separation of network control from network data packet handling. Traditional networks had already started down this path, with the addition of controller cards to manage line cards in scalable chassis-based switches, and with various data center fabric technologies.
This document summarizes Jeff Schmidt's presentation on Telstra's deployment of IPv6 for mobiles. Key points include:
1) Telstra implemented IPv6 to future-proof their network and address IPv4 depletion issues, using dual-stack and 464XLAT architectures.
2) Business drivers were addressing the growing traffic demand and enabling new technologies like IoT, while technical drivers addressed IPv4 depletion and inefficiencies.
3) The deployment included addressing and subnetting plans, network security designs, and testing multiple deployment models.
IPv6 was developed as a replacement for IPv4 to address limitations in IPv4 including address depletion. IPv6 uses a 128-bit address space compared to IPv4's 32-bit address space, providing trillions of times more addresses. IPv6 supports features like auto-configuration, end-to-end connectivity without NAT, faster routing, and security through IPsec.
in this slides the topic of internet protocol version 6 is covered in very easy form that help the beginners of networking students .. l for more suggestions comment there
The document discusses the upcoming introduction of IPv6. [1] IPv6 is a new standard for IP numbering that will provide more IP addresses as the current IPv4 addresses are running out. [2] It will help overcome limitations in the old IPv4 system and ensure there are enough addresses available into the next century. [3] The document outlines some of the key features and improvements IPv6 will provide, such as larger packet sizes, better security features, quality of service support, and mobility support.
Migration of corperate networks from ipv4 to ipv6 using dual stackpraveenReddy268
Migration of corperate networks from ipv4 to ipv6 using dual stack
in this you will be learning about internet protocols of version4 & 6.And also about OSI layers and their architecture and coding to the routers
Microsoft Direct Access (Part II)_John DelizoQuek Lilian
The document discusses the infrastructure and configuration requirements for implementing DirectAccess in a Windows environment, including needing Windows 7 clients, Windows Server 2008 servers, and setting up a DirectAccess server to enable remote access via always-on VPN connections for intranet resources using IPv6 and IPsec encryption. It also provides an overview of how DirectAccess works and additional resources for learning more about DirectAccess deployment.
This hands on workshop for OpenContrail will be led by Sreelakshmi Sarva & Aniket Daptari.
This is a labs session so we will have hard RSVP limits. Please RSVP only if you are confident that you will be able to attend.
About Sreelakshmi Sarva
Sree is currently working as part of solution engineering team at Juniper’s Contrail team. She is responsible for delivering & managing SDN solutions & partnerships relating to Contrail. She has been with Juniper for the last 13 years working on various Routing, Switching, Network programmability & virtualization platforms. Prior to Juniper, She worked at Nortel networks in the Systems Engineering group. Sree received her Masters in Computer Science from University of Texas at Dallas and Bachelor’s in Computer Science from India.
About Aniket Daptari
Aniket is currently working as part of Juniper Networks' Contrail Cloud Solutions team. He is responsible for delivering SDN solutions and technology partnerships related to Contrail. He has been with Juniper for the last 3 years working on various Network programmability & virtualization platforms. Prior to Juniper, he worked at Cisco Systems in the Internet Systems Business Unit (Catalyst 6500). Aniket received his Masters in Computer Science from University of Southern California and a graduate certificate in Management Science and Engineering from Stanford University.
Course Abstract
This session will be the first of a series of OpenContrail hands-on tutorials for developers who want to get deep into OpenContrail code.
This “Basic OpenContrail Programming” Hands-on Session will focus on making developers proficient in writing and contributing code for our OpenContrail Project.
Session will cover the following areas
1) Contrail Overview
· Use Cases
· Architecture recap
2) Contrail Hands on
· Demo + Hands on - Configuration , VN, VM, Network Policies etc
· DevStack introduction
This document provides a 3-paragraph summary of a 10-page project report on IPv6. The report was submitted by Udipto Ghosh to MIT Pune in partial fulfillment of a post-graduate diploma in management. The summary discusses that IPv6 is an evolutionary upgrade to IPv4 designed to allow continued growth of the internet. It also describes some key features of IPv6 like larger address space and auto-configuration. The transition from IPv4 to IPv6 is expected to occur gradually as IPv6 is deployed incrementally for early benefits while coexisting with IPv4 for a long time.
IPv6 is the next-generation Internet protocol that replaces IPv4. It features a 128-bit address size allowing for many more IP addresses compared to IPv4's 32-bit addresses. IPv6 also includes improvements in routing, network autoconfiguration, security, quality of service, and extensibility. A transition from IPv4 to IPv6 is underway using mechanisms like dual stacking that allow both protocols to coexist on networks. While not yet widely deployed, IPv6 is expected to fully replace IPv4 in the coming years.
Virtual Private Networks (VPNs) allow private networks to be connected securely over the public Internet. There are two main methods for implementing VPNs - using IPSec at the network level or SSL at the transport level. IPSec VPNs require client software installation on each workstation while SSL VPNs only require a web browser with SSL support, making SSL VPNs easier to use. VPNs offer benefits over dedicated leased lines such as lower cost, easier setup, and flexibility, but are less secure, reliable, and performant than isolated private networks.
Virtual Private Networks (VPNs) allow private networks to be connected securely over the public Internet. There are two main methods for implementing VPNs - using IPSec at the network level or SSL at the transport level. IPSec VPNs require client software installation on each workstation while SSL VPNs only require a web browser with SSL support, making SSL VPNs easier to use. VPNs offer benefits over dedicated leased lines such as lower cost, easier setup, and flexibility, but can be less reliable, secure, and performant than isolated private networks.
While IPv6 has been a defined standard since 1998, the end-user adoption of this standard is minimal. Less than 1% of Internet peers utilize IPv6 in the course of normal operation. However, IPv6 support within operating systems and network routers is becoming commonplace. While IT personnel continue to be focused on IPv4, IPv6 capabilities may already be active by default on many Internet connected systems within an IT professional's environment. These IPv6 interfaces generate traffic which can bypass traditional controls based on IPv4 technology. Although IPv6 is likely to eclipse IPv4 as the dominant Internet protocol, the path to this state is disorganized and unclear. This state indicates that as IPv6 gains inertia as a legitimate Internet protocol, IT administrators need to be aware of and manage IPv6 traffic on their network with as much vigilance as they would apply to the more commonplace IPv4.
Kevin D. Wilkins, CISSP, Senior Network Engineer, iSecure LLC
After coursework at the Rochester Institute of Technology, Kevin’s professional experience includes ISP and VOIP operations. Kevin has 10 years of industry experience in system and network engineering and platform management. In the last few years, a focus on information security has brought his experiences together into a consolidated viewpoint of enterprise-wide security policy and implementation.
Peter Rounds, Senior Network Engineer, Syracuse University
Peter has been a Sr. Network Engineer at Syracuse University for 11 years. He is responsible for maintaining core network infrastructure consisting of Internet edge traffic identification/management, Internet BGP routing and security profile management, campus OSPF and security profile management, and data center network and security profile management. He is responsible for numerous security technologies for the University.
6WINDGate™ - Accelerated Data Plane Solution for EPC and vEPC6WIND
The document discusses 6WIND and its 6WINDGate software. It begins by stating that 6WIND aims to replace dedicated networking hardware with commodity servers and virtualization using its software. It then provides facts about 6WIND, including that it has over 150 man years of experience developing 6WINDGate, which supports major hardware platforms. Finally, it outlines the key benefits of 6WINDGate, such as enabling high performance networking on standard platforms for both physical and virtual environments.
Hands-on Lab: Test Drive Your OpenStack NetworkPLUMgrid
Neutron is deployed in the majority of OpenStack clouds but it still constitutes one of the key areas of concerns for organizations world-wide. The transition from traditional hardware-centric networking to the software defined model takes time and learning and requires a mental shift as well as a change in workflows, procedures, tools and best-practices. In this session each participant will be provided with a personal sandbox OpenStack running a live Liberty-based environment and will work on common use cases and applications of SDNs in an OpenStack Cloud. The class will focus on test cases that will move beyond the basics of L2 and L3 and deploy VNFs such as NAT and security policies on top of a 3-tier application topology. The class will also go through exercises that are focused on monitoring and troubleshooting SDNs in an OpenStack cloud.
This document provides an overview of Network Address Translation (NAT) for IPv4. It contains the following sections:
1. NAT Operation - Explains the purpose and function of NAT, the different types of NAT (static, dynamic, PAT), and the advantages and disadvantages of NAT.
2. Configure NAT - Details how to configure static NAT, dynamic NAT, PAT, and port forwarding on Cisco routers using the command line interface.
3. Troubleshoot NAT - Covers how to troubleshoot NAT issues in a network.
The document is intended to instruct users on the basic concepts and configuration of NAT to provide IPv4 address translation and scalability in small to medium business networks.
This module covers VPN and IPsec concepts, including how VPNs use encryption protocols like IPsec to securely connect site-to-site and remote networks. It describes different types of VPNs for remote access and connecting sites, as well as how the IPsec framework provides confidentiality, integrity, authentication, and secure key exchange to protect network traffic. The module also examines IPsec encapsulation modes and the benefits of dynamic VPN solutions like DMVPN and IPsec VTIs.
Session: The Data Center Network Evolution: Journey to the Programmable Fabric
Presenter: Robert Zalobinski, Technical Solutions Architect
Date: October 6, 2015
IDS, IPS, NAT and VPN
The document discusses and defines intrusion detection systems (IDS), intrusion prevention systems (IPS), network address translation (NAT), and virtual private networks (VPN). It explains that IDS monitor networks for suspicious activity, while IPS can also block threats. It describes static and dynamic NAT and port address translation (PAT). It also outlines remote access VPNs for connecting remote users, site-to-site VPNs for connecting office networks, and common VPN protocols like IPsec. The document provides an overview of these key network security concepts.
6WINDGate™ - Powering the New-Generation of IPsec Gateways6WIND
6WINDGate™ for IPsec Gateways:
- High performance IPsec stack to sustain encrypted traffic over several tens of thousands of IPsec tunnels with low-latency
- Optimal use of software and hardware crypto-acceleration for best price/performance
- High-capacity IKE control plane to manage several tens of thousands of IKE sessions on a single server
- High capacity for encapsulation protocols such as VLAN, PPP, L2TP and GRE…
- High performance and scalable IPv4 and IPv6 forwarding with virtual routing support for a large number of instances
- High performance and capacity firewall and NAT
IPX is a networking protocol originally used by Novell Netware Operating System to interconnect networks using Novell clients and servers. It is a connectionless datagram protocol that operates at the Network layer of the OSI model. IPX addresses network interfaces using a combination of physical addresses, network numbers, and socket numbers. While it was high performing in LANs, IPX is not suitable for wide area networks due to packet reordering issues.
This document discusses a session about clients, Configuration Manager 2012, and Windows Intune 3.0 beta. It provides overviews of new features in Configuration Manager 2012 such as managing up to 400,000 devices, improved asset management, deployment, compliance, and security capabilities. It also discusses the Windows Intune 3.0 beta focus on consumerization trends and enterprise-class mobile device management in the cloud without infrastructure.
PKI is a set of components needed to issue and manage digital certificates. It includes hardware, software, policies and people. Certificates contain a subject's public key and are digitally signed by a certificate authority. PKIs can be public, where any system can validate certificates, or private, where only an organization's systems participate. Building a private PKI requires designing certificate templates and revocation processes. Managing certificates involves enrollment methods and checking certificate status.
1. The document highlights top features of Windows Server 2012 for storage, security, access control, and Hyper-V including file system improvements, thin provisioning, dynamic access control, shared-nothing live migration, and support for up to 320 logical processors and 4 TB of physical memory on a single host.
2. New features allow for improved storage management, centralized SSL management, network virtualization, and dynamic virtual machine queue management.
3. Windows Server 2012 provides enhanced security features such as classification, direct access, private virtual LANs, and multitenant security and isolation in Active Directory.
This document discusses approaches for automating the installation and deployment of Windows 7. It compares traditional and modular imaging approaches, and recommends the modular approach for its benefits like reduced maintenance costs and easy customization. It also covers various tools for automating Windows deployment, including Windows Imaging (WIM), Windows AIK, ImageX, DISM, Windows Setup, and Microsoft Deployment Toolkit 2010.
The document discusses customizing Windows images using the Microsoft Deployment Toolkit (MDT). It explains how to capture a reference Windows installation to a .WIM file using ImageX and Sysprep. This customized .WIM file can then be imported into MDT and deployed to target devices using a task sequence to perform an unattended installation. The document also mentions downloading all Windows updates to easily integrate them into the customized .WIM file.
The document discusses various approaches and tools for automating the installation and deployment of Windows 7, including traditional and modular imaging approaches. It describes Microsoft Deployment Toolkit 2010 (MDT) as the recommended toolset for automating desktop and server deployment. MDT provides a centralized console for managing tools like Windows Imaging (WIM), Deployment Image Servicing and Management (DISM), and Windows Automated Installation Kit (Windows AIK) to configure, capture, and deploy Windows 7 images. MDT supports both lite touch and zero touch installation deployment scenarios with different infrastructure requirements.
3. Agenda
• Direct Access Overview
• Direct Access Basics
• So how does it work
• Cool, I want that… How do I build it?
• Where do I start from here?
4. Direct Access is the ultimate VPN solution that is one of the enablers for the New Way of Work
5. Direct Access benefits
• Improved Productivity
– Helps improve the productivity of remote staff by providing the same,
always-on connectivity experience no matter if users are inside or outside
the corporate network.
• Secure Connectivity
– Leverages IPsec for authentication and encryption.
– Provides the ability to apply granular policy control over access to
resources, applications, and servers.
– Integrates with Microsoft Server and Domain Isolation, Network Access
Protection (NAP), and BitLocker solutions, resulting in security, access, and
health requirement policies that seamlessly interoperate between intranets
and remote computers.
6. Direct Access Benefits (cont’d)
• Greater Manageability
– Helps ensure that machines both on the network and off are always
healthy, managed, and up-to-date.
– Provides administrators with the ability to update Group Policy settings and
distribute software updates any time a remote computer has Internet
connectivity, even if the user is not logged on.
– Helps ensure that organizations can meet regulatory and privacy mandates
for security and data protection for assets that must roam beyond the
corporate network.
9. Direct Access Basics
• Authentication
– DirectAccess authenticates the computer, enabling the computer to connect
to the intranet before the user logs on. DirectAccess can also authenticate
the user and supports two-factor authentication using smart cards.
• Encryption
– DirectAccess uses IPsec to provide encryption for communications across
the Internet.
• Access Control
– IT professionals can configure which intranet resources different users can
access using DirectAccess, granting DirectAccess users unlimited access
to the intranet or only allowing them to use specific applications and access
specific servers or subnets.
10. Direct Access Basics (cont’d)
• IT Simplification and Cost Reduction
– DirectAccess separates intranet from Internet traffic, which reduces
unnecessary traffic on the corporate network by sending only traffic
destined for the corporate network through the DirectAccess server.
Optionally, IT can configure DirectAccess clients to send all traffic through
the DirectAccess server.
11. DirectAccess a VPN on Steroids
[Diagram: a remote computer connected across the Internet to the corporate network]
• Always On
• Patch management, health check and GPOs
• Network level computer/user authentication and encryption
• Automatically connects through NAT and firewalls
VPNs connect the user to the network; DirectAccess extends the network to the remote computer and user
12. End-to-End IPv6
[Diagram: client app – IPv6 – Internet – corporate intranet – IPv6 – server app]
Client and Server applications must be IPv6 compatible
Are all your applications IPv6 compatible?
13. Simple?
[Diagram: Internet – corporate intranet]
• Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4
• Internet tunnelling selection based on client location – Internet, NAT, firewall
• Encryption/authentication of Internet traffic (end-to-edge/end-to-end)
• Client location detection: Internet or corporate intranet
14. Connectivity Summary
[Diagram: DirectAccess client paths across the IPv4 Internet to a Forefront Unified Access Gateway (UAG), which reaches the corporate network through ISATAP, DNS64 and NAT64]
Internet side, IPv4 Internet to the UAG gateway:
• Native IPv6
• 6to4 tunnel: IPv6 in IPv4 protocol 41
• Teredo tunnel (client behind NAT): IPv6 in UDP port 3544
• IPHTTPS tunnel (client behind NAT, UDP port 3544 blocked): IPv6 in HTTPS
Corporate network side:
• ISATAP: IPv6 in IPv4 protocol 41
• DNS64 and NAT64 for IPv4 resources
15. What is 6to4
• 6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a
system that allows IPv6 packets to be transmitted over an IPv4 network
(generally the IPv4 Internet) without the need to configure explicit tunnels.
Special relay servers are also in place that allow 6to4 networks to communicate
with native IPv6 networks.
16. What is Teredo
• Teredo is a transition technology that gives full IPv6 connectivity for IPv6-
capable hosts which are on the IPv4 Internet but which have no direct native
connection to an IPv6 network. Compared to other similar protocols its
distinguishing feature is that it is able to perform its function even from behind
network address translation (NAT) devices such as home routers.
17. What is IPHTTPS
• The IP over HTTPS (IP-HTTPS) Protocol allows for a secure IP tunnel to be
established using a secure HTTP connection.
18. What is ISATAP
• ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is an IPv6 transition
mechanism meant to transmit IPv6 packets between dual-stack nodes on top of
an IPv4 network.
• ISATAP defines a method for generating a link-local IPv6 address from an IPv4
address, and a mechanism to perform Neighbor Discovery on top of IPv4.
19. Connectivity Summary (repeats the diagram from slide 14)
21. Client Location
[Diagram: corp.example.com zone; DNS 1 (the IP-configured DNS address) is reached over the Internet, DNS 2 sits on the corporate intranet]
• To resolve names on the Internet
– DirectAccess host queries DNS 1
• To resolve names on the intranet
– DirectAccess host queries DNS 2
22. End-to-Edge Access Model
For end-to-edge protection, DirectAccess clients establish an IPsec session to an IPsec gateway
server (which by default is the same computer as the DirectAccess server). The IPsec gateway
server then forwards unprotected traffic, shown in red, to application servers on the intranet.
This architecture works with any IPv6-capable application server but does not require that
server to run IPsec, simplifying the configuration and setup.
23. End-to-Edge End-to-End IPSec Model
For end-to-edge with End to End IPSec protection, DirectAccess clients establish an
IPsec session to an IPsec gateway server, and that IPSec traffic continues all the way
to the Intranet server for end to end IPSec protection. This architecture provides
better security than just the End to Edge model.
24. End-to-End IPSec Access Model
With end-to-end IPSec protection, DirectAccess clients establish an IPsec session
through the DirectAccess server to each application server to which they connect.
This provides the highest level of security because you can configure access control
on the DirectAccess server and extend IPSec all the way to the internal server. This
architecture requires that application servers run Windows Server 2008 SP2 or
Windows Server 2008 R2 and use both IPv6 and IPsec.
25. Steps
• Enable IPv6 internally (ISATAP)
• Network Location Server
• Client Groups
• Firewall Settings on clients
• Certificate Auto Enrollment
• Direct Access Server
• Finalize
• Test
26. 1: Enabling IPv6 in the Enterprise
[Diagram: DirectAccess Server (Server 2008 R2) on IPv6, ISATAP carrying IPv6 over the IPv4 network, Line of Business Applications on IPv6]
On all internal DCs: dnscmd /config /globalqueryblocklist wpad (leaves only wpad in the DNS global query block list, so the isatap host record can be resolved)
27. 2: Configuring NLS
• Any INTERNAL server running Web services
• Create a DNS name (like nls.yourdomain.com)
• Associate this new NLS DNS name to an IP Address of an Internal Web server
NLS tells the DirectAccess clients whether they are “inside” or “outside” of the
network. *** Make sure this system is HIGHLY available!!! ***
28. 3: Create Group(s) for the DA Clients
• Create a security group (Global or Universal)
• Add Win7 client systems into this group
Remember, systems are no longer really part of a “site” as they are now universally
roaming systems. So you define the group of systems by policy of what you want
the systems to have access to, not where they arbitrarily are.
29. 4: Windows Firewall for DA
• Allow inbound and outbound ICMPv6 Echo Request messages
• Create a Group Policy or configure each system individually
30. 5: Configuring the NLS
• Enroll the server with a certificate and configure for SSL access
31. 6: Certificate Auto-Enrollment
• Make sure all systems in the Direct Access group of client systems have a valid
client authentication certificate
32. 7: Install & Config Direct Access
• Add a certificate to the DirectAccess server
• Add the DirectAccess feature on the server
• Run the DirectAccess setup
33. 8: Finalizing Configurations
• Run gpupdate /force on all systems to make sure the new policies have been
applied (servers for the firewall policy, clients for the firewall and certificate
auto-enrollment policies)
• Stop/Start the iphlpsvc (IP Helper) service on all servers and test to make sure that
all systems can resolve the isatap.yourdomain.com DNS entry that was created during
the DirectAccess setup wizard
• Use ping <ipaddress> -6 to make sure you can ping servers and systems
internally
34. 9: Testing DA: Internal
• With the client system internal, run ipconfig and check to make sure you
have a local address
35. 10: Testing DirectAccess (External)
• With the client system external, run ipconfig and check to make sure you
have an external IP address
• Access a file on a file server or SharePoint using an internal http(s)
connection
36. 11: Testing DA: IP-HTTPS
• Step 10 tested external access using the automatically generated Teredo
address (prefix 2001:0::/32)
• Now, to verify that external access also works over IP-HTTPS, disable
Teredo and check the IP-HTTPS interface:
– netsh interface teredo set state disabled
– netsh interface httpstunnel show interfaces
• Re-access your file server and your Web server by their internal addresses and
see if you still have access, now over IP-HTTPS
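The checks in steps 8 through 11 gathered into one client-side PowerShell script, added here as an example and not part of the session deck; it assumes the NLS name nls.yourdomain.com, the ISATAP record isatap.yourdomain.com and a constructed internal host fs1.yourdomain.com.

```powershell
# Added example (not from the session deck): client-side checks for steps 8-11.
# Assumed names: nls.yourdomain.com, isatap.yourdomain.com and a constructed
# internal test host fs1.yourdomain.com; replace them with your own.
$Domain       = 'yourdomain.com'
$InternalHost = 'fs1.yourdomain.com'

# Step 8: the IP Helper service (iphlpsvc) drives ISATAP, Teredo and IP-HTTPS.
Write-Host ("iphlpsvc: {0}" -f (Get-Service -Name iphlpsvc).Status)

# Step 8: the isatap record created by the DA wizard must resolve. If it does
# not, check that 'isatap' is no longer in the DNS global query block list.
try {
    $isatap = [System.Net.Dns]::GetHostAddresses("isatap.$Domain")
    Write-Host ("isatap.{0} -> {1}" -f $Domain, ($isatap -join ', '))
} catch {
    Write-Warning "isatap.$Domain did not resolve (global query block list?)"
}

# Steps 9/10: classify the client's non-link-local IPv6 addresses by transition
# technology. Teredo lives in 2001:0::/32; ISATAP interface IDs end in
# ::0:5efe:<IPv4> (address bytes 10-11 are 5e fe). IP-HTTPS addresses come
# from the DA server's own prefix, so they are reported as 'native / IP-HTTPS'.
[System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
    ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
    Where-Object { $_.Address.AddressFamily -eq 'InterNetworkV6' -and -not $_.Address.IsIPv6LinkLocal } |
    ForEach-Object {
        $b = $_.Address.GetAddressBytes()
        if ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0 -and $b[3] -eq 0) {
            $kind = 'Teredo (external)'
        } elseif ($b[10] -eq 0x5e -and $b[11] -eq 0xfe) {
            $kind = 'ISATAP (internal)'
        } else {
            $kind = 'native / IP-HTTPS'
        }
        Write-Host ("{0,-40} {1}" -f $_.Address.IPAddressToString, $kind)
    }

# NLS: reachable over HTTPS means the client decides it is INSIDE the corpnet
# and keeps the DA tunnels down; unreachable means OUTSIDE.
try {
    $null = (New-Object System.Net.WebClient).DownloadString("https://nls.$Domain/")
    Write-Host "NLS reachable: client is INSIDE the corpnet"
} catch {
    Write-Host "NLS unreachable: client is OUTSIDE, DA tunnels expected"
}

# Steps 8/10: IPv6 reachability of an internal server (exit code 0 = replies).
ping -6 -n 2 $InternalHost | Out-Null
Write-Host ("ping -6 {0}: {1}" -f $InternalHost, $(if ($LASTEXITCODE -eq 0) { 'OK' } else { 'FAILED' }))

# Step 11: which transition interface is up (Teredo vs IP-HTTPS).
netsh interface teredo show state
netsh interface httpstunnel show interfaces
```

Run it once with the client inside and once outside the corpnet; the address classification and the NLS result should flip between the two runs.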
37. Summary: Managed vs. Unmanaged Clients
[Diagram: managed Windows 7 clients use DirectAccess (always on, IPv6); unmanaged Vista, XP, non-Windows and PDA clients use SSL VPN over IPv4; the DA server extends support to IPv4 servers]
1. Extends access to line-of-business servers with IPv4 support
2. Access for down-level and non-Windows clients
3. Enhances scalability and management
4. Simplifies deployment and administration
5. Hardened edge solution