[Diagram: "Trusted, compliant, healthy machine"] A Windows 7 client connecting to the Corporate Network (DC & DNS on Windows Server 2008; Applications & Data). Client-side components shown: NAP (includes Server & Domain Isolation [SDI]), Forefront Client Security, Windows Firewall, BitLocker + Trusted Platform Module (TPM), IAG SP2.

Microsoft Confidential
[Diagram: lab topology] INET1 and NAT1 on the Internet segment (131.107.0.0/24); DA1 between the Internet and Corpnet; DC1 and APP1 on Corpnet (10.0.0.0/24); CLIENT1 on Homenet (192.168.137.0/24) behind NAT1.
[Diagram: access model] An Internet user and an Intranet user, each on a compliant client, reach the Data Center and Business Critical Resources on the Enterprise Network through the DirectAccess Server and the NAP / NPS servers; the Internet client tunnels over IPv4 UDP, HTTPS, etc.
   Assume the underlying network is always insecure
   Redefine CORPNET edge to insulate the datacenter and business critical resources
   Security policies based on identity, not location
[Diagram: traffic separation] DirectAccess client on the Internet, DirectAccess server at the Internet/Intranet boundary. Internal traffic goes through the DirectAccess server to corporate resources; Internet traffic goes to Internet servers.
Microsoft Windows 7 clients
Microsoft Windows 7 DirectAccess Server
Application servers
  Windows Server 2008 (for native IPv6 support)
  Exception: When Windows Firewall Authentication policy is used, application servers must be Windows Server 2008 R2
DC/DNS servers
  Windows Server 2008
  Exception: When two-factor authentication is required for end-to-end authentication, a Windows 7 DC-based Active Directory
NAT-PT server if IPv4 access is desired
DirectAccess Overview
Supporting infrastructure and technologies

Using DirectAccess with Windows 7
Client
  Receives configuration while directly connected to corpnet (provisioning) via Group Policy
  NAP used to check configuration and health when remotely connected

Server
  DirectAccess wizard to set up DirectAccess Server(s)
  Policies controlled via Group Policy
Configure DirectAccess Server
   Requires Windows Server 2008 R2
   Use DirectAccess server MMC

Author DirectAccess policies for clients, application servers, DC/DNS and IPsec gateway
   Windows 7 Enterprise & Ultimate SKU client machines
   Done using DirectAccess configuration wizard

Customize policies as needed
Facing Internet
    Forwarding gateway for native IPv6
    IPv6 over IPv4 services
       6to4 relay
       Teredo relay (optionally also Teredo server)

Firewall/Proxy Traversal
    IP-TLS relay

Internal
    IPsec DoS Protection

Facing Corpnet
   Gateway for native IPv6
   IPv6 over IPv4 service for enterprise
      ISATAP relay
   IPsec gateway (tunnel mode endpoint)
Be ready to monitor IPv6 traffic
Choose an access model: Full Intranet Access vs. Selected Server Access?
Assess deployment scale
DirectAccess Overview
Supporting infrastructure and technologies
Configuring DirectAccess
What Happens At Client
   Client tries to connect to target .corp.phiwug.com
   Looks in provisioned list for DNS server(s) associated with .phiwug.com
   Connects with DNS thru DAS: IPv6 route to the server, using IPsec (IPv6 required; IPsec is thru DAS)

What happens at DAS/DNS
   DAS lets thru AuthIP packets from client to DNS
   After negotiation, DAS lets ESP packets thru between client and DNS
   DNS returns target address information to client; DNS registers the client's current address information
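The client-side decision in the flow above (which names are sent to the corpnet DNS through the DAS and which are resolved locally) can be modelled as a small rule table. This is an added example, not code from the deck: the rule set, the DNS server address (IPv6 documentation prefix) and the exempted host name are constructed, and the longest-match/exemption behaviour mirrors how a Name Resolution Policy Table (NRPT) provisioned by Group Policy is evaluated.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed example, not code from the deck: an NRPT-style rule set
# provisioned by Group Policy. Suffix rules start with "."; a rule without a
# leading "." matches one exact FQDN. A rule with no DNS servers is an
# exemption: the name is resolved by the locally configured DNS, no DA tunnel.
@dataclass
class NrptRule:
    namespace: str
    dns_servers: List[str] = field(default_factory=list)
    ipsec_required: bool = True

@dataclass
class Decision:
    path: str                 # "directaccess" or "local"
    dns_servers: List[str]
    ipsec_required: bool
    matched: Optional[str]    # namespace of the winning rule, if any

# Constructed rules: .phiwug.com resolves via the corpnet DNS reached over
# IPsec thru the DAS; the public site www.phiwug.com is exempted.
# 2001:db8::/32 is the IPv6 documentation prefix, used here as a placeholder.
RULES = [
    NrptRule(".phiwug.com", ["2001:db8:0:1::2"], ipsec_required=True),
    NrptRule("www.phiwug.com"),
]

def matching_rule(name: str, rules: List[NrptRule]) -> Optional[NrptRule]:
    """Longest match wins, so a .corp.phiwug.com rule would beat .phiwug.com."""
    fqdn = name.lower().rstrip(".")
    best = None
    for r in rules:
        ns = r.namespace.lower()
        hit = fqdn.endswith(ns) if ns.startswith(".") else fqdn == ns
        if hit and (best is None or len(ns) > len(best.namespace)):
            best = r
    return best

def resolve_path(name: str, rules: List[NrptRule], on_corpnet: bool = False) -> Decision:
    """Decide where a DirectAccess client sends the DNS query for `name`."""
    if on_corpnet:
        # Directly connected to corpnet (where GP provisioning happens): the
        # NRPT is not applied and corpnet DNS answers normally.
        return Decision("local", [], False, None)
    rule = matching_rule(name, rules)
    if rule is None or not rule.dns_servers:
        # No rule, or an exemption: interface-configured DNS, no DA tunnel.
        return Decision("local", [], False, rule.namespace if rule else None)
    return Decision("directaccess", list(rule.dns_servers), rule.ipsec_required, rule.namespace)
```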
Evolution, not revolution
   Upgrade your network to an IPv6 end state
   Requires Windows 7 on the client
   Transition to Windows Server 2008 simplifies the solution
      Little or no change to applications – upgrade the server platform
      30 Microsoft LOB applications today on Windows Server 2008 running end-to-end IPsec/IPv6
      Additional 40 planned to upgrade in next two months
   Allows you to take concrete steps toward satisfying any IPv6 mandate
Seamless integration with your current access and security solutions
   Seamless transition to DirectAccess over time
   Integrates with Forefront solutions
http://technet.microsoft.com
DirectAccess Design Guide:
http://www.microsoft.com/downloadS/details.aspx?familyid=647222D1-A41E-4CDB-BA34-F057FBC7198F&displaylang=en
Step by Step Guide:
http://www.microsoft.com/downloads/details.aspx?FamilyID=8D47ED5F-D217-4D84-B698-F39360D82FAC&displaylang=en
Next Generation Remote Access with DirectAccess and VPNs:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=70723e47-3d57-415b-9182-744ceaf8c04a#tm
Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2:
http://www.microsoft.com/downloads/details.aspx?FamilyID=64966e88-1377-4d1a-be86-ab77014495f4&DisplayLang=en
Microsoft Server and Tools solution site for Direct Access:
http://www.microsoft.com/servers/directaccess.mspx
http://johndelizo.spaces.live.com
http://technetphilippines.net/blogs/johndelizo
johndelizo@live.com
http://msforums.ph

http://msforums.ph/blogs/phiwug

http://phiwug.org

http://technetphilippines.net

Microsoft Direct Access (Part II)_John Delizo
