Conditional access DirectAccess & automatic VPN Desktop Virtualization.


Transcript of Conditional access DirectAccess & automatic VPN Desktop Virtualization.

Page 1: Conditional access DirectAccess & automatic VPN Desktop Virtualization.
Page 2:

Introducing Web Application Proxy: Enable Work From Anywhere
Shai Kariv, Principal Group Program Manager

PCIT-B327

Page 3:

AGENDA

WAP Overview
WAP @ Windows Server: 2012 R2 and future
WAP @ Azure Active Directory: Preview and future
Q & A

Page 4:

WAP Overview

Page 5:

Microsoft Remote Access Solutions

Conditional access

DirectAccess & automatic VPN

Desktop Virtualization

Page 6:

Introducing: Web Application Proxy

Information Worker: Productivity
Access corpnet apps from anywhere, on any device, Windows and non-Windows
The IW device can be un-managed, non domain joined, and even not workplace-joined
SSO and "native" device/app experience

IT Pro: Risk Management
Selectively publish corpnet apps
Control access per app, user, device, location
Better protection with pre-authentication (optional)
No change required in existing apps
No change required on devices (clientless)

Page 7:

Network Topology

[Diagram: Internet | Firewall | Load Balancer | DMZ | Load Balancer | Firewall | Corporate Network]

Internet: Client (browser, Office client or modern app)
DMZ: Web Application Proxy, AD FS Proxy
Corporate Network: Backend Servers, AD FS, Config. Store, Active Directory Domain Controller

Flows labelled in the diagram:
Client to Web Application Proxy: HTTP/S
Web Application Proxy to Backend Server: HTTP/S, using claims, KCD, OAuth, MSOFBA, or pass-through
Client to AD FS Proxy to AD FS: AuthN, AuthN Web UI
Web Application Proxy to AD FS: Config. API over HTTPS
Web Application Proxy to Active Directory Domain Controller: obtain KCD ticket for IWA AuthN

Page 8:

WAP: Fundamental Services

Reverse Proxy Services
Network Isolation: even in pass-through, even post pre-auth, the backend is never exposed directly
Basic DoS protection: throttling, queuing, session establishment, before routing to the backend
URL Translation: HTTP header level translation enables publishing non-FQDN URLs, and HTTPS to HTTP
Selective Publishing: per internal application endpoint
AD FS Proxy services: FS, MFA, DRS
Web Protocols Only: HTTP, HTTPS

Pre-authentication services
Rich Policy: user + device identity, application identity, network location
MFA Options: smartcards, phone factor, soft password lockout
Multiple Authentication Methods: KCD, claims, OAuth, MSO-FBA, ...
SSO: avoid requesting credentials again after the first pre-auth, via a dedicated security token of AD FS

Page 9:

WAP @ Windows Server

Page 10:

Web Application Proxy + AD FS Architecture

Users can register their devices to gain access to corporate data and apps and single sign-on through device authentication

Conditional access with multi-factor pre-authentication is provided on a per-application basis, leveraging user identity, device registration & network location

Published applications

AD FS provides rich authentication and authorization capabilities including multi-factor and federation.

Publish any standard Web/HTTP server. Single Sign On using Kerberos, claims, Office or OAuth

New Windows Server 2012 R2 role service under RRAS server role, integrated into Windows Server Manager and RRAS admin experience (PSH + UI).

Pages 11-30:

[Animated sequence diagram, repeated on each slide with one more step revealed. Recoverable content follows.]

Topology: User (Internet); Web Application Proxy (perimeter network); LOB app with Windows authN at http://lob, AD, and AD FS at https://sts.fabrikam.com (internal network). WAP holds the App Policies; AD FS holds the Edge Policies and Application Policies. Published externally through WAP: https://lob.fabrikam.com (the LOB app), https://sts.fabrikam.com (AD FS) and https://enterpriseenrollment.fabrikam.com (DRS, device registration).

Flow shown step by step:
1. The user requests https://lob.fabrikam.com. WAP has no proxy SSO token for this session and answers 302, redirecting to https://sts.fabrikam.com.
2. The user authenticates at AD FS (reached through WAP's AD FS proxy). AD FS evaluates the Edge Policies and the Application Policies for the LOB application.
3. AD FS redirects the user back to https://lob.fabrikam.com with the token in the QueryString.
4. WAP validates the token, establishes its proxy SSO state for the session, and forwards the request to http://lob.
5. The LOB app challenges with 401 (Windows authN).
6. WAP performs Kerberos Constrained Delegation: using the ProxyUPN from the token it obtains a service ticket for the LOB app from AD.
7. WAP replays the request to the LOB app with AP_REQ(tckt); the LOB app responds.
8. WAP returns the LOB response to the user. Later requests in the session reuse the proxy SSO token and skip steps 1-3.
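The configuration behind the sequence above, as an added example (it is not from the deck and not a Microsoft script). It uses the names in the diagram (sts.fabrikam.com, https://lob.fabrikam.com published to the internal http://lob) plus placeholders the slides do not give: a domain-joined WAP server WAP01, an AD FS relying party named LOB, and an admin credential FABRIKAM\adfs-admin. The steps run on three different machines, as the comments say, in Windows PowerShell on Windows Server 2012 R2 with the AD FS, ActiveDirectory and WebApplicationProxy modules.

```powershell
# Added example, not from the deck. Placeholders (assumptions): WAP01 is the
# WAP server's computer account, "LOB" is the AD FS relying party name,
# FABRIKAM\adfs-admin is an AD FS administrator. sts.fabrikam.com,
# lob.fabrikam.com and the backend http://lob come from the slide diagrams.

# Step 1, on the AD FS server: create the relying party WAP pre-authenticates
# against. The LOB app speaks Windows authN, not claims, so it is a
# non-claims-aware trust. The issuance authorization rule is the per-app
# "Application Policy" of the diagram (here: permit every authenticated user;
# tighten it with group or device claims as needed).
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name 'LOB' `
    -Identifier 'https://lob.fabrikam.com/' `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 2, on a domain controller: allow the WAP computer account to obtain a
# Kerberos ticket for HTTP/lob on behalf of the pre-authenticated user
# (constrained delegation with protocol transition, "Use any authentication
# protocol" in the GUI). Without TrustedToAuthForDelegation the S4U2Self
# ticket is not forwardable, S4U2Proxy fails, and the backend keeps answering
# 401 even after a successful pre-auth.
Set-ADComputer -Identity 'WAP01' -Add @{ 'msDS-AllowedToDelegateTo' = @('HTTP/lob', 'HTTP/lob.fabrikam.com') }
Set-ADAccountControl -Identity 'WAP01$' -TrustedToAuthForDelegation $true

# Step 3, on the WAP server in the perimeter network: install the role
# service, join it to the AD FS farm, then publish the application.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# The AD FS proxy certificate must cover sts.fabrikam.com (and
# enterpriseregistration.fabrikam.com when DRS is published through WAP).
$stsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*sts.fabrikam.com*' } | Select-Object -First 1
Install-WebApplicationProxy -FederationServiceName 'sts.fabrikam.com' `
    -FederationServiceTrustCredential (Get-Credential 'FABRIKAM\adfs-admin') `
    -CertificateThumbprint $stsCert.Thumbprint

# Publish https://lob.fabrikam.com -> http://lob. ExternalPreauthentication
# ADFS makes WAP answer unauthenticated requests with the 302 to AD FS; the
# backend SPN turns the AD FS token into the AP_REQ the LOB app expects; the
# different external and backend URLs exercise the header-level URL
# translation (HTTPS outside, HTTP inside).
$lobCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*lob.fabrikam.com*' } | Select-Object -First 1
Add-WebApplicationProxyApplication -Name 'LOB' `
    -ExternalPreauthentication ADFS `
    -ExternalUrl 'https://lob.fabrikam.com/' `
    -BackendServerUrl 'http://lob/' `
    -ExternalCertificateThumbprint $lobCert.Thumbprint `
    -ADFSRelyingPartyName 'LOB' `
    -BackendServerAuthenticationSPN 'HTTP/lob'

# Check: what is published, and what an anonymous client sees. A correct
# deployment answers 302 with a Location on sts.fabrikam.com. Backend content,
# or a 401 coming from http://lob, means pre-auth is not in front of the app.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl, BackendServerAuthenticationSPN
try {
    Invoke-WebRequest -Uri 'https://lob.fabrikam.com/' -MaximumRedirection 0 -UseBasicParsing | Out-Null
    'Unexpected: content returned without a redirect to AD FS'
} catch {
    $resp = $_.Exception.Response
    "Status: $([int]$resp.StatusCode)  Location: $($resp.Headers['Location'])"
}
```

The final probe is run from outside the corporate network, because that is the only path on which the 302 from step 1 of the diagram should ever be visible; an internal client that resolves lob.fabrikam.com straight to the backend would bypass WAP and prove nothing about the published endpoint.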

Page 31:

DEMO: WAP @ Windows Server 2012R2

Page 32:

WAP Performance

Great numbers: 1000s of requests per second, even on entry level HW
CPU bound, mainly due to SSL processing
Latency added by the proxy is <5 milliseconds

What makes the difference:
Transaction size
Preauthentication type
HTTPS or HTTP
SSL certificate size

Page 33:

WAP Performance Labs

Entry level server: HP Proliant DL 360 G5, Intel Xeon E5410, 1 CPU, 4 cores, 2.33 GHz, 8 GB RAM, 256 KB L1 cache, 12 MB L2 cache, 2 x 1 Gbit network cards (1 for each side)

Medium level server: HP Proliant SE316M1, Intel Xeon L5220, 2 CPUs, 4 cores each (8 total), 2.27 GHz, 16 GB RAM, 512 KB L1 cache, 2 MB L2 cache, 16 MB L3 cache, 4 x 1 Gbit network cards (2 for each side, using teaming)

Top level server: HP Proliant DL580 G7, Intel Xeon E7-4850, 4 CPUs, 10 cores each (40 total), 2.00 GHz, 128 GB RAM, 2.5 MB L1 cache, 10 MB L2 cache, 96 MB L3 cache

[Chart: requests/sec by transaction size (100B, 2KB, 4KB, 8KB, 16KB, 32KB and 1MB files) for pass-through preauthentication, claims preauthentication, and claims preauthentication + KCD]

Page 34:

Transaction size impact

Transaction size   Requests/sec   Bandwidth
100B               16K            15M
2KB                13K            43M
4KB                12K            67M
8KB                10K            94M
16KB               7K             121M
32KB               4K             145M
1MB                180            204M

* Medium level HW
* CPU: 95%-98%
* Keep alive: on
* HTTPS external and backend
* SSL certificate 2048 bit
* No fine tuning, out-of-the-box Windows

Page 35:

Experience with Microsoft Applications

SharePoint works with preauthentication in AD FS when the SharePoint authentication is claims or Windows/Kerberos (via KCD).
Known limitation: Web Application Proxy does not support wildcard domain publishing (e.g. https://*.apps.contoso.com), so when publishing SharePoint Apps their domains must be published explicitly, one published application per host name.

OWA can be published with preauthentication and KCD, or with claims-based preauthentication (requires Exchange 2013 SP1).
ActiveSync and Outlook Anywhere can be published with pass-through preauthentication. Known limitation: some old ActiveSync clients do not support SNI.

Lync mobility can be published using pass-through authentication. Known limitations: no support for HTTP interfaces; some Lync clients do not support SNI.
Lync SIP traffic is handled by Lync Edge.

Note: Web Application Proxy does not certify a specific application or its versions

Page 36:

Customers were asking for the following features:

AD FS Token signing certificate rollover is an issue.

Pre-authentication for Exchange Active-Sync / Outlook Anywhere.

HTTP publishing over port 80.

Automatic HTTP to HTTPS redirection, for select applications.

Wildcard FQDN publishing.

Built-in load balancing for back-end applications.

URL translation in HTTP body.

Extensibility by 1st or 3rd party code.

API Management, RDS: integrated stack.

Enhanced protocol support: WebSockets, HTTP 2.0

We’re busy building the future…

Page 37:

WAP @ Azure Active Directory

Page 38:

Remote Access as a Service

Easy to deploy and operate: minimal on-prem footprint
Secure remote access to business applications with zero DMZ on-prem infrastructure deployment and no network infrastructure change.

More secure to the business: pre-DMZ protection
All security verifications are done outside of the organization's premises, at cloud scale. DDoS attacks will not influence your business.

Deep integration with Azure Active Directory
Richness of AAD capabilities and experiences: IW access panel discovery and SSO, manage apps across SaaS and on-prem, machine learning traffic analysis, multifactor authentication, device registration, cloud AD FS proxy deployment, ...
Built for the cloud design point, available for AAD Premium customers

Page 39:

Azure Active Directory Application Proxy

The new cloud connector pattern
Better security: no incoming requests
Simple, light on-prem deployment
Minimal operation: IT or department
One or multiple redundant connectors
Stateless architecture

[Diagram: Application Proxy in Azure Active Directory; two Connectors on the Corporate Network, behind the DMZ, fronting three Resources. Connections originate from the connectors only.]

Pages 40-48:

[Each slide shows the same diagram: two AAD-AP Connectors on-prem and the AAD-AP Cloud Service, with one step of the exchange highlighted.]

Architecture – Connectivity
1. Once started, the connectors open HTTP requests to the WAP service. The requests remain waiting until a user request arrives or they time out.
2. The user sends a request to the public address of the service, which is unique per tenant and per application, e.g. https://app1-contoso.cwap.net/
3. The WAP service selects one of the pending connector requests and sends the user request as its payload.
4. The connector sends the user request to the backend application and, once there is a response, sends it to the service as a new request.
5. The cloud service returns the response to the client request.

Architecture – Preauthentication
1. The user sends a new, unauthenticated request to an application that is configured to require preauthentication.
2. WAP redirects the user to the Azure AD STS address with information on the application that needs preauthentication. Nothing is sent to the backend.
3. The user authenticates to the Azure AD STS. This process may involve other systems depending on tenant configuration, e.g. 2FA and federation. Once done, the user is redirected back to the WAP service with a token.
4. The user request arrives again, now with a valid authentication token. Once the token is validated, the request is sent to the backend application.

Page 49:

DEMO: WAP @ Azure AD

Page 50:

Q & A

Page 51:

Resources

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

msdn

Resources for Developers

http://microsoft.com/msdn

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd


Page 54:

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.