Microsoft Direct Access (Part II)_John Delizo
Page 1
Microsoft Confidential
Diagram labels: Trusted, compliant, healthy machine; Windows 7 client; Corporate Network; Applications & Data; DC & DNS (Win 2008); NAP (includes Server & Domain Isolation [SDI]); Forefront Client Security; Windows Firewall; BitLocker + Trusted Platform Module (TPM); IAG SP2
Page 2
Page 3
Lab diagram: networks Internet 131.107.0.0/24, Homenet 192.168.137.0/24, Corpnet 10.0.0.0/24; hosts DA1, INET1, DC1, APP1, NAT1, CLIENT1
Page 4
Diagram labels: DirectAccess Server; Compliant Client (two); Data Center and Business Critical Resources; NAP / NPS Servers; Internet; Intranet User (two); Enterprise Network
Assume the underlying network is always insecure
Redefine CORPNET edge to insulate the datacenter and business critical resources
Tunnel over IPv4 UDP, HTTPS, etc.
Security policies based on identity, not location
Page 5
Diagram labels: Internet | Intranet; DirectAccess server; DirectAccess client; Corporate resources; Internet servers; Internal traffic; Internet traffic
Page 6
Microsoft Windows 7 clients
Microsoft Windows 7 DirectAccess Server
Application servers: Windows Server 2008 (for native IPv6 support)
Exception: when Windows Firewall Authentication policy is used, application servers must be Windows Server 2008 R2
DC/DNS servers: Windows Server 2008
Exception: when two-factor authentication is required for end-to-end authentication, a Windows 7 DC-based Active Directory
NAT-PT server if IPv4 access is desired
Page 7
DirectAccess Overview
Supporting infrastructure and technologies
Using DirectAccess with Windows 7
Page 8
Client: receives configuration while directly connected to corpnet (provisioning) via Group Policy; NAP used to check configuration and health when remotely connected
Server: DirectAccess wizard to set up DirectAccess Server(s); policies controlled via Group Policy
Page 9
Page 10
Configure DirectAccess Server: requires Windows Server 2008 R2
Use DirectAccess server MMC
Author DirectAccess policies for clients, application servers, DC/DNS and IPsec gateway
Windows 7 Enterprise & Ultimate SKU Client Machines
Done using DirectAccess configuration wizard
Customize policies as needed
Page 11
Facing Corpnet:
Gateway for native IPv6
IPv6 over IPv4 service for enterprise: ISATAP relay
IPsec Gateway (Tunnel Mode Endpoint)
Facing Internet:
Forwarding Gateway for native IPv6
IPv6 over IPv4 services: 6to4 relay
Teredo Relay (optionally also Teredo Server)
Firewall/Proxy Traversal: IP-TLS relay
Internal:
IPsec DoS Protection
Page 12
Be ready to monitor IPv6 traffic
Choose an Access Model: Full Intranet Access vs. Selected Server Access?
Assess deployment scale
Page 13
DirectAccess Overview
Supporting infrastructure and technologies
Configuring DirectAccess
Page 14
Page 15
What happens at the client
Client tries to access .corp.phiwug.com. It looks in the provisioned list for the DNS server(s) associated with .phiwug.com and connects to that DNS server using IPsec; the IPv6 path is through the DAS.
Client then tries to connect to the target: the IPv6 route is again through the DAS, and IPsec is required.
What happens at the DAS/DNS
The DAS lets AuthIP packets through from the client to the DNS server. After negotiation, the DAS lets ESP packets through between the client and the DNS server. DNS returns the target address information to the client, and DNS registers the client's current address information.
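The client and DAS steps above, modelled as an added example (not code from the slides or from Microsoft's implementation): the client picks a DNS server from its provisioned suffix list, and the DAS admits AuthIP to that server first and ESP only once negotiation has completed. The suffix table, hostnames and IPv6 addresses are constructed for the example.

```python
# Constructed provisioning table: DNS suffix -> intranet DNS server(s).
PROVISIONED_DNS = {
    ".corp.phiwug.com": ["2001:db8:10::53"],
    ".phiwug.com": ["2001:db8:10::53", "2001:db8:10::54"],
}


def _norm(name):
    """Strip a trailing dot and lower-case, so 'HOST.Corp.phiwug.com.' compares cleanly."""
    return name.rstrip(".").lower()


def resolve_policy(name, table=PROVISIONED_DNS):
    """Decide where a DNS query goes. A name under a provisioned suffix is sent to
    that suffix's intranet DNS server over IPsec/IPv6 through the DAS (longest
    suffix wins); any other name uses the local interface's DNS."""
    n = _norm(name)
    best_key, best_len = None, -1
    for key in table:
        s = _norm(key)                      # e.g. ".phiwug.com"
        # ".phiwug.com" matches "app1.phiwug.com" and "phiwug.com" itself,
        # but not "evilphiwug.com" (the leading dot is part of the match).
        if (n.endswith(s) or n == s.lstrip(".")) and len(s) > best_len:
            best_key, best_len = key, len(s)
    if best_key is None:
        return {"path": "internet", "dns_servers": None, "ipsec": False, "via": "local"}
    return {"path": "intranet", "dns_servers": table[best_key], "ipsec": True, "via": "DAS"}


class DASFilter:
    """Packet filter on the DirectAccess server for client <-> DNS traffic:
    AuthIP is admitted so negotiation can start; ESP only after it completes."""

    def __init__(self, dns_servers):
        self.dns = set(dns_servers)
        self.negotiated = set()             # frozenset({client, dns}) pairs

    def negotiation_complete(self, client, dns_server):
        self.negotiated.add(frozenset((client, dns_server)))

    def admit(self, proto, src, dst):
        if proto == "AuthIP" and (src in self.dns or dst in self.dns):
            return True                     # negotiation traffic, either direction
        if proto == "ESP" and frozenset((src, dst)) in self.negotiated:
            return True                     # protected DNS traffic after negotiation
        return False                        # anything else is dropped
```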
Page 16
Evolution, not revolution
Upgrade your network to an IPv6 end state
Requires Windows 7 on the client
Transition to Windows Server 2008 simplifies the solution
Little or no change to applications – upgrade the server platform
30 Microsoft LOB applications today on Windows Server 2008 running end-to-end IPsec/IPv6
Additional 40 planned to upgrade in next two months
Allows you to take concrete steps toward satisfying any IPv6 mandate
Seamless integration with your current access and security solutions
Seamless transition to DirectAccess over time
Integrates with Forefront solutions
Page 17
Page 18
http://technet.microsoft.com
DirectAccess Design Guide: http://www.microsoft.com/downloadS/details.aspx?familyid=647222D1-A41E-4CDB-BA34-F057FBC7198F&displaylang=en
Step by Step Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=8D47ED5F-D217-4D84-B698-F39360D82FAC&displaylang=en
Next Generation Remote Access with DirectAccess and VPNs: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=70723e47-3d57-415b-9182-744ceaf8c04a#tm
Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2: http://www.microsoft.com/downloads/details.aspx?FamilyID=64966e88-1377-4d1a-be86-ab77014495f4&DisplayLang=en
Microsoft Server and Tools solution site for Direct Access: http://www.microsoft.com/servers/directaccess.mspx
Page 19
http://johndelizo.spaces.live.com
http://technetphilippines.net/blogs/
[email protected]
Page 20
http://msforums.ph
http://msforums.ph/blogs/phiwug
http://phiwug.org
http://technetphilippines.net
Page 21