Microsoft Direct Access (Part II)_John Delizo

Transcript of Microsoft Direct Access (Part II)_John Delizo

Page 1: Microsoft Direct Access (Part II)_John Delizo

Microsoft Confidential

Diagram: Trusted, compliant, healthy machine (Windows 7 client) connecting to the Corporate Network (Applications & Data)

Components shown: DC & DNS (Win 2008); NAP (includes Server & Domain Isolation [SDI]); Forefront Client Security; Windows Firewall; BitLocker + Trusted Platform Module (TPM); IAG SP2

Page 2: Microsoft Direct Access (Part II)_John Delizo
Page 3: Microsoft Direct Access (Part II)_John Delizo

Lab topology diagram:

Internet: 131.107.0.0/24

Homenet: 192.168.137.0/24

Corpnet: 10.0.0.0/24

Hosts: DA1, INET1, DC1, APP1, NAT1, CLIENT1

Page 4: Microsoft Direct Access (Part II)_John Delizo

Diagram: DirectAccess Server between the Internet and the Enterprise Network; Compliant Clients (Internet and Intranet Users); Data Center and Business Critical Resources; NAP / NPS Servers

Assume the underlying network is always insecure

Redefine CORPNET edge to insulate the datacenter and business critical resources

Tunnel over IPv4 UDP, HTTPS, etc.

Security policies based on identity, not location

Page 5: Microsoft Direct Access (Part II)_John Delizo

Diagram: DirectAccess client (Internet side) and DirectAccess server (Intranet side); internal traffic goes to corporate resources, Internet traffic goes to Internet servers

Page 6: Microsoft Direct Access (Part II)_John Delizo

Clients: Microsoft Windows 7

DirectAccess server: Microsoft Windows 7 DirectAccess Server

Application servers: Windows Server 2008 (for native IPv6 support)

Exception: When Windows Firewall Authentication policy is used, application servers must be Windows Server 2008 R2

DC/DNS servers: Windows Server 2008

Exception: When two-factor authentication is required for end-to-end authentication, a Windows 7 DC-based Active Directory

NAT-PT server if IPv4 access is desired

Page 7: Microsoft Direct Access (Part II)_John Delizo

DirectAccess Overview

Supporting infrastructure and technologies

Using DirectAccess with Windows 7

Page 8: Microsoft Direct Access (Part II)_John Delizo

Client

Receives configuration while directly connected to corpnet (provisioning) via Group Policy

NAP used to check configuration and health when remotely connected

Server

DirectAccess wizard to set up DirectAccess Server(s)

Policies controlled via Group Policy

Page 9: Microsoft Direct Access (Part II)_John Delizo
Page 10: Microsoft Direct Access (Part II)_John Delizo

Configure DirectAccess Server

Requires Windows Server 2008 R2

Use DirectAccess server MMC

Author DirectAccess policies for clients, application servers, DC/DNS and IPsec gateway

Windows 7 Enterprise & Ultimate SKU client machines

Done using DirectAccess configuration wizard

Customize policies as needed

Page 11: Microsoft Direct Access (Part II)_John Delizo

Facing Corpnet

Gateway for native IPv6

IPv6 over IPv4 service for the enterprise: ISATAP relay

IPsec Gateway (tunnel mode endpoint)

Facing Internet

Forwarding gateway for native IPv6

IPv6 over IPv4 services: 6to4 relay

Teredo relay (optionally also Teredo server)

Firewall/proxy traversal: IP-TLS relay

Internal

IPsec DoS protection

Page 12: Microsoft Direct Access (Part II)_John Delizo

Be ready to monitor IPv6 traffic

Choose an access model: full intranet access vs. selected server access?

Assess deployment scale

Page 13: Microsoft Direct Access (Part II)_John Delizo

DirectAccess Overview

Supporting infrastructure and technologies

Configuring DirectAccess

Page 14: Microsoft Direct Access (Part II)_John Delizo
Page 15: Microsoft Direct Access (Part II)_John Delizo

What Happens At Client

Client tries to access .corp.phiwug.com

Looks in provisioned list for DNS server(s) associated with .phiwug.com

Connects with DNS server (using IPsec; IPv6 is routed through the DAS)

Client tries to connect to target; the IPv6 route is again through the DAS. IPsec is required.

What happens at DAS/DNS

DAS lets through AuthIP packets from client to DNS

After negotiation, DAS lets ESP packets through between client and DNS

DNS returns target address information to client

DNS registers the client's current address information
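The client-side resolution and connection steps above, as an added Python model (not code from the presentation or from Microsoft): the NRPT rules, the DNS server addresses and the corpnet IPv6 prefix are constructed assumptions, and the longest-match and exemption behaviour is a simplified model of the Name Resolution Policy Table that Group Policy provisions on the client.

```python
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# Constructed NRPT-style policy: a simplified model of the Name Resolution Policy
# Table that Group Policy provisions on the DirectAccess client (assumption).
# A rule starting with "." is a suffix rule; without the dot it is an exact name.
# An empty server list is an exemption: the name is resolved by the local
# (Internet) resolver instead of being tunnelled to corpnet DNS.
NRPT = {
    ".phiwug.com":      ["2001:db8:1::53"],                    # constructed corpnet DNS (DC1)
    ".corp.phiwug.com": ["2001:db8:1::53", "2001:db8:1::54"],  # constructed, more specific rule
    "da1.phiwug.com":   [],                                    # constructed exemption for the DA server's public name
}

# Constructed corpnet IPv6 prefix: targets inside it are routed through the DA
# server and require IPsec, as the slide describes for the final connection.
CORPNET_PREFIX = ipaddress.ip_network("2001:db8:1::/48")


@dataclass
class Decision:
    name: str
    rule: Optional[str]      # matching NRPT rule, or None if no rule applies
    dns_servers: List[str]   # intranet DNS servers to query (empty = local resolver)
    dns_via_das: bool        # True when the query is tunnelled to corpnet DNS over IPsec


def nrpt_match(name: str) -> Optional[str]:
    """Longest-match lookup: the most specific suffix or exact-name rule wins."""
    n = name.lower().rstrip(".")
    best = None
    for rule in NRPT:
        r = rule.lower()
        hit = n.endswith(r) if r.startswith(".") else n == r
        if hit and (best is None or len(r) > len(best)):
            best = rule
    return best


def decide_resolution(name: str) -> Decision:
    """Slide step 2: pick the DNS servers provisioned for the name's namespace."""
    rule = nrpt_match(name)
    servers = list(NRPT[rule]) if rule else []
    return Decision(name, rule, servers, bool(servers))


def connection_requires_das(target_ip: str) -> bool:
    """Slide step 4: a corpnet target is reached through the DAS with IPsec required."""
    return ipaddress.ip_address(target_ip) in CORPNET_PREFIX
```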

Page 16: Microsoft Direct Access (Part II)_John Delizo

Evolution, not revolution

Upgrade your network to an IPv6 end state

Requires Windows 7 on the client

Transition to Windows Server 2008 simplifies the solution

Little or no change to applications – upgrade the server platform

30 Microsoft LOB applications today on Windows Server 2008 running end-to-end IPsec/IPv6

Additional 40 planned to upgrade in next two months

Allows you to take concrete steps toward satisfying any IPv6 mandate

Seamless integration with your current access and security solutions

Seamless transition to DirectAccess over time

Integrates with Forefront solutions

Page 17: Microsoft Direct Access (Part II)_John Delizo
Page 18: Microsoft Direct Access (Part II)_John Delizo

http://technet.microsoft.com

DirectAccess Design Guide: http://www.microsoft.com/downloadS/details.aspx?familyid=647222D1-A41E-4CDB-BA34-F057FBC7198F&displaylang=en

Step by Step Guide:http://www.microsoft.com/downloads/details.aspx?FamilyID=8D47ED5F-D217-4D84-B698-F39360D82FAC&displaylang=en

Next Generation Remote Access with DirectAccess and VPNs: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=70723e47-3d57-415b-9182-744ceaf8c04a#tm

Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2: http://www.microsoft.com/downloads/details.aspx?FamilyID=64966e88-1377-4d1a-be86-ab77014495f4&DisplayLang=en

Microsoft Server and Tools solution site for Direct Access: http://www.microsoft.com/servers/directaccess.mspx

Page 20: Microsoft Direct Access (Part II)_John Delizo

http://msforums.ph

http://msforums.ph/blogs/phiwug

http://phiwug.org

http://technetphilippines.net

Page 21: Microsoft Direct Access (Part II)_John Delizo
