SVR402: DirectAccess Technical Drilldown, Part 2 of 2: Putting it all together.


Description

Take a sprinkling of Windows 7, add Windows Server 2008 R2, IPv6 and IPsec and you have a solution that will allow direct access to your corporate network without the need for VPNs. Come to these demo-rich sessions and learn how to integrate DirectAccess into your environment. In Part 1 learn about IPv6 addressing, host configuration and transitioning technologies including 6to4, ISATAP, Teredo and IPHTTPS. Through a series of demos learn how to build an IPv6 Network and interoperate with IPv4 networks and hosts. In Part 2 we add the details of IPSec, and components that are only available with Windows 7 and Windows Server 2008 R2 to build the DirectAccess infrastructure. Learn how to control access to corporate resources and manage Internet connected PCs through group policy. Part 1 is highly recommended as a prerequisite for Part 2.

Transcript of SVR402: DirectAccess Technical Drilldown, Part 2 of 2: Putting it all together.

Page 1: SVR402: DirectAccess Technical Drilldown, Part 2 of 2: Putting it all together.
Page 2

DirectAccess Technical Drilldown Part 2: Putting it all together

John Craddock, Infrastructure & Security Architect, XTSeminars Ltd

Session Code: SVR402

Page 3

Part 1: Internet to Intranet (diagram of the Internet-to-intranet transition paths: 6to4 relay, 6to4 host/router, IPHTTPS host and IPHTTPS server, Teredo host and Teredo server & relay, NAT devices, corporate intranet, Internet)

Page 4

Part 1: IPv6/IPv4 Intranet (diagram: IPv4, IPv6 and IPv6/IPv4 hosts, ISATAP router, NAT-PT or NAT64, native IPv6)

Page 5

What's Left?

(diagram: corporate intranet and Internet)

Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4

Internet tunnelling selection based on client location – Internet, NAT, firewall

Encryption/authentication of Internet traffic (end-to-edge/end-to-end); PKI required

Client location detection: Internet or corporate intranet

Page 6

Don't Give Up Now

Part 1: IPv6 intro; transition technologies; end-to-end connectivity

Part 2: IPsec; configuring DirectAccess; network location and name resolution policies; it all works – just like that!

Page 7

Demo Environment (diagram: home, corporate intranet and Internet; DC1 (DC, DNS, CA); APP1 (IIS for CRL distribution); NAT1; DA1; EX1 (DNS); three Windows 7 clients)

All servers Windows 2008 R2

Page 8

Securing the Tunnel

DirectAccess uses IPsec to secure network traffic

Traffic over the Internet is encrypted and authenticated; access via IPHTTPS is double encrypted: encrypted IPv6 within HTTPS

(diagram: corporate intranet and Internet)

Page 9

IPsec to the Rescue

IPsec is managed through Windows Firewall with Advanced Security

Best deployed through group policy

Connection security rules create: IPsec tunnels (authenticated and encrypted); authenticated connections (computer and user authentication)

Inbound/outbound rules set requirements for encryption

Page 10

Traffic Profile

Rules are based on a traffic profile

Connection security rule: authenticate all TCP traffic between A & B on ports W & X

Inbound/outbound rule: encrypt authenticated TCP traffic between A & B on ports W & X

Traffic profile: <Protocol> <source IP> <destination IP> <source port> <destination port>

Page 11

IPsec Primer

AuthIP: create a shared secret between hosts (uses Diffie-Hellman)

Main mode security association: key life configurable, default 8 hours

AuthIP: authenticate over the secure channel (Kerberos / certificates); computer and/or user authentication

AuthIP: establish IPsec session keys

Quick mode: IPsec SA; key life configurable, default 1 hour/100 MB; drops after 3 mins of inactivity

IPsec SA: create security association for the session

Exchange data: integrity, or integrity + encryption

Page 12

Main Mode Association

Page 13

Quick Mode Association

Page 14

Data Exchange

AH (Protocol ID 51): IP header | AH | IP payload. The packet is signed, ignoring the ICV field and the fields that change in transit.

Authentication Header (AH) contains: protocol ID of payload (TCP/UDP/ICMP…); sequence number – prevents replay; Security Parameters Index – identifies the IPsec SA; Integrity Check Value (ICV) calculated with SHA1 or MD5

ESP (Protocol ID 50): IP header | ESP header | IP payload (encrypted) | ESP trailer | ICV. The ESP portion is signed.

Encapsulating Security Payload (ESP) headers contain: protocol ID of payload (TCP/UDP/ICMP…); sequence number – prevents replay; Security Parameters Index – identifies the IPsec SA; Integrity Check Value (ICV)

When you just want integrity through NAT use ESP-Null
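As an added illustration of the AH and ESP layouts above (not code from the presentation), this Python parses constructed AH and ESP-NULL packets, recovers the fields the slide lists (payload protocol ID, SPI, sequence number, ICV) and applies a simple per-SA sequence-number replay check. The byte strings, SPI values and the 12-byte ICV length are constructed sample values.

```python
import struct

PROTO_ESP = 50   # IP protocol / IPv6 next-header value for ESP
PROTO_AH = 51    # IP protocol / IPv6 next-header value for AH
ICV_LEN = 12     # HMAC-SHA1-96 truncated ICV length (assumption for the sample)


def parse_ah(data):
    """AH header: next header (1), payload len (1), reserved (2), SPI (4), seq (4), ICV."""
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    ah_len = (payload_len + 2) * 4          # payload len is in 32-bit words minus 2
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": data[12:ah_len], "payload": data[ah_len:]}


def parse_esp_null(data, icv_len=ICV_LEN):
    """ESP-NULL: SPI (4), seq (4), cleartext payload, padding, pad len (1), next header (1), ICV."""
    spi, seq = struct.unpack("!II", data[:8])
    body, icv = data[8:-icv_len], data[-icv_len:]
    pad_len, next_hdr = body[-2], body[-1]   # trailer is readable only because nothing is encrypted
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": icv, "payload": body[:len(body) - 2 - pad_len]}


def parse_ipsec(proto, data):
    """Dispatch on the protocol ID carried in the outer IP header."""
    if proto == PROTO_AH:
        return parse_ah(data)
    if proto == PROTO_ESP:
        return parse_esp_null(data)
    raise ValueError("not an IPsec protocol: %d" % proto)


class ReplayCheck:
    """Per-SA (keyed by SPI) sequence check: reject repeats and anything older than the window.
    The 'seen' sets grow without bound; a real receiver keeps a sliding bitmap instead."""
    def __init__(self, window=64):
        self.window, self.highest, self.seen = window, {}, {}

    def accept(self, spi, seq):
        hi = self.highest.get(spi, 0)
        if seq <= hi - self.window or seq in self.seen.setdefault(spi, set()):
            return False
        self.seen[spi].add(seq)
        self.highest[spi] = max(hi, seq)
        return True


# Constructed sample packets (not captured traffic): next header 6 = TCP.
AH_PACKET = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1) + b"\x11" * ICV_LEN + b"TCP-SEGMENT"
ESP_PACKET = struct.pack("!II", 0x2000, 5) + b"hello" + b"\x01" + bytes([1, 6]) + b"\x22" * ICV_LEN
```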

Page 15

Negotiated Security Options

Do not authenticate

Request inbound and outbound: a host responds to both IPsec and unauthenticated (non-IPsec) requests; it initiates communications with IPsec, and if that fails, falls back to unauthenticated communications

Require inbound and request outbound: a host responds to inbound traffic secured by IPsec, and ignores unauthenticated requests; it initiates communications with IPsec, and if that fails, falls back to unauthenticated communications

Require inbound and require outbound: a host requires IPsec-secured communications for both inbound and outgoing requests

Require inbound and clear outbound

Page 16

IPsec Tunnel

(diagram: integrity / encryption / authentication to the intranet)

End points can be a single host or act as a gateway; the gateway acts as the end-point for integrity, encryption and authentication

Traffic on the intranet is not protected by IPsec

IPsec gateway includes IPsec DoS Prevention, which reduces DoS attacks from the key management protocols IKE & AuthIP

Page 17

IPsec Access Options

(diagram: integrity / encryption / authentication to the intranet)

Tunnel 1: machine auth

Tunnel 2: machine & user auth

ESP NULL (transport mode): machine and user auth to intranet server

ESP (transport mode): encryption and authentication to intranet server

Selective authentication onto endpoint servers

Page 18

Client Location

(diagram: Internet and corporate intranet; DNS 1 is the IP-configured DNS address; DNS 2 serves the corp.example.com zone)

To resolve names on the Internet, the DirectAccess host queries DNS 1

To resolve names on the intranet, the DirectAccess host queries DNS 2

Page 19

How Does It Do That?

Name Resolution Policy Table (NRPT) to the rescue: the NRPT allows the definition of which DNS servers to query based on the namespace to be resolved

The NRPT can point DNS queries for corp.example.com to the intranet DNS server; all other DNS queries are sent to the DNS server address configured in the client IP settings

Page 20

NRPT

There is a special entry in the table to direct DNS queries for an internal HTTPS website to the DNS servers configured in the client IP settings. For example: queries for nls.corp.example.com always go to the IP-configured DNS address, and this name is not resolvable on the Internet

(diagram: Internet and corporate intranet; DNS 1 is the IP-configured DNS address; DNS 2 serves the corp.example.com zone, including nls.corp.example.com)

NRPT: corp.example.com: query DNS 2; all other namespaces query the DNS server configured in the client IP settings

No NRPT

Page 21

Viewing the NRPT

Page 22

NRPT Inside/Outside

NRPT enabled by default

If the client can access an internal HTTPS website (https://nls.corp.example.com): considered to be on the intranet, NRPT disabled

No access to the secure website: considered to be on the Internet, NRPT remains enabled
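The NRPT behaviour on pages 19 to 22, as an added model in Python (not Microsoft code): namespace rules select the DNS server by longest suffix match, the NLS name is exempted so it always goes to the IP-configured server, and the whole table is switched off when the NLS probe succeeds. The server labels DNS1/DNS2, the sample rule table and the `nls_reachable` flag standing in for the HTTPS probe are assumptions.

```python
IP_CONFIGURED_DNS = "DNS1"   # server from the client's IP settings (used on the Internet)
INTRANET_DNS = "DNS2"        # server the NRPT rule points the corporate namespace at

# NRPT namespace rules: suffix -> DNS server to query (constructed sample table)
NRPT_RULES = {
    "corp.example.com": INTRANET_DNS,
}
# The special NLS entry: always resolved via the IP-configured DNS, never via a rule
NRPT_EXEMPTIONS = {"nls.corp.example.com"}


def nrpt_enabled(nls_reachable):
    """NRPT is on by default; reaching https://nls.<corp> means 'inside', so the table is switched off."""
    return not nls_reachable


def matching_rule(name):
    """Return the longest NRPT suffix that matches the name, or None."""
    best = None
    for suffix in NRPT_RULES:
        if name == suffix or name.endswith("." + suffix):
            if best is None or len(suffix) > len(best):
                best = suffix
    return best


def choose_dns(name, nls_reachable):
    """Decide which DNS server a DirectAccess client sends a query to."""
    name = name.lower().rstrip(".")
    if not nrpt_enabled(nls_reachable):
        return IP_CONFIGURED_DNS      # on the intranet: normal DNS client behaviour
    if name in NRPT_EXEMPTIONS:
        return IP_CONFIGURED_DNS      # NLS name goes to the IP-configured DNS so the probe fails on the Internet
    rule = matching_rule(name)
    return NRPT_RULES[rule] if rule else IP_CONFIGURED_DNS
```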

Page 23

Putting it All Together (diagram: Internet side with 6to4 relay, 6to4 host/router, IPHTTPS host, NAT devices, HTTPS server, Teredo host, Teredo server & relay; DirectAccess server; ISATAP router on the corporate intranet)

Page 24

DirectAccess Management Console

Page 25

Before Running Setup

DNS server requires the isatap block to be removed

Computer certificates must be issued to computers

Server certificates must be issued to: the DA server, with the external DNS name in the certificate; the NLS web server, with the nls URL address in the certificate

CRL distribution should be configured in the certificate

CRL distribution location must be available on both the Internet and intranet

Page 26

Authentication to Servers

IPsec ESP NULL can be used for authentication to end-point servers

Provides another layer of protection; can control which servers are available from the DA host; requires 2008 end-point servers

IPsec does not work over IPv6 for Windows 2003

Two-factor authentication can be enabled for end-to-end authentication

Requires 2008 domain functional level

Page 27

DirectAccess Setup

Configures on the DA server: 6to4 relay; Teredo server and relay; IPHTTPS server; ISATAP

Creates group policy for IPsec rules for: DA server IPsec tunnel; DA client IPsec tunnel; DA clients and servers requiring end-point authentication

Page 28

DirectAccess Setup (continued)

Creates group policy for client configuration: enable and supply addresses for 6to4 relay, Teredo server and relay, IPHTTPS server

Enable and configure NRPT; enable inside/outside probe

DA server and DA clients must be members of the domain

Page 29

Windows DirectAccess

The DA server represents a single point of failure

Functionality can be split across multiple servers for performance

For HA, run the DA server as a VM in a Hyper-V cluster; this does not guarantee DA service availability; Live Migration is available in Windows 2008 R2

Load balancing option available with UAG

Page 30

All Done

(diagram: corporate intranet and Internet)

Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4

Internet tunnelling selection based on client location – Internet, NAT, firewall

Encryption/authentication of Internet traffic (end-to-edge/end-to-end); PKI required

Client location detection: Internet or corporate intranet

Page 31

Resources

www.microsoft.com/teched: Sessions On-Demand & Community

http://microsoft.com/technet: Resources for IT Professionals

http://microsoft.com/msdn: Resources for Developers

www.microsoft.com/learning: Microsoft Certification & Training Resources

Page 32

Related Content

Breakout Sessions: SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies; SIA306 Microsoft Forefront Unified Access Gateway: DirectAccess and Beyond; SVR315 IPv6 for the Reluctant: What to Know Before You Turn It Off

Interactive Theater Sessions: SVR08-IS End-to-End Remote Connectivity with DirectAccess

Page 33

My Sessions at TechEd

Breakout Sessions: SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?; SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin; SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies; SVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together

Interactive Theater Sessions: SVR08-IS End-to-End Remote Connectivity with DirectAccess

Page 34

Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

Page 35

Page 36

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.