WMS02 Direct Access Always Connected: Death of the VPN

Report
WMS02: Direct Access Always
Connected: Death of the VPN
Dan Stolts “ITProGuru”
Microsoft
[email protected]
http://Blogs.technet.com/danstolts or
http://ITProGuru.com
Twitter.com/ITProGuru
WMS02: Direct Access Always
Connected: Death of the VPN
• Direct Access Always Connected: Death of the VPN
Take a sprinkling of Windows 7, add Windows Server 2008 R2, IPv6
and IPsec and you have a solution that will allow direct access to
your corporate network without the need for VPNs. Come to this
session to see the ITProGuru (Dan Stolts) and learn how to
integrate DirectAccess into your environment. Can you see the
benefit of your users never having to connect to a VPN? Can you
see the benefit in your IT personal to be able to access remote
computers as long as they are connected to the Internet? Come to
this session to Learn how to control access to corporate resources
and manage Internet connected PCs through group policy.
Today’s Agenda
1. Core Infrastructure Optimization Model
2. Introduction to DirectAccess
3. Technical Introduction
4. Technical Detail
5. Summary
Network Access Infrastructure Optimization Model
Is IT a Cost Center or a Strategic Asset?
Cost
Center
No password
policies
More Efficient
Cost Center
Strong password
policy
Business
Enabler
Strategic
Asset
Strong password
policy
Strong
authentication
Perimeter
firewalls only
Host-based firewalls
Basic IPsec policies
Network
transactions are
authenticated;
may be encrypted
Antivirus not
required or installed
by default
Security suite
installed on clients
Health policies
enforced
Policy-based
network access with
auto-remediation
No remote access
policies
Remote access
available
Remote user
experience is
similar to local
Remote users are
an extension of the
network
IPv4-only network
IPv6 planning and
testing in progress
IPv6 blockers
removed,
addressing plan
complete
IPv6 is fully
deployed
Rationalized
Dynamic
Basic
Standardized
Network Access Vision
Identity:
Strong authentication required for all users
Authorization:
Computer health is validated or remediated before allowing network access
Protection:
All network transactions are authenticated and encrypted
Policies are based on identity, not on location
Evolving IT Challenges
Mobile Workforce
Mobile Data
Globalization
DirectAccess
DirectAccess:
More than Remote Access
Always
On
Manage
Out
Access
Policies
Protected
Transactions
Improved
productivity
"Light up"
remote clients
Pre-logon
health checks
and remediation
Supports
authenticated
transactions
Not user initiated
Decreases patch
miss rates
Replaces modal
"connect-time"
health checks
Supports encrypted
transactions
Simplified
connectivity
Applies GPOs to
remote computers
Full NAP integration
Authentication and
encryption mitigate
many attacks
VPNs connect the user to the network
DirectAccess extends the network to the computer and user
The Evidence
“Recently, a sales account executive and I had about an hour-long
drive back to the office from a customer site. With DirectAccess, he
was able
to log on to our network, access the documents he needed, and write
the proposal while I drove. By the time we got back to the office, he
was already hitting the send button to deliver the proposal.”
Rand Morimoto, President, Convergent Computing
www.microsoft.com/casestudies/Case_Study_Detail.aspx
?CaseStudyID=4000004062
DirectAccess:
Technical Foundation
Name Resolution:
DNS and NRPT
Data Protection:
IPsec
Connectivity:
IPv6
Connectivity:
IPv6… Can Do Without… But I Would Not!
• DirectAccess
requires IPv6
• If native IPv6 isn't
available, remote
clients use IPv6
transition technologies
IPv6 Options
DirectAccess works best if the
corporate network has native IPv6
deployed
Internet
Intranet
• The corporate network
can deploy native IPv6,
transition technologies,
or NAT-PT {protocol
translation}
NAT-PT
Native IPv6
IPv6 Transition Technologies
IPv4
Forefront UAG & DirectAccess: Better Together
MANAGED
Windows7
Windows7
UAG and DirectAccess better together:
1. Extends access to line of business servers with IPv4 support
2. Access for down level and non Windows clients
3. Enhances scalability and management
4. Simplifies deployment and administration
5. Hardened Edge Solution
Always On
DirectAccess
IPv6
IPv6
UNMANAGED
Vista
XP
Extend support
to IPv4 servers
IPv4
SSL VPN
Non
Windows
DirectAccess
Server
IPv4
+
PDA
IPv4
UAG is a hardened edge appliance available in HW and virtual options
provides
access
forextends
down
level
andtonon
Windows
clients
enhances
scale
and
management
with
integrated
LB
andinfrastructure
array
UAG UAG
improves
adoption
access
existing
UAG uses
wizards
and
tools
toand
simplify
deployments
and
ongoing
management
capabilities.
Name Resolution:
DNS and the NRPT (Name Resolution Policy Table)
DirectAccess
Connection
Internet
Connection
Remote DirectAccess clients use smart routing
for DNS queries by default
The Name Resolution Policy Table (NRPT) {client side
conditional forwarding} allows this to happen efficiently
DirectAccess sends name queries to intranet
DNS servers based on pre-configured namespace
Requirements for DirectAccess
Customer Knowledge
Should have a basic working knowledge of IPsec or TCP/IP
Should be interested in learning and deploying new technologies, such as
IPv6
DirectAccess Clients
Windows 7 Enterprise Edition or Windows 7 Ultimate Edition
Domain-joined computers
DirectAccess Server
Windows Server 2008 R2, Standard Edition or Higher
Domain-joined computers
Others
DNS Servers Supporting DirectAccess Clients - Windows Server 2008 SP2 or
later
A public key infrastructure (PKI) to issue computer certificates, smart card
certificates, and, for NAP, health certificates.
External Connectivity
IP Address
Assigned
by ISP:
IPv6 Address
Used to
connect:
Private
IPv4
Native IPv4
IPv6
Public
6to4IPv6
Teredo
Native
Supports native IPv6
6to4 tunnels IPv6 inside
IPv4 (protocol 41) (used
by public IPv4
addresses)
Teredo tunnels IPv6
inside IPv4 UDP (UDP
3544) (used by private
IPv4 addresses)
DirectAccess
Client
Native IPv6
6to4
Teredo
IP-HTTPS
IP-HTTPS tunnels IPV6
inside IPv4 SSL (TCP
443) if client can’t
connect using 6to4 or
Teredo
Internal IPv6
IPv6 Options
Native IPv6
Works with any server OS that supports
IPv6
Requires IPv6 infrastructure
Delivers best choice over time
ISATAP
DirectAccess works best if the
corporate network has native IPv6
deployed
Internet
Intranet
Tunnels IPv6 inside IPv4
Doesn’t require routing
infrastructure upgrades
Requires Windows Server 2008 or R2
NAT-PT {Protocol Translation}
NAT-PT
Translates IPv6 to IPv4
Works with any server OS
Is available in Forefront UAG
Native IPv6
IPv6 Transition Technologies
IPv4
External IPsec
IP-HTTPS
Encrypted IPsec+ESP
DirectAccess
Client
IPsec Hardware Offload
Supported
IPsec
Gateway
DirectAccess
Server
Internal IPsec Options
IPsec Tunnel Detail - Split Tunneling
DirectAccess
Client
Tunnel 1: Infrastructure Tunnel
Authentication: Computer
Certificate + NTLM
Client Access:
AD/DNS/Management
Tunnel 2: Intranet Tunnel
Authentication: Computer
Certificate + User Kerb
Client Access: Other available
resources
DirectAccess
Server
Multi Factor Credentials for Intranet Access
Two Factor Authentication (TFA) is
fully supported but not required
Edge-based enforcement is a smarter way to enforce TFA
Users are assigned a well-known SID when
they log on with a smartcard (S-1-5-65-)
Users may log on to a laptop without TFA
When users access corporate resources, the
IPsec authorization policy checks for the SID…
Name Resolution Policy Table
(NRPT)
Pertains to the client side only
Uses a static table to define
which DNS servers will be
used by the client for the
listed names
Is configurable via Group
Policy Objects (GPO) at
Computer Configuration/
Windows Settings/Name
Resolution Policy
NRPT
.ad.contoso.com
2001:db8:b90a:c7d8::178
2001:db8:b90a:c7d8::183
.lab.contoso.com
2001:db8:b90a:c7a8::202
.nls.contoso.com
2001:db8:b90a:c7e4::801
Can be viewed with
netsh name show policy
Demo
CLIENT EXPERIENCE…
Direct Access Deployment
Deployment Strategy
Prepare to monitor IPv6 traffic
Choose an access model (e.g., full
intranet access vs. selected server access)
Determine deployment scale
Deployment Process
Prepare infrastructure
Configure DirectAccess server
Customize policies, as needed
DirectAccess Monitoring
• Built-in to the
DirectAccess
feature installed on
the DA server
• Provides server
monitoring
information on
DirectAccess
components
DirectAccess:
More than Remote Access
Always
On
Manage
Out
Access
Policies
Protected
Transactions
Improved
productivity
"Light up"
remote clients
Pre-logon
health checks
and remediation
Supports
authenticated
transactions
Not user initiated
Decreases patch
miss rates
Replaces modal
"connect-time"
health checks
Supports encrypted
transactions
Simplified
connectivity
Applies GPOs to
remote computers
Full NAP integration
Authentication and
encryption mitigate
many attacks
VPNs connect the user to the network
DirectAccess extends the network to the computer and user
INFRASTRUCTURE PLANNING AND DESIGN (IPD) GUIDE
What are IPD Guides?
•
Guidance & best practices for infrastructure planning
of Microsoft technologies
Direct Access Guide Benefits
•
Presents common scenarios, decisions, and practices
in an easy-to-follow, step-by-step process for
designing DirectAccess infrastructure
• Provides a straightforward explanation of the
infrastructure required to allow client connectivity from
any network to resources on the corporate network
• Assists the reader in deploying DirectAccess for
situations
“At the end of the day, IT operations
where the organization hasn’t started IPv6
is really about running your
implementation
business as efficiently as you can so
you have more dollars left for
innovation. IPD guides help us
It’s a free download!
achieve this.”
Go to www.microsoft.com/ipd
_
Peter Zerger, Consulting Practice Lead
for Management Solutions, AKOS
Technology Services
DirectAccess Architecture Deeper Dive
http://www.msteched.com/2010/NorthAmerica/WSV306
Shortcut..
http://bit.ly/DADeepDive
Dan Stolts “ITProGuru” Sessions
• 10:00 am WMS03: 10 Hot Topics Every IT
Admin Needs to Know about Windows
Server 2008 R2 SP1
• 11:15 am WMS02: Direct Access Always
Connected: Death of the VPN
• 3:15 pm WMS04: Monitoring and
Managing All Critical Infrastructure
Blog: ITProGuru.com
All Slides Available Now!
Your Feedback is Important
Please fill out a session evaluation form drop
it off at the conference registration desk.
Thank you!
WMS02: Direct Access Always Connected: Death of the VPN
•
•
•
•
Dan Stolts “ITProGuru”
Microsoft
Blog: ITProGuru.com
Twitter.com/ITProGuru

similar documents