Presentation Transcript
Forefront UAG 2010 DirectAccess and RDG

Idan Plotnik

Security Engineer

Forefront MVP

A word on wording
  • In Windows 7 / Windows Server 2008 R2, Terminal Services (TS) was renamed to Remote Desktop Services (RDS)
  • Other terminology changes:
      • Terminal Services Gateway (TSG) -> Remote Desktop Gateway (RDG)
      • Terminal Services Server -> Remote Desktop Session Host
      • TS Broker -> RD Connection Broker
How SSLVPN works …

RD/TS is published by tunneling its traffic, without IAG or any other SSLVPN being able to control the traffic.

Diagram: RD/TS Client (MSTSC) --RDP--> HTTPS Tunnel --> IAG --> RD Session Host (TS Server)

What’s new in UAG

In UAG, RD/TS client traffic goes over HTTPS. The HTTPS tunnel is terminated at UAG, therefore we can inspect the traffic. The traffic is then passed to the backend RD Session Host using the RDP protocol.

Diagram: RD/TS Client (MSTSC) --RDP over HTTPS--> UAG + RDG --RDP--> RD Session Host (TS Server)
New functionality
  • UAG seamlessly integrates Terminal Services / Remote Desktop Gateway (TSG/RDG) to provide an application-level gateway for RDS applications.
  • Enables employees to securely access applications that are hosted on a Terminal Server or on their internal workstation
  • Benefits:
        • Enhanced security
        • Granular policies based on client health:
              • no anti-virus -> no driver sharing
        • TS RemoteApps are integrated into the UAG portal side-by-side with Web applications
        • Single sign-on experience
DirectAccess
  • Providing seamless, secure access to enterprise resources from anywhere
Always On
  • Always connected
  • No user action required
  • Adapts to changing networks
Secure
  • Encrypted by default
  • 2 Factor AuthN
  • Strong Authentication!
      • Computer AuthN
      • User AuthN
  • Granular access control
  • Coexists with existing edge, health, and access policies
Manageable
  • Reach out to previously untouchable machines
  • Allows remote clients to process Group Policies
  • Ongoing updates (AV/WSUS etc …) from the internal infrastructure
  • NAP integration for health compliance
  • Consolidate Edge Infrastructure
Slide 12 (diagram): DirectAccess Client (Windows 7) connects across the Internet to Forefront UAG DirectAccess.
  • Tunnel over IPv4 UDP, HTTPS, etc.
  • Encrypted IPsec+ESP
  • Transition technologies shown: Native IPv6, 6to4, Teredo, IP-HTTPS
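As an added example (not code from the deck or from UAG itself), a Python model of the order in which a Windows 7 DirectAccess client works through the transports listed on this slide to reach the UAG server, and which rule the edge must admit for each. ClientNetwork and its fields are hypothetical inputs; the port/protocol strings are the documented DirectAccess requirements, not figures from the deck.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Ranges treated as "behind NAT" in this model (RFC 1918, CGNAT, loopback, link-local).
# Documentation ranges such as 203.0.113.0/24 are deliberately left as "public" so that
# constructed sample addresses can stand in for a real public address.
NAT_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                       "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

# What the edge in front of the DirectAccess server must admit for each transport.
EDGE_RULES = {
    "native-ipv6": "IPsec ESP (IP protocol 50) and IKE/AuthIP (UDP 500)",
    "6to4": "IP protocol 41 (IPv6-in-IPv4)",
    "teredo": "UDP 3544 to the server's two consecutive public IPv4 addresses",
    "ip-https": "TCP 443",
}

@dataclass
class ClientNetwork:
    """Hypothetical snapshot of what the Windows 7 client sees from its current location."""
    native_ipv6: bool        # global IPv6 address and route available
    ipv4: str                # address on the active IPv4 interface
    proto41_allowed: bool    # outbound IPv6-in-IPv4 is not filtered
    udp3544_allowed: bool    # outbound UDP to the Teredo server is not filtered
    tcp443_allowed: bool     # outbound HTTPS (possibly via a proxy) works

def is_public_ipv4(addr: str) -> bool:
    ip = ip_address(addr)
    return ip.version == 4 and not any(ip in net for net in NAT_RANGES)

def select_tunnel(c: ClientNetwork) -> Optional[str]:
    """Preference order: native IPv6, then 6to4 (public IPv4), then Teredo (private IPv4
    behind NAT), then IP-HTTPS. IP-HTTPS is last because on Windows 7 it wraps packets
    that are already IPsec-protected in TLS, doubling the encryption cost."""
    if c.native_ipv6:
        return "native-ipv6"
    if is_public_ipv4(c.ipv4) and c.proto41_allowed:
        return "6to4"
    if not is_public_ipv4(c.ipv4) and c.udp3544_allowed:
        return "teredo"
    if c.tcp443_allowed:
        return "ip-https"
    return None  # no transport usable from this network

def edge_rule_for(c: ClientNetwork) -> Optional[str]:
    """Edge firewall rule needed for this client to reach the DirectAccess server."""
    tunnel = select_tunnel(c)
    return EDGE_RULES.get(tunnel) if tunnel else None
```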

Slide 13 (diagram): Enterprise Network behind Forefront UAG DirectAccess, with Line of Business Applications.
  • Server types shown: Windows Server 2003, Windows Server 2008, Non-Windows Server
  • IPsec modes shown: No IPsec, IPsec Integrity Only (Auth), IPsec Integrity + Encryption

End-to-Edge encryption
  • Trusted, compliant, healthy machine
  • No overhead of encryption on application servers
  • Edge enforces machine/user authentication and data encryption
  • Least change from existing edge deployments

Diagram: Windows 7 client --Internet--> Forefront UAG DirectAccess --> Corporate Network [DC & DNS (Server 2008 SP2/R2); Applications & Data (non-IPsec enabled)]
  • IPsec ESP tunnel encryption using machine cert (DC/DNS access)
  • IPsec ESP tunnel encryption using UserKerb/Health Cert/Smartcard for broad network access
  • Clear text traffic from client flows through encrypted tunnel to Corporate network resources

End-to-Edge Encryption + End-to-End IPsec
  • Trusted, compliant, healthy machine
  • No overhead of encryption on application servers (just authentication)
  • DirectAccess Edge Encryption combined with End-to-End IPsec Server and Domain Isolation

Diagram: Windows 7 client --Internet--> Forefront UAG DirectAccess --> Corporate Network [DC & DNS (Server 2008 SP2/R2); Applications & Data (IPsec-enabled)]
  • IPsec ESP tunnel encryption using machine cert (DC/DNS access)
  • IPsec ESP tunnel encryption using UserKerb/Health Cert/Smartcard for broad network access
  • IPsec ESP-Null AuthIP transport traffic flows through encrypted tunnel to Corporate network resources

End-To-End IPsec Transport Encryption
  • Thin edge solution using IPsec
  • Denial of Service Protection (DoSP) service only allows IPsec & ICMP traffic
  • Full End-to-End IPsec Encryption
  • IP-HTTPS tunnel used for proxy scenarios only
  • Trusted, compliant, healthy machine

Diagram: Windows 7 client --Internet--> Forefront UAG DirectAccess --> Corporate Network [DC & DNS (Server 2008 SP2/R2); Applications & Data (IPsec-enabled)]
  • IPsec ESP-encrypted transport to access Corporate network resources

Slide 18: Forefront UAG DirectAccess
  • Extends access to LOB servers with IPv4 support
  • Access for down-level and non-Windows clients
  • Enhances scalability and management
  • Simplifies deployment and administration
  • Hardened Edge Solution

Diagram:
  • MANAGED clients: Windows 7 (IPv6, Always On, DirectAccess) -> Forefront UAG DirectAccess
  • UNMANAGED clients: Vista/XP, Non Windows, PDA (IPv4, SSL VPN) -> Forefront UAG
  • Forefront UAG extends support to IPv4 servers

UAG provides access for down-level and non-Windows clients.

UAG enhances scale and management with integrated LB and array capabilities.

UAG improves adoption and extends access to existing infrastructure.

UAG uses wizards and tools to simplify deployments and ongoing management.

UAG is a hardened edge appliance available in HW and virtual options.