slide1
Session Code: SEC302

Principal Knowledge Engineer/Principal Writer

Microsoft – SCD iX Solutions Team

DirectAccess Technical Overview and Security Considerations

Dr. Thomas W Shinder

slide3

What’s on Tap?

  • Technical Discussion of DirectAccess
    • Define DirectAccess
    • DirectAccess Infrastructure Technologies
    • Deploying DirectAccess
    • DirectAccess Security Issues
slide4

Assumptions

  • You’ve heard of IPsec
  • You’re comfortable with IPv4
  • You’ve worked with Active Directory authentication and AuthN protocols
  • You’ve worked with Active Directory Group Policy
  • You’ve heard of Network Load Balancing (NLB)
  • You’ve worked with DNS
  • You’ve worked with certificates (PKI)
  • You don’t know anything about IPv6
  • You want to know more about the technologies that support a DirectAccess solution
slide5

Define DirectAccess – 30,000 Foot Description

  • Always on – bidirectional remote access connection
    • Not a VPN!
    • Extends intranet management to all corporate computers
    • Makes “always managed” a reality
  • Core requirements
    • Windows 7 Enterprise or Ultimate
    • Windows Server 2008 R2 for the DirectAccess Server
    • DirectAccess Client and Server are domain members
  • Two “flavors” of DirectAccess
    • Vanilla – Windows DirectAccess
    • Vanilla Chocolate Swirl – Forefront UAG DirectAccess

DirectAccess is an Enterprise Solution:

  • No support for Windows 7 Professional
  • Requires two consecutive public IPv4 addresses
  • Cannot NAT to the DirectAccess server
  • Value depends on enterprise management infrastructure

slide6

Define DirectAccess – Windows DA and UAG DA

  • Windows DirectAccess
    • Windows Server 2008 SP2 or 2008 R2 DC required
    • Windows Server 2008 SP2 or 2008 R2 DNS required
    • IPv6 capable intranet resource access only
    • Limited HA
  • UAG DirectAccess
    • Only the UAG DirectAccess server must be Windows Server 2008 R2
    • Can have mix of IPv4/IPv6 intranet resources
    • Built-in HA with UAG DirectAccess arrays and NLB
  • Today’s focus is UAG DirectAccess
slide7

Define DirectAccess – Always-On Employees

  • Employee on Corpnet
    • Turn on laptop and connects to intranet
  • Employee at home
    • Turn on laptop and connect to intranet
  • Employee at Hotel or Conference Center
    • Turn on laptop and connect to intranet
  • User experience is the same regardless of location
  • When on intranet – connect over local interface
  • When on Internet – connect over DirectAccess
  • Internet access method may differ (split tunneling by default, or force tunneling through the intranet)
slide8

Define DirectAccess – Always-on IT

  • Laptop on the intranet– Always Managed
    • Group Policy updates
    • Applications deployed
    • Remote assistance initiated by IT
    • Password changes CTRL+ALT+DEL
  • Laptop on the Internet – Always Managed
    • Group Policy update
    • Applications deployed
    • Remote assistance initiated by IT
    • Password change CTRL+ALT+DEL
  • Internal or External – no difference
slide9

DirectAccess – Infrastructure Technologies

  • IPv6 and related technologies
  • IPsec and Windows Firewall with Advanced Security (WFAS)
  • Name Resolution Policy Table (NRPT)
  • Network Location Detection (NLS)
slide10

Infrastructure Technologies – IPv6

  • Why-oh-why IPv6?
    • Solves IPv4 address depletion problem
    • Addressing method of the future
    • New IPv6 transition technologies in Windows Server 2008+ and Windows 7 actually make IPv6 deployable
    • Provides globally unique addresses (prevents the “hotel has the same network ID as the office” scenario) for all nodes
    • Enables true end-to-end connectivity and security (no NAT!)
slide11

Infrastructure Technologies – IPv6 Transition Technologies

  • Connecting IPv6 over the IPv4 Internet
    • 6to4
    • Teredo
    • IP-HTTPS
  • Connecting IPv6 over the IPv4 intranet
    • Intra-site Automatic Tunnel Addressing Protocol (ISATAP)
slide12

Infrastructure Technologies – 6to4

  • 6to4 encapsulates IPv6 packets in an IPv4 header (Protocol 41)
  • Requires that IP Protocol 41 be open between DirectAccess client and DirectAccess server
  • Used when the DirectAccess client has a public IP address
  • Connects the DirectAccess client to the 6to4 relay (automatically installed on the UAG DirectAccess server)
  • 6to4 address *is* an IPv6 address
    • DirectAccess client registers this address with corporate DNS
    • Internal hosts can reach the 6to4 enabled DirectAccess client using the 6to4 IPv6 address
    • 6to4 hosts can communicate with one another (potential security consideration, discussed later)
slide13

Infrastructure Technologies - Teredo

  • Teredo encapsulates IPv6 packets in IPv4 header (UDP transport)
  • Used when DirectAccess client behind a NAT (assigned private address)
  • Requires UDP port 3544 be open between DirectAccess client and server
  • Connects to corporate resources through Teredo server and Teredo relay (automatically configured on UAG DirectAccess server)
    • Teredo server – enables Teredo client address configuration
    • Teredo relay – enables access to the resources on intranet
  • Teredo address *is* an IPv6 address
    • DirectAccess client registers this address with corporate DNS
    • Internal hosts can reach the Teredo enabled DirectAccess client using the Teredo address
    • Teredo hosts can communicate with one another (potential security consideration, discussed later)
slide14

Infrastructure Technologies – IP-HTTPS

  • IP-HTTPS encapsulates IPv6 in IPv4, TCP and HTTP headers (and TLS encryption of HTTP) – TCP Port 443
  • IPv6 Transition Technology of “last resort”
  • IP-HTTPS used when 6to4 and Teredo connectivity not available
  • UAG DirectAccess wizard configures DirectAccess server as IP-HTTPS server
    • Requires web site certificate for IP-HTTPS Listener (public or private cert)
  • Typically used when the DirectAccess client is behind a port-restricted firewall or web proxy
    • The web proxy must not require authentication: the DirectAccess client cannot authenticate to a proxy
    • A netsh command is required to tell the DirectAccess client (WinHTTP) the web proxy address
      • netsh winhttp import proxy source=ie
  • Required for “Force Tunneling”
  • Double encryption (IPsec inside HTTPS) and protocol overhead reduce performance
slide15

Infrastructure Technologies - ISATAP

  • Used on intranet to tunnel IPv6 messages over IPv4 network (IP Protocol 41)
  • Address assignment via ISATAP router
    • UAG DirectAccess server configured as ISATAP router by UAG DirectAccess wizard
    • You remove “isatap” from the DNS global query block list and create an ISATAP host (A) record pointing at the internal address of the UAG DirectAccess server
    • Windows Vista+/2008+ clients automatically configure themselves as ISATAP hosts once the ISATAP name resolves
  • ISATAP addresses registered in DNS
  • DirectAccess clients on Internet connect to intranet ISATAP IPv6 addresses
  • TIP: Do not disable IPv6 on ISATAP hosts
slide16

Infrastructure Technologies – NAT64/DNS64 (1/3)

  • NAT64 and DNS64 are the current IPv6/IPv4 Translation Technologies
  • Enables access to IPv4-only resources
    • Server OS might be IPv4-only (Windows 2000/2003)
    • Server application might be IPv4-only (IPv4-only service on a IPv6 capable OS)
  • Extends DirectAccess client reach to:
    • Native IPv6 networks
    • IPv6 capable networks (non-native IPv6, but ISATAP capable/some native)
    • IPv4-only network or IPv4 servers, services or segments
  • Available with UAG only!
slide17

Infrastructure Technologies – NAT64/DNS64 (2/3)

  • DirectAccess client always uses IPv6 to communicate with DirectAccess server
  • NAT64/DNS64 translates the IPv6 communications to IPv4 communications
  • NAT64/DNS64 translates IPv4 responses to IPv6 responses
  • No support for reverse NAT64
    • Management stations cannot initiate connections to DirectAccess clients over NAT64/DNS64 (reduces “manage out” capabilities a bit)
    • Like other NAT solutions, protocols that embed addresses in the application layer protocol can be problematic (OCS client)
  • Enables scenarios where the UAG DirectAccess server is the only Windows Server 2008 R2 server on the network
slide19

Infrastructure Technologies: Summary of IPv6 and Related Technologies

  • Windows DirectAccess requires IPv6 from end to end
  • UAG DirectAccess with NAT64/DNS64 enables DirectAccess clients to connect to IPv4 resources through IPv6/IPv4 protocol translation
  • DirectAccess client always uses IPv6 to communicate with DirectAccess server
  • DirectAccess client can use the following IPv6 transition technologies to tunnel IPv6 packets over the IPv4 Internet:
    • 6to4 (when DirectAccess client has public IP address)
    • Teredo (when DirectAccess client has private IP address)
    • IP-HTTPS (when 6to4 or Teredo can’t be used)
  • ISATAP is used on the intranet to tunnel IPv6 messages over an IPv4 intranet
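The four address formats summarized above can be decoded from the addresses alone, which is how a responder tells a 6to4 client from a Teredo client, recovers the public IPv4 address and NAT-mapped port behind a Teredo address, or maps a NAT64 destination back to its IPv4 server. The decoder below is an added example for this transcript, not Microsoft’s code: it follows the address layouts fixed by RFC 3056 (6to4), RFC 4380 (Teredo), RFC 5214 (ISATAP) and RFC 6052 (NAT64). The sample addresses are constructed; the NAT64 prefix is assumed to be the RFC 6052 well-known prefix, so pass the prefix UAG actually assigned if you know it.

```python
import ipaddress

# Prefixes fixed by the RFCs. The NAT64 prefix is an assumption: UAG assigns
# its own /96, so callers can override it.
SIXTO4 = ipaddress.IPv6Network("2002::/16")            # RFC 3056
TEREDO = ipaddress.IPv6Network("2001::/32")            # RFC 4380
NAT64_WELL_KNOWN = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052


def classify(text, nat64_prefix=NAT64_WELL_KNOWN):
    """Return a dict describing which transition technology produced `text`."""
    addr = ipaddress.IPv6Address(text)
    raw = addr.packed  # 16 bytes, network byte order

    if addr in SIXTO4:
        # 2002:WWXX:YYZZ::/48 -- the client's public IPv4 sits in bytes 2..5.
        return {"kind": "6to4",
                "client_public_ipv4": str(ipaddress.IPv4Address(raw[2:6])),
                "transport": "IP protocol 41 to the 6to4 relay"}

    if addr in TEREDO:
        # 2001:0:<server v4>:<flags>:<~port>:<~client v4>. The port and client
        # address are stored XORed with all-ones (RFC 4380 section 4).
        flags = int.from_bytes(raw[8:10], "big")
        return {"kind": "teredo",
                "teredo_server": str(ipaddress.IPv4Address(raw[4:8])),
                # Top flag bit = cone NAT; Windows also randomizes other flag bits.
                "cone_nat": bool(flags & 0x8000),
                "mapped_udp_port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
                "client_public_ipv4": str(ipaddress.IPv4Address(
                    bytes(b ^ 0xFF for b in raw[12:16]))),
                "transport": "UDP 3544 to the Teredo server/relay"}

    if addr in nat64_prefix:
        # /96 mapping: the IPv4 destination is the last 32 bits.
        return {"kind": "nat64",
                "ipv4_destination": str(ipaddress.IPv4Address(raw[12:16]))}

    # ISATAP interface ID is 0000:5efe:w.x.y.z (0200:5efe when the IPv4 is global).
    if raw[8:10] in (b"\x00\x00", b"\x02\x00") and raw[10:12] == b"\x5e\xfe":
        return {"kind": "isatap",
                "intranet_prefix": str(ipaddress.IPv6Network((addr, 64), strict=False)),
                "host_ipv4": str(ipaddress.IPv4Address(raw[12:16]))}

    # IP-HTTPS clients get addresses from the organization prefix, so they are
    # indistinguishable from native IPv6 hosts by address alone.
    return {"kind": "native-or-iphttps"}


# Constructed samples: the Teredo one is the RFC 4380 worked example
# (server 65.54.227.120, client 192.0.2.45 mapped to UDP port 40000).
SAMPLES = (
    "2002:cb00:7107::1",                     # 6to4 client at 203.0.113.7
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo client behind a cone NAT
    "fd00:0:0:1:0:5efe:10.0.0.12",           # ISATAP host 10.0.0.12 on the intranet
    "64:ff9b::192.0.2.10",                   # NAT64 path to IPv4-only server 192.0.2.10
    "2001:db8::1",                           # native (or IP-HTTPS) address
)

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify(sample))
```

A 6to4 or Teredo result tells you the peer is a DirectAccess client sitting on the Internet rather than an intranet host, which matters for the later point that such clients can reach each other outside IPsec; the decoded public IPv4 and port are what you correlate against the UAG server’s Teredo and 6to4 relay logs.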
slide20

Infrastructure Technologies: IPsec

  • IPsec support built into Windows since Windows 2000
  • Works with both IPv4 and IPv6
  • Supports two modes:
    • IPsec Transport Mode – protects packet payload from end to end
    • IPsec Tunnel Mode – protects entire packet from client to gateway
  • DirectAccess uses IPsec to:
    • Protect traffic between the DirectAccess client and DirectAccess server using IPsec tunnel mode
    • Protect traffic end to end between DirectAccess client and destination intranet server using IPsec transport mode
slide21

Infrastructure Technologies: IPsec Configuration for DirectAccess Clients

  • Windows Firewall with Advanced Security (WFAS) console
  • WFAS Group Policy and Group Policy snap-in
  • WFAS Connection Security Rules configuration:
    • Source and destination address (IPv6 addresses)
    • Authentication (Kerberos, NTLMv2, Certificates)
    • Encryption (DES, 3DES, AES128, AES192, AES256; DES is listed for completeness only and should not be used)
  • NEW! Dynamic tunnel endpoints
    • Create tunnel-mode Connection Security Rules that specify an address for only one endpoint of the tunnel
  • NEW! IPsec tunnel authorization with null encapsulation (AuthIP)
    • Not the same as ESP-NULL
slide22

Infrastructure Technologies: IPsec and Access Models

  • DirectAccess Infrastructure Tunnel (IPsec tunnel mode/management servers/computer account (NTLMv2) + certificate)
  • DirectAccess Intranet Tunnel (IPsec tunnel mode/user account (Kerberos) + computer certificate)
  • UAG DirectAccess Access Models
    • End to edge
    • End to end (referred to as Selected Server Access in Windows DirectAccess)
slide23

Infrastructure Technologies: Name Resolution Policy Table (NRPT) (1/2)

  • NEW! NRPT in Windows 7 and Windows Server 2008 R2
  • Used to support both DirectAccess and DNSSEC
  • NRPT enables “policy based routing” for DNS queries – examples:
    • DNS queries for *.contoso.com go to UAG DirectAccess DNS proxy
    • DNS queries for *.woodgrovebank.com go to UAG DirectAccess DNS proxy
    • DNS queries for everything else go to the locally configured DNS server
  • NRPT Exemption Rules - examples:
    • DNS queries for nls.contoso.com go to locally configured DNS server (NLS server exemption)
    • DNS queries for www.contoso.com to locally configured DNS server (split DNS infrastructure example)
slide24

Infrastructure Technologies: NRPT (2/2)

  • DirectAccess client speaks IPv6 only
  • DNS queries sent through the NRPT are for AAAA records only
    • DNS64 on the UAG DirectAccess server synthesizes AAAA answers for IPv4-only hosts

slide25

Infrastructure Technologies: Network Location Detection(1/2)

  • Network Location Awareness/Domain Determination
    • Detects if the client is connected to the intranet
    • Uses connectivity tests to a domain controller (any domain controller)
    • Determines what WFAS Profile to use
    • If intranet detected – Enable Domain WFAS Profile
    • If intranet not detected – Enable either Public or Private Profile (user choice)
    • DirectAccess firewall and Connection Security Rules are enabled by public or private WFAS profile – these turn on the infrastructure and intranet tunnels
  • Intranet Detection
    • Connect to SSL Web site (Network Location Server)
    • Success turns off NRPT
slide26

Infrastructure Technologies: Network Location Detection (2/2)

  • DirectAccess client on the intranet
    • Starts by assuming it is not connected to the intranet
    • Establishes an HTTPS connection to the Network Location Server and finds a DC
    • RESULT: Domain WFAS Profile activated and NRPT disabled – no DA tunnels
  • DirectAccess client on the Internet
    • Starts by assuming it is not connected to the intranet
    • Fails to establish an HTTPS connection to the Network Location Server
    • RESULT: Public or Private Profile activated and NRPT enabled – DA tunnels activated
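The NRPT slides and the two network location slides above describe one decision chain: the NLS probe decides whether the NRPT is active, and the NRPT decides where each query goes. The model below is an added example for this transcript, not Microsoft’s code; it reproduces that chain so the two failure modes a practitioner cares about are visible: an NLS that is reachable from the wrong place switches the client out of DirectAccess, and an NLS that is down on the intranet pushes intranet clients into the DirectAccess DNS path. The rules, names, the DNS64 address and the probe inputs are all constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class NrptRule:
    namespace: str                # ".contoso.com" = suffix rule, "nls.contoso.com" = single name
    dns_servers: Tuple[str, ...]  # empty tuple = exemption: use the locally configured DNS server


# Constructed rules mirroring the examples on the NRPT slide. The DNS server is
# the UAG DirectAccess server's intranet IPv6 address (assumed value).
RULES = (
    NrptRule(".contoso.com", ("2002:836b:1::1",)),  # intranet namespace -> UAG DNS proxy/DNS64
    NrptRule("nls.contoso.com", ()),                # NLS exemption: must resolve locally
    NrptRule("www.contoso.com", ()),                # split-DNS exemption: public site stays public
)


def nrpt_lookup(name: str, rules=RULES) -> Tuple[str, Optional[Tuple[str, ...]]]:
    """Most specific matching rule wins (longest namespace). Returns
    ("da_dns", servers) for a query sent through the DirectAccess tunnel or
    ("local", None) for a query answered by the interface's own DNS server."""
    name = name.lower().rstrip(".")
    best: Optional[NrptRule] = None
    for rule in rules:
        ns = rule.namespace.lower()
        hit = name.endswith(ns) if ns.startswith(".") else name == ns
        if hit and (best is None or len(ns) > len(best.namespace)):
            best = rule
    if best is None or not best.dns_servers:
        return ("local", None)
    return ("da_dns", best.dns_servers)


def nls_probe(https_ok: bool, cert_trusted: bool, crl_reachable: bool) -> bool:
    """Simulated intranet detection. The HTTPS probe to the NLS only counts as
    success when the connection works, the certificate chains to a trusted CA
    and its CRL could be checked; any failure means 'not on the intranet'."""
    return https_ok and cert_trusted and crl_reachable


def client_state(on_intranet: bool) -> dict:
    """What a successful or failed NLS probe does to the client."""
    if on_intranet:
        return {"profile": "Domain", "nrpt_active": False, "da_tunnels": False}
    return {"profile": "Public/Private", "nrpt_active": True, "da_tunnels": True}


def resolve(name: str, state: dict, rules=RULES):
    """Where a query for `name` goes given the client's current location state."""
    if not state["nrpt_active"]:
        return ("local", None)
    return nrpt_lookup(name, rules)


if __name__ == "__main__":
    scenarios = (
        ("office, NLS healthy", nls_probe(True, True, True)),
        ("office, NLS down", nls_probe(False, True, True)),
        ("hotel", nls_probe(False, False, False)),
    )
    for label, probe in scenarios:
        state = client_state(probe)
        for host in ("sharepoint.contoso.com", "nls.contoso.com", "www.contoso.com", "example.com"):
            print(f"{label:20} {host:24} {state['profile']:15} {resolve(host, state)}")
```

Two things fall out of running it. The NLS name must be an exemption because the probe has to reach the NLS before the NRPT is switched off, and the probe must be impossible from the Internet (name not resolvable externally, certificate and CRL only satisfiable inside), since a successful probe from a hostile network would drop the tunnels and send intranet names to whatever DNS server that network hands out. Conversely, when the NLS is unreachable on the intranet the client behaves as if it were on the Internet, which is why the deck calls for a highly available NLS.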
slide27

DirectAccess Deployment

  • Infrastructure requirements
  • UAG DirectAccess solution requirements
  • Service configuration before deployment
  • The UAG DirectAccess Setup Wizard
  • The UAG DirectAccess Options and Advantages
  • DirectAccess Security Issues
slide28

UAG DirectAccess Deployment: Infrastructure Requirements (1/3)

  • Active Directory
    • UAG DirectAccess server and DirectAccess clients must be domain members
    • Dependencies on Group Policy and Active Directory Certificate mapping (DS Mapper for IP-HTTPS clients to enable mutual certificate authentication)
    • Active Directory authentication (Certificate/NTLMv2/Kerberos)
    • Windows Server 2008 or later domain controllers (or functional level) are not required
  • DNS
    • Any DNS server – Windows or non-Windows
    • Prefer DNS server that can dynamically register IPv6 addresses, though not required
slide29

UAG DirectAccess Deployment: Infrastructure Requirements (2/3)

  • Public Key Infrastructure
    • Assign computer certificates to DirectAccess clients
    • Assign web site certificate to Network Location Server
    • Assign web site certificate to IP-HTTPS listener on DirectAccess server
    • CRL for the CA must be accessible for NLS and IP-HTTPS certificates


slide30

UAG DirectAccess Deployment: Infrastructure Requirements (3/3)

  • Network Location Server
    • Used for intranet detection
    • Highly available SSL Web site
    • Responsible for disabling the NRPT
  • UAG DirectAccess Server running on Windows Server 2008 R2
    • Two consecutive public IP addresses on external NIC
    • Computer certificate for IPsec authentication/encryption
    • Web site certificate (server authentication) for IP-HTTPS listener
  • DirectAccess clients running Windows 7 (Enterprise or Ultimate) or Windows Server 2008 R2 (branch office scenario)
    • Computer certificate for IPsec authentication/encryption (autoenrollment)
slide31

UAG DirectAccess Deployment: Service Configuration

  • Create Global Groups for DirectAccess clients and “end to end” (Selected Server) destination servers
  • Remove ISATAP from the DNS query block list
  • Configure computer certificate autoenrollment
  • Configure intranet DNS with name of Network Location Server
  • Configure intranet DNS with mapping for ISATAP (internal address of UAG DirectAccess server)
  • Configure public DNS with name on IP-HTTPS certificate
  • Configure Internet and back-end firewall (as needed)
  • Confirm internal network access to NLS certificate CA’s CRL
  • Confirm external network access to IP-HTTPS certificate CA’s CRL
slide33

Deploying DirectAccess: What does the Wizard Do? (1/2)

  • Create and (optionally) deploy a DirectAccess clients Group Policy Object
    • Configures IPv6 transition technologies
    • WFAS Firewall and Connection Security rules
    • Sets NRPT entries
    • Sets Network Location Server address
  • Creates and deploys a DirectAccess servers Group Policy Object
    • WFAS Firewall and Connection Security rules
  • Creates and deploys an Application Servers Group Policy Object
    • WFAS Firewall and Connection Security rules

But that’s not all!

slide34

Deploying DirectAccess: What did the Wizard Do? (2/2)

  • Configure the UAG DirectAccess server as an ISATAP router
  • Configure the UAG DirectAccess server as a 6to4 relay
  • Configure the UAG DirectAccess server as a Teredo server and relay
  • Configure the UAG DirectAccess server as an IP-HTTPS server
  • Configure the UAG DirectAccess server as a NAT64/DNS64 IPv6/IPv4 Protocol Translator
  • Configure the TMG firewall to support DirectAccess connectivity
  • Register the Corporate DNS Probe Host Name in DNS
  • Configure the HOSTS file (in an array deployment)
slide35

Deploying DirectAccess: UAG DirectAccess Advantages and Options (1/2)

  • Enables access to IPv4 only network, IPv4 only resources or IPv4 segments
    • Courtesy of NAT64/DNS64
  • High Availability
    • Built-in support for using NLB with bidirectional affinity
    • Built-in support for UAG DirectAccess arrays
  • Centralized configuration
    • Configure on the array manager
    • Automatically deploys configuration to other array members
  • Consolidate all remote access using a single solution
    • Web portal/reverse proxy
    • SSL VPN (port/socket forwarding; Network Connector is not supported on the DirectAccess server)
    • Network Level VPN (SSTP)
    • DirectAccess
slide36

Deploying DirectAccess: UAG DirectAccess Options and Advantages (2/2)

  • Integrated support for Network Access Protection (NAP)
    • Requires an existing internal NAP infrastructure; integration is then automatic
  • Integrated support for two-factor authentication
    • Requires an existing internal smart card infrastructure; integration is then automatic
    • One-time passwords (OTP) are also supported
  • Supports concurrent use for network level VPN connections
    • Host the SSTP server on the UAG DirectAccess server
    • Enables support for incompatible applications (not IPv6 aware)
    • When SSTP client connects – DirectAccess configuration disabled
      • VPN connection enables Domain Profile
      • Turns off the NRPT
      • Disables the DirectAccess Connection Security Rules
slide37

Deploying DirectAccess: Security Considerations (1/2)

  • Default configuration is to enable split tunneling
    • Configure “Force Tunneling” to disable split tunneling
  • ICMPv6 is exempted from IPsec protection by default
    • Can configure ICMPv6 with IPsec protection
    • Doing so disables Teredo client connectivity (Teredo depends on unprotected ICMPv6 exchanges)
  • Local Name Resolution falls back to NetBIOS and Link-Local Multicast Name Resolution (LLMNR) when a name is absent from DNS or the DNS server is unavailable
    • On an untrusted network these broadcast/multicast protocols let any local host answer for a name, so treat the fallback as an exposure
    • Local name resolution behavior is configurable in the UAG DirectAccess wizard
  • DirectAccess clients on the Internet are able to communicate with each other without IPsec protection
    • Can configure Connection Security Rules to force IPsec protection
slide38

Deploying DirectAccess: Security Considerations (2/2)

  • All mobile clients (DirectAccess enabled or not) need BitLocker
    • Boot PIN should also be required
  • All clients (DirectAccess enabled or not) need AV/AM protection
  • Two factor log on significantly improves DirectAccess security
  • Strong enterprise management is key to secure DirectAccess deployment
  • Disable the computer account (and revoke its computer certificate) to block connections from stolen clients
resources
Resources
  • The Edge Man Blog
  • Test Lab Guide Wiki Site
  • DirectAccess Planning and Deployment Guide
  • UAG DirectAccess Planning and Deployment Guide
  • Book: Deploying UAG 2010
  • DirectAccess in the Enterprise: Best Practices
    • SEC310
    • Artyom Sinitsyn
    • HALL C1 – 11:00 AM
    • Be there!
questions
Questions?
  • SEC 302
  • Dr. Thomas W Shinder
    • Principal Knowledge Engineer/Principal Writer
    • tomsh@microsoft.com
    • The Edge Man blog
  • You can ask your questions at “Ask the expert” zone within an hour after end of this session