Reinventing Remote Access With DirectAccess

Scott Roberts

Lead Program Manager

Microsoft

Session Code: WSV320

Agenda
  • Secure Access Landscape
  • Demo
  • DirectAccess Solution
    • Benefits
    • Deployment Models & Requirements
  • Name Resolution
  • Supporting Technologies
  • Diagnostics
  • Questions & Answers
Mobile Workforce

Increasingly Porous Perimeter

  • Mobile Data
  • Globalization
"Re-Perimeterization"

“My network is where my buildings are”

  • How to manage, monitor, and support remote users/machines all the time?
  • How to simplify remote workers’ access?

“My network is where my users and assets are”

Industry Trends

Assume the underlying network is always insecure.

Redefine the corporate edge to protect the datacenter.

Security policies based on identity, not location.

Diagram labels: Enterprise Network; DirectAccess Server; Internet; Data Center and Business Critical Resources; Local User; Remote User.
Windows Server 2008 R2 Addressing Enterprise Needs
  • Work Anywhere Infrastructure using DirectAccess
DirectAccess
  • Providing seamless, secure access to enterprise resources from anywhere
Benefits of DirectAccess: Bringing the Corporate Network to the User

More productive

More secure

More manageable and cost effective

Always-on access to corpnet while roaming

No explicit user action required – it just works

Same user experience on premise and off

  • Simplified remote management of mobile resources as if they were on the LAN
  • Lower total cost of ownership (TCO) with an “always managed” infrastructure
  • Unified secure access across all scenarios and networks
  • Integrated administration of all connectivity mechanisms
  • Healthy, trustable host regardless of network
  • Fine grain per app/server policy control
  • Richer policy control near assets
  • Ability to extend regulatory compliance to roaming assets
  • Incremental deployment path toward IPv6
Always On
  • Always connected
  • No user action required
  • Adapts to changing networks
Secure
  • Encrypted by default
  • Works with Smartcards
  • Granular access control
  • Coexists with existing edge, health, and access policies
Manageable
  • Reach out to previously untouchable machines
  • Allows remote clients to process Group Policies
  • NAP integration for health compliance
  • Consolidate Edge Infrastructure
Diagram (slide 15): DirectAccess Client (Windows 7) across the Internet to the DirectAccess Server (Server 2008 R2). Labels: Tunnel over IPv4 UDP, HTTPS, etc.; Encrypted IPsec+ESP; Native IPv6; IPsec Gateway; 6to4; Teredo; IP-HTTPS; IPsec Hardware Offload Supported.
Enabling IPv6 in the Enterprise

Option 1 - ISATAP

Diagram labels: DirectAccess Server (Server 2008 R2); Line of Business Applications; IPv6; IPv4; Windows Server 2008/R2.
Enabling IPv6 in the Enterprise

Option 2 – NAT-PT

Diagram labels: DirectAccess Server (Server 2008 R2); Line of Business Applications; Windows Server 2003; Non-Windows; NAT-PT; DNS-ALG; IPv6; IPv4.
Diagram (slide 18): Enterprise Network with DirectAccess Server (Server 2008 R2) and Line of Business Applications. Labels: No IPsec; IPsec Integrity Only (Auth); IPsec Integrity + Encryption; Windows Server 2003; Windows Server 2008; Non-Windows Server; IPsec Gateway; IPsec Hardware Offload Supported.
Deployment Scenario: End-to-Edge Encryption
  • No overhead of encryption on application servers
  • Edge enforces machine/user authentication and data encryption
  • Least change from customer’s existing edge deployments

Diagram: Windows 7 client (trusted, compliant, healthy machine) across the Internet to the DirectAccess Server (Server 2008 R2) on the Corporate Network, with DC & DNS (Server 2008 SP2/R2) and Applications & Data (non-IPsec enabled).
  • IPsec ESP tunnel encryption using machine cert (DC/DNS access)
  • IPsec ESP tunnel encryption using UserKerb/Health Cert/Smartcard for broad network access
  • Clear text traffic from client flows through encrypted tunnel to Corporate network resources
Deployment Scenario: End-to-Edge Encryption + End-to-End IPsec
  • No overhead of encryption on application servers (just authentication)
  • DirectAccess Edge Encryption combined with End-to-End IPsec Server and Domain Isolation

Diagram: Windows 7 client (trusted, compliant, healthy machine) across the Internet to the DirectAccess Server (Server 2008 R2) on the Corporate Network, with DC & DNS (Server 2008 SP2/R2) and Applications & Data (IPsec-enabled).
  • IPsec ESP tunnel encryption using machine cert (DC/DNS access)
  • IPsec ESP tunnel encryption using UserKerb/Health Cert/Smartcard for broad network access
  • IPsec ESP-Null AuthIP transport traffic flows through encrypted tunnel to Corporate network resources
Deployment Scenario: End-to-End IPsec Transport Encryption
  • Thin edge solution using IPsec
  • Denial of Service Protection (DoSP) service only allows IPsec & ICMP traffic
  • Full End-to-End IPsec Encryption
  • IP-HTTPS tunnel used for proxy scenarios only

Diagram: Windows 7 client (trusted, compliant, healthy machine) across the Internet to the DirectAccess Server (Server 2008 R2) on the Corporate Network, with DC & DNS (Server 2008 SP2/R2) and Applications & Data (IPsec-enabled).
  • IPsec ESP-encrypted transport to access Corporate network resources
Name Resolution Policy Table (NRPT)
  • New feature in Windows 7
  • Used by the DirectAccess client to determine which DNS server to use, based on namespace
  • New name resolution order:
    • Local cache
    • Hosts file
    • NRPT
    • DNS

NRPT
  • For any given query, if the domain matches an entry in the NRPT, the query is sent to the DNS servers specified in that NRPT entry
  • These are internal DNS servers: they do not need to be dedicated to DirectAccess, and they do not need to be in the DMZ
  • If the name does not match an NRPT entry, the query is sent to the DNS server configured for the interface
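As an added illustration (not code from the presentation or from Microsoft), the following Python model walks a query through the resolution order the slides describe: local cache, then hosts file, then NRPT namespace match, then the interface's DNS server. The namespaces, addresses and the longest-suffix matching rule are constructed assumptions for the model, not a statement of Windows internals.

```python
from dataclasses import dataclass, field

@dataclass
class NrptRule:
    namespace: str      # DNS suffix with a leading dot, e.g. ".corp.example"
    dns_servers: list   # internal DNS servers that receive queries for it

@dataclass
class ClientResolver:
    """Windows 7 order from the slides: cache -> hosts file -> NRPT -> interface DNS."""
    cache: dict = field(default_factory=dict)
    hosts: dict = field(default_factory=dict)
    nrpt: list = field(default_factory=list)
    interface_dns: list = field(default_factory=list)

    def match_nrpt(self, name):
        # Longest matching suffix wins (plain suffix match is this model's simplification)
        best = None
        for rule in self.nrpt:
            ns = rule.namespace.lower()
            if name.endswith(ns) and (best is None or len(ns) > len(best.namespace)):
                best = rule
        return best

    def resolve(self, name):
        """Return (stage, answer): which step answered the query and with what."""
        key = name.lower().rstrip(".")
        if key in self.cache:
            return ("cache", self.cache[key])
        if key in self.hosts:
            return ("hosts", self.hosts[key])
        rule = self.match_nrpt(key)
        if rule is not None:
            # Matched: query goes to the internal DNS servers named in the NRPT entry
            return ("nrpt", rule.dns_servers)
        # No match: query goes to the DNS server configured on the interface
        return ("interface-dns", self.interface_dns)

def sample_client():
    """Constructed sample client with two NRPT entries (all values hypothetical)."""
    return ClientResolver(
        cache={"portal.corp.example": "2001:db8:10::7"},
        hosts={"build.corp.example": "2001:db8:10::9"},
        nrpt=[NrptRule(".corp.example", ["2001:db8:1::53"]),
              NrptRule(".hr.corp.example", ["2001:db8:2::53"])],
        interface_dns=["192.0.2.53"],   # e.g. the hotel or ISP resolver
    )

if __name__ == "__main__":
    print(sample_client().resolve("payroll.hr.corp.example"))
```

Note that a public name such as www.example.com never matches the corporate suffixes and therefore goes to the interface resolver, while an internal name is answered by the internal DNS servers even when the client is on a foreign network.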
DirectAccess Supporting Technologies

Diagram: Windows 7 client (trusted, compliant, healthy machine) on the Corporate Network with DC & DNS (Server 2008 R2) and Applications & Data. Supporting technologies shown: Forefront UAG; IAG SP2; NAP (includes Server & Domain Isolation [SDI]); Forefront Client Security; Windows Firewall; BitLocker + Trusted Platform Module (TPM).
DirectAccess Supporting Technologies

Diagram labels: Internet; Forefront Client Security; Non-Compliant Client; Compliant Client; Unmanaged Client; NAP / NPS Servers; IPsec/IPv6; DA Server; IAG SP2; CORPNET User; CORPNET Compliant Network; Data Center and Business Critical Resources.
Diagram (slide 31): Windows 7 DirectAccess + UAG

UAG extends the benefits of Windows DirectAccess, enabling an easy migration path and enhanced scalability.
DirectAccess – Solution

UAG and DirectAccess better together:
  • Extends access to line of business servers with IPv4 support
  • Access for down-level and non-Windows clients
  • Enhances scalability and management
  • Simplifies deployment and administration
  • Hardened Edge Solution

Diagram labels: MANAGED: Windows 7, IPv6, Always On, DirectAccess; UNMANAGED: Vista/XP, Non-Windows, PDA, IPv4, SSL VPN; DirectAccess Server; Extend support to IPv4 servers.

  • UAG provides access for down-level and non-Windows clients
  • UAG enhances scale and management with integrated LB and array capabilities
  • UAG improves adoption and extends access to existing infrastructure
  • UAG is a hardened edge appliance available in HW and virtual options
  • UAG uses wizards and tools to simplify deployments and ongoing management
Diagnostics
  • Internet Explorer Diagnose Problem button
    • Enhanced to troubleshoot DirectAccess
  • Networking icon (right-click)
    • Troubleshoot problems option; supports providing a location; also has a DirectAccess entry point
  • Control Panel, Troubleshooting
    • Connect to a Workplace using DirectAccess
  • Command Prompt (elevated)
    • NETSH TRACE START SCENARIO=DIRECTACCESS
Windows 7 Builds on Windows Vista: Deployment, testing, and pilots today will continue to pay off
  • Similar compatibility:
    • Most software that runs on Windows Vista will run on Windows 7. Exceptions will be low-level code (AV, firewall, imaging, etc.).
    • Hardware that runs Windows Vista well will run Windows 7 well.
  • Few changes: focus on quality and reliability improvements
  • Deep changes: new models for security, drivers, deployment, and networking

Summary: Call to Action
  • Windows Server 2008 R2 offers great innovation for your Anywhere Access infrastructure
  • Learn more about DirectAccess
  • Start deploying Windows Server 2008 now to get ready
  • http://www.microsoft.com/directaccess
Resources
  • www.microsoft.com/teched
    • Sessions On-Demand & Community
  • www.microsoft.com/learning
    • Microsoft Certification & Training Resources
  • http://microsoft.com/technet
    • Resources for IT Professionals
  • http://microsoft.com/msdn
    • Resources for Developers

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.