
Secure Endpoint: DirectAccess and Microsoft Forefront Unified Access Gateway 2010, the Complete Remote Access Solution

Session SIA319. Ben Bernstein, Program Manager, Microsoft Corporation


Presentation Transcript


  1. Secure Endpoint: DirectAccess and Microsoft Forefront Unified Access Gateway 2010, the Complete Remote Access Solution (SIA319)
   Ben Bernstein, Program Manager, Microsoft Corporation
   Originally written by Principal Writer Dr. Tom Shinder for TechEd 2010 New Orleans; augmented for TechEd 2010 Berlin

  2. What’s on Tap?
   • Technical Discussion of DirectAccess
     • Define DirectAccess
       • 30K Foot Description
       • Always on
     • DirectAccess Infrastructure Technologies
       • IPv6 Transition Technologies
       • IPsec
       • Name Resolution Policy Table (NRPT)
       • Network Location Awareness
     • Deploying DirectAccess
     • Demo
   No DirectAccess marketing – you’ve heard that already

  3. Assumptions
   • You’ve heard of IPsec and maybe read a little about it
   • You’re comfortable with IPv4 TCP/IP networking
   • You’ve worked with Active Directory authentication and AuthN protocols
   • You’ve worked with Active Directory Group Policy
   • You’ve heard of NLB
   • You’ve worked with DNS
   • You’ve worked with certificates (PKI)
   • You don’t know anything about IPv6
   • You want to know more about the technologies that underlie a DirectAccess solution

  4. Define DirectAccess – 30,000 Foot Description
   Always on – bidirectional connection. Makes “always managed” a reality.
   • Core requirements
     • Windows 7 Enterprise or Ultimate
     • Windows Server 2008 R2 for the DirectAccess Server
     • DirectAccess Client and Server are domain members
   • Two “flavors” of DirectAccess
     • Vanilla – Windows DirectAccess (2008 DC required, IPv6 resources only)
     • Vanilla Chocolate Swirl – Forefront UAG DirectAccess

  5. Always-On
   Employees – Quick Anywhere Access
   • Turn on laptop and connect to stuff you need
     • Home, Hotel, Conference Center, or the Bus
   • Group Policy updates
   • Application installation
   • Remote assistance initiated by IT
   • Password changes (CTRL+ALT+DEL)
   • Internet access method might differ (force tunneling/split tunneling)
   IT – I’m not in the dark anymore

  6. What’s on Tap?
   • Technical Discussion of DirectAccess
     • Define DirectAccess
       • 30K Foot Description
       • Always on
     • DirectAccess Infrastructure Technologies
       • IPv6 Transition Technologies
         • Client Side
         • Server side
       • IPsec
       • Name Resolution Policy Table (NRPT)
       • Network Location Awareness
     • Deploying DirectAccess
     • Demo
   No DirectAccess marketing – you’ve heard that already

  7. Infrastructure Technologies – IPv6 Transition Technologies
   Uses IPv6
   • Solves the IPv4 address depletion problem
   • Windows 7/2008+ transition technologies enable it over IPv4
   • Unique addresses (prevents the “hotel has the same network ID as the office” scenario)
   • Enables true end-to-end connectivity and security (someday)

  8. Infrastructure Technologies – IPv6 Transition Technologies
   • Getting IPv6 over the IPv4 Internet
     • 6to4
     • Teredo
     • IP-HTTPS
   • Getting IPv6 over the intranet
     • NAT64
     • ISATAP (Intra-site Automatic Tunnel Addressing Protocol)
     • Native IPv6
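
As an added illustration that is not part of the deck, the following Python shows what the transition addresses on this slide actually look like: it derives the 6to4 site prefix and an ISATAP address from an IPv4 address, encodes and decodes a Teredo address (RFC 4380 stores the NAT-mapped client endpoint inverted), and classifies an IPv6 address back to the technology that produced it, which is what you need when reading DirectAccess client addresses in logs. The IPv4 addresses and the ISATAP prefix are constructed sample values.

```python
import ipaddress
# Constructed sample values (not from the slides): a client's public IPv4,
# a Teredo server IPv4 and a corp ISATAP prefix.
CLIENT_IPV4 = "203.0.113.10"
TEREDO_SERVER = "198.51.100.1"
ISATAP_PREFIX = "2001:db8:1::/64"

def sixtofour_prefix(public_ipv4: str) -> str:
    """6to4 (RFC 3056): the site gets 2002:WWXX:YYZZ::/48, W.X.Y.Z being its public IPv4."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return str(ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48)))

def isatap_address(prefix: str, ipv4: str, public: bool = False) -> str:
    """ISATAP (RFC 5214): <prefix>:[02]00:5efe:<ipv4>; bit 0x0200 marks a globally unique IPv4."""
    net = ipaddress.IPv6Network(prefix)
    iid = ((0x0200 if public else 0) << 48) | (0x5EFE << 32) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def teredo_encode(server: str, client: str, port: int, cone: bool = False) -> str:
    """Teredo (RFC 4380): 2001:0:<server>:<flags>:<port ^ 0xffff>:<client ^ 0xffffffff>."""
    v = (0x20010000 << 96) | (int(ipaddress.IPv4Address(server)) << 64)
    v |= (0x8000 if cone else 0) << 48                      # cone-NAT flag
    v |= (port ^ 0xFFFF) << 32                               # obfuscated external UDP port
    v |= int(ipaddress.IPv4Address(client)) ^ 0xFFFFFFFF    # obfuscated external IPv4
    return str(ipaddress.IPv6Address(v))

def teredo_decode(addr: str) -> dict:
    """Recover the Teredo server, the NAT-mapped client endpoint and the cone flag."""
    v = int(ipaddress.IPv6Address(addr))
    if v >> 96 != 0x20010000:
        raise ValueError("not a Teredo address")
    return {
        "server": str(ipaddress.IPv4Address((v >> 64) & 0xFFFFFFFF)),
        "cone": bool((v >> 48) & 0x8000),
        "port": ((v >> 32) & 0xFFFF) ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address((v & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }

def classify(addr: str) -> str:
    """Name the transition technology an address implies. IP-HTTPS clients get addresses
    from a prefix the DA server assigns, so by structure alone they look native."""
    v = int(ipaddress.IPv6Address(addr))
    if v >> 112 == 0x2002:
        return "6to4"
    if v >> 96 == 0x20010000:
        return "Teredo"
    if ((v >> 32) & 0xFDFFFFFF) == 0x5EFE:                  # IID = [02]00:5efe:w.x.y.z
        return "ISATAP"
    return "native or IP-HTTPS"
```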

  9. Infrastructure Technologies – Client Side
   • All addresses are registered in DNS as IPv6 addresses and are reachable by internal IPv6 clients

  10. Infrastructure Technologies – Corporate Side

  11. NAT64/DNS64 – The Flow
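
This slide is a diagram in the deck. As an added example (not the deck's or UAG's own code), the Python below walks the same flow: DNS64 passes real AAAA answers through and synthesizes AAAA records from A records only for IPv4-only hosts, using the RFC 6052 /96 embedding, and the NAT64 side recovers the IPv4 target from a synthesized destination. The NAT64 prefix and the zone entries are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed NAT64/DNS64 prefix and a tiny fake zone; neither comes from the
# slides. RFC 6052 also defines the well-known prefix 64:ff9b::/96 for this job.
NAT64_PREFIX = ipaddress.IPv6Network("2001:db8:64::/96")
ZONE = {
    "app4.intranet.contoso.com": {"A": ["10.1.2.3"]},                              # IPv4-only host
    "app6.intranet.contoso.com": {"A": ["10.1.2.4"], "AAAA": ["2001:db8:1::4"]},  # dual-stack host
}

def synthesize(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """RFC 6052 /96 embedding: the prefix in bits 0..95, the IPv4 address in bits 96..127."""
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4))))

def extract(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[str]:
    """NAT64 side: a destination inside the prefix is translated; anything else is not ours."""
    a = ipaddress.IPv6Address(ipv6)
    if a not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(a) & 0xFFFFFFFF))

def dns64_query(name: str) -> List[str]:
    """DNS64 side: real AAAA answers pass through untouched; only when the name has
    none are AAAA records built from its A records."""
    rr = ZONE.get(name.lower().rstrip("."), {})
    if rr.get("AAAA"):
        return list(rr["AAAA"])
    return [synthesize(a) for a in rr.get("A", [])]

def flow(name: str) -> Tuple[str, Optional[str]]:
    """The slide's flow end to end: the IPv6-only DA client resolves through DNS64,
    sends to the answer, and the NAT64 on the UAG translates only synthesized targets.
    Returns (IPv6 destination the client uses, IPv4 target after NAT64 or None)."""
    answers = dns64_query(name)
    if not answers:
        raise LookupError(f"{name}: no A or AAAA records")
    return answers[0], extract(answers[0])
```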

  12. What’s on Tap?
   • Technical Discussion of DirectAccess
     • Define DirectAccess
     • DirectAccess Infrastructure Technologies
       • IPv6 Transition Technologies
         • Client Side
         • Server side
       • IPsec
       • Name Resolution Policy Table (NRPT)
       • Network Location Awareness
     • Deploying DirectAccess
     • Demo
   No DirectAccess marketing – you’ve heard that already

  13. IPsec
   • Transport Mode
     • End to End
   • Tunnel Mode
     • Edge to Edge
     • End to Edge
   • Since Windows 2000
   • Works with both IPv4 and IPv6
   • Supports Suite B cryptography

  14. IPsec and DirectAccess
   • Two IPsec Tunnels (IPsec End to Edge)
     • Infrastructure (Black)
       • Management Servers
       • Computer Account (NTLMv2) + Cert
     • Intranet (Blue)
       • Everything but Management Servers
       • User Account (Kerberos) + Cert
   • Another mode
     • End to End inside a tunnel (Red)
     • End to End not through a tunnel (isn’t supported in UAG DirectAccess)
   • DirectAccess uses an augmented IKEv1 version called AuthIP
     • AuthIP supports two authentications in IKEv1
   • OTP Intranet tunnel uses Short Lived Certs instead of Kerberos

  15. What’s on Tap?
   • Technical Discussion of DirectAccess
     • Define DirectAccess
     • DirectAccess Infrastructure Technologies
       • IPv6 Transition Technologies
         • Client Side
         • Server side
       • IPsec
       • Name Resolution Policy Table (NRPT)
       • Network Location Awareness
     • Deploying DirectAccess
     • Demo
   No DirectAccess marketing – you’ve heard that already

  16. Name Resolution Policy Table (NRPT)
   • “Routing Policy for DNS Queries”:
     • *.intranet.contoso.com go to UAG DNS64
     • everything else goes to the local DNS server
   • Windows 7 and Windows Server 2008 R2
   • Configured in Group Policy; settings can be displayed in netsh
   • NRPT Exemption Rules – examples:
     • DNS queries for *.splitbrain.intranet.contoso.com go to the locally configured DNS server
     • DNS queries for ocs.contoso.com go to the locally configured DNS server
     • DNS queries for nls.contoso.com go to the locally configured DNS server (to enable understanding if you are in or out)
   • Used in force tunneling proxy mode
   • Used to support both DirectAccess and DNSSEC
   • Includes both AAAA and A in DirectAccess

  17. Network Location and DirectAccess
   • Network Location Information consumers:
     • NRPT (not to be applied when you are inside)
     • IPsec (apply WFAS; domain connectivity doesn’t mean domain profile anymore)
     • IP-HTTPS (spins up when there is no corp connectivity)
   • DirectAccess location settings include:
     • NLS Server – internal (highly available) HTTPS server
     • DNS probe of a unique name which is registered by UAG
     • Site prefixes
   Network Location Manager logic updated with NLS Server (domain profile is valid only when NLS is not reachable). IP-HTTPS checks for Internet connectivity using NLM; if there is one, it tries to check for corp connectivity using the new NLM logic: DNS probe and SitePrefix.

  18. Network Location Detection – An Example
   • DirectAccess client on the intranet
     • Assumes not connected to intranet
     • Establishes HTTPS connection to Network Location Server
     • RESULT: Domain WFAS profile activated and NRPT disabled – no DA tunnels
   • DirectAccess client on the Internet
     • Assumes not connected to intranet
     • Fails to establish HTTPS connection to Network Location Server
     • RESULT: Public or Private profile activated and NRPT enabled – DA tunnels activated
     • UAGDirectAccess-corpConnectivityHost.corp.contoso.com isn’t resolvable
     • RESULT: IP-HTTPS spins up
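
Added example for slides 16 and 18 together (not the deck's or UAG's own code): the NRPT rules and exemptions listed on the NRPT slide implemented as longest-suffix matching, and the location decision from this slide that gates whether the NRPT is applied at all. The UAG DNS64 address is a constructed placeholder; the names are the ones on the slides.

```python
from typing import Optional

# NRPT rules from the NRPT slide: suffix or exact name -> DNS server (None = the
# locally configured DNS server). The DNS64 address is a constructed placeholder.
UAG_DNS64 = "2001:db8:64::1"
NRPT_RULES = {
    ".intranet.contoso.com": UAG_DNS64,          # *.intranet.contoso.com -> UAG DNS64
    ".splitbrain.intranet.contoso.com": None,    # exemption: resolve locally
    "ocs.contoso.com": None,                     # exemption: resolve locally
    "nls.contoso.com": None,                     # exemption: needed to tell inside from outside
}

def nrpt_lookup(name: str, rules=NRPT_RULES) -> Optional[str]:
    """Pick the rule with the longest matching suffix (exact names match only themselves),
    so a narrow exemption wins over the broad *.intranet.contoso.com rule."""
    name = name.lower().rstrip(".")
    best = None
    for suffix in rules:
        hit = name == suffix if not suffix.startswith(".") else name.endswith(suffix)
        if hit and (best is None or len(suffix) > len(best)):
            best = suffix
    return None if best is None else rules[best]

def network_location(nls_https_ok: bool, corp_probe_resolves: bool) -> dict:
    """The decision on this slide. The client assumes it is outside until the HTTPS
    connection to the Network Location Server succeeds; when it is outside and the
    corp connectivity probe name does not resolve, IP-HTTPS is started."""
    if nls_https_ok:
        return {"profile": "domain", "nrpt": False, "da_tunnels": False, "ip_https": False}
    return {"profile": "public/private", "nrpt": True, "da_tunnels": True,
            "ip_https": not corp_probe_resolves}

def resolve_via(name: str, nls_https_ok: bool) -> Optional[str]:
    """Where a query goes once location is known: inside the corp network the NRPT is
    not applied at all, so every name uses the locally configured DNS server."""
    if not network_location(nls_https_ok, True)["nrpt"]:
        return None
    return nrpt_lookup(name)
```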

  19. What’s on Tap?
   • Technical Discussion of DirectAccess
     • Define DirectAccess
     • DirectAccess Infrastructure Technologies
       • IPv6 Transition Technologies
         • Client Side
         • Server side
       • IPsec
       • Name Resolution Policy Table (NRPT)
       • Network Location Awareness
     • Deploying DirectAccess
       • AD, DNS
       • PKI
     • Demo
   No DirectAccess marketing – you’ve heard that already

  20. Active Directory and DNS
   • Active Directory
     • Dependencies on Group Policy and Active Directory
     • Certificate mapping (DS Mapper for IP-HTTPS clients)
     • Active Directory authentication (Certificate/NTLMv2/Kerberos)
     • Two-way trust is required if gateway and clients are in different domains
     • 2003 AD is fine
     • Gateway and clients must be domain members
     • Clients are configured using group policy
   • DNS
     • To “touch” DA clients, dynamic DNS registration of AAAA records is required

  21. PKI
   • Public Key Infrastructure Requirement
     • Usually DirectAccess clients have auto cert enrollment configured in group policy
     • Issuing CA chain must have Certificate Revocation Lists which are accessible on the Internet
     • NLS and IPsec cert chain Certificate Revocation Lists aren’t required to be accessible on the Internet
     • IP-HTTPS client cert must map to a client account in AD
   • DirectAccess clients – client cert (IPsec, IP-HTTPS client)
   • UAG server – client cert (IPsec), web cert (IP-HTTPS listener)
   • NLS server – web cert

  22. What’s on Tap?
   • Technical Discussion of DirectAccess
     • Define DirectAccess
     • DirectAccess Infrastructure Technologies
     • Deploying DirectAccess
       • AD, DNS
       • PKI
     • Demo
   No DirectAccess marketing – you’ve heard that already

  23. The UAG DirectAccess Wizard DEMO

  24. Deploying DirectAccess: What did the Wizard Do? (1/2)
   • Creates and (optionally) deploys a DirectAccess Clients Group Policy Object
     • Configures IPv6 transition technologies
     • WFAS Firewall and Connection Security rules
     • Sets NRPT entries
     • Sets Network Location Server address
   • Creates and deploys a DirectAccess Servers Group Policy Object
     • WFAS Firewall and Connection Security rules
   • Creates and deploys an Application Servers Group Policy Object
     • WFAS Firewall and Connection Security rules

  25. Deploying DirectAccess: What did the Wizard Do? (2/2)
   • Configures the UAG DirectAccess server as an ISATAP router
   • Configures the UAG DirectAccess server as a 6to4 relay
   • Configures the UAG DirectAccess server as a Teredo server and relay
   • Configures the UAG DirectAccess server as an IP-HTTPS server
   • Configures the UAG DirectAccess server as a NAT64/DNS64 IPv6/IPv4 protocol translator
   • Configures the TMG firewall to support DirectAccess connectivity
   • Registers the corporate DNS probe host name in DNS
   • Configures the HOSTS file (in an array deployment)

  26. What’s on Tap?
   • Technical Discussion of DirectAccess
     • Define DirectAccess
     • DirectAccess Infrastructure Technologies
     • Deploying DirectAccess
       • AD, DNS
       • PKI
     • Demo
   No DirectAccess marketing – you’ve heard that already

  27. Unified Access Gateway
   Releases: 2010 H1 (UAG), 2010 H2 (UAG SP1), 2011 H1 (UAG SP1 UP1)
   • Secure Application Publishing
     • SharePoint, Exchange, Dynamics CRM
     • Generic web application publishing
     • Strong AuthN
     • SSO with multiple backend repositories
     • Built-in endpoint health check; NAP integration
     • Granular authorization policies
   • Remote Access Consolidation
     • RDS Remote Apps/Desktop/VDI; Citrix integration
     • Client/Server Apps publishing
     • Mobile Access
     • Full connectivity (DirectAccess, SSL Network Tunneling)
   • DirectAccess
     • All IPv6 transition technologies (incl. NAT64/DNS64) in one box
     • Scale-out through array management, NLB and H/W LB integration
     • DA policy management
   • Enhanced DirectAccess Deployment and Operation
     • One-time-password support for DA
     • Simplified DA deployment
     • Comprehensive policy management
     • Integrated NAP for simplified endpoint policy enforcement
     • Improved monitoring and troubleshooting
   • ADFSv2 Integration
     • Claims-based authentication & authorization
   • RMS Server Publishing
     • Support SharePoint 2010 IRM, Exchange RMS
     • Web Publishing
   • Office 14 alignment
   • Basic Multi Geo Support
     • BCP/DR Support
     • FQDN based failover between arrays

  28. Questions and Answers

  29. Session Evaluations
   Tell us what you think, and you could win! All evaluations submitted are automatically entered into a daily prize draw*. Sign in to the Schedule Builder at http://europe.msteched.com/topic/list/
   * Details of prize draw rules can be obtained from the Information Desk.

  30. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
