
Working remote: what to consider, technology evolution



Presentation Transcript


  1. Working remote: what to consider, technology evolution

  2. Session Agenda
     • Remote access: do we need it?
     • Remote access: what are the options?
     • Microsoft’s strategy for remote access
     • The vision: seamless, secure, ubiquitous
     • Making it real: DirectAccess & Unified Access Gateway
     • Q & A

  3. Information Worker’s World Has Been Changing…
     Diagram labels: CENTRAL OFFICE, REMOTE WORK, BRANCH OFFICES, MOBILE & DISTRIBUTED WORKFORCE
     “In 2008, mobile workers will represent 26.8% of the total workforce, and that number will increase to 30.4% by 2011” (IDC, "Worldwide Mobile Worker Population 2007–2011 Forecast," Doc #209813)

  4. Remote Access Needs
     • Managed and unmanaged devices
     • Internal & external users
     • Internal resources
     • Changing threat environment
     • IT governance
     • Regulatory compliance
     Diagram labels: Home PC (Financial Partner or Field Agent), Kiosk (Logistics Partner), Corporate Managed Laptop (Project Manager Employee), Unmanaged Partner PC (Remote Technician Employee)

  5. Remote Access Options
     • Dialup? Too costly, limited user experience
     • Reverse Proxy? Only Web apps
     • Terminal Services? Not from everywhere, TCO considerations
     • Traditional VPN based on IPsec – most popular
       • Limited functionality from firewalled or NAT’ed networks / not very user friendly
       • Client becomes difficult to roll out / managed devices only
       • Requires administrative installation
       • Potential security exposure by extending the network
     • SSL VPN
       • In-office experience from anywhere
       • Granular policy control
     • Next-Gen IPsec VPN
       • User friendly: no more FW/NAT problems; seamless access from everywhere
       • Built into client OSs
       • Granular policy control

  6. DirectAccess
     Providing seamless, secure access to enterprise resources from anywhere
     • Provides seamless, always-on, secure connectivity to on-premises and remote users alike
     • Eliminates the need to connect explicitly to corpnet while remote
     • Facilitates secure, end-to-end communication and collaboration
     • Leverages a policy-based network access approach
     • Enables IT to easily service/secure/update/provision mobile machines whether they are inside or outside the network

  7. Benefits Of DirectAccess
     Column headings: More manageable and cost effective | More productivity | More secure
     • Always-on access to corpnet while roaming
     • No explicit user action required – it just works
     • Same user experience on premises and off
     • Simplified remote management of mobile resources as if they were on the LAN
     • Lower total cost of ownership (TCO) with an “always managed” infrastructure
     • Unified secure access across all scenarios and networks
     • Integrated administration of all connectivity mechanisms
     • Healthy, trustable host regardless of network
     • Fine-grain per app/server policy control
     • Richer policy control near assets
     • Ability to extend regulatory compliance to roaming assets
     • Incremental deployment path toward IPv6

  8. DirectAccess Technologies
     • Microsoft Windows 7 clients
     • Microsoft Windows Server 2008 DirectAccess Server
     • IPv6
     • IPsec v6
     • Tunneling protocols
       • 6to4
       • Teredo
       • IP-HTTPS
     • NAT-PT devices
     Diagram: Compliant Client, IPsec/IPv6 tunnel over IPv4 (UDP, HTTPS, etc.) across the Internet, IPsec/IPv6 to the DirectAccess Server, Enterprise Network with intranet users
     • Assume the underlying network is always insecure
     • Redefine the CORPNET edge to insulate the datacenter and business critical resources
     • Security policies based on identity, not location
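The slide lists 6to4, Teredo and IP-HTTPS as the tunnels a DirectAccess client uses to carry IPsec/IPv6 over IPv4. Each client shows up on the DirectAccess server as an IPv6 address whose prefix reveals the tunnel, and 6to4 and Teredo addresses also embed the client's public IPv4 address, which is what an analyst needs to correlate a DirectAccess session with perimeter firewall logs. The following Python is an added example, not code from the presentation or from Microsoft; the address layouts follow RFC 3056 (6to4) and RFC 4380 (Teredo), and the sample addresses are constructed.

```python
"""Tell which transition technology a DirectAccess client arrived over.

Added example, not code from the presentation or from Microsoft. Layouts follow
RFC 3056 (6to4) and RFC 4380 (Teredo); the sample addresses are constructed.
"""
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")   # 2001:0000::/32
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")


def classify_da_client(addr: str) -> dict:
    """Return the transition technology and any IPv4 endpoint embedded in addr."""
    ip = ipaddress.IPv6Address(addr)
    raw = int(ip)
    if ip in TEREDO_PREFIX:
        # RFC 4380: | prefix 32 | server IPv4 32 | flags 16 | ~port 16 | ~client IPv4 32 |
        server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
        flags = (raw >> 48) & 0xFFFF
        port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF                  # port is stored inverted
        client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)  # so is the IPv4
        return {
            "technology": "Teredo",
            "client_ipv4": str(client),        # public side of the NAT the client sits behind
            "client_udp_port": port,
            "teredo_server": str(server),
            "behind_cone_nat": bool(flags & 0x8000),  # RFC 4380 cone flag
        }
    if ip in SIXTO4_PREFIX:
        # RFC 3056: 2002:WWXX:YYZZ::/48, where WW.XX.YY.ZZ is the client's public IPv4
        client = ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)
        return {"technology": "6to4", "client_ipv4": str(client)}
    # Otherwise native IPv6 or IP-HTTPS: the address comes from the organisation's
    # own prefix and carries no IPv4; the HTTPS connection's source address does.
    return {"technology": "native-or-IP-HTTPS", "client_ipv4": None}


if __name__ == "__main__":
    # Constructed addresses standing in for entries from a DirectAccess server log
    for sample in ("2001:0000:4136:e378:8000:63bf:3fff:fdd2",  # RFC 4380 worked example
                   "2002:c000:0204::1",                        # 6to4 client at 192.0.2.4
                   "2001:db8:1234::10"):                       # neither: IP-HTTPS or native
        print(sample, "->", classify_da_client(sample))
```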

  9. Making It Real
     • Extend access to line of business servers with IPv4-only support?
     • Access for down-level and non-Windows clients?
     • Scalability and management?
     • Deployment and administration?
     • Hardened Edge Solution?

  10. UAG & DA Solution Architecture
     UAG and DirectAccess better together:
     • Extends access to line of business servers with IPv4 support
     • Access for down-level and non-Windows clients
     • Enhances scalability and management
     • Simplifies deployment and administration
     • Hardened Edge Solution
     Diagram labels: MANAGED Windows 7 (IPv6) with Always On DirectAccess; UNMANAGED Vista/XP (IPv4) and Non-Windows/PDA (IPv4) with SSL VPN; DirectAccess Server + IPv4; Extend support to IPv4 servers

  11. UAG History and Evolution
     • Protection: integrated and comprehensive protection from Internet-based threats
     • Access: unified platform for all enterprise remote access needs

  12. UAG Product "Stack"
     • End Point Detection: client and deep policies for security health assessment
     • Application Intelligence: optimizers for core, common scenarios enabling security and functionality
     • SSL VPN Tunneling + DA: multiple tunnels providing access for non-web applications
     • Reverse Proxy: intelligent URL rewriting and manipulation engine to simplify publishing
     • Application Access Policy and Security Management: wizard-driven configuration for core scenarios allowing easy implementation and enforcement of granular policies; web-based monitoring and control across arrays

  13. How UAG works
     Checks applied to each request: Authenticated user? Allowed application? Allowed device? Allowed request? Client-side caching? “Good” URL?
     Published over a Secure Connection: Web Applications, Client-Server Applications, Legacy Applications

  14. UAG Networking Options
     SSL VPN options:
     • HTTP(S) apps
     • SSL port forwarding (SSL Wrapper)
     • SSL socket forwarding (Socket Forwarder)
     • Client SSL network tunneling
     • SSTP
     Next-gen IPsec VPN: DirectAccess

  15. UAG Client Components
     • Socket Forwarder (LSP, NSP)
     • Quarantine Enforcement
     • Session Clean-up
     • Client Trace Utility
     • Endpoint Detection
     • Network Connector
     • SSL Wrapper (Java Applet)
     • SSL Wrapper
     • Component Manager

  16. Dynamic User Session
     Each user session is determined by access policies that relate to the user, the device, and the resources.
     Diagram labels: Financial Partner or Field Agent (Home PC), Logistics Partner (Kiosk), Project Manager Employee (Corporate Laptop), Remote Technician Employee (Unmanaged Partner PC)

  17. User Experience – UAG Portals

  18. Endpoint Security
     • It uses client-side scripting for detection to generate variables that describe client properties
       • AV running/AV up-to-date
       • Personal firewall
       • Host IDS running
       • Processes running/not running
       • Registry entries
       • Custom
     • The variables are uploaded as a chunk of XML data, and ASP policy expressions are evaluated on the UAG
     • Results are stored in the UAG Session Manager service
     • Various components in UAG query the Session Manager
       • The filter web site (for download/upload/restricted zones blocking functionality)
       • The PortalHomePage (to decide which links to display/gray out etc.)

  19. User Authentication
     • Front-end authentication
       • Most authentication services supported OOB
         • Active Directory
         • Other LDAP (Novell, Sun, IBM, …)
         • RADIUS/TACACS
         • ADFS
         • Custom
       • Multiple auth services can be used to control access
         • At logon
         • On the fly (application access)

  20. User Authentication
     • Back-end authentication
       • SSO
         • Credential replay
         • KCD
         • Custom

  21. Coarse-grained authorization
     • User-based
       • Access to each application can be granted to selected users/groups
       • Users and groups defined in external authentication services

  22. Fine-grained Authorization
     • Policy-based
       • Application functionalities enabled/disabled according to output from the endpoint security check
         • Sending email with attachments through OWA not allowed if AV not running
         • Downloading documents from SharePoint not permitted if client is not “certified”
     • Enabled by “Application Intelligence”
       • Built-in application knowledge
         • MS SharePoint, Outlook Web Access, Dynamics CRM…
         • SAP Enterprise Portal
         • Lotus Notes (iNotes, Native, DOLS)
         • Lotus Sametime
         • Documentum eRoom
         • …other
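Slides 18 and 22 together describe one flow: client-side detection produces variables, the variables are uploaded as XML, policy expressions are evaluated on the UAG, and the per-session results are stored for the portal and filter components to query before a link is shown or a download served. The Python below is an added example modelling that flow, not UAG's own code: UAG evaluates ASP expressions and its real XML schema is not on the slides, so the XML shape, the variable names and the policy table are constructed; the two rules are the ones slide 22 gives. A property the client fails to report evaluates as false, so a silent or tampered detection script cannot unlock a feature.

```python
"""Model of UAG's endpoint-health gate (slides 18 and 22): detection variables
uploaded as XML, policy expressions evaluated on the server, results kept per
session for the portal and filter components to query. Added example, not UAG's
code: XML shape, variable names and policy table are constructed; the two rules
are the ones slide 22 gives as examples."""
import xml.etree.ElementTree as ET

# Constructed upload, as a client detection script might produce it
SAMPLE_UPLOAD = """<endpoint>
  <var name="av_running">true</var>
  <var name="av_uptodate">false</var>
  <var name="personal_firewall">true</var>
  <var name="certified_client">false</var>
</endpoint>"""

# Feature -> predicate over the reported variables (constructed policy table)
POLICY = {
    "owa_send_attachments": lambda v: v["av_running"],          # slide 22, rule 1
    "sharepoint_download": lambda v: v["certified_client"],     # slide 22, rule 2
    "sharepoint_upload": lambda v: v["certified_client"] and v["av_uptodate"],
    "portal_browse": lambda v: True,
}


class EndpointVars(dict):
    """Fail closed: a property the client did not report evaluates as False."""
    def __missing__(self, key):
        return False


def parse_endpoint_vars(xml_text: str) -> EndpointVars:
    # A real server parses untrusted uploads; use defusedxml there. ET suffices
    # for the constructed sample.
    reported = EndpointVars()
    for var in ET.fromstring(xml_text).findall("var"):
        reported[var.get("name")] = (var.text or "").strip().lower() == "true"
    return reported


def evaluate_policy(reported: EndpointVars, policy=POLICY) -> dict:
    """Per-feature allow/deny, the result a Session Manager would store."""
    return {feature: bool(rule(reported)) for feature, rule in policy.items()}


def session_decisions(xml_text: str) -> dict:
    return evaluate_policy(parse_endpoint_vars(xml_text))


def request_allowed(decisions: dict, feature: str) -> bool:
    """What the filter site or portal page asks before serving a link or download."""
    return decisions.get(feature, False)   # unknown feature: deny
```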

  23. Session clean-up
     • UAG wipes session data when the session ends
       • Transparent to end users
     • Application Optimizer: application-specific modules allow wiping additional data outside the browser’s cache
       • Application-based (Citrix Bitmap Cache, Lotus Notes…)
       • Extensible via custom scripts
     • What can be wiped
       • Files and HTML pages downloaded
       • Cookies, history information, user credentials
     • When it can be executed
       • User logoff, inactivity timeout
       • Crash, browser closed by user
       • Shutdown

  24. Browser support
     • Windows OSs
       • Internet Explorer
       • Netscape Navigator
       • Firefox
       • Safari
     • Linux
       • Netscape Navigator
       • Firefox
     • Mac OS (10.3 and up)
       • Safari

  25. Seamless, Secure, Ubiquitous
     Diagram labels. Zones: Internet, DMZ Network, Data Center / Corporate Network. Clients: Mobile T, Home / Friend / Kiosk, Business Partners / Sub-Contractors, Employees, Managed Machines. Access paths: HTTPS / HTTP, Terminal / Remote Desktop Services (RDP), Layer 3 VPN, DirectAccess, Non web (Telnet, RPC, …), HTTPS (443). Back-end resources: Exchange, CRM, SharePoint, IIS based, IBM, SAP, Oracle. Directory and policy services: AD, ADFS, RADIUS, LDAP…, NPS, ILM.

  26. Q & A
