Scott Roberts, Lead Program Manager, Microsoft
Session Code: WSV320

Agenda
• Secure Access Landscape
• Demo
• DirectAccess Solution Benefits
• Deployment Models & Requirements
• Name Resolution
• Supporting Technologies
• Diagnostics
• Questions & Answers
Secure Access Landscape

Mobile workforce
• Increasingly mobile data
• Porous perimeter
• Globalization

"Re-perimeterization"
• Then: "My network is where my buildings are"
• Now: "My network is where my users and assets are"
• How do we manage, monitor, and support remote users and machines all the time?
• How do we simplify remote workers' access?

Industry trends
• Assume the underlying network is always insecure
• Redefine the corporate edge to protect the datacenter
• Base security policies on identity, not location

(Diagram: enterprise network with a DirectAccess server at the edge, the Internet, the data center and business-critical resources, a local user and a remote user.)

Windows Server 2008 R2: Work Anywhere infrastructure using DirectAccess
• Addressing enterprise needs
• Addressing user needs
• Supporting IT professionals
DirectAccess provides seamless, secure access to enterprise resources from anywhere.

DirectAccess in Action (demo)

Benefits of DirectAccess: bringing the corporate network to the user
More productive
• Always-on access to corpnet while roaming
• No explicit user action required; it just works
• Same user experience on premises and off
More secure
• Healthy, trustable host regardless of network
• Fine-grained per-application/per-server policy control
• Richer policy control close to the assets
• Ability to extend regulatory compliance to roaming assets
• Incremental deployment path toward IPv6
More manageable and cost effective
• Simplified remote management of mobile resources, as if they were on the LAN
• Lower total cost of ownership (TCO) with an "always managed" infrastructure
• Unified secure access across all scenarios and networks
• Integrated administration of all connectivity mechanisms

Always on, secure, manageable
Always on
• Always connected
• No user action required
• Adapts to changing networks
Secure
• Encrypted by default
• Works with smartcards
• Granular access control
• Coexists with existing edge, health, and access policies
Manageable
• Reach out to previously untouchable machines
• Allows remote clients to process Group Policy
• NAP integration for health compliance
• Consolidate edge infrastructure

VPN vs. DirectAccess: value
(Comparison table; only the column headings VPN and DirectAccess survive in this transcript.)

How a DirectAccess connection is built
• DirectAccess client (Windows 7) <-> Internet <-> DirectAccess server (Windows Server 2008 R2)
• Tunnel over IPv4: UDP, HTTPS, etc.
• Encrypted with IPsec ESP
• Native IPv6 where available; otherwise the 6to4, Teredo or IP-HTTPS transition technologies carry IPv6 across the IPv4 Internet
• The DirectAccess server is the IPsec gateway; IPsec hardware offload is supported

Enabling IPv6 in the enterprise
• Option 1: ISATAP. The DirectAccess server (Windows Server 2008 R2) reaches line-of-business applications over the existing IPv4 intranet by carrying IPv6 inside IPv4 with ISATAP.
• Option 2: NAT-PT with a DNS-ALG. IPv6 traffic from DirectAccess clients is translated to IPv4 for line-of-business applications on IPv4-only hosts such as Windows Server 2003 and non-Windows systems.

IPsec options on the enterprise network (shown for Windows Server 2003, Windows Server 2008 and non-Windows servers)
• No IPsec
• IPsec integrity only (authentication)
• IPsec integrity + encryption
• The DirectAccess server acts as IPsec gateway; IPsec hardware offload is supported

Deployment Models

Deployment scenario 1: end-to-edge encryption
• Windows 7 client (a trusted, compliant, healthy machine) <-> Internet <-> DirectAccess server (Windows Server 2008 R2) <-> corporate network: DC & DNS (Windows Server 2008 SP2/R2), applications & data (not IPsec-enabled)
• IPsec ESP tunnel encryption using the machine certificate, for DC/DNS access
• IPsec ESP tunnel encryption using user Kerberos credentials, a health certificate or a smartcard, for broad network access
• Clear-text traffic from the client flows through the encrypted tunnel to corporate network resources
• No encryption overhead on application servers
• The edge enforces machine/user authentication and data encryption
• Least change from the customer's existing edge deployments

Deployment scenario 2: end-to-edge encryption + end-to-end IPsec
• Same client, edge and DC/DNS layout; applications & data are IPsec-enabled
• IPsec ESP tunnel encryption using the machine certificate, for DC/DNS access
• IPsec ESP tunnel encryption using user Kerberos credentials, a health certificate or a smartcard, for broad network access
• Inside the tunnel, ESP-Null AuthIP transport mode authenticates the client to the application server
• Traffic flows through the encrypted tunnel to corporate network resources
• No encryption overhead on application servers (just authentication)
• DirectAccess edge encryption combined with end-to-end IPsec Server and Domain Isolation

Deployment scenario 3: end-to-end IPsec transport encryption
• Windows 7 client (a trusted, compliant, healthy machine) <-> Internet <-> DirectAccess server (Windows Server 2008 R2) <-> DC & DNS (Windows Server 2008 SP2/R2) and IPsec-enabled applications & data
• IPsec ESP-encrypted transport mode all the way to corporate network resources
• Thin edge solution: the IPsec Denial of Service Protection (DoSP) service allows only IPsec and ICMP traffic through the edge
• Full end-to-end IPsec encryption
• IP-HTTPS tunnel used for proxy scenarios only

Deployment Requirements
DirectAccess clients
• Requires Windows 7 Enterprise or Ultimate SKU
• Clients must be domain-joined
• Initial provisioning while on corpnet or through VPN
DirectAccess servers
• Requires Windows Server 2008 R2
• Located at the edge
Application servers
• End-to-end IPv6 & IPsec requires Windows Server 2008 or later
• Other models can use Windows Server 2003 or later
DC/DNS
• Needs at least one Windows Server 2008 SP2 or R2 DC/DNS server for client registration of IPv6 records
Network infrastructure
• Can stay IPv4, because ISATAP is deployed along with DirectAccess
NAT-PT
• Can be used to provide access to IPv4-only resources

Name Resolution: the Name Resolution Policy Table (NRPT)
• New feature in Windows 7
• Used by the DirectAccess client to determine which DNS server to use, based on namespace
• New name resolution order: local cache, hosts file, NRPT, DNS
• Example NRPT entry: namespace corp.contoso.com -> DNS servers 2001:1:1::b3df and 2001:1:1::b3de
• For any given query, if the name matches an entry in the NRPT, the query is sent to the DNS servers specified in that entry
• These are internal DNS servers; they do not need to be dedicated to DirectAccess, and they do not need to be in the DMZ
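The lookup order on the Name Resolution slide (local cache, hosts file, NRPT, then the DNS server configured on the interface) is easy to get wrong at the suffix boundary, so here it is as a small model. This is an added example, not code from the session or from Windows: nothing is sent on the wire, the functions only report which source would answer or which DNS servers the query would be steered to. The NRPT entry for corp.contoso.com with servers 2001:1:1::b3df and 2001:1:1::b3de is the one on the slide; the cache contents, the hosts file and the interface DNS address 192.0.2.53 are constructed for the example. It goes one step beyond the slide in that, where several NRPT rules match, the longest (most specific) suffix wins, which is how the NRPT orders its rules.

```python
# Added example (not from the WSV320 session): a model of the Windows 7
# DirectAccess client's name resolution order from the Name Resolution slide:
#   local cache -> hosts file -> NRPT -> DNS server configured on the interface.
# Nothing is sent on the wire; resolve() reports which source answers, or which
# DNS servers the query would be steered to. The NRPT entry (corp.contoso.com ->
# 2001:1:1::b3df, 2001:1:1::b3de) is the one on the slide; the cache, hosts
# file and interface DNS address are constructed for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class NrptRule:
    namespace: str          # DNS suffix the rule covers, e.g. ".corp.contoso.com"
    dns_servers: List[str]  # internal DNS servers that answer for that suffix


def _canon(name: str) -> str:
    """Lower-case a DNS name and drop leading/trailing dots and whitespace."""
    return name.strip().lower().strip(".")


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file syntax: '<address> <name> [alias ...]', '#' starts a comment."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for n in names:
            table.setdefault(_canon(n), address)   # first entry for a name wins
    return table


@dataclass
class ClientResolver:
    cache: Dict[str, str] = field(default_factory=dict)
    hosts: Dict[str, str] = field(default_factory=dict)
    nrpt: List[NrptRule] = field(default_factory=list)
    interface_dns: List[str] = field(default_factory=list)

    def nrpt_match(self, fqdn: str) -> Optional[NrptRule]:
        """Return the NRPT rule whose suffix matches fqdn on a label boundary.

        A rule for corp.contoso.com matches host.corp.contoso.com and
        corp.contoso.com itself, but not corp.contoso.com.example.test or
        notcorp.contoso.com. If several rules match, the longest suffix wins.
        """
        name = _canon(fqdn)
        best: Optional[NrptRule] = None
        best_len = -1
        for rule in self.nrpt:
            suffix = _canon(rule.namespace)
            if (name == suffix or name.endswith("." + suffix)) and len(suffix) > best_len:
                best, best_len = rule, len(suffix)
        return best

    def resolve(self, fqdn: str) -> dict:
        """Walk the lookup order and report where the answer would come from."""
        name = _canon(fqdn)
        if name in self.cache:
            return {"source": "cache", "answer": self.cache[name]}
        if name in self.hosts:
            return {"source": "hosts", "answer": self.hosts[name]}
        rule = self.nrpt_match(name)
        if rule is not None:
            return {"source": "nrpt", "namespace": rule.namespace,
                    "servers": list(rule.dns_servers)}
        # No NRPT entry: the query goes to whatever DNS server the current
        # network (hotspot, home router, ...) handed the interface.
        return {"source": "interface", "servers": list(self.interface_dns)}


# Constructed sample hosts file for the example (not from the session).
SAMPLE_HOSTS = """\
# constructed hosts file
::1          localhost
10.0.0.5     intranet.corp.contoso.com intranet
"""


def build_example_client() -> ClientResolver:
    """A client with one cached name (constructed), the sample hosts file,
    the slide's NRPT entry, and a constructed hotspot DNS server."""
    return ClientResolver(
        cache={"ts.corp.contoso.com": "2001:1:1::10"},
        hosts=parse_hosts(SAMPLE_HOSTS),
        nrpt=[NrptRule(".corp.contoso.com", ["2001:1:1::b3df", "2001:1:1::b3de"])],
        interface_dns=["192.0.2.53"],
    )


if __name__ == "__main__":
    client = build_example_client()
    for q in ("ts.corp.contoso.com", "intranet", "fileserver.corp.contoso.com",
              "www.microsoft.com", "corp.contoso.com.example.test"):
        print(f"{q:32} -> {client.resolve(q)}")
```

The label-boundary check in nrpt_match is the security-relevant detail: only names under the corporate suffix are steered to the internal IPv6 DNS servers over the tunnel, while everything else (including look-alikes such as corp.contoso.com.example.test) goes to the local network's DNS server, exactly as the slide's fallback rule says. That split is also why a DirectAccess client on a hotspot keeps resolving Internet names locally.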
• If the name does not match any NRPT entry, the query is sent to the DNS server configured for the interface, that is, the local network's DNS server

Supporting Technologies
On the Windows 7 client (a trusted, compliant, healthy machine):
• NAP (includes Server & Domain Isolation, SDI)
• Forefront Client Security
• Windows Firewall
• BitLocker + Trusted Platform Module (TPM)
At the edge and on the corporate network (DC & DNS on Windows Server 2008 R2, applications & data):
• IAG SP2 / Forefront UAG
(Diagram: compliant, non-compliant and unmanaged clients on the Internet and on CORPNET; NAP/NPS servers gate entry to the compliant network; the DA server and IAG SP2 sit at the edge in front of the data center and business-critical resources.)

Forefront UAG and DirectAccess
UAG extends the benefits of Windows DirectAccess, enabling an easy migration path and enhanced scalability.
Anywhere access
• Extend Windows DirectAccess to legacy applications and resources running on existing infrastructure.
• Support down-level and non-Windows clients using a variety of connectivity options.
Granular security
• Minimize configuration errors and simplify deployment using built-in wizards and tools.
• Protect the DirectAccess gateway with a hardened edge solution.
Unified management
• Enhance scale and ongoing administration through built-in array management and integrated load balancing.
• Consolidate access gateways for centralized control and auditing.

UAG and DirectAccess: better together
1. Extends access to line-of-business servers with IPv4 support
2. Access for down-level and non-Windows clients
3. Enhances scalability and management
4. Simplifies deployment and administration
5. Hardened edge solution
(Diagram: managed Windows 7 clients use always-on DirectAccess over IPv6; unmanaged Vista, XP, non-Windows and PDA clients reach the UAG-fronted DirectAccess server over SSL VPN; UAG extends support to IPv4 servers.)
• UAG provides access for down-level and non-Windows clients.
• UAG improves adoption and extends access into existing infrastructure.
• UAG enhances scale and management with integrated load balancing and virtual array capabilities.
• UAG is a hardened edge, available in hardware appliance options.
• UAG uses wizards and tools to simplify deployments and ongoing management.

Diagnostics
• Internet Explorer "Diagnose Problem" button: enhanced to troubleshoot DirectAccess.
• Networking icon (right-click) > Troubleshoot problems: supports providing a location, and has a DirectAccess entry point.
• Control Panel > Troubleshooting > "Connect to a workplace using DirectAccess".
• Command prompt (elevated): NETSH TRACE START SCENARIO=DIRECTACCESS, then reproduce the problem and run NETSH TRACE STOP, which writes the captured trace to an ETL file for analysis.

Summary and call to action
• Windows Server 2008 R2 offers great innovation for your Anywhere Access infrastructure
• Learn more about DirectAccess: http://www.microsoft.com/directaccess
• Start deploying Windows Server 2008 now to get ready

Resources
• www.microsoft.com/teched: sessions on demand & community
• www.microsoft.com/learning: Microsoft certification & training resources
• http://microsoft.com/technet: resources for IT professionals
• http://microsoft.com/msdn: resources for developers
Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.
Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.