Blog (includes deployment whitepaper and demo script for today’s session) http://www.networkworld.com/community/morimoto.
[Diagram: DirectAccess client (Windows 7) connects across the Internet to the DirectAccess server (Server 2008 R2). The connection is tunnelled over IPv4 (UDP, HTTPS, etc.) and encrypted with IPsec+ESP, using native IPv6, 6to4, Teredo or IP-HTTPS.]

End-to-Edge Access Model

For end-to-edge protection, DirectAccess clients establish an IPsec session to an IPsec gateway server (which by default is the same computer as the DirectAccess server). The IPsec gateway server then forwards unprotected traffic (shown in red in the diagram) to application servers on the intranet. This architecture does not require IPsec on the intranet and works with any IPv6-capable application servers.

End-to-End Access Model

With end-to-end protection, DirectAccess clients establish an IPsec session through the DirectAccess server to each application server to which they connect. This provides the highest level of security because you can configure access control on the DirectAccess server. However, this architecture requires that application servers run Windows Server 2008 SP2 or Windows Server 2008 R2 and use both IPv6 and IPsec.

Selected Server Access

[Diagram: a trusted, compliant, healthy Windows 7 client on the Internet connects to a DirectAccess server (Server 2008 R2 or UAG) in front of the corporate network, which contains DC & DNS (Server 2008 SP2/R2) and applications & data (non-IPsec enabled).]

For Selected Server Access, the DirectAccess Setup Wizard allows you to configure one of the following for the selected server access model:

1. The only servers that DirectAccess clients can communicate with are selected intranet servers using Internet Protocol security (IPsec) peer authentication and end-to-end data integrity.
2. The only servers that DirectAccess clients can communicate with are selected intranet servers using IPsec peer authentication but no IPsec protection.
3. Communications between DirectAccess clients and selected intranet servers must perform IPsec peer authentication and end-to-end data integrity. Communications with all other intranet endpoints use clear text.
4. Communications between DirectAccess clients and intranet servers must perform IPsec peer authentication but no IPsec protection. Communications with all other intranet endpoints use clear text.

[Diagram: DirectAccess server (Server 2008 R2) reaching IPv6 line-of-business applications across an IPv4 intranet using ISATAP.]

[Diagram: DirectAccess server (Server 2008 R2) reaching IPv4-only line-of-business applications on Windows Server 2003 and non-Windows hosts through NAT64 and DNS-ALG.]

[Diagram: Teredo. A Teredo host with a private IPv4 address sits behind a NAT device with a public IPv4 address; across the IPv4 Internet it reaches the Teredo server & relay and a web server hosting the CRL.]

[Diagram: IP-HTTPS. An IP-HTTPS host behind a NAT device tunnels IPv6 in HTTPS across the IPv4 Internet to the IP-HTTPS server, which uses a certificate, and on to IPv6 hosts on the IPv6 intranet.]

UAG and DirectAccess better together:

1. Extends access to line-of-business servers with IPv4 support
2. Access for down-level and non-Windows clients
3. Enhances scalability and management
4. Simplifies deployment and administration
5. Hardened edge solution

[Diagram: managed Windows 7 clients use always-on DirectAccess over IPv6; unmanaged Vista, XP, non-Windows and PDA clients use SSL VPN over IPv4; UAG in front of the DirectAccess server extends support to IPv4 servers.]

UAG provides access for down-level and non-Windows clients. UAG enhances scale and management with integrated LB and array capabilities. UAG extends access to existing infrastructure and improves adoption. UAG is a hardened edge appliance available in HW and Windows virtual options. UAG uses wizards and tools to simplify deployments and ongoing management.

"At the end of the day, IT operations is really about running your business as efficiently as you can so you have more dollars left for innovation. IPD guides help us achieve this." Peter Zerger, Consulting Practice Lead for Management Solutions, AKOS Technology Services

It's a free download! Go to www.microsoft.com/ipd

www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st: http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.