Microsoft Confidential
[Diagram: a trusted, compliant, healthy Windows 7 client connects to the corporate network (applications & data). Supporting components: DC & DNS (Windows Server 2008); NAP, including Server & Domain Isolation (SDI); Forefront Client Security; Windows Firewall; BitLocker + Trusted Platform Module (TPM); IAG SP2.]
[Test lab diagram: Internet 131.107.0.0/24, Homenet 192.168.137.0/24, Corpnet 10.0.0.0/24; hosts DA1, INET1, DC1, APP1, NAT1, CLIENT1.]
[Diagram: a DirectAccess server sits between the Internet and the intranet; compliant clients on the Internet and intranet users on the enterprise network reach the data center and business-critical resources; NAP / NPS servers are shown inside the enterprise network.]
Assume the underlying network is always insecure
Redefine the CORPNET edge to insulate the datacenter and business-critical resources
Tunnel over IPv4 UDP, HTTPS, etc.
Security policies based on identity, not location
[Diagram: DirectAccess client on the Internet; internal traffic goes through the DirectAccess server to corporate resources on the intranet, while Internet traffic goes directly to Internet servers.]
Clients: Microsoft Windows 7
DirectAccess server: Microsoft Windows 7 / Windows Server 2008 R2
Application servers: Windows Server 2008 (for native IPv6 support)
Exception: When Windows Firewall Authentication policy is used, application servers must be Windows Server 2008 R2
DC/DNS servers: Windows Server 2008
Exception: When two-factor authentication is required for end-to-end authentication a Windows 7 DC-based Active Directory
NAT-PT server if IPv4 access is desired
DirectAccess Overview
Supporting infrastructure and technologies
Using DirectAccess with Windows 7
Client:
Receives configuration while directly connected to corpnet (provisioning) via Group Policy
NAP used to check configuration and health when remotely connected
Server:
DirectAccess wizard to set up DirectAccess Server(s)
Policies controlled via Group Policy
Configure DirectAccess Server: Requires Windows Server 2008 R2
Use the DirectAccess server MMC
Author DirectAccess policies for clients, application servers, DC/DNS and the IPsec gateway
Configure Windows 7 Enterprise & Ultimate SKU client machines:
Done using the DirectAccess configuration wizard
Customize policies as needed
Facing Corpnet:
Gateway for native IPv6
IPv6 over IPv4 service for enterprise: ISATAP relay
IPsec gateway (tunnel mode endpoint)
Forwarding gateway for native IPv6
IPv6 over IPv4 services: 6to4 relay
Teredo relay (optionally also Teredo server)
Facing Internet:
Firewall/proxy traversal: IP-TLS relay
Internal:
IPsec DoS protection
Be ready to monitor IPv6 traffic
Choose an access model: Full Intranet Access vs. Selected Server Access?
Assess deployment scale
DirectAccess Overview
Supporting infrastructure and technologies
Configuring DirectAccess
What happens at the client
Client tries to access .corp.phiwug.com.
Looks in the provisioned list for the DNS server(s) associated with .phiwug.com.
Connects to the DNS server (using IPsec; IPv6 is routed through the DAS).
Client tries to connect to the target; the IPv6 route is again through the DAS. IPsec is required.
What happens at the DAS/DNS
DAS lets through AuthIP packets from the client to DNS. After negotiation, DAS lets ESP packets through between client and DNS. DNS returns target address information to the client. DNS registers the client's current address information.
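The client-side lookup described above, modelled as an added Python example (not Windows code and not from the original deck): a provisioned namespace table is matched by longest suffix, and the winning rule decides whether the query goes to the corp DNS servers over IPsec via the DirectAccess server or to the normal interface DNS. Suffixes, rule names and addresses are constructed placeholders.

```python
"""Model of the DirectAccess client name-resolution decision.

Added illustration, not Windows's own code. The client holds a provisioned
table of namespace rules; a query is matched against the longest matching
rule. A rule with DNS servers sends the query to those servers over IPsec,
via the DirectAccess server (DAS). A rule with no servers is an exemption
that falls back to the normal interface DNS, as does a name with no rule.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NamespaceRule:
    suffix: str                                           # ".corp.phiwug.com" or exact host
    dns_servers: list[str] = field(default_factory=list)  # empty list = exemption
    require_ipsec: bool = True


# Constructed sample table; the IPv6 address is a documentation placeholder.
SAMPLE_RULES = [
    NamespaceRule(".phiwug.com", ["2001:db8:1::1"]),  # corp suffix -> DNS reached via the DAS
    NamespaceRule("nls.phiwug.com", []),             # exemption for the network location server
]


def resolve_rule(name: str, rules: list[NamespaceRule]) -> Optional[NamespaceRule]:
    """Return the most specific rule for `name` (longest matching suffix), or None."""
    lname = name.lower().rstrip(".")
    best, best_len = None, -1
    for rule in rules:
        s = rule.suffix.lower().rstrip(".")
        if s.startswith("."):                                # domain-suffix rule
            matched = lname.endswith(s) or lname == s[1:]
        else:                                                # exact-host rule
            matched = lname == s
        if matched and len(s) > best_len:
            best, best_len = rule, len(s)
    return best


def plan_query(name: str, rules: list[NamespaceRule], interface_dns: list[str]) -> dict:
    """Decide where the query goes: rule servers over IPsec via the DAS, or interface DNS."""
    rule = resolve_rule(name, rules)
    if rule is None or not rule.dns_servers:
        return {"name": name, "servers": interface_dns, "ipsec": False, "via_das": False}
    return {"name": name, "servers": rule.dns_servers, "ipsec": rule.require_ipsec, "via_das": True}
```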
Evolution, not revolution
Upgrade your network to an IPv6 end state
Requires Windows 7 on the client
Transition to Windows Server 2008 simplifies the solution
Little or no change to applications – upgrade the server platform
30 Microsoft LOB applications today on Windows Server 2008 running end-to-end IPsec/IPv6
Additional 40 planned to upgrade in next two months
Allows you to take concrete steps toward satisfying any IPv6 mandate
Seamless integration with your current access and security solutions
Seamless transition to DirectAccess over time
Integrates with Forefront solutions
http://technet.microsoft.com
DirectAccess Design Guide: http://www.microsoft.com/downloadS/details.aspx?familyid=647222D1-A41E-4CDB-BA34-F057FBC7198F&displaylang=en
Step by Step Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=8D47ED5F-D217-4D84-B698-F39360D82FAC&displaylang=en
Next Generation Remote Access with DirectAccess and VPNs: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=70723e47-3d57-415b-9182-744ceaf8c04a#tm
Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2: http://www.microsoft.com/downloads/details.aspx?FamilyID=64966e88-1377-4d1a-be86-ab77014495f4&DisplayLang=en
Microsoft Server and Tools solution site for Direct Access: http://www.microsoft.com/servers/directaccess.mspx
http://johndelizo.spaces.live.com
http://technetphilippines.net/blogs/
[email protected]
http://msforums.ph
http://msforums.ph/blogs/phiwug
http://phiwug.org
http://technetphilippines.net