Dawie Human Infrastructure Architect Inobits Consulting Session Code: WSV320 Agenda Secure Access Landscape Demo DirectAccess Solution Benefits Deployment Models & Requirements Name Resolution Supporting Technologies Diagnostics Questions & Answers Mobile Workforce Mobile Data Globalization Increasingly Porous Perimeter "Re-Perimeterization" How to manage, monitor, and support remote users/machines all the time? How to simplify remote workers access My network is where my buildings are My network is where my users and assets are DirectAccess Server Data Center and Business Critical Resources Local User Enterprise Network Remote User Assume the underlying network is always unsecure Assume the underlying network is always unsecure Redefine the corporate edge to protect the datacenter Redefine the corporate edge to protect the datacenter Security policies based on identity, not location Industry Trends Internet Windows Server 2008 R2 Addressing Enterprise Needs Addressing User Needs Supporting IT Professionals Work Anywhere Infrastructure using Direct Access DirectAccess Providing seamless, secure access to enterprise resources from anywhere DirectAccess in Action Benefits Of Direct Access Bringing the corporate network to the user Always-on access to corpnet while roaming No explicit user action required it just works Same user experience on premise and off Simplified remote management of mobile resources as if they were on the LAN Lower total cost of ownership (TCO) with an always managed infrastructure Unified secure access across all scenarios and networks Integrated administration of all connectivity mechanisms Healthy, trustable host regardless of network Fine grain per app/server policy control Richer policy control near assets Ability to extend regulatory compliance to roaming assets Incremental deployment path toward IPv6 Always On Always connected No user action required Adapts to changing networks Secure Encrypted by default Works with Smartcards Granular access control Coexists with existing edge, health, and access policies Manageable Reach out to previously untouchable machines Allows remote clients to process Group Policies NAP integration for health compliance Consolidate Edge Infrastructure VPN vs. DirectAccess - Value VPNDirectAccess Manageability Granular Security Ease of use Ubiquitous Easy to install DirectAccess Server (Server 2008 R2) DirectAccess Client (Windows 7) Internet Native IPv6 6to46to4 TeredoTeredo IP-HTTPSIP-HTTPS Tunnel over IPv4 UDP, HTTPS, etc. Encrypted IPsec+ESP IPsec Gateway Encrypted IPsec+ESP IPsec Hardware Offload Supported Option 1 - ISATAP DirectAccess Server (Server 2008 R2) Line of Business Applications IPv6 IPv4 IPv6 Enabling IPv6 in the Enterprise Option 2 NAT-PT DirectAccess Server (Server 2008 R2) Line of Business Applications IPv6 IPv4 NAT-PTDNS-ALG Windows Server 2003 Non-Windows Enabling IPv6 in the Enterprise Enterprise Network DirectAccess Server (Server 2008 R2) Line of Business Applications No IPsec IPsec Gateway IPsec Integrity Only (Auth) IPsec Integrity + Encryption Windows Server 2003 Windows Server 2008 Non-Windows Server IPsec Hardware Offload Supported Deployment Models Deployment Scenario End-to-edge encryption No overhead of encryption on application servers Edge enforces machine/user authentication and data encryption Least change from customers existing edge deployments Trusted, compliant, healthy machine Windows 7 client Corporate Network Applications & Data (non-IPsec enabled) DC & DNS (Server 2008 SP2/R2) Internet Direct Access Server Server 2008 R2 IPsec ESP tunnel encryption using machine cert (DC/DNS access) Clear Text traffic from client flows through encrypted tunnel to Corporate network resources IPsec ESP tunnel encryption using UserKerb/Health Cert/Smartcard for broad network access Deployment Scenario End-to-Edge Encryption + End to End IPsec No overhead of encryption on application servers (just authentication) DirectAccess Edge Encryption combined with End to End IPsec Server and Domain Isolation Trusted, compliant, healthy machine Windows 7 client Corporate Network Applications & Data IPsec-enabled Internet IPsec ESP-Null AuthIP Transport Traffic flows through encrypted tunnel to Corporate network resources Direct Access Server Server 2008 R2 IPsec ESP tunnel encryption using UserKerb/Health Cert/Smartcard for broad network access IPsec ESP tunnel encryption using machine cert (DC/DNS access) DC & DNS (Server 2008 SP2/R2) Deployment Scenario End-To-End IPsec Transport Encryption Thin edge solution using IPsec Denial of Service Protection (DoSP) Service only allows Ipsec & ICMP traffic Full End to End IPsec Encryption IP-HTTPS tunnel used for proxy scenarios only Trusted, compliant, healthy machine Windows 7 client Corporate Network Applications & Data IPsec-enabled Internet IPsec ESP-encrypted transport to access Corporate network resources Direct Access Server Server 2008 R2 DC & DNS (Server 2008 SP2/R2) Deployment Requirements DirectAccess Clients Requires Windows 7 Enterprise or Ultimate SKURequires Windows 7 Enterprise or Ultimate SKU Clients Domain JoinedClients Domain Joined Initial Provisioning while on Corpnet or through VPNInitial Provisioning while on Corpnet or through VPN DirectAccess Servers Requires Windows Server 2008 R2Requires Windows Server 2008 R2 Located at EdgeLocated at Edge Application Servers End-to-end V6 & IPsec requires Windows Server 2008 or laterEnd-to-end V6 & IPsec requires Windows Server 2008 or later Other models can use Windows Server 2003 or laterOther models can use Windows Server 2003 or later Deployment RequirementsDC/DNS Needs at least one W2K8 SP2 or R2 DC/DNS server for client registration of V6 recordsNeeds at least one W2K8 SP2 or R2 DC/DNS server for client registration of V6 records Network Infrastructure Can be IPv4 because we deploy ISATAP with DirectAccessCan be IPv4 because we deploy ISATAP with DirectAccessNAT-PT Can be used to provide access to IPv4-only resourcesCan be used to provide access to IPv4-only resources Name Resolution Name Resolution Policy Table (NRPT) New feature in Windows 7 Used by DirectAccess Client to determine which DNS Server to use based on namespace New name resolution order: Local cache Hosts file NRPT DNS NRPT For any given query, if the domain matches an entry in the NRPT, the query will be sent to the DNS Servers specified in the NRPT These are internal DNS servers they do not need to be dedicated to DirectAccess, and they do not need to be in the DMZ If the name doesn't match an NRPT entry, the query will be sent to the DNS server configured for the interface Corp.contoso.com2001:1:1::b3df 2001:1:1::b3de Diagnostics Internet Explorer Diagnose Problem Button It has been enhanced to troubleshoot DirectAccess Networking Icon (right click) Troubleshoot problems option. Supports providing a location. Also has a DirectAccess Entry Point Control Panel, Troubleshooting Connect to a Workplace place using DirectAccess Command Prompt (Elevated) NETSH TRACE START SCENARIO=DIRECTACCESS Supporting Technologies Direct Access Supporting Technologies Trusted, compliant, healthy machine Windows 7 client Corporate Network Applications & Data NAP (includes Server & Domain Isolation [SDI]) Forefront Client Security Windows Firewall BitLocker + Trusted Platform Module (TPM) IAG SP2 ForefrontUAG DC & DNS (Server 2008 R2) DA Server Compliant Client Data Center and Business Critical Resources NAP / NPS Servers Internet CORPNET User CORPNET Compliant Network CORPNET User IPsec/IPv6 Direct Access Supporting Technologies Non- Compliant Client Forefront Client Security IAG SP2 Unmanaged Client Extend Windows Direct Access to legacy applications and resources running on existing infrastructure. Support down-level and non Windows clients using a variety of connectivity options. Anywhere Access Minimize configuration errors and simplify deployment using built-in wizards and tools. Protect the Direct Access gateway with a hardened edge solution. Granular Security Enhance scale and ongoing administration through built-in array management and integrated load balancing Consolidate access gateways for centralized control and auditing. Unified Management UAG extends the benefits of Windows Direct Access enabling an easy migration path and enhanced scalability. + 7 Direct Access DirectAccess Solution IPv6 IPv6 Always On Windows7 IPv4 IPv4 IPv4 DirectAccess Server Extend support to IPv4 servers UAG improves adoption and extends access to existing infrastructure UAG and DirectAccess better together: 1.Extends access to line of business servers with IPv4 support 2.Access for down level and non Windows clients 3.Enhances scalability and management 4.Simplifies deployment and administration 5.Hardened Edge Solution MANAGED Vista XP UNMANAGED Non Windows PDA DirectAccess SSL VPN UAG provides access for down level and non Windows clients UAG enhances scale and management with integrated LB and array capabilities. UAG uses wizards and tools to simplify deployments and ongoing management. UAG is a hardened edge appliance available in HW and virtual options +Windows7 + Summary Call-to-action Windows Server 2008 R2 offers great innovation for your Anywhere Access infrastructure Learn more about Direct Access Start deploying Windows Server 2008 now to get ready International Content & CommunityResources for IT ProfessionalsResources for DevelopersMicrosoft Certification & Training Resources Resources Required Slide Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings from Tech-Ed website. These will only be available after the event. Required Slide Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings from Tech-Ed website. These will only be available after the event. Tech Ed Africa 2009 sessions will be made available for download the week after the event from: Required Slide Complete a session evaluation and enter to win! 10 pairs of MP3 sunglasses to be won 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Required Slide