DirectAccess with Unified Access Gateway (UAG)

Post on 24-Feb-2016


DirectAccess with Unified Access Gateway (UAG)

Ronald Beekelaar
ronald@beekelaar.com

Introductions
• Presenter – Ronald Beekelaar
  – MVP Security
  – MVP Virtual Machine Technology
  – E-mail: Beekelaar Consultancy BV, ronald@beekelaar.com
• Work
  – Security consultancy
  – Virtualization consultancy
  – Create many VM-based labs and demos
  – Software to optimize, manage and run VM

Session Objectives
• Main goals:
  – Make it easier for you to talk to customers about using the remote access and management solution of DirectAccess in combination with Unified Access Gateway
  – Or: implement DirectAccess in combination with Unified Access Gateway in your own organization
  – How to do that?
    • Help understand the function of DirectAccess (DA)
    • Understand relationship between UAG and DA
    • Know that UAG DirectAccess + IPv6 + IPsec is "easy"
  – Sub goal:
    • Use the lab environment for demos

Demo and Lab Environment
• For study, testing, demo, POC, etc.
  – Download from:
    • http://go.microsoft.com/fwlink/?LinkId=190269
  – Contains all Forefront products
    • Including FIM and AD FS

What is DirectAccess
• Connect with roaming client "directly" to the company network
• No VPN needed
• No extra IP address needed
• No terminal server "trick"
• Use same "internal" server names: \\hrserver1, http://portal
• Requires IPv6 addresses
• Also: connect from company network to roaming client computer – even before user logs on

IPv6 ?
• Successor to IPv4, but not well-understood
• Multiple transition techniques to have IPv4 plus IPv6

[Diagram: Internet and Company network, with IPv4 and IPv6 segments; "IPv6 in IPv4 ?"]

Technologies used
• Internal network
  – ISATAP: automatically map IPv4 to IPv6
• External network (Internet)
  – 6to4 tunneling
  or
  – Teredo
  or
  – IP-HTTPS

UAG DirectAccess
• Provides DirectAccess 'access' to IPv4 servers on the company network
• Is IPv6 "ISATAP" router on company network
• Implements DNS64 and NAT64

DNS64 and NAT64 - say "6-to-4"

From: http://blogs.technet.com/edgeaccessblog/archive/2009/09/08/deep-dive-into-directaccess-nat64-and-dns64-in-action.aspx

Terminology "Cheat sheet"
• IPv6 addresses
  – fe80: - link-local (no routing) ~~ 169.254.x.x
  – 2002: - 6to4 (with routing)
  – 2001: - Teredo addresses
• Transition
  – ISATAP - generates link-local IPv6 based on IPv4
  – 6to4 - tunneling on Internet
  – Teredo - (if NAT) uses UDP 3544
  – IP-HTTPS - when no Teredo possible
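
The cheat sheet above, turned into a small log-triage helper (an added example, not part of the original slides): it names the transition technology behind an IPv6 address and recovers the IPv4 endpoints embedded in it. The function name classify and the sample addresses are constructed for illustration; the exact Teredo prefix (2001:0::/32) and the ISATAP 5efe marker come from the protocol specifications, not from the slide.

```python
import ipaddress

# Upper 32 bits of an ISATAP interface ID (0200:5efe when the IPv4 is globally unique)
ISATAP_MARKERS = (0x00005EFE, 0x02005EFE)

def classify(addr: str) -> dict:
    """Name the transition technology behind an IPv6 address and
    recover the IPv4 endpoints embedded in it."""
    ip = ipaddress.IPv6Address(addr)
    value = int(ip)

    # 2002::/16 - 6to4: the 32 bits after the prefix are the site's IPv4 address.
    if ip.sixtofour is not None:
        return {"kind": "6to4", "ipv4": str(ip.sixtofour)}

    # 2001:0::/32 - Teredo: server IPv4 is stored in the clear; the client's
    # external IPv4 address and UDP port are stored bit-inverted.
    if ip.teredo is not None:
        server, client = ip.teredo
        port = ((value >> 32) & 0xFFFF) ^ 0xFFFF
        return {"kind": "Teredo", "server": str(server),
                "client": str(client), "client_port": port}

    # ISATAP: interface ID is the 5efe marker followed by the host's IPv4 address.
    if ((value >> 32) & 0xFFFFFFFF) in ISATAP_MARKERS:
        v4 = ipaddress.IPv4Address(value & 0xFFFFFFFF)
        return {"kind": "ISATAP", "ipv4": str(v4),
                "link_local": ip.is_link_local}

    if ip.is_link_local:
        return {"kind": "link-local"}
    return {"kind": "other"}

# Constructed sample addresses, as they might appear in firewall or gateway logs.
SAMPLES = [
    "2002:c000:204::1",                      # 6to4
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo
    "fe80::5efe:c000:20a",                   # ISATAP, link-local
    "fe80::1",                               # plain link-local
    "2001:db8::1",                           # starts with 2001: but is not Teredo
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify(sample))
```

The last sample shows why the first 16 bits alone are not enough to label traffic as Teredo: only addresses whose first 32 bits are 2001:0000 qualify.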

Networking in lab environment

[Diagram: Internet, Company network]