DA for Dummies (TechDays 2012), 38 slides

Upload: alex-de-jong

Post on 03-Dec-2014


DESCRIPTION

These slides were used at the Dutch TechDays event by Microsoft in 2012.

TRANSCRIPT

Page 1: Da for dummies techdays 2012
Page 2: Da for dummies techdays 2012

Direct Access for Dummies

Alex de Jong, Microsoft Freelance

Page 3: Da for dummies techdays 2012

Agenda
• Direct Access Overview
• Direct Access Basics
• So how does it work
• Cool, I want that… How do I build it?
• Where do I start from here?

Page 4: Da for dummies techdays 2012

Direct Access is the ultimate VPN solution and one of the enablers for the New Way of Work.

Page 5: Da for dummies techdays 2012

Direct Access benefits
• Improved Productivity
  – Helps improve the productivity of remote staff by providing the same, always-on connectivity experience no matter if users are inside or outside the corporate network.
• Secure Connectivity
  – Leverages IPsec for authentication and encryption.
  – Provides the ability to apply granular policy control over access to resources, applications, and servers.
  – Integrates with Microsoft Server and Domain Isolation, Network Access Protection (NAP), and BitLocker solutions, resulting in security, access, and health requirement policies that seamlessly interoperate between intranets and remote computers.

Page 6: Da for dummies techdays 2012

Direct Access Benefits (cont'd)
• Greater Manageability
  – Helps ensure that machines both on the network and off are always healthy, managed, and up-to-date.
  – Provides administrators with the ability to update Group Policy settings and distribute software updates any time a remote computer has Internet connectivity, even if the user is not logged on.
  – Helps ensure that organizations can meet regulatory and privacy mandates for security and data protection for assets that must roam beyond the corporate network.

Page 7: Da for dummies techdays 2012

DEMO: Direct Access Benefits

Page 8: Da for dummies techdays 2012

Direct Access complex?

Page 9: Da for dummies techdays 2012

Direct Access Basics
• Authentication
  – DirectAccess authenticates the computer, enabling the computer to connect to the intranet before the user logs on. DirectAccess can also authenticate the user and supports two-factor authentication using smart cards.
• Encryption
  – DirectAccess uses IPsec to provide encryption for communications across the Internet.
• Access Control
  – IT professionals can configure which intranet resources different users can access using DirectAccess, granting DirectAccess users unlimited access to the intranet or only allowing them to use specific applications and access specific servers or subnets.

Page 10: Da for dummies techdays 2012

Direct Access Basics (cont'd)
• IT Simplification and Cost Reduction
  – DirectAccess separates intranet from Internet traffic, which reduces unnecessary traffic on the corporate network by sending only traffic destined for the corporate network through the DirectAccess server. Optionally, IT can configure DirectAccess clients to send all traffic through the DirectAccess server.

Page 11: Da for dummies techdays 2012

DirectAccess: a VPN on Steroids
(Diagram: remote computer connected to the Corporate Network)
• Always On
• Automatically connects through NAT and firewalls
• Patch management, health check and GPOs pre-logon
• Network-level computer/user authentication and encryption
DirectAccess extends the network to the remote computer and user; VPNs connect the user to the network.

Page 12: Da for dummies techdays 2012

End-to-End IPv6
Are all your applications IPv6 compatible?
(Diagram: client app on the Internet, IPv6 end to end, server app on the corporate intranet)
Client and server applications must be IPv6 compatible.

Page 13: Da for dummies techdays 2012

Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4
• Internet tunnelling selection based on client location: Internet, NAT, firewall
• Encryption/authentication of Internet traffic (end-to-edge/end-to-end)
• Client location detection: Internet or corporate intranet
(Diagram: Internet on one side, corporate intranet on the other)
Maybe not simple?

Page 14: Da for dummies techdays 2012

Connectivity Summary
(Diagram: IPv4 Internet on the left, Forefront Unified Access Gateway (UAG) at the edge, corporate network on the right)
Internet side (client to the DirectAccess server/UAG):
• Native IPv6
• 6to4 tunnel: IPv6 in IPv4 protocol 41 (client directly on the IPv4 Internet)
• Teredo tunnel: IPv6 in UDP port 3544 (client behind NAT)
• IPHTTPS tunnel: IPv6 in HTTPS (when UDP port 3544 is blocked)
Intranet side (DirectAccess server/UAG to the corporate network):
• ISATAP: IPv6 in IPv4 protocol 41
• NAT64/DNS64 towards the IPv4 corporate network

Page 15: Da for dummies techdays 2012

What is 6to4
• 6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels. Special relay servers are also in place that allow 6to4 networks to communicate with native IPv6 networks.

Page 16: Da for dummies techdays 2012

What is Teredo
• Teredo is a transition technology that gives full IPv6 connectivity for IPv6-capable hosts which are on the IPv4 Internet but which have no direct native connection to an IPv6 network. Compared to other similar protocols its distinguishing feature is that it is able to perform its function even from behind network address translation (NAT) devices such as home routers.

Page 17: Da for dummies techdays 2012

What is IPHTTPS
• The IP over HTTPS (IP-HTTPS) Protocol allows for a secure IP tunnel to be established using a secure HTTP connection.

Page 18: Da for dummies techdays 2012

What is ISATAP
• ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network.
• ISATAP defines a method for generating a link-local IPv6 address from an IPv4 address, and a mechanism to perform Neighbor Discovery on top of IPv4.

Page 19: Da for dummies techdays 2012

Connectivity Summary
(This slide repeats the Connectivity Summary diagram from page 14: native IPv6, 6to4, Teredo and IPHTTPS tunnels on the Internet side; ISATAP and NAT64/DNS64 behind the Forefront Unified Access Gateway (UAG) on the corporate side.)

Page 20: Da for dummies techdays 2012

DEMO: Direct Access

Page 21: Da for dummies techdays 2012

Client Location
(Diagram: the Internet with DNS 1, the corporate intranet with DNS 2 hosting the corp.example.com zone; the client's IP-configured DNS address points at DNS 1)
• To resolve names on the Internet: the DirectAccess host queries DNS 1
• To resolve names on the intranet (the corp.example.com zone): the DirectAccess host queries DNS 2

Page 22: Da for dummies techdays 2012

End-to-Edge Access Model
For end-to-edge protection, DirectAccess clients establish an IPsec session to an IPsec gateway server (which by default is the same computer as the DirectAccess server). The IPsec gateway server then forwards unprotected traffic (shown in red in the diagram) to application servers on the intranet. This architecture works with any IPv6-capable application server but does not require that server to run IPsec, simplifying the configuration and setup.

Page 23: Da for dummies techdays 2012

End-to-Edge with End-to-End IPsec Model
For end-to-edge with end-to-end IPsec protection, DirectAccess clients establish an IPsec session to an IPsec gateway server, and that IPsec traffic continues all the way to the intranet server for end-to-end IPsec protection. This architecture provides better security than the end-to-edge model alone.

Page 24: Da for dummies techdays 2012

End-to-End IPsec Access Model
With end-to-end IPsec protection, DirectAccess clients establish an IPsec session through the DirectAccess server to each application server to which they connect. This provides the highest level of security because you can configure access control on the DirectAccess server and extend IPsec all the way to the internal server. This architecture requires that application servers run Windows Server 2008 SP2 or Windows Server 2008 R2 and use both IPv6 and IPsec.

Page 25: Da for dummies techdays 2012

Steps
• Enable IPv6 internally (ISATAP)
• Network Location Server
• Client Groups
• Firewall Settings on clients
• Certificate Auto Enrollment
• Direct Access Server
• Finalize
• Test

Page 26: Da for dummies techdays 2012

1: Enabling IPv6 in the Enterprise
(Diagram: DirectAccess Server (Server 2008 R2) on IPv6, IPv4 internal network, Line of Business Applications on Windows Server 2008/R2 reached over IPv6)
Using ISATAP
On all internal DCs: dnscmd /config /globalqueryblocklist wpad
(This sets the DNS global query block list to only "wpad"; the default list also contains "isatap", which would stop clients from resolving the ISATAP router name.)

Page 27: Da for dummies techdays 2012

2: Configuring NLS
• Any INTERNAL server running Web services
• Create a DNS name (like nls.yourdomain.com)
• Associate this new NLS DNS name to an IP address of an internal Web server
NLS tells the DirectAccess clients whether they are "inside" or "outside" of the network. *** Make sure this system is HIGHLY available!!! ***

Page 28: Da for dummies techdays 2012

3: Create Group(s) for the DA Clients
• Create a security group (Global or Universal)
• Add Win7 client systems into this group
Remember, systems are no longer really part of a "site" as they are now universally roaming systems. So you define the group of systems by policy of what you want the systems to have access to, not where they arbitrarily are.

Page 29: Da for dummies techdays 2012

4: Windows Firewall for DA
• Allow inbound and outbound ICMPv6 Echo Request messages
• Create a Group Policy or configure each system individually

Page 30: Da for dummies techdays 2012

5: Configuring the NLS
• Enroll the server with a certificate and configure for SSL access

Page 31: Da for dummies techdays 2012

6: Certificate Auto-Enrollment
• Make sure all systems in the Direct Access group of client systems have a valid client authentication certificate

Page 32: Da for dummies techdays 2012

7: Install & Config Direct Access
• Add a certificate to the DirectAccess server
• Add the DirectAccess feature on the server
• Run the DirectAccess setup

Page 33: Da for dummies techdays 2012

8: Finalizing Configurations
• Run gpupdate /force on all systems to make sure new policies have been applied (servers for firewall policy, clients for firewall and certificate auto-enrollment policies)
• Stop/Start the iphlpsvc on all servers and test to make sure that all systems can resolve the isatap.yourdomain.com DNS entry that was created during the DirectAccess setup wizard
• Use ping <ipaddress> -6 to make sure you can ping servers and systems internally

Page 34: Da for dummies techdays 2012

9: Testing DA: Internal
• With the client system internal, run ipconfig and check to make sure you have a local address

Page 35: Da for dummies techdays 2012

10: Testing DirectAccess (External)
• With the client system external, run ipconfig and check to make sure you have an external IP address
• Access a file on a fileserver or SharePoint using an internal http(s) connection

Page 36: Da for dummies techdays 2012

11: Testing DA: IPHTTPS
• Step 10 tested external access using the automatically generated Teredo 2001: address
• Now to verify that external access is working using IP-HTTPS, disable Teredo:
  – netsh interface teredo set state disable
  – netsh interface httpstunnel show interfaces
• Re-access your fileserver and your Web server with an internal address and see if you still have access now over IP-HTTPS
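The address formats from the 6to4, Teredo and ISATAP slides, and the "Teredo 2001: address" check in steps 9 to 11, worked through as an added Python example (not part of the deck): it tells which transition technology an address shown by ipconfig belongs to, recovers the embedded IPv4 address and Teredo UDP port, builds an ISATAP address for an internal host, and encodes the selection order from the Connectivity Summary slide. Sample addresses are constructed; the ISATAP builder assumes the 0:5efe form used for private IPv4 addresses.

```python
import ipaddress

# Interface-identifier marker for ISATAP: ::0:5efe:a.b.c.d (0200:5efe when the IPv4 is global)
ISATAP_MARK = 0x00005EFE


def isatap_address(prefix, ipv4):
    """ISATAP address for host `ipv4` inside `prefix`: prefix || 0:5efe:a.b.c.d (private-IPv4 form)."""
    net = ipaddress.IPv6Network(prefix)
    iid = (ISATAP_MARK << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def classify(addr):
    """Identify the transition technology behind an IPv6 address as shown by ipconfig.

    Returns (technology, embedded IPv4 as a string or None, Teredo UDP port or None).
    """
    a = ipaddress.IPv6Address(addr)
    if a.sixtofour is not None:          # 2002:WWXX:YYZZ::/48 embeds the public IPv4 WW.XX.YY.ZZ
        return "6to4", str(a.sixtofour), None
    if a.teredo is not None:             # 2001:0:<server>:<flags>:<port ^ ffff>:<client ^ ffffffff>
        _server, client = a.teredo
        port = ((int(a) >> 32) & 0xFFFF) ^ 0xFFFF
        return "Teredo", str(client), port
    iid = int(a) & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) & 0xFDFFFFFF == ISATAP_MARK:   # mask out the u/l bit (0000 vs 0200)
        return "ISATAP", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF)), None
    return "native-or-IPHTTPS", None, None  # IP-HTTPS uses the organisation's own prefix


def expected_transition(native_ipv6, public_ipv4, udp_3544_reachable):
    """Client-side selection order shown on the Connectivity Summary slide."""
    if native_ipv6:
        return "native"
    if public_ipv4:
        return "6to4"
    if udp_3544_reachable:
        return "Teredo"
    return "IP-HTTPS"


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not captured from a real deployment.
    for sample in ("2002:c633:6401::c633:6401",             # 6to4 for 198.51.100.1
                   "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo client 192.0.2.45, port 40000
                   "fe80::5efe:10.0.0.5",                   # link-local ISATAP
                   "2001:db8:1::10"):
        print(sample, "->", classify(sample))
    print(isatap_address("2001:db8:1::/64", "10.0.0.5"))
```

Paste an address from the client's ipconfig output into classify() after step 10 (expect Teredo) and again after disabling Teredo in step 11 (expect the organisation's IP-HTTPS prefix).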

Page 37: Da for dummies techdays 2012

Extend support to IPv4 servers
(Diagram: Windows 7 client, always on over IPv6, reaches the DA Server, which extends access to IPv4 servers)
1. Extends access to line of business servers with IPv4 support
2. Access for down-level and non-Windows clients
3. Enhances scalability and management
4. Simplifies deployment and administration
5. Hardened Edge Solution
(Diagram: DirectAccess + SSL VPN; MANAGED clients: Windows 7, Vista, XP; UNMANAGED clients: non-Windows, PDA)

Page 38: Da for dummies techdays 2012