Working remote: what to consider, technology evolution

Upload: gyles-hodges

Post on 23-Dec-2015

TRANSCRIPT

Page 1: Working remote: what to consider, technology evolution

Page 2: Session Agenda

• Remote access: do we need it?
• Remote access: what are the options?
• Microsoft’s strategy for remote access
  – The vision: seamless, secure, ubiquitous
  – Making it real: DirectAccess & Unified Access Gateway
• Q & A

Page 3: Information Worker’s World Has Been Changing…

Diagram labels: mobile & distributed workforce; central office; branch offices; remote work.

In 2008, mobile workers will represent 26.8% of the total workforce, and that number will increase to 30.4% by 2011 (IDC, "Worldwide Mobile Worker Population 2007–2011 Forecast," Doc #209813)

Page 4: Remote Access Needs: Internal & External Users

Diagram: users (financial partner or field agent, project manager employee, logistics partner, remote technician employee) on managed and unmanaged devices (corporate managed laptop, home PC, unmanaged partner PC, kiosk) reaching internal resources, against a changing threat environment, IT governance and regulatory compliance.

Page 5: Remote Access Options

• Dialup? Too costly, limited user experience
• Reverse Proxy? Only Web apps
• Terminal Services? Not from everywhere, TCO considerations
• Traditional VPN based on IPSec – most popular
  – Limited functionality from firewalled or NAT’ed networks / not very user friendly
  – Client becomes difficult to roll out / managed devices only
  – Requires administrative installation
  – Potential security exposure by extending network
• SSL VPN
  – In-office experience from anywhere
  – Granular policy control
• Next-Gen IPSec VPN
  – User friendly: no more FW/NAT problems; seamless access from everywhere
  – Built into client OSs
  – Granular policy control

Page 6: DirectAccess: Providing seamless, secure access to enterprise resources from anywhere

− Provides seamless, always-on, secure connectivity to on-premise and remote users alike
− Eliminates the need to connect explicitly to corpnet while remote
− Facilitates secure, end-to-end communication and collaboration
− Leverages a policy-based network access approach
− Enables IT to easily service/secure/update/provision mobile machines whether they are inside or outside the network

Page 7: Benefits Of DirectAccess

More productivity
− Always-on access to corpnet while roaming
− No explicit user action required – it just works
− Same user experience on premise and off

More secure
− Healthy, trustable host regardless of network
− Fine grain per app/server policy control
− Richer policy control near assets
− Ability to extend regulatory compliance to roaming assets
− Incremental deployment path toward IPv6

More manageable and cost effective
− Simplified remote management of mobile resources as if they were on the LAN
− Lower total cost of ownership (TCO) with an “always managed” infrastructure
− Unified secure access across all scenarios and networks
− Integrated administration of all connectivity mechanisms

Page 8: DirectAccess Technologies

• Microsoft Windows 7 clients
• Microsoft Windows Server 2008 DirectAccess Server
• IPv6
• IPSec v6
• Tunneling protocols
  – 6to4
  – Teredo
  – IP-HTTPS
• NAT-PT devices

Diagram: a compliant client on the Internet and intranet users on the enterprise network both reach the DirectAccess Server over IPsec/IPv6.

Assume the underlying network is always insecure
Redefine CORPNET edge to insulate the datacenter and business critical resources
Tunnel over IPv4 UDP, HTTPS, etc.
Security policies based on identity, not location
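The slide lists 6to4, Teredo and IP-HTTPS but does not show how those tunnels encode the IPv4 endpoints or when a client picks each one. As an added example (not Microsoft's client code, and not from the deck), the Python below derives a host's 6to4 prefix, decodes a Teredo address into the server and NATed client endpoint it embeds (handy when a DirectAccess client address shows up in logs), and applies an assumed preference order of native IPv6, then 6to4, then Teredo, then IP-HTTPS; that order and the inputs of `choose_transport` are assumptions, not statements from the slides.

```python
import ipaddress

# RFC 1918 ranges: a client inside one of these is behind NAT and cannot use 6to4.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_public_ipv4(addr):
    v4 = ipaddress.IPv4Address(addr)
    return not (v4.is_loopback or v4.is_link_local or v4.is_multicast
                or any(v4 in net for net in _RFC1918))

def six_to_four_prefix(public_v4):
    """6to4 (RFC 3056) embeds the public IPv4 W.X.Y.Z as 2002:WWXX:YYZZ::/48."""
    if not is_public_ipv4(public_v4):
        raise ValueError("6to4 needs a globally routable IPv4 address")
    n = int(ipaddress.IPv4Address(public_v4))
    return ipaddress.IPv6Network(f"2002:{n >> 16:04x}:{n & 0xFFFF:04x}::/48")

def parse_teredo(addr):
    """Decode a Teredo address (RFC 4380): 2001:0000:<server>:<flags>:<~port>:<~client>.
    Port and client IPv4 are stored XORed with all-ones; returns None if not Teredo."""
    n = int(ipaddress.IPv6Address(addr))
    if n >> 96 != 0x20010000:
        return None
    flags = (n >> 48) & 0xFFFF
    return {
        "server": str(ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)),
        "cone_nat": bool(flags & 0x8000),
        "nat_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
        "nat_ip": str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }

def choose_transport(native_ipv6, client_ipv4, udp_out_ok, https_out_ok):
    """Assumed preference order (not from the slides): native IPv6, then 6to4 when
    the client holds a public IPv4, Teredo when NATed but outbound UDP works,
    IP-HTTPS as the last resort over TCP 443. Returns None when no path exists."""
    if native_ipv6:
        return "native"
    if is_public_ipv4(client_ipv4):
        return "6to4"
    if udp_out_ok:
        return "Teredo"
    if https_out_ok:
        return "IP-HTTPS"
    return None
```

The Teredo sample used in testing is the worked address from RFC 4380; the 6to4 input is a constructed documentation-range address.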

Page 9: Making It Real

• Extend access to line of business servers with IPv4-only support?
• Access for down level and non Windows clients?
• Scalability and management?
• Deployment and administration?
• Hardened Edge Solution?

Page 10: UAG & DA Solution Architecture

Diagram: managed Windows 7 clients connect over always-on IPv6 (DirectAccess) to the DirectAccess Server; unmanaged Vista/XP, non-Windows and PDA clients connect over SSL VPN; UAG extends support to IPv4 servers behind it.

UAG and DirectAccess better together:
1. Extends access to line of business servers with IPv4 support
2. Access for down level and non Windows clients
3. Enhances scalability and management
4. Simplifies deployment and administration
5. Hardened Edge Solution

Page 11: UAG History and Evolution

Protection: integrated and comprehensive protection from Internet-based threats
Access: unified platform for all enterprise remote access needs

Page 12: UAG Product "Stack"

Application Access Management: wizard driven configuration for core scenarios allowing easy implementation and enforcement of granular policies. Web based monitoring and control across arrays.
Reverse Proxy: intelligent URL rewriting and manipulation engine to simplify publishing
SSL VPN Tunneling + DA: multiple tunnels providing access for non web applications
Policy and Security
Application Intelligence: optimizers for core, common scenarios enabling security and functionality
End Point Detection: client and deep policies for security health assessment

Page 14: UAG Networking Options

Client-side options:
− Direct Access (next-gen IPSec VPN)
− SSL VPN options:
  – HTTP(S) apps
  – SSL port fwd (SSL Wrapper)
  – SSL socket fwd (Socket Forwarder)
  – SSL Network Tunneling
  – SSTP

Page 15: UAG Client Components

Component Manager
− Session Clean-up
− Client Trace Utility
− Endpoint Detection
− SSL Wrapper
− SSL Wrapper (Java Applet)
− Socket Forwarder (LSP, NSP)
− Network Connector
− Quarantine Enforcement

Page 16: Dynamic User Session

Diagram: users (financial partner or field agent, project manager employee, logistics partner, remote technician employee) on devices (corporate laptop, home PC, kiosk, unmanaged partner PC) receive different access: full intranet, payroll & HR, legacy apps, custom financials, supply chain, file access, webmail, tech support app, limited webmail (no attachments), limited intranet.

Each user session is determined by access policies that relate to the user, the device, and the resources.

Page 17: User Experience – UAG Portals

Pages 18 to 25: screenshots with no text in the transcript
Page 26: Endpoint Security

• It uses client-side scripting for detection to generate variables that describe client properties
  – AV running/AV up-to-date
  – Personal Firewall
  – Host IDS running
  – Processes running/not running
  – Registry entries
  – Custom
• The variables are uploaded as a chunk of XML data, and ASP policy expressions are evaluated on the UAG
• Results are stored in the UAG Session Manager service
• Various components in UAG query the Session Manager
  – The filter web site (for download/upload/restricted zones blocking functionality)
  – The PortalHomePage (to decide which links to display/gray out etc.)

Page 27: User Authentication

• Front-end authentication
  – Most authentication services supported OOB
    • Active Directory
    • Other LDAP (Novell, Sun, IBM, …)
    • RADIUS/TACACS
    • ADFS
    • Custom
  – Multiple auth services can be used to control access
    • At logon
    • On the fly (application access)
Page 28: no text in the transcript

Page 29: User Authentication

• Back-end authentication
  – SSO
    • Credential replay
    • KCD
    • Custom

Page 30: Coarse-grained authorization

• User-based
  – Access to each application can be granted to selected users/groups
  – Users and groups defined in external authentication services

Page 31: Fine-grained Authorization

• Policy-based
  – Application functionalities enabled/disabled according to output from endpoint security check
    • Sending email with attachments through OWA not allowed if AV not running
    • Downloading documents from SharePoint not permitted if client is not “certified”
• Enabled by “Application Intelligence”
  – Built-in application knowledge
    – MS SharePoint, Outlook Web Access, Dynamics CRM…
    – SAP Enterprise Portal
    – Lotus Notes (iNotes, Nativ, DOLS)
    – Lotus Sametime
    – Documentum eRoom
    – …other
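As an added example (not UAG code; the real endpoint XML schema and ASP expression syntax are not on the slides), the following Python models the chain from pages 26, 30 and 31: client-detected variables arrive as an XML chunk, are parsed into a session record, a coarse user/group grant decides whether an application is offered at all, and per-function policies then decide what is enabled, e.g. OWA attachment sending only when AV is running and up to date. The variable names, XML layout, groups and policies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed endpoint-detection upload (hypothetical layout, not the UAG schema).
ENDPOINT_XML = """<endpoint>
  <var name="AV_RUNNING">true</var>
  <var name="AV_UPTODATE">false</var>
  <var name="FIREWALL">true</var>
  <var name="HOST_IDS">false</var>
  <var name="DEVICE_CLASS">managed</var>
</endpoint>"""

def parse_endpoint(xml_text):
    """Parse the uploaded variables into a dict (the 'session record').
    'true'/'false' become bool; other values stay strings; missing vars stay missing."""
    root = ET.fromstring(xml_text)
    session = {}
    for var in root.findall("var"):
        text = (var.text or "").strip().lower()
        session[var.get("name")] = {"true": True, "false": False}.get(text, text)
    return session

# Fine-grained policies: one predicate per application function. Predicates use
# dict.get so an absent variable fails closed (the function is disabled).
POLICIES = {
    "OWA": {
        "open": lambda s: s.get("DEVICE_CLASS") in ("managed", "unmanaged"),
        "send_attachment": lambda s: s.get("AV_RUNNING") is True and s.get("AV_UPTODATE") is True,
    },
    "SharePoint": {
        "open": lambda s: s.get("FIREWALL") is True,
        "download": lambda s: s.get("DEVICE_CLASS") == "managed" and s.get("AV_RUNNING") is True,
    },
}

def evaluate(session, user_groups, app_acl):
    """Coarse grant first (user/group per application), then the per-function
    decisions a portal page would use to show, gray out or block links."""
    decisions = {}
    for app, functions in POLICIES.items():
        if not app_acl.get(app, set()) & set(user_groups):
            continue  # no coarse grant: application is not offered at all
        decisions[app] = {name: bool(pred(session)) for name, pred in functions.items()}
    return decisions

def visible_links(decisions):
    """Links the portal home page displays: applications whose 'open' policy passed."""
    return sorted(app for app, funcs in decisions.items() if funcs.get("open"))
```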

Pages 32 to 34: no text in the transcript

Page 35: Session clean-up

• UAG wipes session data when session ends
  − Transparent to end users
  − Application Optimizer: application-specific modules allow wiping additional data outside browser’s cache
  − Application-based (Citrix Bitmap Cache, Lotus Notes…)
  − Extensible via custom scripts
• What can be wiped
  − Files and html pages downloaded
  − Cookies, history information, user credentials
• When it can be executed
  − User logoff, inactivity timeout
  − Crash, browser closed by user
  − Shutdown

Page 36: Browser support

• Windows OSs
  − Internet Explorer
  − Netscape Navigator
  − Firefox
  − Safari
• Linux
  − Netscape Navigator
  − Firefox
• Mac OS (10.3 and up)
  − Safari

Page 37: Seamless, Secure, Ubiquitous

Diagram: UAG in the DMZ network between the Internet and the data center / corporate network.
− Clients: employees on managed machines (DirectAccess), business partners / sub-contractors, home / friend / kiosk, mobile
− Inbound paths: HTTPS (443), Layer 3 VPN, DirectAccess
− Back-end protocols: HTTPS / HTTP, RDP, Telnet, RPC, …
− Identity services: AD, ADFS, RADIUS, LDAP…; NPS, ILM
− Published resources: Exchange, CRM, SharePoint, IIS based, IBM / SAP / Oracle, Terminal / Remote Desktop Services, non web

Page 38: Q & A

Page 39: no text in the transcript