SVR402: DirectAccess Technical Drilldown, Part 2 of 2: Putting it all together.
Download as PPTX, PDF0 likes1,039 views
This document discusses the technical aspects of implementing DirectAccess in a network environment, focusing on the integration of IPv6 and tunneling technologies over IPv4. It outlines key elements such as IPsec for secure traffic, name resolution policies for corporate intranet access, and the setup requirements for DirectAccess servers. The content is structured around configuring various network components to ensure secure and efficient connectivity between the internet and corporate intranet.
SVR402: DirectAccess Technical Drilldown, Part 2 of 2: Putting it all together.
- 2. DirectAccess Technical Drilldown Part 2Putting it all togetherJohn CraddockInfrastructure & Security ArchitectXTSeminars LtdSession Code: SVR402
- 3. Part1: Internet to Intranet 6to4Host/Router6to4RelayNAT DeviceTeredoserver & relayTeredoHostInternetCorporateintranetIPHTTPSserverIPHTTPSHostNAT Device
- 4. Part1: IPv6/IPv4 IntranetIPv6ISATAP RouterNative IPv6IPv6NAT-PTor NAT64IPv4IPv6\IPv4IPv4IPv6\IPv4
- 5. What’s Left?InternetCorporate IntranetTunnelling technologies for the Internet and Intranet to support IPv6 over IPv4Internet tunnelling selection based on client location – Internet, NAT, firewallEncryption/authentication of Internet traffic (end-to-edge/end-to-end)PKI required Client location detection: Internet or corporate intranet
- 6. Don’t Give Up NowPart 1IPv6 IntroTransition TechnologiesEnd-to-end connectivityPart 2IPsecConfiguring Direct AccessNetwork location and name resolution policiesIt all works – just like that!
- 7. Demo EnvironmentEX1DC1DNSDC, DNS,CANAT1DA1HomeCorporate intranetInternetIIS for CRLdistributionAPP1WIN7WIN7WIN7All servers Windows 2008 R2
- 8. Securing the TunnelInternetCorporate IntranetDirectAccess uses IPsec to secure network trafficTraffic over the Internet is encrypted and authenticatedAccess via IPHTTPs is double encryptedEncrypted IPv6 within HTTPS
- 9. IPsec to the RescueIPsec is managed through Windows Firewall with Advanced SecurityBest deployed through group policyConnection rules create:IPsec tunnels (authenticated and encrypted)Authenticated connects (computer and user authenticationInbound / outbound rules set requirements for encryption
- 10. Traffic ProfileTraffic profile: <Protocol><source IP> <destination IP><source port> <destination port>Rules are based on a traffic profileConnection Security RuleAuthenticate all TCP traffic between A & B on ports W & XInbound/Outbound RuleEncrypt authenticated TCP traffic between A & B on ports W & X
- 11. IPsec PrimerMain modesecurity associationKey life configurableDefault: 8 hoursCreate shared secret between hostsAuthIPAuthIPUses Diffie-HellmanAuthenticate over secure channelAuthIPAuthIPKerberos / certificatesComputer and/or user authentication AuthIPEstablish IPSec session KeysQuick mode:IPsec SAKey life configurableDefault 1 hour/100 MBDrops after 3 Minsof inactivityAuthIPAuthIPCreate Security Association for sessionIPsec SAIPsec SAIntegrityorIntegrity + encryptionExchange data
- 14. Data ExchangeProtocol ID 51Authentication Header (AH) contains:Protocol ID of payload (TCP/UDP/ICMP…)Sequence number – prevents replaySecurity Parameters Index – Identifies IPsec SAIntegrity Check value (ICV) calculated with SHA1 or MD5Signed - ignoring ICV field andfields that change in transportProtocol ID 50EncryptedsignedIP HeaderIP payloadAHEncrypted Security ProtocolESP headers contain:Protocol ID of payload (TCP/UDP/ICMP…)Sequence number – prevents replaySecurity Parameters Index – Identifies IPsec SAIntegrity Check value (ICV)IP HeaderESPIP payloadESPICVWhen you just want integrity through NAT use ESP-Null
- 15. Negotiated Security OptionsDo not authenticateRequest inbound and outboundA host responds to both IPsec and unauthenticated (non-IPsec) requestsIt initiates communications with IPsec, and if that fails, falls back to unauthenticated communicationsRequire inbound and request outboundA host responds to inbound traffic secured by IPsec, and ignores unauthenticated requestsIt initiates communications with IPsec, and if that fails, falls back to unauthenticated communicationsRequire inbound and require outboundA host requires IPsec-secured communications for both inbound and outgoing requestsRequire inbound and clear outbound
- 16. IntranetIntegrity / encryption / authentication IPsec TunnelEnd points can be single host or act as a gatewayThe gateway acts as the end-point for integrity encryption and authenticationTraffic on the Intranet is not protected by IPsec IPsec Gateway includes IPsec DoS PreventionReduces DoS attacks from key management protocols IKE & AuthIP
- 17. IPsec Access OptionsIntranetIntegrity / encryption / authentication Tunnel 1: Machine AuthTunnel 2: Machine & User AuthESP NULL (transport mode) machine and user auth to intranet serverSelective authentication onto endpoint serversESP (transport mode) encryption and authentication to intranet server
- 18. Client Locationcorp.example.com zoneDNS 2DNS 1IP configuredDNS addressCorporate IntranetInternetTo resolve names on the InternetDirectAccess host queries DNS 1To resolve names on the IntranetDirectAccess host queries DNS 2
- 19. How Does It Do that?Name Resolution Policy Table (NRPT) to the rescueNRPT allows the definitions of which DNS servers to query based on the namespace to be resolvedThe NRPT can point DNS queries for corp.example.com to the intranet DNS serverAll other DNS queries are sent to the DNS server address configured in the client IP settings
- 20. NRPTcorp.example.com zoneDNS 2nls.corp.example.comDNS 1IP configuredDNS addressInternetCorporate IntranetNo NRPTNRPT:corp.example.com: query DNS 2All other name spaces query DNS server configured in client IP settings There is a special entry in the table to direct DNS queries for an internal HTTPS website to the DNS servers configured in the client IP settings For example: queries for nls.corp.example.com always go to IP configured DNS address and this is not resolvable on the internet
- 21. Viewing the NRPT
- 22. NRPT Inside/OutsideNRPT enabled by defaultIf the client can access an internal HTTPS website (https://nls.corp.example.com)Considered to be on the intranet NRPT disabledNo access to secure website Considered to be on the Internet NRPT remains enabled
- 23. Putting it All Together6to4Host/Router6to4RelayISATAP RouterNAT DeviceTeredoserver & relayTeredoHostCorporateintranetInternetHTTPSserverIPHTTPSHostNAT DeviceDirectAccess Server
- 25. Before Running SetupDNS server requires isatap block to be removedComputer certificates must be issued to computersServer certificates must be issued to DA server with external DNS name in certificateNLS web server with nlsurl address in certificateCRL distribution should be configured in certificateCRL distribution location must be available on both the Internet and intranet
- 26. Authentication to Servers IPsec ESP NULL can be used for authentication to end-point servers Provides another layer of protectionCan control which servers are available from DA hostRequires 2008 end-point serversIPSEC does not work over IPv6 for Windows 2003Two factor authentication can be enabled for end-to-end authenticationRequires 2008 domain functional level
- 27. DirectAccess SetupConfigures on DA server6to4 relayTeredo server and relayIPHTTPS serverISATAPCreates group policy for IPSec rules forDA server IPsec TunnelDA client IPsec TunnelDA clients and servers requiring end point authentication
- 28. DirectAccess Setup (continued) Creates group policy for client configurationEnable and supply addresses for6to4 relayTeredo server and relay IPHTTPS serverEnable and configure NRPTEnable inside/outside probeDA server and DA clients must be members of the domain
- 29. Windows DirectAccessThe DA server represents a single point of failureFunctionality can be split across multiple servers for performanceFor HA, run DA server as VM in a Hyper-v clusterDoes not guarantee DA service availabilityLive Migration available in Windows 2008 R2Load balancing option available with UAG
- 30. All DoneInternetCorporate IntranetTunnelling technologies for the Internet and Intranet to support IPv6 over IPv4Internet tunnelling selection based on client location – Internet, NAT, firewallEncryption/authentication of Internet traffic (end-to-edge/end-to-end)PKI required Client location detection: Internet or corporate intranet
- 31. Required SlideSpeakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online. www.microsoft.com/techedSessions On-Demand & Communitywww.microsoft.com/learningMicrosoft Certification & Training Resourceshttp://microsoft.com/technetResources for IT Professionalshttp://microsoft.com/msdnResources for DevelopersResources
- 32. Related ContentRequired SlideSpeakers, please list the Breakout Sessions, TLC Interactive Theaters and Labs that are related to your session.Breakout Sessions:SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies SIA306 Microsoft Forefront Unified Access Gateway: DirectAccess and BeyondSVR315 IPv6 for the Reluctant: What to Know Before You Turn It OffInteractive Theater Sessions:SVR08-IS End-to-End Remote Connectivity with DirectAccess
- 33. My Sessions at TechEdRequired SlideSpeakers, please list the Breakout Sessions, TLC Interactive Theaters and Labs that are related to your session.Breakout Sessions:SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle BinSVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition TechnologiesSVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All TogetherInteractive Theater Sessions:SVR08-IS End-to-End Remote Connectivity with DirectAccess
- 34. Required SlideComplete an evaluation on CommNet and enter to win an Xbox 360 Elite!
- 36. Required Slide© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.