3. Agenda
• What is DirectAccess?
• What are the Benefits of DirectAccess?
• What’s New in Windows Server 2012 DirectAccess
• DirectAccess Components
• Limitations of DirectAccess
• How DirectAccess Works
• Planning and Implementation
• Demonstration
• Security Considerations
5. What Is DirectAccess?
Next Generation Remote Access
Always On
Seamless and Transparent
Bi-Directional Connectivity
NOT a VPN!
6. DirectAccess vs. Legacy VPN
• VPN
• Intrusive
• User Initiated
Remote User Connects to Corporate Network
• DirectAccess
• Seamless and Transparent
• No User Action Required
Extend Corporate Network to the User
7. DirectAccess Benefits
End User
• Streamlined User Experience
• Familiar Access
• Increased Productivity
Administrator
• Always Managed
• Improved Compliance
• Reduced Administration Costs
10. What’s New in Windows Server 2012
• DirectAccess and RRAS Coexistence
• Simplified Deployment
• No PKI Deployment
• Perimeter/DMZ Network
• Integrated Load Balancing
• Automated Force Tunneling
• Multi-Domain Support
• NAP Integration
• OTP/Virtual Smartcard
• IP-HTTPS Improvements
• Monitoring and Reporting
• Manage Out
• Multi-Site
• Server Core
• PowerShell
13. DirectAccess Components
Windows Server 2012
Windows 8 Enterprise
*Windows 7 Ultimate/Enterprise
IPv6 and IPsec
Active Directory and Group Policy
14. DirectAccess Components
• Certificates
• PKI is Optional (Strongly Recommended!)
• PKI Required for Windows 7 Clients
• Network Location Server (NLS)
• DNS64/NAT64
• Name Resolution Policy Table (NRPT)
• Windows Firewall w/Advanced Security
16. IPv6 Transition Protocols
6to4
• Public Client IP Address
• IP Protocol 41
Teredo
• Private Client IP Address
• UDP Port 3544
IP-HTTPS
• 6to4/Teredo Not Available
• SSL/TLS
ISATAP
• Intranet Manage Out
• ISATAP Router
• DNS
17. A Word About ISATAP
• ISATAP Not Recommended
• Global In Scope
• Lower Layer Protocols Depend On Upper Layer Protocols
• Lack of Monitoring and Management
• Deploy IPv6
• Restrict ISATAP to Specific Hosts
• Group Policy
• HOSTS File
19. DirectAccess Limitations
Supported Clients
• Windows 8 Enterprise
• Windows 7 Enterprise
• Windows 7 Ultimate
• Domain-Joined
Non-Supported Clients
• Windows 8 Professional
• Windows Vista
• Windows XP
• Non domain-joined
20. DirectAccess Limitations
Client Compatibility Issues
• Protocols with Embedded IPv4 Addresses
• Applications with Hard Coded IPv4 Addresses
22. How DirectAccess Works
• Client Assumes it is Not Connected to the Intranet
• Establishes HTTPS Connection to NLS
• Domain WFAS Profile Activated
• NRPT Disabled
• No DirectAccess IPsec Tunnels
23. How DirectAccess Works
• Client Assumes it is Not Connected to the Intranet
• Fails to Establish HTTPS Connection to NLS
• Public or Private WFAS Profile Activated
• NRPT Enabled
• DirectAccess IPsec Tunnels Enabled
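The NLS check on slides 22 and 23, and the NRPT it switches on and off, as an added model in Python (not from the deck and not Microsoft's implementation): when the NLS is unreachable the NRPT sends names in the intranet namespace to the DNS64 server over the tunnel, while the NLS name itself carries an NRPT exemption so the probe always uses the interface DNS. The corporate suffix, NLS name and DNS64 address are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class NrptRule:
    namespace: str                # ".corp.example.com" (suffix) or an FQDN (one host)
    dns_servers: Tuple[str, ...]  # DNS64 server(s) reached over the tunnel; () = exemption

@dataclass
class DaClient:
    nls_reachable: bool           # outcome of the HTTPS probe to the NLS
    nrpt: List[NrptRule] = field(default_factory=list)

    def status(self) -> dict:
        # Slides 22/23: NLS reachable means intranet -> Domain profile, NRPT off,
        # no IPsec tunnels; otherwise Public/Private profile, NRPT on, tunnels up.
        return {"profile": "Domain" if self.nls_reachable else "Public/Private",
                "nrpt_enabled": not self.nls_reachable,
                "ipsec_tunnels": not self.nls_reachable}

def match_rule(rules: List[NrptRule], name: str) -> Optional[NrptRule]:
    """Longest-match NRPT lookup: a suffix rule (leading '.') matches any name
    under it, a bare FQDN rule matches only that host; the most specific wins."""
    best, best_len = None, -1
    n = name.lower().rstrip(".")
    for rule in rules:
        ns = rule.namespace.lower().rstrip(".")
        hit = n.endswith(ns) if ns.startswith(".") else n == ns
        if hit and len(ns) > best_len:
            best, best_len = rule, len(ns)
    return best

def resolve_via(client: DaClient, name: str) -> Tuple[str, ...]:
    """DNS server(s) the query goes to; ('interface DNS',) means the normal
    locally configured resolver, i.e. the query does not use DirectAccess."""
    if not client.status()["nrpt_enabled"]:
        return ("interface DNS",)
    rule = match_rule(client.nrpt, name)
    if rule is None or not rule.dns_servers:   # outside the namespace, or NLS exemption
        return ("interface DNS",)
    return rule.dns_servers

# Constructed sample policy; suffix, NLS name and DNS64 address are placeholders.
CORP_NRPT = [
    NrptRule(".corp.example.com", ("2001:db8::53",)),  # intranet names -> DNS64 via tunnel
    NrptRule("nls.corp.example.com", ()),              # NLS exemption: never via DirectAccess
]
```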
25. Planning for DirectAccess
• Prerequisites
• Windows Server 2012
• Windows 8 Enterprise
• Windows 7 Enterprise/Ultimate
• Domain-joined
• Network Placement
• Edge
• Perimeter/DMZ
• High Availability and Redundancy
29. Thank You!
Richard Hicks
Microsoft MVP
FishNet Security
rich@richardhicks.com
richardhicks.com/connect
Editor's Notes
Remote access is a blessing and a curse. Fine line between enabling productive users and increasing exposure to risk. Corporate managed laptop leaves the network in a pristine state, never to be seen or heard from again. ;) What state is it in? Is it up to date? Users lament VPN because it is clunky! Name resolution challenges, password sync issues (cached credentials). Managing remote devices for BofA…
Legacy VPN is difficult to manage. Often requires manual client configuration, can be automated using CMAK (clunky). DirectAccess is configured automatically via group policy, which is much more efficient.
Password change via CTRL+ALT+DEL
IP-HTTPS improvements in interoperability and performance.