More info on http://techdays.be.

1. Implementing DirectAccess in
Windows Server 2012
Richard Hicks – Microsoft MVP
FishNet Security

3. Agenda
• What is DirectAccess?
• What are the Benefits of DirectAccess?
• What’s New in Windows Server 2012 DirectAccess
• DirectAccess Components
• Limitations of DirectAccess
• How DirectAccess Works
• Planning and Implementation
• Demonstration
• Security Considerations

5. What Is DirectAccess?
Next Generation Remote Access
Always On
Seamless and Transparent
Bi-Directional Connectivity
NOT a VPN!

6. DirectAccess vs. Legacy VPN
• VPN
• Intrusive
• User Initiated
Remote User Connects to Corporate Network
• DirectAccess
• Seamless and Transparent
• No User Action Required
Extend Corporate Network to the User

7. DirectAccess Benefits
• Streamlined User Experience
End User • Familiar Access
• Increased Productivity
• Always Managed
Administrator • Improved Compliance
• Reduced Administration Costs

8. Evolution of DirectAccess

10. What’s New in Windows Server 2012
DirectAccess Integrated
Simplified Perimeter/DMZ
and RRAS No PKI Network Load
Deployment Deployment
Coexistence Balancing
Automated
Multi-Domain NAP OTP/Virtual IP-HTTPS
Force
Support Integration Smartcard Improvements
Tunneling
Monitoring and
Manage Out Multi-Site Server Core PowerShell
Reporting

11. New Feature Highlights
• Easier to Deploy
• Simplified Deployment
• Flexible Network Placement
• Performs Better
• IP-HTTPS Improvements
• Scalable Solution
• Load Balancing
• Multi-Site
• More Manageable
• Monitoring, Accounting, Reporting, Diagnostics
• PowerShell

13. DirectAccess Components
Windows Server 2012
Windows 8 Enterprise
*Windows 7 Ultimate/Enterprise
IPv6 and IPsec
Active Directory and
Group Policy

14. DirectAccess Components
• Certificates
• PKI is Optional (Strongly Recommended!)
• PKI Required for Windows 7 Clients
• Network Location Server (NLS)
• DNS64/NAT64
• Name Resolution Policy Table (NRPT)
• Windows Firewall w/Advanced Security

16. IPv6 Transition Protocols
6to4 Teredo IP-HTTPS ISATAP
• Public Client • Private • 6to4/Teredo • Intranet
IP Address Client IP Not Manage Out
• IP Protocol Address Available • ISATAP
41 • UDP Port • SSL/TLS Router
3544 • DNS

17. A Word About ISATAP
• ISATAP Not Recommended
• Global In Scope
• Lower Layer Protocols Depend
On Upper Layer Protocols
• Lack of Monitoring and Management
• Deploy IPv6
• Restrict ISATAP to Specific Hosts
• Group Policy
• HOSTS File

19. DirectAccess Limitations
Supported Clients Non-Supported Clients
• Windows 8 Enterprise • Windows 8 Professional
• Windows 7 Enterprise • Windows Vista
• Windows 7 Ultimate • Windows XP
• Domain-Joined • Non domain-joined

20. DirectAccess Limitations
Client Compatibility Issues
• Protocols with Embedded IPv4 Addresses
• Applications with Hard Coded IPv4
Addresses

22. How DirectAccess Works
• Client Assumes it is Not Connected to the Intranet
• Establishes HTTPS Connection to NLS
• Domain WFAS Profile Activated
• NRPT Disabled
• No DirectAccess IPsec Tunnels

23. How DirectAccess Works
• Client Assumes it is Not Connected to the Intranet
• Fails to Establish HTTPS Connection to NLS
• Public or Private WFAS Profile Activated
• NRPT Enabled
• DirectAccess IPsec Tunnels Enabled

25. Planning for DirectAccess
• Prerequisites
• Windows Server 2012
• Windows 8 Enterprise
• Windows 7 Enterprise/Ultimate
• Domain-joined
• Network Placement
• Edge
• Perimeter/DMZ
• High Availability and Redundancy

26. Implementing DirectAccess
• Install RemoteAccess Feature
• GUI
• PowerShell
• Configure RemoteAccess
• Simplified Deployment
• Complex Deployment

28. Security Considerations
Authentication Endpoint Infrastructure
• Password Policy • Whole Disk • NAP Integration
• SmartCards Encryption • Remote Content
• Dynamic • Boot PIN Filtering
Passwords (OTP) • Anti-Virus • Disable Computer
Account
for Lost/Stolen
Machines

29. Thank You!
Richard Hicks
Microsoft MVP
FishNet Security
rich@richardhicks.com
richardhicks.com/connect