Direct Access 2012.ppt

1、Direct Access 2012,Chad Duffey and Tristan Kington Microsoft Premier Field Engineering,WSV333,Premier Field Engineering,We work with Microsoft Premier Support customersHelp identify IT health risks before they become disastersRun workshops to build skills and learn troubleshooting techniquesand help

2、 fix things when they break,DirectAccess in Action,What does Direct Access do?,Connects you to your Corporate Office no matter where you are If you have Internet, you have corporate network accessNo visible VPN clientNo reverse proxying/link translation/AAMs/app settings!,How does it do it?,Combines

3、 multiple networking technologies IPSEC IPv6 IPHTTPS NAT64/DNS64 Domain member configuration Tunnels Kerberos proxy or Certificates,Direct Access History,Version 1: Windows Server 2008 R2,Version 1.5: Windows Server 2008 R2 + UAG,Version 2: Windows Server 2012,Direct Access Improvements for Server 2

4、012,Deploy without internal IPv6 Connectivity PKI deployment is not needed New Kerberos Proxy and IP-HTTPS improvements Support for External NAT for DA Edge Support for Server Core,What you will see in this Demonstration,Simplified Administrator Configuration Improved User Experience,Internet,Corpor

5、ate,Public IPv4 Addressing,Private IPv4 Addressing,DA Wizard Creates Group Policies,DA Policy is applied to client,Try to contact Internal Server (NLS),IPv4 Query for External DA Server IP,Establish Direct Access Tunnel,Demonstration,Simplified Direct Access Configuration & Improved Client Experienc

6、e,Notes from the Demonstration,Windows 8 clients (only) in this simplified deployment IPHTTPS as only client-side transition technology Easily extended to support Windows 7 Easily scaled with NLB from inside the console OTP/token authentication or PKI can be added later,Deploy Without IPv6*,Direct A

7、ccess is an IPv6 Technology NAT64/DNS64 provided out of the box,PKI is no longer a prerequisite,Windows 2008 R2 DirectAccess used two IPsec AuthIP policies to authenticate and secure traffic Windows 2012 overcomes the PKI requirement using Kerberos Proxy Client authentication requests are sent to a

8、KDC Proxy Server service running on the DirectAccess server Kerberos proxy sends Kerberos requests to DCs on behalf of the client,Kerberos Proxy,Getting Started wizard configures KDC Proxy automatically DA now uses a single external IPv4 address and has the following requirements: TCP port 443 NATte

9、d or allowed to DA Edge (on firewall) DirectAccess server must have a server authentication certificate for TLS Will be trusted by clients (forcibly through Group Policy if necessary) Self-signed cert used automatically for IPHTTPS/KDC Proxy,Support for NAT,DirectAccess server can now run behind NAT

10、 with single network interface or multiple interfacesNo need for two consecutive public IPv4 addresses!Setup Wizard probes whether DirectAccess server is located behind a NAT If so, only IP-HTTPS will be deployed,IP-HTTPS Improvements,The key performance issue in Windows 2008 R2: Data is encrypted b

11、y IPSec as well as by SSL, so the data is encrypted twiceWindows Server 2012 DirectAccess improves IP-HTTPS: Allows IP-HTTPS clients to obtain proxy configuration information Optimizations include: changes to batched send behavior and receive buffers, reduced lock contention, and the option to imple

12、ment SSL with NULL encryption Can configure IP-HTTPS to work when behind authenticating proxyIP-HTTPS is now preferred transport,Additional Killer Feature!,Offline Provisioning of Direct Access Clients With Windows Server 2012, DirectAccess can provide a remote connection for domain joining and prov

13、isioningIf a laptop is lost, destroyed or offsite we can send a provisioning package to automate the configuration of domain join and DirectAccess for a new PCUses DJOIN.EXE utility, which is updated in Server 2012,What you will see in this Demonstration,Important Company Executive has poured coffee

14、 on their laptop the day before the big presentation They are miles from the nearest corporate office There is a local computer shop with one laptop left The hotel has an Internet caf where the executive can access their email,Offline Provisioning of Direct Access Client,DJOIN.exe,Introduced in Wind

15、ows Server 2008 R2 Now includes selected Group Policy object in the blob allowing new clients to be remotely joined to computer accounts (via DA),Djoin /provision /machine CLIENT1 /domain corp /policynames “DirectAccess Client Settings“ /rootcacerts /savefile c:filesprovision.txt /reuse,Technical De

16、tail,Direct Access FlowNAT64/DNS64,Direct Access client flow,Client attempts to locate Network Location Service serverIf NLS not found, assume Direct Access requiredResolve external DA name with external DNSEstablish IPSEC tunnel to DA endpointAuthenticate client computer,DNS Query for DirectAccess-

17、NLS,HTTP Probe to check for availability,IPv4 (A) DNS Query for ,Connect to external IP Address of the Direct Access Server, validate certificates,Either using Kerberos or Certificate based Authentication,Technical Detail: NAT64/DNS64,NAT64/DNS64 is the reason DA works on IPv4 Networks,IPv6 Network,

18、IPv4 Network,IPv6 Client fd00:fefe:1:bef1:2002,NAT64/DNS64 gateway (DA),172.16.0.20 IPv4-only Server,Native IPv4 traffic,Native IPv6 traffic,DNS Server 172.16.0.2,NAT64 device configured with /96 IPv6 prefix and IPv4 address pool,1. IPv6 Client sends DNS AAAA query for IPv4-only Server,2. NAT64 devi

19、ce forwards DNS AAAA query to authoritative DNS Server,3. DNS Server informs that no AAAA record exists for Server,4. NAT64 device sends DNS A query for Server,5. DNS Server replies with Servers IPv4 address,SERVER IN A 172.16.0.20s,6. DNS64 converts DNS A IPv4 response to an IPv6 AAAA one, adding I

20、Pv6 /96 prefix,SERVER IN AAAA FD00:FEFE:2:172.16.0.20,7. IPv6 Client sends connection packet to IPv6 address associated to the IPv4 receiver,8. NAT64 gateway translates the IPv6 packet to IPv4, dynamically associating the source IPv6 address with an IPv4 address from the pool,9. IPv4-only Server rep

21、lies to the dynamic IPv4 address used by the NAT64 gateway,9. NAT64 gateway translates the IPv4 packet to IPv6 using the information in the translation table,Advanced Configurations,Windows 7 client considerations Multi-Site Deployment,Windows 7 Client Considerations,PKI required Windows 7 Kerberos

22、client does not support Kerberos proxyOriginal IPHTTPS client does not include performance enhancements IPHTTPS is the only transport technology for NAT deployments No built-in connection status UI Limited troubleshooting tools compared to Windows 8,Extending Direct Access for Windows 7,Multi-Site D

23、eployment,Support built in to Server UI Most relevant connection is found via probe Manual failover available in Windows 8,Monitoring: Server,Monitoring: Clients,Real World Deployment Considerations,Internet,Perimeter,Corporate Network,External IPv4 DNS Record:Type: A D,Source Port 443 Destination:

24、 - Forward or - NAT To Internal Firewall,Source Port 443 Destination: “Non Web HTTPS rule” to internal IP of Direct Access Server,Lessons Learned from Early Deployments,Use Simple Deployment to test configuration first Helps to understand if firewalls are configured correctly Simple testing for int

25、ranet servers connectivity Initial troubleshooting is much easier Once L2/L3 connectivity is proven you implement your enterprise configuration: Windows 7 clients PKI Redundancy (Load Balancing) NLSWindows 8 Enterprise (not professional),Lessons Learned from Early Deployments 2,You probably dont wan

26、t to accept this default option,Lessons Learnt from Early Deployments 3,Beware Anti-Virus products that include network packet analysis or scanning Beware Network Card Teaming on Direct Access Server,Both of these caused failed deployment until corrected,Summary,Almost all of the original deployment

27、 blockers are gone! You dont need native IPv6DirectAccess server now works behind NAT DevicesIt is very simple to set up and monitor with new UIEven if you havent deployed Windows 8, use Windows 8 to test your network configuration first, 2012 Microsoft Corporation. All rights reserved. Microsoft, W

28、indows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Micr

29、osoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.,