Secure Endpoint: DirectAccess and Microsoft Forefront Unified Access Gateway 2010, the Complete Remote Access Solution
Ben Bernstein, Program Manager, UAG DirectAccess
Tom Shinder, Knowledge Engineer, UAG DirectAccess
Microsoft Corporation
SESSION CODE: SIA310


What’s on Tap?
- No DirectAccess marketing
- Technical discussion of DirectAccess
  - Define DirectAccess
  - DirectAccess infrastructure technologies
  - Deploying DirectAccess

Assumptions
- You’ve heard of IPsec and maybe read a little about it
- You’re comfortable with IPv4 TCP/IP networking
- You’ve worked with Active Directory authentication and AuthN protocols
- You’ve worked with Active Directory Group Policy
- You’ve heard of NLB
- You’ve worked with DNS
- You’ve worked with certificates (PKI)
- You don’t know anything about IPv6
- You want to know more about the technologies that underlie a DirectAccess solution

Define DirectAccess – 30,000 Foot Description
- Always on – bidirectional connection
- Not a VPN!
  - Extends intranet management to all corporate computers
  - Makes “always managed” a reality
- Core requirements
  - Windows 7 Enterprise or Ultimate
  - Windows Server 2008 R2 for the DirectAccess server
  - DirectAccess client and server are domain members
- Two “flavors” of DirectAccess
  - Vanilla – Windows DirectAccess
  - Vanilla Chocolate Swirl – Forefront UAG DirectAccess
- DirectAccess is an enterprise solution:
  - No support for Windows 7 Professional
  - Requires two consecutive public IP addresses (the Teredo server needs them); you cannot NAT to the DirectAccess server
  - Value depends on the enterprise management infrastructure

Define DirectAccess – Windows DA and UAG DA
- Windows DirectAccess
  - Windows Server 2008 SP2 or 2008 R2 DC required
  - Windows Server 2008 SP2 or 2008 R2 DNS required
  - IPv6-capable intranet resource access only (for all practical purposes)
  - Limited HA
- UAG DirectAccess
  - Only the UAG DirectAccess server must be Windows Server 2008 R2
  - Can have a mix of IPv4/IPv6 intranet resources
  - Built-in HA with UAG DirectAccess arrays and NLB
- Today’s focus is UAG DirectAccess

Define DirectAccess – Always-On Employees
- Employee on corpnet: turn on laptop and connect to intranet stuff
- Employee at home: turn on laptop and connect to intranet stuff
- Employee at hotel or conference center: turn on laptop and connect to intranet stuff
- User experience is the same regardless of location
  - When on the intranet – connect over the local interface
  - When on the Internet – connect over DirectAccess
  - Internet access method might differ

Define DirectAccess – Always-On IT
- Laptop on the intranet – always managed
  - Group Policy updates
  - Application installation
  - Remote assistance initiated by IT
  - Password changes (CTRL+ALT+DEL)
- Laptop on the Internet – always managed
  - Group Policy updates
  - Application installation
  - Remote assistance initiated by IT
  - Password changes (CTRL+ALT+DEL)
- Internal or external – no difference

DirectAccess – Infrastructure Technologies
- IPv6 and related technologies
- IPsec and Windows Firewall with Advanced Security (WFAS)
- Name Resolution Policy Table (NRPT)
- Network Location Detection

[Diagram: remote hosts on the IPv4 Internet reach the corporate network through a Teredo server and Teredo relay, a 6to4 router, or IP-TLS over an HTTP proxy and NAT; an IPsec DoS protection server and IPsec gateway front the corporate network; an ISATAP router serves the corporate network with IPv4 infrastructure; a web responder, servers on the corporate network with IPv6 infrastructure, and a possible IPv4 connection are also shown.]

Infrastructure Technologies – IPv6
- Why-oh-why IPv6?
  - Solves the IPv4 address depletion problem
  - Addressing method of the future
  - New IPv6 transition technologies in Windows Server 2008+ and Windows 7 actually make IPv6 usable
  - Provides globally unique addresses for all nodes (prevents the “hotel has the same network ID as the office” scenario)
  - Enables true end-to-end connectivity and security

Infrastructure Technologies – IPv6 Transition Technologies
- Getting IPv6 over the IPv4 Internet
  - 6to4
  - Teredo
  - IP-HTTPS
- Getting IPv6 over the IPv4 intranet
  - Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)

Infrastructure Technologies – 6to4
- 6to4 encapsulates IPv6 packets in an IPv4 header (IP protocol 41)
  - Requires that IP protocol 41 be open between the DirectAccess client and the DirectAccess server
- Used when the DirectAccess client has a public IP address
- Connects the DirectAccess client to the 6to4 relay (automatically installed on the UAG DirectAccess server)
- A 6to4 address *is* an IPv6 address
  - The DirectAccess client registers this address in corporate DNS
  - Internal hosts can reach the 6to4-enabled DirectAccess client using its 6to4 IPv6 address
  - 6to4 hosts can communicate with one another (potential security consideration, discussed later)

Infrastructure Technologies – Teredo
- Teredo encapsulates IPv6 packets in an IPv4 header (UDP transport)
- Used when the DirectAccess client is behind a NAT (assigned a private address)
- Requires UDP port 3544 be open between the DirectAccess client and server
- Connects to corporate resources through a Teredo server and Teredo relay (automatically configured on the UAG DirectAccess server)
  - Teredo server – enables Teredo client address configuration
  - Teredo relay – enables access to resources on the intranet
- A Teredo address *is* an IPv6 address
  - The DirectAccess client registers this address in corporate DNS
  - Internal hosts can reach the Teredo-enabled DirectAccess client using its Teredo address
  - Teredo hosts can communicate with one another (potential security consideration, discussed later)

Infrastructure Technologies – IP-HTTPS
- IP-HTTPS encapsulates IPv6 in IPv4, TCP and HTTP headers (with TLS encryption of the HTTP session)
- IPv6 transition technology of “last resort”: used when 6to4 and Teredo connectivity are not available
- The UAG DirectAccess wizard configures the DirectAccess server as the IP-HTTPS server
  - Requires a web site certificate for the IP-HTTPS listener (public/private key pair)
- Typically used when the DirectAccess client is behind a port-restricted firewall or a web proxy
  - The web proxy must not force authentication
  - A netsh command is required to inform the DirectAccess client of the web proxy address:

netsh winhttp import proxy source=ie

- Required for “Force Tunneling”
- Double encryption (IPsec inside HTTPS) and the extra protocol overhead reduce performance

Infrastructure Technologies – ISATAP
- Used on the intranet to tunnel IPv6 messages over the IPv4 network (IP protocol 41)
- Address assignment via the ISATAP router
  - The UAG DirectAccess server is configured as the ISATAP router by the UAG DirectAccess wizard
  - You enable ISATAP queries (remove ISATAP from the DNS global query block list) and create the ISATAP entry in DNS
  - Windows Vista+/2008+ hosts automatically configure themselves as ISATAP hosts
- ISATAP addresses are registered in DNS
- DirectAccess clients on the Internet connect to intranet ISATAP IPv6 addresses
- TIP: Do not disable IPv6 on ISATAP hosts
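
The three tunnel address formats from the 6to4, Teredo and ISATAP slides above, worked in Python as an added example (this code is not from the deck or from the DirectAccess product; the sample IPv4 addresses, the 2001:db8:1::/64 organisation prefix and the UDP port are constructed). It shows what each address embeds and, for Teredo, that the address a DirectAccess client registers in corporate DNS discloses the Teredo server, the client’s public IPv4 address and its NAT-mapped UDP port:

```python
import ipaddress

# Address layouts of the transition technologies discussed on the slides:
#   6to4   (RFC 3056)  2002:WWXX:YYZZ::/48, WWXX:YYZZ = the client's public IPv4
#   Teredo (RFC 4380)  2001:0:SSSS:SSSS:FFFF:PPPP:CCCC:CCCC
#                      S = Teredo server IPv4, F = flags (0x8000 = cone NAT),
#                      P = client's mapped UDP port XOR 0xffff,
#                      C = client's public IPv4 XOR 0xffffffff
#   ISATAP (RFC 5214)  <64-bit prefix>:U:5efe:WWXX:YYZZ, U = 0x200 when the
#                      embedded IPv4 is globally unique, 0 otherwise

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_ipv4(ipv4: str) -> bool:
    a = ipaddress.IPv4Address(ipv4)
    return any(a in n for n in RFC1918)


def sixto4_prefix(client_public_ipv4: str) -> str:
    """The /48 a 6to4 host derives from its public IPv4; a NAT'd client must use Teredo instead."""
    if is_private_ipv4(client_public_ipv4):
        raise ValueError("6to4 needs a public IPv4 address (RFC 1918 address given)")
    v4 = int(ipaddress.IPv4Address(client_public_ipv4))
    return str(ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48)))


def teredo_address(server_ipv4: str, client_public_ipv4: str, client_udp_port: int,
                   cone_nat: bool = False) -> str:
    """Build the Teredo address a client obtains from the Teredo server."""
    s = int(ipaddress.IPv4Address(server_ipv4))
    c = int(ipaddress.IPv4Address(client_public_ipv4)) ^ 0xFFFFFFFF
    flags = 0x8000 if cone_nat else 0x0000
    p = client_udp_port ^ 0xFFFF
    return str(ipaddress.IPv6Address((0x20010000 << 96) | (s << 64) | (flags << 48) | (p << 32) | c))


def parse_teredo(addr: str) -> dict:
    """Recover what a Teredo address discloses: the server, the client's public IPv4 and mapped port."""
    a = int(ipaddress.IPv6Address(addr))
    if (a >> 96) != 0x20010000:
        raise ValueError("not a Teredo (2001:0::/32) address")
    return {
        "server_ipv4": str(ipaddress.IPv4Address((a >> 64) & 0xFFFFFFFF)),
        "cone_nat": bool((a >> 48) & 0x8000),
        "client_udp_port": ((a >> 32) & 0xFFFF) ^ 0xFFFF,
        "client_public_ipv4": str(ipaddress.IPv4Address((a & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def isatap_address(prefix64: str, host_ipv4: str) -> str:
    """The ISATAP address an intranet host forms from the router's /64 and its own IPv4."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix advertised by the ISATAP router")
    u = 0 if is_private_ipv4(host_ipv4) else 0x0200
    iid = (u << 48) | (0x5EFE << 32) | int(ipaddress.IPv4Address(host_ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


if __name__ == "__main__":
    # Constructed sample values (not from the deck): a client with public address
    # 203.0.113.5, a NAT'd client mapped to 203.0.113.5:40000 by a Teredo server at
    # 198.51.100.1, and an intranet host 10.0.0.20 under an assumed prefix 2001:db8:1::/64.
    print(sixto4_prefix("203.0.113.5"))
    t = teredo_address("198.51.100.1", "203.0.113.5", 40000)
    print(t, parse_teredo(t))
    print(isatap_address("2001:db8:1::/64", "10.0.0.20"))
```

Because the 6to4 and Teredo addresses encode the client’s public IPv4 address, anyone who can read the client’s AAAA record in corporate DNS learns where the client is; that is part of what the “hosts can communicate with one another” bullets on the slides refer to.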

Infrastructure Technologies – NAT64/DNS64 (1/3)
- NAT-PT/DNS-ALG is gone – deprecated – not available
- NAT64 and DNS64 are the current IPv6/IPv4 translation technologies
- Enables access to IPv4-only resources
  - Server OS might be IPv4-only (Windows 2000/2003 [sort of])
  - Server application might be IPv4-only (IPv4-only service on an IPv6-capable OS)
- Extends DirectAccess client reach to:
  - Native IPv6 networks
  - IPv6-capable networks (non-native IPv6, but ISATAP capable/some native)
  - IPv4-only networks or IPv4 servers, services or segments
- Available with UAG only!

Infrastructure Technologies – NAT64/DNS64 (2/3)
- The DirectAccess client always uses IPv6 to communicate with the DirectAccess server
- NAT64/DNS64 translates the IPv6 communications to IPv4 communications
- NAT64/DNS64 translates IPv4 responses to IPv6 responses
- No reverse NAT
  - Management stations cannot initiate connections to DirectAccess clients over NAT64/DNS64 (reduces “manage out” capabilities a bit)
- Like other NAT solutions, protocols that embed addresses in the application-layer protocol can be problematic (OCS client)
- Enables scenarios where the UAG DirectAccess server is the only Windows Server 2008 R2 server on the network
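
DNS64 synthesis and the one-way NAT64 session model from the two NAT64/DNS64 slides above, as an added Python example (not code from the deck or from UAG; the zone data, the IPv4 pool address and the use of the RFC 6052 well-known prefix 64:ff9b::/96 are assumptions, UAG derives a prefix of its own). The inbound path shows why “no reverse NAT” means a management station cannot initiate a connection to a DirectAccess client through the translator:

```python
import ipaddress

# Assumed NAT64 /96 prefix for this example (the RFC 6052 well-known prefix).
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed intranet zone data (not from the deck): app1 is IPv4-only,
# app2 has a native AAAA record as well as an A record.
ZONE = {
    "app1.corp.contoso.com": {"A": ["10.1.2.3"]},
    "app2.corp.contoso.com": {"A": ["10.1.2.4"], "AAAA": ["2001:db8:1::10"]},
}


def synthesize_aaaa(ipv4: str) -> str:
    """DNS64: embed an IPv4 address in the NAT64 prefix so an IPv6-only client can address it."""
    return str(ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(ipaddress.IPv4Address(ipv4))))


def extract_ipv4(ipv6: str) -> str:
    """NAT64: recover the real IPv4 destination from a synthesized address."""
    a = ipaddress.IPv6Address(ipv6)
    if a not in NAT64_PREFIX:
        raise ValueError(f"{ipv6} is not a NAT64-synthesized address")
    return str(ipaddress.IPv4Address(int(a) & 0xFFFFFFFF))


def dns64_resolve(name: str, zone=ZONE):
    """Answer an AAAA query the way DNS64 does: native AAAA records pass through
    untouched, IPv4-only names get a synthesized AAAA, unknown names get None (NXDOMAIN)."""
    rrs = zone.get(name.lower().rstrip("."))
    if rrs is None:
        return None
    if rrs.get("AAAA"):
        return [(a, "native") for a in rrs["AAAA"]]
    return [(synthesize_aaaa(a), "synthesized") for a in rrs.get("A", [])]


class Nat64:
    """Stateful IPv6 -> IPv4 translator. Sessions exist only for flows the IPv6 side
    opened, which is why the slide says there is no reverse NAT for manage-out."""

    def __init__(self, ipv4_pool_address: str):
        self.pool = ipv4_pool_address
        self.out = {}        # (client6, cport, dst4, dport) -> mapped source port
        self.back = {}       # (dst4, dport, mapped source port) -> (client6, cport)
        self.next_port = 40000

    def outbound(self, client6: str, cport: int, dst6: str, dport: int):
        """IPv6 packet from a DirectAccess client toward a synthesized address."""
        dst4 = extract_ipv4(dst6)
        key = (client6, cport, dst4, dport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(dst4, dport, self.next_port)] = (client6, cport)
            self.next_port += 1
        return (self.pool, self.out[key], dst4, dport)

    def inbound(self, src4: str, sport: int, dst_port: int):
        """IPv4 packet arriving at the pool address: only a reply to an existing session is translated."""
        hit = self.back.get((src4, sport, dst_port))
        if hit is None:
            return None  # unsolicited IPv4 packet: dropped, there is no session to map it to
        client6, cport = hit
        return (synthesize_aaaa(src4), sport, client6, cport)
```

An IPv4-only management station that wants to reach a DirectAccess client hits the `inbound` branch that returns `None`, which is the “manage out” limitation on the slide; the IPv6-capable path (ISATAP on the intranet, native IPv6 over the tunnel) is what makes manage-out work.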

Infrastructure Technologies – NAT64/DNS64 (3/3)
[Diagram-only slide; no text content was extracted]

Infrastructure Technologies: Summary of IPv6 and Related Technologies
- Windows DirectAccess requires IPv6 from end to end
- UAG DirectAccess with NAT64/DNS64 enables DirectAccess clients to connect to IPv4 resources through IPv6/IPv4 protocol translation
- The DirectAccess client always uses IPv6 to communicate with the DirectAccess server
- The DirectAccess client can use the following IPv6 transition technologies to tunnel IPv6 packets over the IPv4 Internet:
  - 6to4 (when the DirectAccess client has a public IP address)
  - Teredo (when the DirectAccess client has a private IP address)
  - IP-HTTPS (when 6to4 or Teredo can’t be used)
- ISATAP is used on the intranet to tunnel IPv6 messages over an IPv4 intranet

Infrastructure Technologies: IPsec
- IPsec support built into Windows since Windows 2000
- Works with both IPv4 and IPv6
- Supports two modes:
  - IPsec transport mode – protects the packet payload from end to end
  - IPsec tunnel mode – protects the entire packet from client to gateway
- DirectAccess uses IPsec to:
  - Protect traffic between the DirectAccess client and the DirectAccess server using IPsec tunnel mode
  - Protect traffic end to end between the DirectAccess client and the destination intranet server using IPsec transport mode

Infrastructure Technologies: IPsec Configuration for DirectAccess Clients
- Windows Firewall with Advanced Security (WFAS) console
- WFAS Group Policy and Group Policy snap-in
- WFAS Connection Security Rules
  - Source and destination address
  - Authentication (Kerberos, NTLMv2, certificates)
  - Encryption (DES, 3DES, AES128, AES192, AES256)
- NEW! Dynamic tunnel endpoints
  - Create tunnel-mode Connection Security Rules that specify an address for only one endpoint of the tunnel
- NEW! IPsec tunnel authorization with null encapsulation (AuthIP)
  - Not the same as ESP-NULL

Infrastructure Technologies: IPsec and Access Models
- DirectAccess infrastructure tunnel (IPsec tunnel mode / management servers / computer account (NTLMv2) + computer certificate)
- DirectAccess intranet tunnel (IPsec tunnel mode / user account (Kerberos) + computer certificate)
- UAG DirectAccess access models
  - End to edge
  - End to end (referred to as Selected Server Access in Windows DirectAccess)

Infrastructure Technologies: Name Resolution Policy Table (NRPT) (1/2)
- NEW! NRPT in Windows 7 and Windows Server 2008 R2
- Used to support both DirectAccess and DNSSEC
- NRPT enables “policy-based routing” for DNS queries – examples:
  - DNS queries for *.contoso.com go to the UAG DirectAccess DNS proxy
  - DNS queries for *.woodgrovebank.com go to the UAG DirectAccess DNS proxy
  - DNS queries for everything else go to the locally configured DNS server
- NRPT exemption rules – examples:
  - DNS queries for nls.contoso.com go to the locally configured DNS server (NLS server exemption)
  - DNS queries for www.contoso.com go to the locally configured DNS server (split-DNS infrastructure example)

Infrastructure Technologies: NRPT (2/2)
- The DirectAccess client speaks IPv6 only
- DNS queries are for AAAA records only

Infrastructure Technologies: Network Location Detection (1/2)
- Network Location Awareness/domain determination
  - Detects whether the client is connected to the intranet
  - Uses connectivity tests to a domain controller (any domain controller)
  - Determines which WFAS profile to use
    - If intranet detected – enable the Domain WFAS profile
    - If intranet not detected – enable either the Public or the Private profile (user choice)
  - DirectAccess firewall and Connection Security Rules are enabled by the Public or Private WFAS profile – these turn on the infrastructure and intranet tunnels
- Intranet detection
  - Connect to an SSL web site (Network Location Server)
  - Success turns off the NRPT

Infrastructure Technologies: Network Location Detection (2/2)
- DirectAccess client on the intranet
  - Assumes it is not connected to the intranet
  - Detects a domain controller and resolves the Corporate DNS Probe Host Name
  - Establishes an HTTPS connection to the Network Location Server
  - RESULT: Domain WFAS profile activated and NRPT disabled – no DA tunnels
- DirectAccess client on the Internet
  - Assumes it is not connected to the intranet
  - Fails to detect a domain controller and is unable to resolve the Corporate DNS Probe Host Name
  - Fails to establish an HTTPS connection to the Network Location Server
  - RESULT: Public or Private profile activated and NRPT enabled – DA tunnels activated
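
The NRPT rules and the network location decision from the four NRPT and Network Location Detection slides above, as an added Python example (not from the deck; the DNS proxy address, the local DNS server and the rule table are assumptions, and the only NRPT behaviour relied on is that the most specific matching rule wins). It covers the two cases the slides describe and the failure mode behind the “highly available SSL web site” requirement: an intranet client whose NLS probe fails keeps the NRPT enabled and sends corporate names to a DNS proxy it cannot reach:

```python
from dataclasses import dataclass

# Constructed values (not from the deck): the DNS proxy address on the UAG
# DirectAccess server and the DNS server the interface learned from DHCP.
DA_DNS_PROXY = ("2001:db8:1::1",)
LOCAL_DNS = ("192.168.1.53",)


@dataclass(frozen=True)
class NrptRule:
    namespace: str      # ".contoso.com" matches names under the suffix; "nls.contoso.com" matches that name only
    dns_servers: tuple  # empty tuple = exemption: use the locally configured DNS server


# The rule set the NRPT slides describe.
NRPT = [
    NrptRule(".contoso.com", DA_DNS_PROXY),
    NrptRule(".woodgrovebank.com", DA_DNS_PROXY),
    NrptRule("nls.contoso.com", ()),    # NLS exemption
    NrptRule("www.contoso.com", ()),    # split-DNS exemption
]


def match_rule(name: str, table=NRPT):
    """Most specific namespace wins, which is how an exemption overrides its parent suffix rule."""
    name = name.lower().rstrip(".")
    best = None
    for rule in table:
        ns = rule.namespace.lower()
        hit = name.endswith(ns) if ns.startswith(".") else name == ns
        if hit and (best is None or len(ns) > len(best.namespace)):
            best = rule
    return best


def detect_location(dc_reachable: bool, nls_https_ok: bool) -> dict:
    """Network location detection as the slides describe it: the domain controller
    probe selects the WFAS profile (and with it the DirectAccess rules); the HTTPS
    probe to the Network Location Server decides whether the NRPT stays enabled."""
    return {
        "wfas_profile": "Domain" if dc_reachable else "Public/Private",
        "da_tunnels": not dc_reachable,
        "nrpt_enabled": not nls_https_ok,
    }


def choose_dns(name: str, dc_reachable: bool, nls_https_ok: bool, table=NRPT):
    """Where the client sends the query for `name`, given the two probe results."""
    location = detect_location(dc_reachable, nls_https_ok)
    if not location["nrpt_enabled"]:
        return ("local", LOCAL_DNS)
    rule = match_rule(name, table)
    if rule is None or not rule.dns_servers:
        return ("local", LOCAL_DNS)
    return ("directaccess", rule.dns_servers)


if __name__ == "__main__":
    for probe in ((False, False), (True, True), (True, False)):
        print(probe, detect_location(*probe), choose_dns("app.contoso.com", *probe))
```

The HTTPS probe is the only thing standing between a client on a foreign network and a disabled NRPT, so the NLS name must be exempted (as above), must not be resolvable or reachable from the Internet, and its certificate must chain to a CA the client trusts with a reachable CRL; that last point is why the PKI slides insist on the CRL being accessible.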

DirectAccess Deployment
- Infrastructure requirements
- UAG DirectAccess solution requirements
- Service configuration before deployment
- The UAG DirectAccess Setup Wizard
- UAG DirectAccess options and advantages
- DirectAccess security issues

UAG DirectAccess Deployment: Infrastructure Requirements (1/3)
- Active Directory
  - UAG DirectAccess server and DirectAccess clients must be domain members
  - Dependencies on Group Policy and Active Directory certificate mapping (DS Mapper for IP-HTTPS clients, to enable mutual certificate authentication)
  - Active Directory authentication (certificate/NTLMv2/Kerberos)
  - Windows Server 2008+ Active Directory not required
- DNS
  - Any DNS server – Windows or non-Windows
  - Prefer a DNS server that can dynamically register IPv6 addresses, though not required

UAG DirectAccess Deployment: Infrastructure Requirements (2/3)
- Public Key Infrastructure
  - Assign computer certificates to DirectAccess clients
  - Assign a web site certificate to the Network Location Server
  - Assign a web site certificate to the IP-HTTPS listener on the DirectAccess server
  - The CRL for the issuing CA must be accessible for the NLS and IP-HTTPS certificates

UAG DirectAccess Deployment: Infrastructure Requirements (3/3)
- Network Location Server
  - Used for intranet detection
  - Highly available SSL web site
  - Responsible for disabling the NRPT
- UAG DirectAccess server running on Windows Server 2008 R2
  - Two consecutive public IP addresses on the external NIC
  - Computer certificate for IPsec authentication/encryption
  - Web site certificate (server authentication) for the IP-HTTPS listener
- DirectAccess clients running Windows 7 (Enterprise or Ultimate) or Windows Server 2008 R2 (branch office scenario)
  - Computer certificate for IPsec authentication/encryption (autoenrollment)

UAG DirectAccess Deployment: Service Configuration
- Create global groups for DirectAccess clients and “end to end” (Selected Server) destination servers
- Remove ISATAP from the DNS global query block list
- Configure computer certificate autoenrollment
- Configure intranet DNS with the name of the Network Location Server
- Configure intranet DNS with a mapping for ISATAP (internal address of the UAG DirectAccess server)
- Configure public DNS with the name on the IP-HTTPS certificate
- Configure the Internet and back-end firewalls (as needed)
- Confirm internal network access to the NLS certificate CA’s CRL
- Confirm external network access to the IP-HTTPS certificate CA’s CRL

DEMO: The UAG DirectAccess Wizard
Ben Bernstein, Program Manager, UAG DA, Microsoft

Deploying DirectAccess: What did the Wizard Do? (1/2)
- Creates and (optionally) deploys a DirectAccess Clients Group Policy Object
  - Configures IPv6 transition technologies
  - WFAS firewall and Connection Security Rules
  - Sets NRPT entries
  - Sets the Network Location Server address
- Creates and deploys a DirectAccess Servers Group Policy Object
  - WFAS firewall and Connection Security Rules
- Creates and deploys an Application Servers Group Policy Object
  - WFAS firewall and Connection Security Rules

Deploying DirectAccess: What did the Wizard Do? (2/2)
- Configures the UAG DirectAccess server as an ISATAP router
- Configures the UAG DirectAccess server as a 6to4 relay
- Configures the UAG DirectAccess server as a Teredo server and relay
- Configures the UAG DirectAccess server as an IP-HTTPS server
- Configures the UAG DirectAccess server as a NAT64/DNS64 IPv6/IPv4 protocol translator
- Configures the TMG firewall to support DirectAccess connectivity
- Registers the Corporate DNS Probe Host Name in DNS
- Configures the HOSTS file (in an array deployment)

Deploying DirectAccess: UAG DirectAccess Advantages and Options (1/2)
- Enables access to IPv4-only networks, IPv4-only resources or IPv4 segments
  - Courtesy of NAT64/DNS64
- High availability
  - Built-in support for using NLB with bidirectional affinity
  - Built-in support for UAG DirectAccess arrays
- Centralized configuration
  - Configure on the array manager
  - Automatically deploys the configuration to the other array members
- Consolidate all remote access using a single solution
  - Web portal/reverse proxy
  - SSL VPN (port/socket forwarding; Network Connector is not supported on the DirectAccess server)
  - Network-level VPN (SSTP)
  - DirectAccess

Deploying DirectAccess: UAG DirectAccess Options and Advantages (2/2)
- Integrated support for Network Access Protection (NAP)
  - Requires a built-up internal NAP infrastructure – automatic integration
- Integrated support for smart card two-factor authentication
  - Requires a built-up internal smart card infrastructure – automatic integration
- Supports concurrent use of network-level VPN connections
  - Host the SSTP server on the UAG DirectAccess server
  - Enables support for incompatible applications (not IPv6 aware)
  - When the SSTP client connects – the DirectAccess configuration is disabled
    - The VPN connection enables the Domain profile
    - Turns off the NRPT
    - Disables the DirectAccess Connection Security Rules

Deploying DirectAccess: Security Considerations (1/2)
- The default configuration enables split tunneling
  - Configure “Force Tunneling” to disable split tunneling
- ICMPv6 is exempted from IPsec protection by default
  - ICMPv6 can be configured with IPsec protection, but doing so disables Teredo client connectivity
- Local name resolution enables NetBIOS and Link-Local Multicast Name Resolution (LLMNR) when a name is absent or the DNS server is not available
  - Local name resolution is configurable in the UAG DirectAccess wizard
- DirectAccess clients on the Internet are able to communicate with each other without IPsec protection
  - Connection Security Rules can be configured to force IPsec protection

Deploying DirectAccess: Security Considerations (2/2)
- All mobile clients (DirectAccess enabled or not) need BitLocker
  - A boot PIN should also be required
- All clients (DirectAccess enabled or not) need AV/AM protection
- Smart card logon significantly improves DirectAccess security
- Strong enterprise management is key to a secure DirectAccess deployment
- Disable the computer account to prevent connections from stolen clients

Questions and Answers

Related Content
- SIA320 | Business Ready Security: Protecting Endpoints from Advanced Threats with Microsoft's Secure Endpoint Solution
- SIA301 | Secure Endpoint: DirectAccess and Microsoft Forefront Unified Access Gateway 2010, the Complete Remote Access Solution
- SIA308 | Secure Endpoint: Advanced Protection from Dynamic Threats, a Microsoft Forefront Threat Management Gateway 2010 Deep Dive
- SIA309 | Secure Endpoint: What’s in Microsoft Forefront Endpoint Protection 2010 - A Deep Dive into the Features and Protection Technologies
- SIA325 | Secure Endpoint: Virtualizing Microsoft Forefront Threat Management Gateway (TMG)
- SIA02-INT | Secure Endpoint: Planning DirectAccess Deployment with Microsoft Forefront Unified Access Gateway
- SIA07-INT | Secure Endpoint: Architecting Forefront Endpoint Protection 2010 on Microsoft System Center Configuration Manager
- SIA05-HOL | Microsoft Forefront Threat Management Gateway Overview
- SIA09-HOL | Secure Endpoint Solution: Business Ready Security with Microsoft Forefront and Active Directory
- SIA11-HOL | Microsoft Forefront Unified Access Gateway (UAG) and Direct Access: Better Together
- Red SIA-3 | Microsoft Forefront Secure Endpoint Solution

Track Resources
- Learn more about our solutions: http://www.microsoft.com/forefront
- Try our products: http://www.microsoft.com/forefront/trial

Resources
- Sessions On-Demand & Community: www.microsoft.com/teched
- Microsoft Certification & Training Resources: www.microsoft.com/learning
- Resources for IT Professionals: http://microsoft.com/technet
- Resources for Developers: http://microsoft.com/msdn


© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


JUNE 7-10, 2010 | NEW ORLEANS, LA