Take a sprinkling of Windows 7, add Windows Server 2008 R2, IPv6 and IPsec and you have a solution that will allow direct access to your corporate network without the need for VPNs. Come to these demo-rich sessions and learn how to integrate DirectAccess into your environment. In Part 1 learn about IPv6 addressing, host configuration and transitioning technologies including 6to4, ISATAP, Teredo and IPHTTPS. Through a series of demos learn how to build an IPv6 Network and interoperate with IPv4 networks and hosts. In Part 2 we add the details of IPSec, and components that are only available with Windows 7 and Windows Server 2008 R2 to build the DirectAccess infrastructure. Learn how to control access to corporate resources and manage Internet connected PCs through group policy. Part 1 is highly recommended as a prerequisite for Part 2.

2. DirectAccess Technical Drilldown Part 2Putting it all together John Craddock Infrastructure & Security Architect XTSeminars Ltd Session Code: SVR402

3. Part1: Internet to Intranet 6to4Host/Router 6to4Relay NAT Device Teredoserver & relay TeredoHost Internet Corporateintranet IPHTTPSserver IPHTTPSHost NAT Device

4. Part1: IPv6/IPv4 Intranet IPv6 ISATAP Router Native IPv6 IPv6 NAT-PTor NAT64 IPv4 IPv6Pv4 IPv4 IPv6Pv4

5. What’s Left? Internet Corporate Intranet  Tunnelling technologies for the Internet and Intranet to support IPv6 over IPv4  Internet tunnelling selection based on client location – Internet, NAT, firewall Encryption/authentication of Internet traffic (end-to-edge/end-to-end) PKI required Client location detection: Internet or corporate intranet

6. Don’t Give Up Now Part 1 IPv6 Intro Transition Technologies End-to-end connectivity Part 2 IPsec Configuring Direct Access Network location and name resolution policies It all works – just like that!

7. Demo Environment EX1 DC1 DNS DC, DNS,CA NAT1 DA1 Home Corporate intranet Internet IIS for CRLdistribution APP1 WIN7 WIN7 WIN7 All servers Windows 2008 R2

8. Securing the Tunnel Internet Corporate Intranet DirectAccess uses IPsec to secure network traffic Traffic over the Internet is encrypted and authenticated Access via IPHTTPs is double encrypted Encrypted IPv6 within HTTPS

9. IPsec to the Rescue IPsec is managed through Windows Firewall with Advanced Security Best deployed through group policy Connection rules create: IPsec tunnels (authenticated and encrypted) Authenticated connects (computer and user authentication Inbound / outbound rules set requirements for encryption

10. Traffic Profile Traffic profile: <Protocol><source IP> <destination IP><source port> <destination port> Rules are based on a traffic profile Connection Security Rule Authenticate all TCP traffic between A & B on ports W & X Inbound/Outbound Rule Encrypt authenticated TCP traffic between A & B on ports W & X

11. IPsec Primer Main modesecurity association Key life configurable Default: 8 hours Create shared secret between hosts AuthIP AuthIP Uses Diffie-Hellman Authenticate over secure channel AuthIP AuthIP Kerberos / certificatesComputer and/or user authentication AuthIP Establish IPSec session Keys Quick mode: IPsec SAKey life configurable Default 1 hour/100 MB Drops after 3 Mins of inactivity AuthIP AuthIP Create Security Association for session IPsec SA IPsec SA Integrity or Integrity + encryption Exchange data

12. Main Mode Association

13. Quick Mode Association

14. Data Exchange Protocol ID 51 Authentication Header (AH) contains: Protocol ID of payload (TCP/UDP/ICMP…) Sequence number – prevents replay Security Parameters Index – Identifies IPsec SA Integrity Check value (ICV) calculated with SHA1 or MD5 Signed - ignoring ICV field andfields that change in transport Protocol ID 50 Encrypted signed IP Header IP payload AH Encrypted Security Protocol ESP headers contain: Protocol ID of payload (TCP/UDP/ICMP…) Sequence number – prevents replay Security Parameters Index – Identifies IPsec SA Integrity Check value (ICV) IP Header ESP IP payload ESP ICV When you just want integrity through NAT use ESP-Null

15. Negotiated Security Options Do not authenticate Request inbound and outbound A host responds to both IPsec and unauthenticated (non-IPsec) requests It initiates communications with IPsec, and if that fails, falls back to unauthenticated communications Require inbound and request outbound A host responds to inbound traffic secured by IPsec, and ignores unauthenticated requests It initiates communications with IPsec, and if that fails, falls back to unauthenticated communications Require inbound and require outbound A host requires IPsec-secured communications for both inbound and outgoing requests Require inbound and clear outbound

16. Intranet Integrity / encryption / authentication IPsec Tunnel End points can be single host or act as a gateway The gateway acts as the end-point for integrity encryption and authentication Traffic on the Intranet is not protected by IPsec IPsec Gateway includes IPsec DoS Prevention Reduces DoS attacks from key management protocols IKE & AuthIP

17. IPsec Access Options Intranet Integrity / encryption / authentication Tunnel 1: Machine Auth Tunnel 2: Machine & User Auth ESP NULL (transport mode) machine and user auth to intranet server Selective authentication onto endpoint servers ESP (transport mode) encryption and authentication to intranet server

18. Client Location corp.example.com zone DNS 2 DNS 1 IP configuredDNS address Corporate Intranet Internet To resolve names on the Internet DirectAccess host queries DNS 1 To resolve names on the Intranet DirectAccess host queries DNS 2

19. How Does It Do that? Name Resolution Policy Table (NRPT) to the rescue NRPT allows the definitions of which DNS servers to query based on the namespace to be resolved The NRPT can point DNS queries for corp.example.com to the intranet DNS server All other DNS queries are sent to the DNS server address configured in the client IP settings

20. NRPT corp.example.com zone DNS 2 nls.corp.example.com DNS 1 IP configuredDNS address Internet Corporate Intranet No NRPT NRPT: corp.example.com: query DNS 2 All other name spaces query DNS server configured in client IP settings There is a special entry in the table to direct DNS queries for an internal HTTPS website to the DNS servers configured in the client IP settings For example: queries for nls.corp.example.com always go to IP configured DNS address and this is not resolvable on the internet

21. Viewing the NRPT

22. NRPT Inside/Outside NRPT enabled by default If the client can access an internal HTTPS website (https://nls.corp.example.com) Considered to be on the intranet NRPT disabled No access to secure website Considered to be on the Internet NRPT remains enabled

23. Putting it All Together 6to4Host/Router 6to4Relay ISATAP Router NAT Device Teredoserver & relay TeredoHost Corporateintranet Internet HTTPSserver IPHTTPSHost NAT Device DirectAccess Server

24. DirectAccess Management Console

25. Before Running Setup DNS server requires isatap block to be removed Computer certificates must be issued to computers Server certificates must be issued to DA server with external DNS name in certificate NLS web server with nlsurl address in certificate CRL distribution should be configured in certificate CRL distribution location must be available on both the Internet and intranet

26. Authentication to Servers IPsec ESP NULL can be used for authentication to end-point servers Provides another layer of protection Can control which servers are available from DA host Requires 2008 end-point servers IPSEC does not work over IPv6 for Windows 2003 Two factor authentication can be enabled for end-to-end authentication Requires 2008 domain functional level

27. DirectAccess Setup Configures on DA server 6to4 relay Teredo server and relay IPHTTPS server ISATAP Creates group policy for IPSec rules for DA server IPsec Tunnel DA client IPsec Tunnel DA clients and servers requiring end point authentication

28. DirectAccess Setup (continued) Creates group policy for client configuration Enable and supply addresses for 6to4 relay Teredo server and relay IPHTTPS server Enable and configure NRPT Enable inside/outside probe DA server and DA clients must be members of the domain

29. Windows DirectAccess The DA server represents a single point of failure Functionality can be split across multiple servers for performance For HA, run DA server as VM in a Hyper-v cluster Does not guarantee DA service availability Live Migration available in Windows 2008 R2 Load balancing option available with UAG

30. All Done Internet Corporate Intranet  Tunnelling technologies for the Internet and Intranet to support IPv6 over IPv4  Internet tunnelling selection based on client location – Internet, NAT, firewall  Encryption/authentication of Internet traffic (end-to-edge/end-to-end) PKI required  Client location detection: Internet or corporate intranet

31. Required Slide Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online. www.microsoft.com/teched Sessions On-Demand & Community www.microsoft.com/learning Microsoft Certification & Training Resources http://microsoft.com/technet Resources for IT Professionals http://microsoft.com/msdn Resources for Developers Resources

32. Related Content Required Slide Speakers, please list the Breakout Sessions, TLC Interactive Theaters and Labs that are related to your session. Breakout Sessions: SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies SIA306 Microsoft Forefront Unified Access Gateway: DirectAccess and Beyond SVR315 IPv6 for the Reluctant: What to Know Before You Turn It Off Interactive Theater Sessions: SVR08-IS End-to-End Remote Connectivity with DirectAccess

33. My Sessions at TechEd Required Slide Speakers, please list the Breakout Sessions, TLC Interactive Theaters and Labs that are related to your session. Breakout Sessions: SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory? SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies SVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together Interactive Theater Sessions: SVR08-IS End-to-End Remote Connectivity with DirectAccess

34. Required Slide Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

36. Required Slide © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.