Windows Server 2012 Seminar 4 - The possibilities of Direct Access


Transcript of Windows Server 2012 Seminar 4 - The possibilities of Direct Access

Page 1

Seminar: Working transparently with Direct Access.

The new way of working. At home, on the road, at a customer's site or at the office. Wherever you are, you want the same user experience. With Direct Access, your laptop with an Internet connection is always part of your corporate network. That way you can always reach your files, and the complexity of VPN connections is a thing of the past! This solution is perfect for every company size, from small SME to large enterprise organisations.

Microsoft Windows Server 2012

Page 2

Windows Server 2012 Direct Access

Marco Sap, Computrain | Twice | Broekhuis

Page 3

This presentation shows the new possibilities of Direct Access in Windows Server 2012.

Agenda:

• Windows Server 2012
• Trends and Challenges
• Direct Access
• Get Started: Advice and Action!

Page 4

Windows Server 2012

Page 5

The Cloud OS: modern platform for the world's apps

(Diagram: Identity, Virtualization, Data, Development, Management)

• Transforms datacenter
• Enables modern apps
• Unlocks insights on any data
• Empowers people-centric IT

Page 6

One platform for all segments

(Diagram: Small Business with First Server; Mid-market with Virtualization; Enterprise with Automated Virtualization & Management and Private Cloud; products Windows Server and System Center)

Windows Server

• Enables small businesses around the world
• Powers many of the world's largest datacenters
• Delivers value to organizations of all sizes

Page 7

Industry trends and challenges

• (How) do I embrace the Cloud? Public and Private?
• How do I simultaneously increase the availability in my datacenter and lower the costs?
• How do I deliver next-generation client/mobile apps with scalable, available back-end services?
• How do I enable modern work styles: BYOD, Consumerization of IT…

(Diagram: Device proliferation, Data explosion, Cloud computing, New apps)

Page 8

Direct Access

Page 9

Seamless Remote Access with DirectAccess

• Transparent network access to the end user from any Internet connection
• Flexible deployment scenarios
• Simple to deploy and manage centrally

• Unified management experience
• Support for multiple sites
• Easy-deployment wizard
• Support for Windows PowerShell for client and server
• Built-in support for IPv6 translation technology
• Site-to-site tunneling

Page 10

Let’s talk concepts….

Page 11

Remote Access Solutions

PPTP, L2TP, SSTP, Direct Access

(Diagram: the solutions placed on a scale from user-based to computer-based)

Page 12

What does Direct Access do?

• Connects you to your Corporate Office no matter where you are: if you have Internet, you have corporate network access
• No visible VPN client

Page 13

How does it do it?

Combines multiple networking technologies:

• IPsec
• IPv6
• IP-HTTPS
• NAT64/DNS64

Domain member configuration:

• Tunnels
• Kerberos proxy or Certificates

Page 14

Direct Access Improvements

Deploy without internal IPv6 Connectivity

PKI deployment is not needed

New Kerberos Proxy and IP-HTTPS improvements

Support for External NAT for DA Edge

Support for Server Core

Page 15

Deploy Without IPv6*

Direct Access is an IPv6 Technology

NAT64/DNS64 provided out of the box

Page 16

PKI is no longer a prerequisite

Windows 2008 R2 DirectAccess used two IPsec AuthIP policies to authenticate and secure traffic

Windows 2012 overcomes the PKI requirement using Kerberos Proxy

Client authentication requests are sent to a KDC Proxy Server service running on the DirectAccess server

Kerberos proxy sends Kerberos requests to DCs on behalf of the client

Page 17

Kerberos Proxy

Getting Started wizard configures KDC Proxy automatically

DA now uses a single external IPv4 address and has the following requirements:

• TCP port 443 NATted or allowed to DA Edge (on firewall)
• DirectAccess server must have a server authentication certificate for TLS
• Will be trusted by clients (forcibly through Group Policy if necessary)
• Self-signed cert used automatically for IPHTTPS/KDC Proxy

Page 18

Support for NAT

DirectAccess server can now run behind NAT with single network interface or multiple interfaces

No need for two consecutive public IPv4 addresses!

Setup Wizard probes whether DirectAccess server is located behind a NAT

If so, only IP-HTTPS will be deployed

Page 19

IP-HTTPS Improvements

The key performance issue in Windows 2008 R2: data is encrypted by IPsec as well as by SSL, so the data is encrypted twice.

Windows Server 2012 DirectAccess improves IP-HTTPS:

• Allows IP-HTTPS clients to obtain proxy configuration information
• Optimizations include: changes to batched send behavior and receive buffers, reduced lock contention, and the option to implement SSL with NULL encryption
• Can configure IP-HTTPS to work when behind authenticating proxy

IP-HTTPS is now preferred transport

Page 20

Direct Access client flow

1. Client attempts to locate Network Location Service server: DNS query for DirectAccess-NLS.corp.domain.com
2. If NLS not found, assume Direct Access required; HTTP probe to check for availability
3. Resolve external DA name with external DNS: IPv4 (A) DNS query for da.domain.com
4. Establish IPsec tunnel to DA endpoint: connect to external IP address of the Direct Access Server, validate certificates
5. Authenticate client computer, either using Kerberos or certificate-based authentication
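The decision logic of the client flow above, as an added Python example that is not part of the seminar slides. It models the five steps offline: NLS_NAME and DA_NAME are the names from the slide, while NetworkView, its fields and all sample addresses are constructed assumptions. The third scenario shows the failure mode a defender cares about: when the NLS name resolves and answers its probe from the Internet, the client concludes it is inside the corporate network and never builds a tunnel, which is why the NLS must only be reachable internally.

```python
# Added example (not from the seminar slides): an offline model of the
# DirectAccess client flow on slide 20. NLS_NAME and DA_NAME come from the
# slide; NetworkView, its fields and every address below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

NLS_NAME = "DirectAccess-NLS.corp.domain.com"   # step 1 on the slide
DA_NAME = "da.domain.com"                         # step 3 on the slide


@dataclass
class NetworkView:
    """What the client can observe from the network it is currently on."""
    dns: Dict[str, str]                                # A records the client can resolve
    https_ok: Set[str] = field(default_factory=set)    # names whose HTTPS probe succeeds
    ipsec_ok: Set[str] = field(default_factory=set)    # addresses accepting the IPsec tunnel
    has_computer_cert: bool = False                    # PKI deployed (slide 16) or not


def client_flow(view: NetworkView) -> dict:
    """Walk the five steps of the slide and report what the client decided."""
    trace: List[str] = []
    # 1. Try to locate the Network Location Server.
    nls_addr: Optional[str] = view.dns.get(NLS_NAME)
    trace.append(f"NLS lookup -> {nls_addr}")
    # 2. NLS found and its probe answers: the client believes it is on the
    #    corporate network and does not build a DirectAccess tunnel at all.
    if nls_addr is not None and NLS_NAME in view.https_ok:
        trace.append("NLS probe ok -> inside corpnet, DirectAccess not used")
        return {"location": "inside", "tunnel": False, "auth": None, "trace": trace}
    trace.append("NLS not reachable -> DirectAccess required")
    # 3. Resolve the external DA name through external DNS (IPv4 A record).
    da_addr = view.dns.get(DA_NAME)
    if da_addr is None:
        return {"location": "outside", "tunnel": False, "auth": None,
                "error": "DA name does not resolve", "trace": trace}
    trace.append(f"DA resolved -> {da_addr}")
    # 4. Establish the IPsec tunnel to the DA endpoint (endpoint certificate
    #    validation is assumed to be part of this step, as on the slide).
    if da_addr not in view.ipsec_ok:
        return {"location": "outside", "tunnel": False, "auth": None,
                "error": "IPsec tunnel to DA endpoint failed", "trace": trace}
    # 5. Authenticate the computer: certificate when PKI exists, else Kerberos proxy.
    auth = "certificate" if view.has_computer_cert else "kerberos-proxy"
    trace.append(f"computer authenticated via {auth}")
    return {"location": "outside", "tunnel": True, "auth": auth, "trace": trace}


# Constructed scenarios; 203.0.113.0/24 is documentation space, 172.16.0.0/16 private.
ON_CORPNET = NetworkView(
    dns={NLS_NAME: "172.16.0.50", DA_NAME: "172.16.0.100"},
    https_ok={NLS_NAME},
)
ON_INTERNET = NetworkView(
    dns={DA_NAME: "203.0.113.10"},        # only the public DA name resolves outside
    ipsec_ok={"203.0.113.10"},
)
# Misconfiguration: the NLS name also resolves and answers from the Internet,
# so the client never switches to DirectAccess.
NLS_LEAKED = NetworkView(
    dns={NLS_NAME: "203.0.113.50", DA_NAME: "203.0.113.10"},
    https_ok={NLS_NAME},
    ipsec_ok={"203.0.113.10"},
)

if __name__ == "__main__":
    for label, view in (("corpnet", ON_CORPNET), ("internet", ON_INTERNET), ("nls leaked", NLS_LEAKED)):
        result = client_flow(view)
        print(f"{label:10s} location={result['location']} tunnel={result['tunnel']} auth={result['auth']}")
        for line in result["trace"]:
            print("   ", line)
```

Run it directly to print the three scenarios; the trace list records which step decided the outcome, which is the order in which you would check a client that reports no corporate connectivity: NLS reachability first, then external name resolution, then the tunnel, then authentication.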

Page 21

Technical Detail: NAT64/DNS64

NAT64/DNS64 is the reason DA works on IPv4 networks.

(Diagram: IPv6 network with IPv6 client fd00:fefe:1::bef1:2002 carrying native IPv6 traffic; NAT64/DNS64 gateway (DA) with IPv6 prefix fd00:fefe:2::/96 and IPv4 internal address 172.16.0.100; IPv4 network with IPv4-only server 172.16.0.20 and DNS server 172.16.0.2 carrying native IPv4 traffic)

NAT64 device configured with /96 IPv6 prefix and IPv4 address pool

1. IPv6 client sends DNS AAAA query for IPv4-only server
2. NAT64 device forwards DNS AAAA query to authoritative DNS server
3. DNS server informs that no AAAA record exists for server
4. NAT64 device sends DNS A query for server
5. DNS server replies with server's IPv4 address:
   SERVER IN A 172.16.0.20
6. DNS64 converts DNS A IPv4 response to an IPv6 AAAA one, adding IPv6 /96 prefix:
   SERVER IN AAAA FD00:FEFE:2::172.16.0.20
7. IPv6 client sends connection packet to IPv6 address associated to the IPv4 receiver
8. NAT64 gateway translates the IPv6 packet to IPv4, dynamically associating the source IPv6 address with an IPv4 address from the pool
9. IPv4-only server replies to the dynamic IPv4 address used by the NAT64 gateway
10. NAT64 gateway translates the IPv4 packet to IPv6 using the information in the translation table

(Diagram, packet headers: IPv6 side, source fd00:fefe:1::bef1:2002 TCP port 1025, destination fd00:fefe:2::172.16.0.20 TCP port 80; IPv4 side, source 172.16.0.101 TCP port 1060, destination 172.16.0.20 TCP port 80)
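An added Python example, not from the slides, that carries steps 5 to 10 above through with the slide's own values: the /96 prefix fd00:fefe:2::, the server 172.16.0.20, the client fd00:fefe:1::bef1:2002 and the pool address 172.16.0.101. dns64_synthesize and nat64_extract implement the prefix embedding of step 6 and its inverse; Nat64Gateway keeps the translation table used in steps 8 and 10. The function and class names, the endpoint tuples and the port allocator (started at 1060 only to reproduce the slide's figure) are my assumptions.

```python
# Added example (not from the seminar slides): DNS64 address synthesis and a
# stateful NAT64 translation table as on slide 21. PREFIX and the addresses in
# the demo come from the slide; the functions, the class and the port allocator
# are constructed for this example.
import ipaddress
from typing import Dict, Optional, Tuple

PREFIX = ipaddress.IPv6Network("fd00:fefe:2::/96")   # NAT64 prefix on the slide

Endpoint = Tuple[str, int]   # (address, TCP port)


def dns64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = PREFIX) -> ipaddress.IPv6Address:
    """Step 6: build the AAAA answer by placing the IPv4 address in the low
    32 bits of the /96 prefix (the RFC 6052 embedding)."""
    if prefix.prefixlen != 96:
        raise ValueError("this embedding needs a /96 NAT64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def nat64_extract(ipv6: str, prefix: ipaddress.IPv6Network = PREFIX) -> Optional[ipaddress.IPv4Address]:
    """Inverse of dns64_synthesize. Returns None when the address is outside the
    NAT64 prefix, i.e. the packet is native IPv6 and is not translated."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


class Nat64Gateway:
    """Steps 8 and 10: map each IPv6 source endpoint to a pool IPv4 address and
    port, and use that table to translate the server's reply back."""

    def __init__(self, pool, first_port: int = 1060):
        self.pool = list(pool)
        self.next_port = first_port   # 1060 only so the output matches the slide's figure
        self.v6_to_v4: Dict[Endpoint, Endpoint] = {}
        self.v4_to_v6: Dict[Endpoint, Endpoint] = {}

    def outbound(self, src6: Endpoint, dst6: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """IPv6 packet from the client -> (IPv4 source, IPv4 destination) seen by the server."""
        dst4 = nat64_extract(dst6[0])
        if dst4 is None:
            raise ValueError("destination is native IPv6; NAT64 is not involved")
        if src6 not in self.v6_to_v4:
            # Dynamic association: next pool address (round-robin) and a fresh port.
            mapped = (self.pool[len(self.v6_to_v4) % len(self.pool)], self.next_port)
            self.next_port += 1
            self.v6_to_v4[src6] = mapped
            self.v4_to_v6[mapped] = src6
        return self.v6_to_v4[src6], (str(dst4), dst6[1])

    def inbound(self, src4: Endpoint, dst4: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """IPv4 reply from the server -> (IPv6 source, IPv6 destination) for the client.
        Without table state the packet cannot be mapped to a client and is dropped."""
        if dst4 not in self.v4_to_v6:
            raise KeyError("no translation state for this IPv4 endpoint; packet dropped")
        return (str(dns64_synthesize(src4[0])), src4[1]), self.v4_to_v6[dst4]


if __name__ == "__main__":
    # Walk the slide's exchange with its own values.
    print("AAAA synthesized:", dns64_synthesize("172.16.0.20"))   # fd00:fefe:2::ac10:14
    gw = Nat64Gateway(pool=["172.16.0.101"])
    out = gw.outbound(("fd00:fefe:1::bef1:2002", 1025), ("fd00:fefe:2::172.16.0.20", 80))
    print("IPv4 side:", out)   # (('172.16.0.101', 1060), ('172.16.0.20', 80))
    back = gw.inbound(("172.16.0.20", 80), ("172.16.0.101", 1060))
    print("IPv6 side:", back)
```

The synthesized address prints as fd00:fefe:2::ac10:14, which is the same value the slide writes in mixed notation as FD00:FEFE:2::172.16.0.20. An inbound IPv4 packet with no matching table entry is dropped (the KeyError): the translation state is the only thing that lets the gateway map an IPv4 packet back to a client, so an IPv4-only host cannot initiate a connection toward an IPv6 client through NAT64, only answer one.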

Page 22

Demo: Simplified Administrator Configuration, Improved User Experience

(Diagram: Internet side with public IPv4 addressing, Public ISP, NAT Router and private IPv4 addressing; Corporate side with private IPv4 addressing, DA Server, Domain Controller and File Server)

Page 23

Windows 7 Client Considerations

• PKI required
• Windows 7 Kerberos client does not support Kerberos proxy
• Original IPHTTPS client does not include performance enhancements
• IPHTTPS is the only transport technology for NAT deployments
• No built-in connection status UI
• Limited troubleshooting tools compared to Windows 8

Page 24

Windows to Go

• Windows on a Stick
• "Bring your own Device"
• Always connected with DA
• Cheap "Remote Access Client"

Page 25

Additional Killer Feature! Offline Provisioning of Direct Access Clients

With Windows Server 2012, DirectAccess can provide a remote connection for domain joining and provisioning

If a laptop is lost, destroyed or offsite we can send a provisioning package to automate the configuration of domain join and DirectAccess for a new PC

Uses DJOIN.EXE utility, which is updated in Server 2012

Page 26

DJOIN.exe

Now includes selected Group Policy object in the 'blob', allowing new clients to be remotely joined to computer accounts (via DA):

    Djoin /provision /machine CLIENT1 /domain corp /policynames "DirectAccess Client Settings" /rootcacerts /savefile c:\files\provision.txt /reuse

Page 27

In Summary…..

Page 29

MCSA: Windows Server 2012

(Diagram: Exam 410 / MOC 20410 Installing and Configuring Windows Server 2012 + Exam 411 / MOC 20411 Administering Windows Server 2012 + Exam 412 / MOC 20412 Configuring Advanced Windows Server 2012 Services = MCSA: Windows Server 2012)

Find a Learning Partner

Page 30

MCSE: Server Infrastructure

(Diagram: Windows Server 2012 + Exam 413 / MOC 20413 Designing and Implementing a Server Infrastructure + Exam 414 / MOC 20414 Implementing an Advanced Server Infrastructure = MCSE: Server Infrastructure)

* Requires recertification

Find a Learning Partner

Page 31

MCSE: Desktop Infrastructure

(Diagram: Windows Server 2012 + Exam 415 / MOC 20415 Implementing a Desktop Infrastructure + Exam 416 / MOC 20416 Implementing Desktop Application Environments = MCSE: Desktop Infrastructure)

* Requires recertification

Find a Learning Partner

Page 32

Upgrade paths

Windows Server 2012: Exam 417, Upgrading Your Skills to MCSA Windows Server 2012. Any of the following certifications qualify:

• MCSA: Windows Server 2008*
• MCITP: Virtualization Administrator
• MCITP: Enterprise Messaging Administrator
• MCITP: Lync Server Administrator
• MCITP: SharePoint Administrator
• MCITP: Enterprise Desktop Administrator

Server Infrastructure: + Exam 413 Designing and Implementing a Server Infrastructure + Exam 414 Implementing an Advanced Server Infrastructure =

Desktop Infrastructure: + Exam 415 Implementing a Desktop Infrastructure + Exam 416 Implementing Desktop Application Environments =

Either or Both