Seminar: Transparent working with DirectAccess.
The new way of working. At home, on the road, at a customer's site or at the office: wherever you are, you want the same user experience. With DirectAccess, your laptop is part of your corporate network whenever it has an Internet connection. You can always reach your files, and the complexity of VPN connections is a thing of the past! This solution suits every company size, from small SMBs to large enterprises.
Microsoft Windows Server 2012
Windows Server 2012 DirectAccess
Marco Sap, Computrain | Twice | Broekhuis
This presentation shows the new DirectAccess capabilities in Windows Server 2012.
Agenda
• Windows Server 2012
• Trends and Challenges
• DirectAccess
• Get Started: Advice and Action!
Windows Server 2012: The Cloud OS
Modern platform for the world’s apps
• Pillars: Identity, Virtualization, Data, Development, Management
• Transforms the datacenter
• Enables modern apps
• Unlocks insights on any data
• Empowers people-centric IT
One platform for all segments (figure): Windows Server spans First Server, Small Business, Mid-market (Virtualization; Automated Virtualization & Management) and Enterprise / Private Cloud (Virtualization Management with System Center).
• Enables small businesses around the world
• Powers many of the world’s largest datacenters
• Delivers value to organizations of all sizes
Industry trends and challenges
• (How) do I embrace the Cloud? Public and Private?
• How do I simultaneously increase the availability in my datacenter and lower the costs?
• How do I deliver next-generation client/mobile apps with scalable, available back-end services?
• How do I enable modern work styles: BYOD, Consumerization of IT…
Drivers: device proliferation, data explosion, cloud computing, new apps
DirectAccess
• Transparent network access to the end user from any Internet connection
• Flexible deployment scenarios
• Simple to deploy and manage centrally
Seamless Remote Access with DirectAccess
• Unified management experience
• Support for multiple sites
• Easy-deployment wizard
• Support for Windows PowerShell for client and server
• Built-in support for IPv6 translation technology
• Site-to-site tunneling
Let’s talk concepts….
Remote Access Solutions
• User-based: PPTP, L2TP, SSTP
• Computer-based: DirectAccess
What does DirectAccess do?
• Connects you to your corporate office no matter where you are: if you have Internet, you have corporate network access
• No visible VPN client
How does it do it?
• Combines multiple networking technologies: IPsec, IPv6, IP-HTTPS, NAT64/DNS64
• Domain member configuration
• Tunnels
• Kerberos proxy or certificates
DirectAccess Improvements
• Deploy without internal IPv6 connectivity
• PKI deployment is not needed
• New Kerberos Proxy and IP-HTTPS improvements
• Support for external NAT for the DA edge
• Support for Server Core
Deploy Without IPv6*
• DirectAccess is an IPv6 technology
• NAT64/DNS64 provided out of the box
PKI is no longer a prerequisite
• Windows 2008 R2 DirectAccess used two IPsec AuthIP policies to authenticate and secure traffic
• Windows 2012 overcomes the PKI requirement using Kerberos Proxy
• Client authentication requests are sent to a KDC Proxy Server service running on the DirectAccess server
• Kerberos Proxy sends Kerberos requests to DCs on behalf of the client
• The Getting Started wizard configures KDC Proxy automatically
DA now uses a single external IPv4 address and has the following requirements:
• TCP port 443 NATted or allowed to the DA edge (on the firewall)
• The DirectAccess server must have a server authentication certificate for TLS that will be trusted by clients (forcibly through Group Policy if necessary)
• A self-signed certificate is used automatically for IP-HTTPS/KDC Proxy
Support for NAT
• DirectAccess server can now run behind NAT with a single network interface or multiple interfaces
• No need for two consecutive public IPv4 addresses!
• Setup Wizard probes whether the DirectAccess server is located behind a NAT
• If so, only IP-HTTPS will be deployed
IP-HTTPS Improvements
• The key performance issue in Windows 2008 R2: data is encrypted by IPsec as well as by SSL, so the data is encrypted twice
Windows Server 2012 DirectAccess improves IP-HTTPS:
• Allows IP-HTTPS clients to obtain proxy configuration information
• Optimizations include changes to batched send behavior and receive buffers, reduced lock contention, and the option to implement SSL with NULL encryption (so that only the inner IPsec layer encrypts the payload)
• IP-HTTPS can be configured to work when behind an authenticating proxy
• IP-HTTPS is now the preferred transport
DirectAccess client flow
1. Client attempts to locate the Network Location Server (NLS): DNS query for DirectAccess-NLS.corp.domain.com
2. If the NLS is not found, assume DirectAccess is required (an HTTP probe checks for NLS availability)
3. Resolve the external DA name with external DNS: IPv4 (A) DNS query for da.domain.com
4. Establish an IPsec tunnel to the DA endpoint: connect to the external IP address of the DirectAccess server and validate certificates
5. Authenticate the client computer, using either Kerberos or certificate-based authentication
Technical Detail: NAT64/DNS64
NAT64/DNS64 is the reason DA works on IPv4 networks.
Diagram: an IPv6 client (fd00:fefe:1::bef1:2002) on the IPv6 network sends native IPv6 traffic to the NAT64/DNS64 gateway (the DA server), which sends native IPv4 traffic to an IPv4-only server (172.16.0.20) on the IPv4 network; the DNS server is 172.16.0.2. The NAT64 device is configured with the IPv6 prefix fd00:fefe:2::/96, the IPv4 internal address 172.16.0.100 and an IPv4 address pool.
1. IPv6 client sends a DNS AAAA query for the IPv4-only server
2. NAT64 device forwards the DNS AAAA query to the authoritative DNS server
3. DNS server informs that no AAAA record exists for the server
4. NAT64 device sends a DNS A query for the server
5. DNS server replies with the server’s IPv4 address: SERVER IN A 172.16.0.20
6. DNS64 converts the DNS A IPv4 response to an IPv6 AAAA one, adding the IPv6 /96 prefix: SERVER IN AAAA FD00:FEFE:2::172.16.0.20
7. IPv6 client sends the connection packet to the IPv6 address associated with the IPv4 receiver: from fd00:fefe:1::bef1:2002, TCP port 1025, to fd00:fefe:2::172.16.0.20, TCP port 80
8. NAT64 gateway translates the IPv6 packet to IPv4, dynamically associating the source IPv6 address with an IPv4 address from the pool: from 172.16.0.101, TCP port 1060, to 172.16.0.20, TCP port 80
9. IPv4-only server replies to the dynamic IPv4 address used by the NAT64 gateway
10. NAT64 gateway translates the IPv4 packet to IPv6 using the information in the translation table
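As an added example (not from the deck), the address arithmetic behind steps 6 to 10 in Python: DNS64 synthesis with the slide’s fd00:fefe:2::/96 prefix, the inverse extraction NAT64 performs, and a minimal binding table that maps the client (fd00:fefe:1::bef1:2002, port 1025) to the pool address 172.16.0.101 and port 1060. The zone data and pool are constructed; the slide’s FD00:FEFE:2::172.16.0.20 is the same address as fd00:fefe:2::ac10:14, written with the embedded IPv4 in dotted form.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv6Address, IPv6Network

PREFIX = IPv6Network("fd00:fefe:2::/96")  # constructed from the slide: DNS64/NAT64 prefix
POOL_IPV4 = "172.16.0.101"                # constructed: address the gateway uses towards IPv4
ZONE = {"server.corp.domain.com": {"A": "172.16.0.20"}}  # constructed internal DNS data

def synthesize_aaaa(ipv4: str, prefix: IPv6Network = PREFIX) -> IPv6Address:
    """Step 6: DNS64 embeds the 32-bit IPv4 address below the /96 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("this synthesis assumes a /96 prefix, as DirectAccess uses")
    return IPv6Address(int(prefix.network_address) | int(IPv4Address(ipv4)))

def extract_ipv4(ipv6: str, prefix: IPv6Network = PREFIX):
    """Inverse mapping used by NAT64; returns None when the address is native IPv6."""
    addr = IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return IPv4Address(int(addr) & 0xFFFFFFFF)

def dns64_resolve(name: str, zone: dict = ZONE) -> tuple:
    """Steps 1-6: return a real AAAA when one exists, else synthesize one from the A record."""
    records = zone.get(name.lower(), {})
    if "AAAA" in records:                 # native IPv6 host: no translation needed
        return "AAAA", str(IPv6Address(records["AAAA"]))
    if "A" in records:                    # IPv4-only host: DNS64 synthesizes the AAAA
        return "AAAA-synthesized", str(synthesize_aaaa(records["A"]))
    return "NXDOMAIN", ""                 # neither record: nothing to synthesize

@dataclass
class Nat64Gateway:
    """Steps 7-10: stateful binding table keyed by (client IPv6, client port)."""
    pool_ipv4: str = POOL_IPV4
    next_port: int = 1060                 # first dynamic pool port, matching the slide
    bindings: dict = field(default_factory=dict)

    def outbound(self, src6: str, sport: int, dst6: str, dport: int):
        """Step 8: translate a client packet to IPv4; returns (src4, sport4, dst4, dport4)."""
        dst4 = extract_ipv4(dst6)
        if dst4 is None:
            raise ValueError("destination is native IPv6; NAT64 is not in the path")
        key = (str(IPv6Address(src6)), sport)
        if key not in self.bindings:      # first packet of a flow: allocate a pool port
            self.bindings[key] = self.next_port
            self.next_port += 1
        return self.pool_ipv4, self.bindings[key], str(dst4), dport

    def inbound(self, dport4: int):
        """Steps 9-10: reverse lookup from the server's reply port to (client IPv6, port)."""
        return next((k for k, p in self.bindings.items() if p == dport4), None)
```

A reply to a pool port with no binding returns None, which is the case a NAT64 gateway drops rather than forwards.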
Demo
• Simplified administrator configuration
• Improved user experience
Demo topology (diagram): Internet and corporate sides; public IPv4 addressing on the Internet (public ISP), private IPv4 addressing both on the client side (behind a NAT router) and on the corporate side (behind NAT), with the DA server, domain controller and file server in the corporate network.
Windows 7 Client Considerations
• PKI required: the Windows 7 Kerberos client does not support Kerberos proxy
• Original IP-HTTPS client does not include the performance enhancements
• IP-HTTPS is the only transport technology for NAT deployments
• No built-in connection status UI
• Limited troubleshooting tools compared to Windows 8
Windows To Go
• Windows on a Stick: “Bring your own Device”
• Always connected with DA
• Cheap “Remote Access Client”
Additional Killer Feature! Offline Provisioning of DirectAccess Clients
• With Windows Server 2012, DirectAccess can provide a remote connection for domain joining and provisioning
• If a laptop is lost, destroyed or offsite, we can send a provisioning package to automate the configuration of domain join and DirectAccess for a new PC
• Uses the DJOIN.EXE utility, which is updated in Server 2012
DJOIN.exe
• Now includes the selected Group Policy object in the ‘blob’, allowing new clients to be remotely joined to computer accounts (via DA)
• The saved blob carries the new computer account’s credentials, so protect it in transit like any other secret
Djoin /provision /machine CLIENT1 /domain corp /policynames "DirectAccess Client Settings" /rootcacerts /savefile c:\files\provision.txt /reuse
In Summary…..
Get started: Download Windows Server 2012
Learn
Act
MCSA: Windows Server 2012 (Find a Learning Partner)
• Exam 410: Installing and Configuring Windows Server 2012 (MOC 20410, 5 days)
• Exam 411: Administering Windows Server 2012 (MOC 20411, 5 days)
• Exam 412: Configuring Advanced Windows Server 2012 Services (MOC 20412, 5 days)
410 + 411 + 412 = MCSA: Windows Server 2012
MCSE: Server Infrastructure (Find a Learning Partner)
• MCSA: Windows Server 2012
• Exam 413: Designing and Implementing a Server Infrastructure (MOC 20413, 5 days)
• Exam 414: Implementing an Advanced Server Infrastructure (MOC 20414, 5 days)
MCSA + 413 + 414 = MCSE: Server Infrastructure
* Requires recertification
Windows Server 2012
MCSE: Desktop Infrastructure (Find a Learning Partner)
• MCSA: Windows Server 2012
• Exam 415: Implementing a Desktop Infrastructure (MOC 20415, 5 days)
• Exam 416: Implementing Desktop Application Environments (MOC 20416, 5 days)
MCSA + 415 + 416 = MCSE: Desktop Infrastructure
* Requires recertification
Windows Server 2012 Upgrade paths
Exam 417: Upgrading Your Skills to MCSA Windows Server 2012
Any of the following certifications qualify:
• MCSA: Windows Server 2008*
• MCITP: Virtualization Administrator
• MCITP: Enterprise Messaging Administrator
• MCITP: Lync Server Administrator
• MCITP: SharePoint Administrator
• MCITP: Enterprise Desktop Administrator
Server Infrastructure: 417 + 413 (Designing and Implementing a Server Infrastructure) + 414 (Implementing an Advanced Server Infrastructure) = MCSE: Server Infrastructure
Desktop Infrastructure: 417 + 415 (Implementing a Desktop Infrastructure) + 416 (Implementing Desktop Application Environments) = MCSE: Desktop Infrastructure
Either or Both