10. Always On (slide diagram: Internet, corporate network, remote client)
Patch management, health check and GPOs
Network-level computer/user authentication and encryption
Automatically connects through NAT and firewalls
VPNs connect the user to the network; DirectAccess extends the network to the remote computer and user
11. Client and server applications must be IPv6 compatible (slide diagram: client app (IPv6) on the Internet, server app (IPv6) on the corporate intranet)
12. Internet and corporate intranet (slide diagram)
Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4
Internet tunnelling selection based on client location: Internet, NAT, firewall
Encryption/authentication of Internet traffic (end-to-edge/end-to-end)
Client location detection: Internet or corporate intranet
13. Forefront Unified Access Gateway (UAG) transition technologies (slide diagram)
Native IPv6 client to the UAG gateway over IPv6
6to4 tunnel from the IPv4 Internet: IPv6 in IPv4, protocol 41
Teredo tunnel from behind NAT: IPv6 in UDP port 3544
IP-HTTPS tunnel when UDP port 3544 is blocked: IPv6 in HTTPS
Corporate network side: ISATAP (IPv6 in IPv4, protocol 41), DNS64/NAT64 to reach IPv4-only servers
21. For end-to-edge protection, DirectAccess clients establish an IPsec session to an IPsec gateway server (which by default is the same computer as the DirectAccess server). The IPsec gateway server then forwards unprotected traffic, shown in red in the diagram, to application servers on the intranet. This architecture works with any IPv6-capable application server but does not require that server to run IPsec, simplifying configuration and setup.
22. For end-to-edge with end-to-end IPsec protection, DirectAccess clients establish an IPsec session to an IPsec gateway server, and that IPsec traffic continues all the way to the intranet server for end-to-end IPsec protection. This architecture provides better security than the end-to-edge model alone.
23. With end-to-end IPsec protection, DirectAccess clients establish an IPsec session through the DirectAccess server to each application server to which they connect. This provides the highest level of security because you can configure access control on the DirectAccess server and extend IPsec all the way to the internal server. This architecture requires that application servers run Windows Server 2008 SP2 or Windows Server 2008 R2 and use both IPv6 and IPsec.
25. DirectAccess server (Windows Server 2008 R2) reaching line-of-business application servers using ISATAP (slide diagram labels: IPv6, IPv4, IPv6)
On all internal DCs: Dnscmd /config /globalqueryblocklist wpad
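The Dnscmd step above removes "isatap" from the DNS global query block list (which blocks both "wpad" and "isatap" by default) so intranet clients can resolve the ISATAP router. As an added example, not from the slides, the same audit and change with the DnsServer PowerShell module; the DC names are constructed placeholders:

```powershell
# Added example: audit the DNS global query block list on each internal DC
# and unblock only "isatap", keeping "wpad" blocked.
# Assumes the DnsServer module (Windows Server 2012 or later) and remote
# management rights on the DCs listed in $dcs (constructed sample names).
$dcs = @('dc01.corp.example', 'dc02.corp.example')

foreach ($dc in $dcs) {
    $current = (Get-DnsServerGlobalQueryBlockList -ComputerName $dc).List
    Write-Host "$dc block list before: $($current -join ', ')"

    if ($current -contains 'isatap') {
        # ISATAP is blocked by default; DirectAccess intranet clients cannot
        # find the ISATAP router until the name is removed from the list.
        # Leave "wpad" blocked: unblocking it lets any host that registers
        # that name hand out a proxy configuration to every client.
        Set-DnsServerGlobalQueryBlockList -ComputerName $dc -List 'wpad'
        $after = (Get-DnsServerGlobalQueryBlockList -ComputerName $dc).List
        Write-Host "$dc block list after:  $($after -join ', ')"
    }
    else {
        Write-Host "$dc already allows isatap queries; no change"
    }
}
```

Confirm afterwards that the ISATAP host record resolves from an intranet client before expecting DirectAccess clients to use it.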
36. Managed and unmanaged clients (slide diagram)
1. Extends access to line-of-business servers with IPv4 support
2. Access for down-level and non-Windows clients
3. Enhances scalability and management
4. Simplifies deployment and administration
5. Hardened edge solution
Managed: Windows 7 clients use DirectAccess (Always On) over IPv6
Unmanaged: Vista, XP, non-Windows and PDA clients use SSL VPN over IPv4
DA server extends support to IPv4 servers