Entries tagged with network access protection - TechNet Edge

Windows 7 DirectAccess Explained

yung — Fri, 20 Nov 2009 08:01:00 GMT

The Windows® 7 and Windows Server® 2008 R2 operating systems introduce DirectAccess, a new solution that provides users with the same experience working remotely as they would have when working in the office.

With DirectAccess, remote users can access corporate file shares, Web sites, and applications without connecting to a virtual private network (VPN), as shown in Windows 7 DirectAccess User Experience. Further, DirectAccess separates intranet traffic from Internet traffic, as shown on the left, and reduces unnecessary traffic on the corporate network.

DirectAccess requirements include:

DirectAccess Server: This is a Windows Server 2008 R2 server with the server feature, DirectAccess Management Console, added. A DirectAccess server must be joined to an Active Directory® domain and cannot be behind a Network Address Translation, or NAT, device. In addition, a DirectAccess server must have two network adapters: one connected to the Intranet, and the other to the Internet with at least two, consecutive, public, IPv4 addresses.
DirectAccess Client: Windows 7 is the supported client OS.
At least one domain controller and Domain Name System (DNS) server is Windows Server 2008 SP2 or Windows Server 2008 R2.
A Public Key Infrastructure (PKI) for issuing computer certificates, smart card certificates, and, for Network Access Protection (NAP), health certificates
IPsec policies to specify protection for traffic
IPv6 transition technologies, i.e. ISATAP (RFC 4214), Teredo (RFC 4380), and 6to4 (RFC 3056), for DirectAccess server
Optionally, a non-Microsoft NAT-PT (RFC 2766) device to provide access to IPv4-only resources for DirectAccess clients

Here’s how DirectAccess works:

A DirectAccess client computer boots and detects a network connection.
The DirectAccess client computer attempts to connect to an intranet-only web site specified in DirectAccess configuration. If the web site is available, the DirectAccess client determines that it is connected to the intranet, and the DirectAccess connection process stops. The effective DNS Name Resolution Policy revealed by the command, netsh name show effectivepolicy, should indicate DirectAccess is turned off, if the client is in the intranet. On the other hand, if the Web site is not available, the DirectAccess client determines that it is connected to the Internet and the DirectAccess connection process continues. The DirectAccess client computer connects to the DirectAccess server using IPv6 and IPsec. If a native IPv6 network isn’t available, the client establishes an IPv6-over-IPv4 tunnel using 6to4 or Teredo. If a firewall or proxy server prevents the client computer using 6to4 or Teredo from connecting to the DirectAccess server, the client automatically attempts to connect using the IP-HTTPS protocol, which uses a Secure Sockets Layer (SSL) connection to ensure connectivity as shown below.
As part of establishing the IPsec session, the DirectAccess client and server authenticate each other using computer certificates for authentication. Two types of IPsec protection: end-to-end and end-to-edge are available for a DirectAccess client to connect to intranet resources.
By validating Active Directory® group memberships, the DirectAccess server verifies that the computer is authorized to connect with DirectAccess. To mitigate the risk of denial of service (DoS) attacks, IPsec on the DirectAccess server de-prioritizes key negotiation traffic using Differentiated Services Code Points (DSCPs).
If Network Access Protection (NAP) is enabled and configured for health validation, the DirectAccess client obtains a health certificate from a Health Registration Authority (HRA), located on the Internet, prior to connecting to the DirectAccess server. The HRA forwards the DirectAccess client’s health status information to a NAP health policy server. The NAP health policy server processes the policies defined within the Network Policy Server (NPS) and determines whether the client is compliant with system health requirements. If so, the HRA obtains a health certificate for the DirectAccess client. When the DirectAccess client connects to the DirectAccess server, it submits its health certificate for authentication.
The DirectAccess server begins forwarding traffic from the DirectAccess client to the intranet resources to which the user has been granted access.

Notice the DirectAccess connection process happens automatically once a DirectAccess client boots up without requiring a user to log on.

Windows 7 DirectAccess User Experience

yung — Thu, 19 Nov 2009 02:50:00 GMT

This is a follow-up posting with Windows 7 DirectAccess Explained. Here, I configured a simple infrastructure with my Hyper-V-enabled laptop to demonstrate the user's experience in accessing corporate resources with DirectAccess including:

dc.contoso.com

DC/DNS/DHCP/CA

da.contoso.com

DirectAccess server with 2 network adapters and 2 consecutive Ipv4 addresses assigned to the one connected to the Internet

app.contoso.com

An internal only application server

win7-client.contoso.com

A Windows 7 machine configured as a DirectAccess client

The demonstration shows with DirectAccess a user can securely access authorized corporate resources with the same experience working remotely without connecting to a virtual private network (VPN) as one would have when working in the office.

Forefront Integration Kit for Network Access Protection Demo

System — Thu, 26 Mar 2009 20:14:00 GMT

Forefront Integration Kit for Network Access Protection Demo, Tom Cloward

Introducing the Forefront Integration Kit for Network Access Protection

System — Thu, 26 Mar 2009 20:14:00 GMT

Introducing the Forefront Integration Kit for Network Access Protection, Tom Cloward and Shurti Kala

Screencast: Network Access Protection Part 2

Jeff Alexander — Mon, 01 Sep 2008 01:20:00 GMT

Hello again,

In my previous post on Network Access Protection I showed you how to configure the server and get the switch going for 802.1x authentication. In this Screencast I'm going to look at what happens at the client end so you can see how to configure a Windows Vista client and then look at some of the events that get logged when a client moves in and out of health.

Enjoy!

Screencast: Network Access Protection with 802.1x (Part 1)

Jeff Alexander — Wed, 20 Aug 2008 07:01:00 GMT

One of the most important features of Windows Server 2008 is Network Access Protection. In it’s simplest terms NAPThese guys have done some pretty impressive stuff. The NAP team worked with a list of partners as long as your arm to make sure NAP will play nicely with whatever switch hardware you've invested in. Brent shares some impressive sizing guidelines for implementing NAP: Microsoft turned reporting and deferred enforcement on 120,000 machines worldwide, using a very small number of servers. Very small. Less than 3. Total help desk calls as a result? Also a very small number. Oh, and he did that deployment using beta builds of Longhorn Server 2008.
(this video was originally posted to Channel9 back before Edge existed, but since it's really IT content, not dev, I wanted to put it up over where it belongs)