Windows Server 2008 R2 Unleashed (169 page)

ensure confidentiality: data encryption and data integrity. IPSec uses an authentication

header (AH) to provide source authentication and integrity without encryption and the

Encapsulating Security Payload (ESP) to provide authentication and integrity along with

encryption. With IPSec, only the sender and recipient know the security key. If the

ptg

authentication data is valid, the recipient knows that the communication came from the

sender and that it was not changed in transit.

IP

UDP

L2TP

PPP

PPP

HEADER

HEADER

HEADER

HEADER

PAYLOAD

IPSEC

IP

UDP

L2TP

PPP

IPSEC

IPSEC

PPP

ESP

HEADER

HEADER

HEADER

HEADER

ESP

AUTH

PAYLOAD

HEADER

TRAILER

TRAILER

ENCRYPTED BY IPSEC

FIGURE 24.7

Structure and architecture of the IPSec packet.

NOTE

IPSec also plays a key role in another remote access technology, the new Windows

Server 2008 R2 DirectAccess.

DirectAccess in Windows Server 2008 R2

863

Secure Socket Tunneling Protocol

Introduced in Windows Server 2008, SSTP was specifically developed to get around the

difficulties of setting up VPN tunnels through corporate firewalls, which block many of

the ports and protocols used by PPTP and L2TP. The SSTP tunnel uses the HTTP over SSL

(HTTPS) protocol, which is widely supported for secure web traffic. SSTP uses port 443 for

24

the connection.

The tunneling protocol functions by encapsulating the original IP packet with a PPP

header and then an SSTP header. The SSTP header, the PPP header, and the original IP

packet are all encrypted by the SSL session. Finally, an IP header is added to the packet

and it is routed to the destination. The structure of the packet is shown in Figure 24.8.

ENCRYPTED BY SSL

IP

TCP

SSTP

PPP

PPP

HEADER

HEADER

HEADER

HEADER

PAYLOAD

PPP FRAME

ptg

FIGURE 24.8

Structure and architecture of the SSTP packet.

NOTE

Interestingly, even though SSTP is based on the HTTPS web protocol, the VPN server

does not have to be configured with IIS. The RRAS VPN server listens for SSTP connec-

tions on the uniform resource identifier (URI) /sra_{BA195980-CD49-458b-9E23-

C84EE0ADCD75}/. This does not conflict with or require IIS, so IIS can be installed if

needed for other purposes.

Unfortunately, SSTP does not support tunneling through web proxies that require authen-

tication. Another limitation of SSTP is that it does not support site-to-site connections in

Windows Server 2008 R2, which both PPTP and L2TP do.

DirectAccess in Windows Server 2008 R2

DirectAccess is a new remote access protocol in Windows Server 2008 R2 that provides

network node connectivity to remote systems without any user login requirements.

DirectAccess addresses several challenges with traditional VPN, including the following:

. The need for the user to manually connect to the VPN.

. The delay the user experiences when connecting to the VPN while health checks are

completed during the connection process.

864

CHAPTER 24

Server-to-Client Remote Access and DirectAccess

. The need for the user to reconnect manually if an established VPN connection is lost.

. The slow performance when all traffic (intranet and Internet) is routed through the

VPN connection.

These challenges can cause users to limit the use of traditional VPN solutions. DirectAccess

has been designed from the ground up to address those challenges. DirectAccess hides all

the connection processes from the users and intelligently routes intranet versus Internet

traffic, thereby alleviating the challenges of traditional VPNs. It connects as soon as the

computer starts up and conducts the health checks, rather than when the user is logging

in. The connection process is transparent to the user and the user never needs to explicitly

connect to DirectAccess. Finally, DirectAccess has built-in options to control how DNS

requests are handled, effectively bifurcating the Internet and intranet traffic to avoid

burdening the remote access connection and improving performance.

DirectAccess creates an encrypted point-to-point tunnel from a remote user—in this case,

specifically a remote user on Windows 7—to the internal “enterprise” network. The differ-

ence is that the connection is transparent to the user. Once configured, the computer will

automatically connect to the office from any available Internet connection. The user expe-

rience is almost identical to being in the office. In addition, through the use of the

Windows Server 2008 R2 NPS server, remote-connected clients can be securely managed

similarly to internal client systems.

ptg

NOTE

Although positioned as an alternative to a VPN, the DirectAccess technology has all the

elements of a VPN. It establishes a secure private tunnel through public networks

using IPSec and certificates, with an end result functionally not much different from

L2TP. The differences are mainly administrative rather than technical.

DirectAccess uses IPv6, IPSec, and certificates to establish secure connections from the

DirectAccess clients to intranet resources via the DirectAccess server. To traverse public IPv4

networks, DirectAccess uses IPv6 transition technologies such as ISATAP, Teredo, and 6to4.

DirectAccess has some specific requirements, as follows:

. The server running Windows Server 2008 R2 needs to have two network cards: one

attached to the intranet and one attached to the Internet.

. The Internet network card must have two consecutive public IPv4 addresses.

. The Intranet resources and applications must support IPv6.

. The DirectAccess clients need to be running Windows 7; older clients are not

supported.

DirectAccess in Windows Server 2008 R2

865

. A domain controller and DNS server that the systems are connected to need to be

running Windows Server 2008 SP2 or Windows Server 2008 R2.

. A PKI needs to be available to issue certificates with a published Internet available

certificate revocation list (CRL).

These requirements are somewhat stringent and might prevent many organizations from

24

deploying DirectAccess. However, for an organization with an up-to-date infrastructure,

servers, and clients, DirectAccess can be an excellent solution.

DirectAccess and IPv6

DirectAccess is designed on top of IPv6 and requires that all endpoint devices support

IPv6. It is one of the first services to require this modern protocol.

DirectAccess is most likely to be deployed in an IPv4 world, given the prevalence of IPv4

on the Internet today. This creates an IPv4 gap (shown in Figure 24.9) across which IPv6

devices like DirectAccess clients need to communicate.

?

IPv4 Network

?

ptg

Gap

IPv6 Device

IPv6 Device

FIGURE 24.9

The IPv4 gap between IPv6 devices.

Most organizations will need to use IPv6 transition technologies to bridge the IPv4 gap

from their IPv6 enlightened devices to communicate. This, in effect, routes the IPv6

communications through the IPv4 protocol stack, as shown in Figure 24.10. The packets

traveling down the IPv6 protocol stack take a sharp turn and move across the protocol

stack to the IPv4 protocol stack, allowing them to transit the IPv4 network. On the other

side, the same packets come in via the IPv4 protocol stack, but are routed to the IPv6 stack.

Application Layer

Application Layer

IPv4 Network

Transport Layer

Transport Layer

IPv4

IPv4

IPv6 Device

IPv6

IPv6

IPv6 Device

Network Layer

Network Layer

FIGURE 24.10

Bridging the IPv4 gap with transition technologies.

Communications between IPv6 devices like DirectAccess clients over IPv4 networks is

accomplished with IPv6 over IPv4 tunneling. In tunneling, the IPv6 packets are encapsu-

lated in an IPv4 packet by the source device and routed through the IPv4 network. When

866

CHAPTER 24

Server-to-Client Remote Access and DirectAccess

the encapsulated packet arrives at the boundary between the IPv4 and IPv6 networks, the

IPv4 encapsulation is stripped off and the IPv6 packet continues on its way. The most

common tunneling protocols are ISATAP, 6to4, and Teredo.

For organizations, the IPv6 tunneling protocols are used for the following purposes:

.
ISATAP—
This protocol is used to automatically assign IPv6 addresses within the

organization’s IPv4 intranet.

.
6to4—
This protocol is used to automatically assign IPv6 addresses and route across

the public IPv4 Internet.

.
Teredo—
This protocol is used to automatically assign IPv6 addresses and route

across the public IPv4 Internet to devices behind Network Address Translation (NAT)

firewalls.

For organizations that have not deployed IPv6 natively, Microsoft Windows Server 2008

R2 and Windows 7 support ISATAP, 6to4, and Teredo transition protocols. However, even

while DirectAccess clients are using IPv6 transitional technologies like Teredo or 6to4, it is

ultimately communicating from IPv6 clients to IPv6 hosts.

Internally, DirectAccess can use Network Address Translation-Protocol Translation (NAT-PT)

ptg

devices, which can be used to provide access to IPv4 resources. Resources that don’t support

IPv6 natively can be accessed through the use of a Network Address Translation-Protocol

Translation (NAT-PT) device. Microsoft Windows Server 2008 R2 does not currently include

that capability, so a third-party device would be needed for this functionality.

NOTE

NAT-PT is covered in IETF RFC-2766 (http://tools.ietf.org/html/rfc2766), but was

reclassified from a Proposed Standard to Historic due to issues with the standard.

RFC4966 (http://tools.ietf.org/html/rfc4966) contains the details of these issues.

These include difficulty with integrity mechanisms, inability to redirect protocols that

lack demultiplexing capabilities, premature state timeouts, loss of information due to

IPv4 and IPv6 header incompatibilities, packet fragmentation issues, and an inability to

handle multicast traffic. NAT-PT devices are only recommended as a stop-gap measure

due to these issues.

For organizations that have not deployed IPv6, the deployment of DirectAccess is an

excellent project to test the IPv6 waters with. The infrastructure can be deployed in paral-

lel with existing remote access solutions and without impacting the existing IPv4 address-

ing scheme, providing IT personnel with a chance to learn IPv6 and its integration with

IPv4 in a low-impact production setting.

See Chapter 10, “Domain Name System and IPv6,” for a detailed discussion of the IPv6

protocol and the transition technologies needed to bridge the IPv4 gap.

DirectAccess in Windows Server 2008 R2

867

A Tale of Two Tunnels

The DirectAccess client establishes two tunnels, which are key to the versatility of this

method of remote access. These tunnels are IPSec Encapsulating Security Payload (ESP)

tunnels that are authenticated with certificates and encrypted to ensure the confidential-

ity. These tunnels are as follows:

24

.
Computer tunnel—
The computer tunnel is established first when the DirectAccess

client starts up. This tunnel is authenticated with the computer certificate only and

provides access to the intranet DNS and domain controllers. This tunnel is also used

to download the computer group policy and request user authentication.

.
User tunnel—
This tunnel is authenticated with the computer certificate and the

user credentials and provides access to the intranet resources. This tunnel is used to

download user group policy as well.

Both these tunnels are established transparently to the user. The user does not have to

present credentials above and beyond the normal Windows logon to establish remote

access. The two tunnels are shown in Figure 24.11.

ptg

unnel

Computer T

DirectAccess

unnel

Client

User T

DirectAccess

Server

Internal Network

NLS

Certificate

Active Directory

Server

Server

Server

FIGURE 24.11

The two DirectAccess tunnels.

These tunnels allow for the transparent establishment of remote access, essentially allow-

ing the computer to connect to the intranet even when no user is logged on. This allows

868

CHAPTER 24

Server-to-Client Remote Access and DirectAccess

the DirectAccess client to receive Group Policy remotely and be managed by the manage-

ment servers in the intranet. When a user logs on, they are authenticating to the intranet

and, thus, ensuring that users are subject to the latest requirements, password changes,

Other books

Circuit Of Heaven by Danvers, Dennis
Out in the Country by Kate Hewitt
AgeofInnocence by Eliza Lloyd
Suspicion At Sea by Nichols, Amie
Dictation by Cynthia Ozick
A Triple Scoop of I Scream by Gabrielle Holly
Mad About the Earl by Brooke, Christina
McMansion by Justin Scott