Windows Server 2008 R2 Unleashed (170 page)

and policies. In contrast, other VPN solutions typically have users authenticating using

cached credentials against the local machine and then establishing the remote access

connection.

End-to-Edge DirectAccess Model

The end-to-edge model of DirectAccess has the DirectAccess client establish an IPSec

tunnel to the DirectAccess server. The DirectAccess server then forwards unprotected

traffic to the intranet resources. This is the most common form of DirectAccess and closely

follows a standard remote access methodology.

Figure 24.12 shows the end-to-edge connection model. Note that there is a single

protected (solid line) connection through the tunnel to the DirectAccess server, which

then is forwarded to each of the application servers in three separate unprotected (dashed

line) connections.

ptg

Web

Virus

Hacker

Corporate

Internet

Network

Tunnel

Database

Mobile

Worm

DirectAccess

User

Mail

Server

Protected Traffic

Unprotected Traffic

FIGURE 24.12

End-to-edge DirectAccess.

The end-to-edge model requires no IPSec support within the intranet, although the

intranet resources still need to support IPv6.

End-to-End DirectAccess Model

The end-to-end model of DirectAccess has the DirectAccess client establish an IPSec tunnel

with each application server that they connect to. This ensures that traffic is protected end

to end (hence the name) by the IPSec encryption, including while traversing the intranet.

Figure 24.13 shows the end-to-end connection model. Note that there is a protected (solid

line) connection through the tunnel and the DirectAccess server to each of the application

servers. This indicates that there are separate IPSec connections to each server, which are

protected by encryption not only through the Internet but also through the intranet.

The end-to-end model requires that each application server run on Windows Server 2008

or Windows Server 2008 R2, as well as use IPv6 and IPSec. There is also some additional

overhead for the IPSec connections.

DirectAccess in Windows Server 2008 R2

869

Web

Virus

Hacker

Corporate

Internet

Network

Tunnel

Database

Mobile

Worm

24

DirectAccess

User

Mail

Server

Protected Traffic

Unprotected Traffic

FIGURE 24.13

End-to-end DirectAccess.

The requirement that all application servers be Windows Server 2008 or higher is a diffi-

cult hurdle to overcome in today’s heterogeneous IT environments. This makes the end-

to-end model of DirectAccess less common than the end-to-edge model.

Internet Versus Intranet Traffic with DirectAccess

One of the benefits of DirectAccess is the ability to separate the intranet traffic (destined

for internal servers) from the Internet traffic (destined for external servers). This conserves

the corporate bandwidth for access to corporate resources. By specifying the domains and

ptg

subdomains for which the DirectAccess server provides access, traffic for those domains is

directed through the DirectAccess connection. Other traffic is routed through the default

routes and bypasses the DirectAccess connection. This is the highest performance configu-

ration and is the default mode of operation.

However, in some cases, administrators might want to have all traffic route through the

DirectAccess connection. Examples of this include organizations that want to control or

monitor their client communications or prevent access to certain Internet sites. In these

cases, the DirectAccess client can be configured to route all traffic through the

DirectAccess connection.

DirectAccess Components

DirectAccess leverages IPv6 technology along with PKI to provide a seamless secure

connection to the enterprise network. DirectAccess runs at boot and connects as soon as

Internet connectivity is established. There’s no need for a user to configure a VPN client or

logon. From an administrative perspective, this technology allows system administrators

to manage and monitor remote systems through tools like Microsoft System Center

Configuration Manager (SCCM) and Group Policy. DirectAccess finally puts remote

workers on equal ground with traditional office employees.

The following list depicts the components found in a DirectAccess deployment:

.
DirectAccess server—
This is the server that connects to the internal network and

the Internet. It has to be running Windows Server 2008 R2 with two physical inter-

faces: one on the public Internet and one for the internal network. The public inter-

face must have two consecutive public IP addresses assigned.

870

CHAPTER 24

Server-to-Client Remote Access and DirectAccess

.
DirectAccess client—
This is a computer running Windows 7. It must be a domain

member with a certificate.

.
Corporate IPv6 network—
The IPv6 network to which DirectAccess clients will be

connecting remotely.

.
Certificate server—
This server issues the certificates that support the tunnel

creation, authentication, and security. This certificate server must have a published

certificate revocation list (CRL) that is available internally and externally.

.
Network Location Server (NLS)—
This is an HTTPS site that serves as the indicator

to the DirectAccess client if it is connected to the Internet or the intranet.

.
Active Directory and DNS server—
This server must be running Windows Server

2008 SP2 or Windows Server 2008 R2. The AD and DNS role can be separate servers,

although most organizations will have these services on the same server.

Figure 24.14 shows the components and their connections.

Public Internet

ptg

DirectAccess

DirectAccess

Server

Client

Corporate

IPv6

NLS

Certificate

AD and DNS

Server

Server

Server

FIGURE 24.14

DirectAccess components.

Smart cards or NAP protection can also be implemented for additional security if desired.

In its most simple configuration, DirectAccess requires each client to have a valid

computer certificate for authentication to the internal network. This takes the place of a

traditional username and password.

DirectAccess requires IPv6 on the internal enterprise network. It leverages conversion tech-

nology like Teredo, 6to4, and also the new IP-HTTPS for remote clients using IPv4 to

DirectAccess in Windows Server 2008 R2

871

connect to the IPv6 enterprise network. These new technologies are described in the

following list:

. Teredo is the most common method for DirectAccess. It allows IPv6 traffic to pass

through NAT devices that transition out to an IPv4 public network. A good example

is many “hot spot” connections at coffee shops and many home networks.

24

. 6to4 directly translates IPv6 addresses into IPv4 addresses. If remote clients are

directly connected to the Internet and have only IPv4 public IP addresses, 6to4 is the

preferred method for connectivity.

. IP-HTTPS is a new protocol in Windows 7 and Windows Server 2008 R2. It tunnels

IPv6 traffic over an IPv4 HTTPS tunnel between a DirectAccess client and a

DirectAccess server. Although this might seem like the simplest option, it comes at

a large performance cost due to network overhead and should be used only as a

last resort.

The DirectAccess protocol is very robust and will transparently attempt multiple methods

of access to establish a connection.

ptg

Network Location Service

The Network Location Service (NLS) is a critical component for the DirectAccess architec-

ture. This is a website that clients attempt to connect to determine if they are currently

connected to the Internet or to the intranet. It is the URL of a highly available website in

the corporate intranet.

There are two behaviors that would be experienced for the DirectAccess client system.

They are as follows:

. If the DirectAccess client can reach the NLS URL, it assumes that it is connected to

the corporate network and no further action is necessary.

. If the DirectAccess client cannot reach the NLS URL, it assumes that it is not connect-

ed to the corporate network and then begins the DirectAccess connection process.

The NLS service is normally a highly available website, such as servers in a Network Load

Balanced (NLB) cluster or a Windows cluster.

NOTE

As you can see, if the NLS website is down, this can result in the disastrous situation

of all the DirectAccess clients suddenly thinking they are on the Internet, even though

they are really in the intranet. They would all then begin the DirectAccess connection

process. That’s why the NLS website must be highly available.

872

CHAPTER 24

Server-to-Client Remote Access and DirectAccess

DirectAccess Connection Process

The DirectAccess client is very robust and will try a variety of methods to connect to the

corporate network. The connection process is started when the DirectAccess client detects

that it is connected to a network—that is, a network transition such as the connection to

a LAN, wireless access point, or other connection becomes active.

The DirectAccess client goes through the following connection process when it detects

that it is connected to a network:

1. The DirectAccess client attempts to connect to the NLS website. If it can reach the

site, it determines that it is connected to the intranet and stops the DirectAccess

process. If it cannot reach the NLS website, it determines that it is connected to the

Internet and continues with the DirectAccess process.

2. The DirectAccess client establishes an IPSec tunnel to the DirectAccess server using

IPv6. If there is an intervening IPv4 network, the client uses the Teredo or 6to4

protocols to tunnel IPv6 over IPv4.

3. If the DirectAccess client is unable to connect using the Teredo or 6to4 protocols,

the client will attempt to connect using the IP-HTTPS protocol.

4. The DirectAccess client establishes an IPSec tunnel to the DirectAccess server using

ptg

IPv6. The DirectAccess client and the DirectAccess server mutually authenticate

using certificates in the process of setting up the IPSec computer tunnel.

5. The DirectAccess client contacts the domain controller and obtains the computer

group policy.

NOTE

The user does not have to be logged on to the computer for this process to complete

to this point in the process.

6. The DirectAccess user logs on or the logged-on credentials are used in conjunction

with the certificates to establish the IPSec user tunnel. The user group policy is

applied to the DirectAccess client.

7. The DirectAccess server begins forwarding traffic from the DirectAccess client to

authorized intranet resources.

This entire process is transparent to the user and requires no user interaction. In the event

of an interruption in network connectivity, the DirectAccess client will reestablish the

connection through this process when it detects network connectivity again.

Choosing Between Traditional VPN Technologies and DirectAccess

873

Choosing Between Traditional VPN Technologies

and DirectAccess

One of the choices to make when you’re deploying Windows Server 2008 R2-based remote

access is the choice between a traditional VPN technology and the new DirectAccess.

24

Within the VPNs technologies are a number of choices, primarily whether to use

L2TP/IPSec or PPTP.

Advantages of L2TP/IPSec

Although PPTP users significantly outnumber L2TP/IPSec users, because of a higher level

of security in L2TP/IPSec as well as several other benefits of L2TP/IPSec, organizations that

are seeking to improve secured remote connectivity are beginning to implement

L2TP/IPSec VPN as their remote and mobile access standard. The following are the advan-

tages of using L2TP/IPSec over PPTP:

. IPSec provides per-packet data authentication (proof that the data was sent by the

authorized user), data integrity (proof that the data was not modified in transit),

replay protection (prevention from resending a stream of captured packets), and data

confidentiality (prevention from interpreting captured packets without the encryp-

ptg

tion key). PPTP provides only per-packet data confidentiality.

. L2TP/IPSec connections provide stronger authentication by requiring both

computer-level authentication through certificates and user-level authentication

through a PPP authentication protocol.

. PPP packets exchanged during user-level authentication are never sent unencrypted

because the PPP connection process for L2TP/IPSec occurs after the IPSec security

associations are established. If intercepted, the PPP authentication exchange for

some types of PPP authentication protocols can be used to perform offline dictionary

Other books

Cop Job by Chris Knopf
Motorworld by Jeremy Clarkson
Persistence of Vision by John Varley
Apocalypsis 1.01 Demons by Giordano, Mario
Deathstalker Destiny by Simon R. Green
Magic Study by Maria V. Snyder
The Christmas Ball by Susan Macatee