Connect Remotely Using Windows® 7 Direct Access
Transcript of Connect Remotely Using Windows® 7 Direct Access
TechNet goes virtual©2009 Microsoft Corporation. All Rights Reserved.
CLI-307
Welcome
TechNet goes virtual
Connect Remotely Using Windows® 7 DirectAccess
Level 300
What Will We Cover?
• The Value and Benefits of DirectAccess
• Configuring DirectAccess
• Using Network Access Protection (NAP) and DirectAccess
Agenda
• DirectAccess Capabilities
• Configuring DirectAccess on Windows Server 2008 R2
• Configuring and Connecting Clients to DirectAccess Server
• Configuring NAP on Windows Server 2008 R2
• Connecting Windows 7 Clients to NAP Servers through DirectAccess
DirectAccess: Benefits
More manageable and cost effective
• Simplified remote management of mobile resources as if they were on the LAN
• Lower total cost of ownership (TCO) with an “always managed” infrastructure
• Unified secure access across all scenarios and networks
• Integrated administration of all connectivity mechanisms
More productivity
• Always-on access to corporate network while roaming
• No explicit user action required – it just works
• Same user experience on premises and off
More secure
• Healthy, trustable host regardless of network
• Fine grain per app/server policy control
• Richer policy control near assets
• Ability to extend regulatory compliance to roaming assets
• Incremental deployment path toward IPv6
DirectAccess: Advantages
• DirectAccess overcomes the limitations of VPNs by automatically establishing a bi-directional connection from client computers to the corporate network.
• DirectAccess is built on a foundation of proven, standards-based technologies: Internet Protocol security (IPSec) and Internet Protocol version 6 (IPv6).
[Diagram labels: DirectAccess client, Internet, DirectAccess server, Intranet, application servers, domain controller / DNS server]
Deploying DirectAccess
Client
– Receives configuration while directly connected to corporate network (provisioning) via Group Policy
– NAP used to check configuration and health when remotely connected (not required)
Server
– DirectAccess wizard to set up DirectAccess server(s)
– Policies controlled via Group Policy
DirectAccess on Windows Server 2008 R2
Authentication
Encryption
Access Control
Integration with NAP
Split-Tunnel Routing
DirectAccess Deployment Requirements
• Client/Server
– Windows 7 clients
– Windows Server 2008 R2
• Application Servers
– Windows Server 2008 (for native IPv6 support)
– Exception: When Windows Firewall Authentication policy is used, application servers must be Windows Server 2008 R2
• DC/DNS Servers
– Windows Server 2008 SP2 or Windows Server 2008 R2
• NAT-PT Server if IPv4 Access Is Desired
Deployment Scenario: End-to-Edge Authentication
[Diagram labels: Windows 7 client (trusted, compliant, healthy machine), Internet, DirectAccess server, Corporate Network, Application Servers, DC & DNS (Win 2008), Domain clients, Optional NAT-PT]
• IPSec ESP tunnel using machine cert (DC/DNS access)
• IPSec ESP tunnel using machine cert and user credentials (App server access)
Deployment Scenario: End-to-End Authentication
[Diagram labels: Windows 7 client (trusted, compliant, healthy machine), Internet, DirectAccess server, Corporate Network, Application Servers, DC & DNS (Win 2008), Domain clients, Optional NAT-PT]
• IPSec ESP tunnel using machine cert and user credentials (App server access)
Demonstration Environment
Demonstration: Introducing DirectAccess
• Configure DirectAccess Server
• Connect a Windows 7 Client Using DirectAccess
• Manage a Windows 7 Remote Client Using DirectAccess
DirectAccess in Windows 7
• Network connection
– The client detects the network connection
• Is client on intranet?
– If client is on intranet, DirectAccess connection stops
– If not on intranet, use DirectAccess
• The client attempts to use various methods to connect to DirectAccess server
Configuring Windows 7 for DirectAccess
• Verify name resolution and IPv6 access to the domain controller
• Set client as an ISATAP Host
• Verify certificate
• Add Client to DirectAccess Security Group
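The client-side items on this slide can be checked from an elevated PowerShell prompt on the Windows 7 client. The script below is an added, read-only example, not material from the session; the domain controller name and the security group name are placeholders to replace with your own values.

```powershell
# Added example: read-only checks for the client steps listed on the slide.
# Run elevated on the Windows 7 client. $Dc and $Group are placeholders.
$Dc    = 'dc1.corp.example.com'   # placeholder: FQDN of a domain controller
$Group = 'DA-Clients'             # placeholder: DirectAccess client security group

# 1. Name resolution and IPv6 access to the domain controller
$v6 = @()
try {
    $v6 = @([System.Net.Dns]::GetHostAddresses($Dc) |
            Where-Object { $_.AddressFamily -eq 'InterNetworkV6' })
} catch {
    Write-Warning "Name resolution failed for ${Dc}: $($_.Exception.Message)"
}
if ($v6.Count -eq 0) {
    Write-Warning "$Dc did not resolve to an IPv6 address"
} else {
    ping.exe -6 -n 2 $Dc
}

# 2. ISATAP: show whether the ISATAP interface is enabled and which router it uses
netsh interface isatap show state
netsh interface isatap show router

# 3. Computer certificate: unexpired certificates with a private key in the
#    local machine store (the IPsec tunnels authenticate with a machine cert)
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
           Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) })
if ($certs.Count -eq 0) {
    Write-Warning 'No unexpired computer certificate with a private key was found'
}
$certs | Format-List Subject, Issuer, NotAfter

# 4. Security group: the computer section of gpresult lists the groups the
#    computer account belongs to
$rsop = gpresult.exe /r /scope computer
if ($rsop -match [regex]::Escape($Group)) {
    "Computer account is a member of $Group"
} else {
    Write-Warning "Computer account is not listed in $Group (a new membership needs a restart to take effect)"
}
```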
Configuring NAP
Factors in configuring NAP
• Staging strategy
– Reporting mode
– Deferred enforcement
– Full enforcement
• Server placement
– A NAP server infrastructure includes NAP health policy servers and NAP enforcement points
• System health and compliance
– You must define which client configuration will be considered compliant and which will be considered noncompliant with health requirements
Demonstration: Configuring Network Policy and Access Services
• Create Connection Request Policy
• Configure the Windows Security Health Validators
• Create Health Policies
Windows 7, DirectAccess, and NAP
NAP on the Client
[Diagram labels: Windows client, NAP Policy Servers, DirectAccess server, Corporate Network]
Demonstration: Integrating NAP with DirectAccess
• Configure DirectAccess IPSec Rules
• Configure DirectAccess Client for NAP
• Enforce NAP Protection through DirectAccess
Session Summary
• Configuring DirectAccess on Windows Server 2008 R2
• Configuring Windows 7 to Use DirectAccess
• Adding a NAP Server to Your DirectAccess Topology
Where to Find More Information?
Visit TechNet at technet.microsoft.com
Also check out TechNet Edge: edge.technet.com
Or just visit http://go.microsoft.com/?linkid=9662639 for additional information on this session.
Supporting Publications
For more titles, visit http://go.microsoft.com/?linkid=9662639
Training Resources
Course ID    Title
6289A        First Look: Windows 7 Beta for IT Professionals
6290A        First Look: Windows 7 Beta for IT Professionals Hands-on Lab
For more training information:
http://go.microsoft.com/?linkid=9662636
http://www.microsoft.com/directaccess
Become a Microsoft Certified Professional
• What Are MCP Certifications?
– Validation in performing critical IT functions.
• Why Certify?
– Worldwide recognition of skills gained via experience.
– More effective deployments with reduced costs
• What Certifications Are There for IT Pros?
– MCTS, MCITP.
www.microsoft.com/certification
Microsoft TechNet Plus
TechNet Plus is an essential premium web-enabled and live support resource that provides IT Professionals with fast and easy access to Microsoft experts, software and technical information, enhancing IT productivity, control and planning.
Evaluate & Learn
• Evaluate full versions of all Microsoft commercial software for evaluation—without time limits. This includes all client, server and Office applications.
• Try out all the latest betas before public release
• Keep your skills current with quarterly training resources including select Microsoft E-Learning courses
Plan & Deploy
• Use the TechNet Library to plan for deployment using the Knowledge Base, resource kits, and technical training
• Use exclusive tools like System Center Capacity Planner to accurately plan for and deploy Exchange Server and System Center Operations Manager
Support & Maintain
• 2 complimentary Professional Support incidents for use 24/7 (20% discount on additional incidents)
• Access over 100 managed newsgroups and get next business day response--guaranteed
• Use the TechNet Library to maintain your IT environment with security updates, service packs and utilities
Get all these resources and more with a TechNet Plus subscription. For more information visit: technet.microsoft.com/subscriptions