DOCSLIB.ORG

Directaccess for Windows Server 2008 R2 Design, Deployment, And

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Directaccess for Windows Server 2008 R2 Design, Deployment, And DirectAccess for Windows Server 2008 R2 Design, Deployment, and Troubleshooting Guides Microsoft Corporation Published: December 2009 Updated: September 2010 Author: Joe Davies Editor: Scott Somahano Abstract This document contains the Design Guide, Deployment Guide, and Troubleshooting Guide for DirectAccess in Windows Server 2008 R2. These guides help you to design and deploy DirectAccess servers, DirectAccess clients, and infrastructure servers on your intranet and troubleshoot common DirectAccess problems. Use the Design Guide to answer the “What,” “Why,” and “When” questions a deployment design team might ask before deploying DirectAccess in a production environment. Use the Deployment Guide to answer the “How” questions a deployment team might ask when implementing a DirectAccess design. Use the Troubleshooting Guide for task-oriented information to help you identify and resolve problems quickly and perform root-cause analysis of incidents and problems with the elements of a DirectAccess infrastructure. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. The DirectAccess Design, Deployment, and Troubleshooting Guides are for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Server, Windows Vista, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This white paper reflects content that was published on Microsoft TechNet as of September 1, 2010. The corresponding content published on TechNet after this date might contain changes. For the latest information, see the following documents: • DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkID=161985) • DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=166398) • DirectAccess Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=165904) Contents DirectAccess for Windows Server 2008 R2 .............................................................................. 1 Design, Deployment, and Troubleshooting Guides .................................................................. 1 Abstract ................................................................................................................................. 1 Contents .......................................................................................................................................... 3 DirectAccess Design Guide .......................................................................................................... 13 About this guide ......................................................................................................................... 13 Understanding the DirectAccess Design Process ......................................................................... 14 Identifying Your DirectAccess Deployment Goals ......................................................................... 15 Transparent and Automatic Remote Access for DirectAccess Clients .......................................... 16 Ongoing Management of Remote DirectAccess Clients ............................................................... 16 Efficient Routing of Intranet and Internet Traffic ............................................................................ 17 Reduction of Remote Access-based Servers in your Edge Network ............................................. 17 End-to-end Traffic Protection ........................................................................................................ 18 Multi-factor Credentials for Intranet Access ................................................................................... 18 Mapping Your Deployment Goals to a DirectAccess Design ......................................................... 19 Evaluating DirectAccess Design Examples ................................................................................... 20 Full Intranet Access Example ........................................................................................................ 20 Full Intranet Access with Smart Cards Example ........................................................................... 21 Selected Server Access Example ................................................................................................. 22 Using authentication with null encapsulation for selected server access ................................... 23 End-to-end Access Example ......................................................................................................... 24 Planning a DirectAccess Deployment Strategy ............................................................................. 25 Resources Available to DirectAccess Clients ................................................................................ 26 IPv6 resources on your intranet ................................................................................................. 26 IPv4-only resources on the intranet ........................................................................................... 27 Using an IPv4-only intranet ........................................................................................................ 28 Limiting connectivity to selected resources ................................................................................ 28 IPv6 resources on the IPv6 Internet ........................................................................................... 29 Choose an Intranet IPv6 Connectivity Design ............................................................................... 30 No existing IPv6 infrastructure ................................................................................................... 30 Existing ISATAP infrastructure ................................................................................................... 31 Existing native IPv6 infrastructure .............................................................................................. 31 Choose Solutions for IPv4-only Intranet Resources ...................................................................... 32 Choose an Access Model .............................................................................................................. 34 Full Intranet Access ....................................................................................................................... 34 Selected Server Access ................................................................................................................ 35 End-to-End Access ....................................................................................................................... 36 Choose a Configuration Method ................................................................................................... 37 DirectAccess Management Console .......................................................................................... 37 Custom configuration using the Network Shell (Netsh) command-line tool and Group Policy ... 37 Design for Remote Management .................................................................................................. 38 Design for Intranet Server Availability Prior to User Logon ........................................................... 39 Design Packet Filtering for DirectAccess ...................................................................................... 41 Packet Filters for Your Internet Firewall ......................................................................................... 41 Packet Filters for Your Intranet Firewall ......................................................................................... 43 Confining ICMPv6 Traffic to the Intranet ....................................................................................... 43 Packet filters for Teredo Connectivity ...........................................................................................
Load more

Recommended publications
  • CIS Microsoft Windows Server 2012 Benchmarkv1.0.0
    CIS Microsoft Windows Server 2012 Benchmarkv1.0.0 01-31-2013 The CIS Security Benchmarks division provides consensus-oriented information security products, services, tools, metrics, suggestions, and recommendations (the “SB Products”) as a public service to Internet users worldwide. Downloading or using SB Products in any way signifies and confirms your acceptance of and your binding agreement to these CIS Security Benchmarks Terms of Use. CIS SECURITY BENCHMARKS TERMS OF USE BOTH CIS SECURITY BENCHMARKS DIVISION MEMBERS AND NON-MEMBERS MAY: Download, install, and use each of the SB Products on a single computer, and/or Print one or more copies of any SB Product that is in a .txt, .pdf, .doc, .mcw, or .rtf format, but only if each such copy is printed in its entirety and is kept intact, including without limitation the text of these CIS Security Benchmarks Terms of Use. UNDER THE FOLLOWING TERMS AND CONDITIONS: SB Products Provided As Is. CIS is providing the SB Products “as is” and “as available” without: (1) any representations, warranties, or covenants of any kind whatsoever (including the absence of any warranty regarding: (a) the effect or lack of effect of any SB Product on the operation or the security of any network, system, software, hardware, or any component of any of them, and (b) the accuracy, utility, reliability, timeliness, or completeness of any SB Product); or (2) the responsibility to make or notify you of any corrections, updates, upgrades, or fixes. Intellectual Property and Rights Reserved. You are not acquiring any title or ownership rights in or to any SB Product, and full title and all ownership rights to the SB Products remain the exclusive property of CIS.
    [Show full text]
  • [MS-WPO]: Windows Protocols Overview
    [MS-WPO]: Windows Protocols Overview This document provides an overview of the Windows Protocols Overview Protocol Family. It is intended for use in conjunction with the Microsoft Protocol Technical Documents, publicly available standard specifications, network programming art, and Microsoft Windows distributed systems concepts. It assumes that the reader is either familiar with the aforementioned material or has immediate access to it. A Protocol System Document does not require the use of Microsoft programming tools or programming environments in order to implement the Protocols in the System. Developers who have access to Microsoft programming tools and environments are free to take advantage of them. Intellectual Property Rights Notice for Open Specifications Documentation . Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages, standards as well as overviews of the interaction among each of these technologies. Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you may make copies of it in order to develop implementations of the technologies described in the Open Specifications and may distribute portions of it in your implementations using these technologies or your documentation as necessary to properly document the implementation. You may also distribute in your implementation, with or without modification, any schema, IDL's, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications. No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. Patents. Microsoft has patents that may cover your implementations of the technologies described in the Open Specifications.
    [Show full text]
  • [MS-OXGLOS]: Exchange Server Protocols Master Glossary
    [MS-OXGLOS]: Exchange Server Protocols Master Glossary Intellectual Property Rights Notice for Open Specifications Documentation . Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages, standards as well as overviews of the interaction among each of these technologies. Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you may make copies of it in order to develop implementations of the technologies described in the Open Specifications and may distribute portions of it in your implementations using these technologies or your documentation as necessary to properly document the implementation. You may also distribute in your implementation, with or without modification, any schema, IDL’s, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications. No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. Patents. Microsoft has patents that may cover your implementations of the technologies described in the Open Specifications. Neither this notice nor Microsoft's delivery of the documentation grants any licenses under those or any other Microsoft patents. However, a given Open Specification may be covered by Microsoft Open Specification Promise or the Community Promise. If you would prefer a written license, or if the technologies described in the Open Specifications are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting [email protected]. Trademarks. The names of companies and products contained in this documentation may be covered by trademarks or similar intellectual property rights.
    [Show full text]
  • 8.1. Network Location Profile
    8.1. Network Location Profile A network location profile is a classification assigned to a network connection that identifies the connection type. Security settings, firewall settings, and enabled services can then be automatically configured on the connection based on the profile (or location) type. Both Windows Vista/7/10 and Windows Server 2008/2012/2016 support network profiles. The following table lists the network profile types. Location Description The Domain network location is used automatically when the Domain computer is connected to an Active Directory domain. Security settings are controlled through Group Policy. A Public network is an untrusted network (such as when you are in an airport or library). Default settings keep your computer from being visible (Network Discovery is turned off) or sharing files. When connecting to a public network, consider the following: To avoid viruses, malicious hackers, and unwanted software, you should have up‐to‐date firewall and antivirus software installed Public and running on your computer. When you connect to an unsecured wireless network, all that you do on the Internet can be monitored by someone with the correct equipment, including: o Web sites you visit. o Online documents you work on. o Usernames and passwords you use. A Private network is a trusted local area network, such as a home or office network. Network Discovery is enabled by default. Even in a Private private network situation you should have up‐to‐date firewall and antivirus software enabled on your computer. Windows automatically assigns the profile type for a connection, and you can manually specify the profile or control it through the local security policy or Group Policy.
    [Show full text]
  • Security and Safety Features New to Windows Vista - Wikipedia, the Free Encyclopedia
    Security and safety features new to Windows Vista - Wikipedia, the free encyclopedia Security and safety features new to Windows Vista From Wikipedia, the free encyclopedia There are a number of security and safety features new to Windows Vista, most of which are not available in This article is part any prior Microsoft Windows operating system release. of a series on Beginning in early 2002 with Microsoft's announcement of their Trustworthy Computing initiative, a great deal of Windows Vista work has gone into making Windows Vista a more secure operating system than its predecessors. Internally, Microsoft adopted a "Security Development Lifecycle"[1] with the underlying ethos of, "Secure by design, secure New features by default, secure in deployment". New code for Windows Vista was developed with the SDL methodology, and Overview all existing code was reviewed and refactored to improve security. Technical and core system Security and safety Some specific areas where Windows Vista introduces new security and safety mechanisms include User Account Networking technologies Control, parental controls, Network Access Protection, a built-in anti-malware tool, and new digital content I/O technologies protection mechanisms. Management and administration Removed features Other articles Editions Contents Development history Criticism 1 User Account Control Mojave Experiment 2 Bitlocker Drive Encryption 3 Windows Firewall 4 Windows Defender 5 Windows Parental controls 6 Encrypting File System 7 Preventing exploits 8 Data Execution Prevention 9 Digital Rights Management 10 Application isolation 11 Windows Service Hardening 12 Authentication and logon 13 Cryptography 14 Network Access Protection 15 Other TCP/IP stack security features 16 x86-64 -specific features 17 Other features and changes 18 See also 19 References 20 External links User Account Control User Account Control is a new infrastructure that requires user consent before allowing any action that requires administrative privileges.
    [Show full text]
  • Intel Ethernet Server Adapters and Microsoft Windows Server 2008
    Technical.white paper. IP.Security.features. Intel®.Ethernet.Server.Adapters.and. Microsoft®.windows.Server®.2008 TablE.Of contents Network security is an increasingly crucial issue for network administrators. Attacks from outside – and from within the data-center network – must be thwarted Introduction................................ 2 to protect service levels, prevent loss of intellectual property, avoid theft of sensi- The.Basics.of.IPsec..................... 3 tive client data, meet regulatory compliance, and mitigate corporate liability. Internet Protocol Security (IPsec) provides network administrators with a suite Server.and.Domain.. Isolation.(S&DI).......................... 4 of tools to create a robust defense against network attacks from any source. Network.Access.. This white paper provides an introductory overview of IPsec as implemented in Protection.(NAP)........................ 6 Microsoft® Windows Server® 2008. Additionally, the role of new-generation Intel® DirectAccess (DA) ................................9 Ethernet Server Adapters and Ethernet controllers is discussed in terms of how they offload IPsec processing onto silicon to enhance security while maintaining The Challenges with VPNs ...................9 line-rate network throughput. Intel®.Ethernet.Server.Adapters.. with.IPsec.Offload...................... 10 Conclusion................................. 12 For More Information ...........................12 Technical White paper IP Security Features – Intel® EThErNET SErver AdapterS and MicroSoft® Windows SErver® 2008 Introduction IPsec provides the ability to Attacks on networks – both from outside and from within the network – continue to be a challenge for network admin- implement customizable security for istrators and a potentially costly liability for enterprises. protecting communication among Malicious attacks, such as viruses and Denial of Service and between workgroups, local area (DoS), cause loss of time and business and require use of valuable resources to resolve.
    [Show full text]
  • CIS Microsoft Windows Server 2008 Benchmarkv2.1.0 - 12-03-2013
    CIS Microsoft Windows Server 2008 Benchmarkv2.1.0 - 12-03-2013 http://benchmarks.cisecurity.org The CIS Security Benchmarks division provides consensus-oriented information security products, services, tools, metrics, suggestions, and recommendations (the “SB Products”) as a public service to Internet users worldwide. Downloading or using SB Products in any way signifies and confirms your acceptance of and your binding agreement to these CIS Security Benchmarks Terms of Use. CIS SECURITY BENCHMARKS TERMS OF USE BOTH CIS SECURITY BENCHMARKS DIVISION MEMBERS AND NON-MEMBERS MAY: Download, install, and use each of the SB Products on a single computer, and/or Print one or more copies of any SB Product that is in a .txt, .pdf, .doc, .mcw, or .rtf format, but only if each such copy is printed in its entirety and is kept intact, including without limitation the text of these CIS Security Benchmarks Terms of Use. UNDER THE FOLLOWING TERMS AND CONDITIONS: SB Products Provided As Is. CIS is providing the SB Products “as is” and “as available” without: (1) any representations, warranties, or covenants of any kind whatsoever (including the absence of any warranty regarding: (a) the effect or lack of effect of any SB Product on the operation or the security of any network, system, software, hardware, or any component of any of them, and (b) the accuracy, utility, reliability, timeliness, or completeness of any SB Product); or (2) the responsibility to make or notify you of any corrections, updates, upgrades, or fixes. Intellectual Property and Rights Reserved. You are not acquiring any title or ownership rights in or to any SB Product, and full title and all ownership rights to the SB Products remain the exclusive property of CIS.
    [Show full text]