How to Troubleshoot DirectAccess
John Craddock ([email protected])
Infrastructure and Security Architect, XTSeminars Ltd
WSV403
DirectAccess: a VPN on Steroids
Always On: automatically connects through NAT and firewalls
Pre-logon: patch management, health checks and GPOs are applied before the user logs on
Network-level computer/user authentication and encryption
DirectAccess extends the corporate network to the remote computer and user; a VPN connects the user to the network
End-to-End IPv6
Client app (IPv6) on the Internet <-> Server app (IPv6) on the corporate intranet
Client and server applications must be IPv6 compatible, and not all applications are
Simple?
The pieces that all have to work between the Internet and the corporate intranet:
- Tunnelling technologies on the Internet and on the intranet to carry IPv6 over IPv4
- Selection of the Internet tunnel based on client location: public Internet, behind NAT, behind a firewall
- Encryption/authentication of Internet traffic (end-to-edge and end-to-end); a PKI is required
- Client location detection: Internet or corporate intranet
Maybe Not
Troubleshooting Environment (lab diagram)
Home: WIN7 clients behind NAT1, on the Internet
DA1: the UAG DirectAccess server, with an Internet-facing and an intranet interface
Corporate intranet: DC1 (DC, DNS, CA; IIS for CRL distribution), APP1, EX1 (DNS), WIN7
IPv4 Only Resources
Applications that are not IPv6 capable must be reached via an IPv6/IPv4 translation device such as NAT64 and DNS64
Examples of IPv4-only resources: Windows 2000; built-in applications and services running on Windows XP and Server 2003
Check with the vendor for IPv6 capabilities; upgrade where possible
Connectivity Summary
Internet side (client to the Forefront Unified Access Gateway (UAG) server):
- Native IPv6: no tunnel needed
- 6to4 tunnel: IPv6 in IPv4 protocol 41, client with a public IPv4 address
- Teredo tunnel: IPv6 in UDP port 3544, client behind a NAT
- IP-HTTPS tunnel: IPv6 in HTTPS, used when UDP port 3544 (Teredo) and protocol 41 are blocked
Intranet side (UAG to the corporate network):
- Native IPv6
- ISATAP: IPv6 in IPv4 protocol 41 across the IPv4 intranet
- NAT64/DNS64 on UAG for IPv4-only resources
Securing the Tunnels
Two IPsec tunnels run from the client to the intranet edge, each with two authentications:
- Infrastructure tunnel: 1st auth computer certificate (or health certificate); 2nd auth computer account credentials
- Intranet tunnel: 1st auth computer certificate; 2nd auth user credentials / smartcard
Both are secured with IPsec: integrity, encryption and authentication
IPsec Primer
Main mode association (AuthIP <-> AuthIP):
- Create a shared secret between the hosts using Diffie-Hellman
- Authenticate over the secure channel: Kerberos or certificates; computer and/or user authentication
- Main mode security association key life is configurable; default 1 hour
Quick mode association (IPsec SA <-> IPsec SA):
- Establish the IPsec session keys and create the security association for the session
- Key life is configurable; default 1 hour / 100 MB; the SA drops after 3 minutes of inactivity
Exchange data with integrity, or integrity + encryption
DirectAccess Wizard / UAG Wizard: what gets generated
On the UAG server: configuration for the transition technologies (6to4, Teredo, IP-HTTPS, ISATAP, DNS64, NAT64) and the IPsec rules
Via Group Policy (GPM), GPO creation: client GPO with IPsec rules, transition technology configuration (6to4, Teredo, IP-HTTPS) and NRPT rules; GPO(s) for end-point servers if required
Identification of certificates: the IP-HTTPS server certificate, and the root or intermediate CA certificate used to validate client certificates
Troubleshooting
No SA = no IPsec. ICMPv6 is exempt from IPsec, so a successful ping proves routing and name resolution, not that the tunnels are up
Check connectivity using IPv6 ping
Use netsh to check: transition tunnels, IPv6 configuration, IPsec status, everything
NETSH, IT'S YOUR NEW BEST FRIEND
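The following is an added example, not part of the session or of any Microsoft tool: it runs the netsh checks the slide lists (transition tunnels, IPv6 configuration, IPsec main/quick mode SAs) from an elevated PowerShell on the Windows 7 client, and then contrasts an IPsec-exempt ICMPv6 ping with an SMB access that must negotiate the intranet tunnel. The host da-app1.corp.example.com comes from the DCA slide later in the deck; the share name \data is an assumption.

```powershell
# Added example: snapshot of a DirectAccess client's state with the netsh contexts from the talk.
# Run elevated on the Windows 7 client. da-app1.corp.example.com is the lab host from the deck;
# the \data share is an assumption.
function Get-DaClientStatus {
    param([string]$IntranetHost = 'da-app1.corp.example.com')   # assumed lab host

    $report = @{}

    # 1. Transition tunnels. Normally only one of the Internet-side tunnels (Teredo, 6to4,
    #    IP-HTTPS) carries DirectAccess traffic; ISATAP is the intranet side.
    $report.Teredo    = netsh interface teredo show state
    $report.SixToFour = netsh interface 6to4 show state
    $report.IpHttps   = netsh interface httpstunnel show interfaces
    $report.Isatap    = netsh interface isatap show state

    # 2. IPv6 configuration: is there a global address on the tunnel interface and a default route?
    $report.Addresses = netsh interface ipv6 show address
    $report.Routes    = netsh interface ipv6 show route

    # 3. IPsec status. No main mode SA = no IPsec = no infrastructure/intranet tunnel.
    $report.MainModeSA  = netsh advfirewall monitor show mmsa
    $report.QuickModeSA = netsh advfirewall monitor show qmsa

    # 4. IPv6 ping. ICMPv6 is exempt from IPsec, so a reply proves name resolution and IPv6
    #    routing only; it says nothing about whether the IPsec tunnels are up.
    $report.PingOutput = ping -6 -n 2 $IntranetHost
    $report.PingOk     = ($LASTEXITCODE -eq 0)

    # 5. Something that is NOT exempt: an SMB connection over IPv6 forces the intranet tunnel
    #    to be negotiated, so the qmsa listing should grow after this call.
    $report.ShareReachable = Test-Path "\\$IntranetHost\data"     # assumed share name

    return $report
}

$status = Get-DaClientStatus
'Teredo','SixToFour','IpHttps','Isatap','Addresses','Routes','MainModeSA','QuickModeSA' | ForEach-Object {
    "===== $_ ====="
    $status[$_]
}
"IPv6 ping to intranet host succeeded (IPsec-exempt): $($status.PingOk)"
"Share reachable (requires the IPsec intranet tunnel): $($status.ShareReachable)"
```

Read the output in the order it is printed: if none of the Internet tunnels is up, nothing else can work; if a tunnel is up but there is no main mode SA, look at certificates and the IPsec rules in the client GPO; if the ping succeeds but the share does not, the problem is in IPsec, not in IPv6 connectivity.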
Demo: Windows 7 client cannot connect to intranet resources
(lab diagram: WIN7 client on the Internet, DA1/UAG, corporate intranet with DC1, APP1 and EX1)
A Helping Hand: DirectAccess Connectivity Assistant (DCA)
Download from Microsoft
Install the MSI on the DirectAccess client
Copy the .admx file to %systemroot%\PolicyDefinitions
Copy the .adml file to %systemroot%\PolicyDefinitions\<language>
Group Policy for DCA
To get DCA functioning: add the settings for the dynamic tunnel endpoints and identify the corporate resources to test, for example:
PING:da-app1.corp.example.com
HTTP:http://da-app1.corp.example.com
FILE:\\da-app1.corp.example.com\data\test.txt
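As an added example (not part of the session and not DCA's own code), the script below runs the three kinds of probe that the DCA corporate-resource list describes, using the entries from the slide, so the list can be checked from a client before it is pushed out through Group Policy. The host da-app1.corp.example.com is the one on the slide; whether it actually serves a web page and the \data\test.txt file is a lab assumption.

```powershell
# Added example: exercise a DCA-style corporate resource list by hand.
# Entries are TYPE:target, as configured in the DCA Group Policy setting.
$CorporateResources = @(
    'PING:da-app1.corp.example.com',
    'HTTP:http://da-app1.corp.example.com',
    'FILE:\\da-app1.corp.example.com\data\test.txt'
)

function Test-DaCorporateResource {
    param([string[]]$Resources)

    foreach ($entry in $Resources) {
        # The target may itself contain ':' (http://...), so split on the first colon only.
        $idx    = $entry.IndexOf(':')
        $type   = $entry.Substring(0, $idx).ToUpperInvariant()
        $target = $entry.Substring($idx + 1)
        $ok     = $false
        $detail = ''
        try {
            switch ($type) {
                'PING' {
                    # IPv6 ping, as DCA does. ICMPv6 is IPsec-exempt, so success only proves
                    # name resolution (via the NRPT) and IPv6 routing, not the IPsec tunnels.
                    $out = ping -6 -n 2 $target
                    $ok  = ($LASTEXITCODE -eq 0)
                    $detail = [string]($out | Select-String 'Reply from|could not find|timed out' | Select-Object -First 1)
                }
                'HTTP' {
                    # A TCP connection is not exempt: an HTTP GET must cross the intranet tunnel.
                    $wc = New-Object System.Net.WebClient
                    $wc.UseDefaultCredentials = $true
                    $body   = $wc.DownloadString($target)
                    $ok     = $true
                    $detail = "$($body.Length) bytes"
                }
                'FILE' {
                    # SMB over IPv6 through the intranet tunnel; needs the user (2nd) authentication.
                    $ok     = Test-Path -LiteralPath $target
                    $detail = if ($ok) { 'exists' } else { 'not found or not reachable' }
                }
                default { $detail = "unknown probe type '$type'" }
            }
        } catch {
            $detail = $_.Exception.GetBaseException().Message
        }
        New-Object PSObject -Property @{ Type = $type; Target = $target; Success = $ok; Detail = $detail }
    }
}

Test-DaCorporateResource -Resources $CorporateResources | Format-Table Type, Success, Target, Detail -AutoSize
```

A PING that succeeds while HTTP and FILE fail points at IPsec (certificates, the IPsec rules in the client GPO, or the second authentication), because only the ICMPv6 probe is exempt from the tunnels.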
Demo: Configuring DCA
(lab diagram: WIN7 client on the Internet, DA1/UAG, corporate intranet with DC1, APP1 and EX1)
IP-HTTPS: tunnel IPv6 in HTTPS
An IPv6 host on the IPv4 Internet, possibly behind a NAT device, connects over HTTPS to the UAG server, which terminates the tunnel onto the intranet IPv6 network
Certificate requirements
- The UAG server presents an HTTPS certificate; the URL of the CRL distribution point is published in the certificate
- A web server with the CRL must be reachable at that URL (in the lab, IIS on DC1 for CRL distribution)
Demo: Troubleshooting IPHTTPS
(lab diagram: WIN7 client on the Internet, DA1/UAG, corporate intranet with DC1, APP1 and EX1)
Wizard Step 2: certificates
- Root certificate used to validate client certificates
- HTTPS certificate for the IP-HTTPS listener
The root certificate of the HTTPS certificate's chain must be installed on the client (Trusted Root Certification Authorities)
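The script below is an added example, not from the session: from a client on the Internet it connects to the IP-HTTPS listener, takes the HTTPS certificate the UAG server presents, builds the chain with online revocation checking the way the IP-HTTPS client must, reports whether the chain's root is in the client's trusted root store, and prints the CRL distribution point published in the certificate. The public name da1.example.com for the UAG server is an assumption.

```powershell
# Added example: check the IP-HTTPS server certificate from the client's point of view.
function Test-DaIpHttpsCertificate {
    param(
        [string]$ServerName = 'da1.example.com',   # assumed public FQDN of the UAG/DA1 IP-HTTPS listener
        [int]$Port = 443
    )
    # Accept any certificate at the TLS layer; chain and revocation are checked explicitly below
    # so that the reason for a failure is reported instead of hidden in a generic TLS error.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

    $tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($ServerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    # Build the chain as the IP-HTTPS client does: online revocation checking for the whole chain.
    # A CRL that is only reachable on the intranet makes this fail from the Internet.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk  = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })

    # The last chain element is the root the chain ended at; it must be in the client's
    # Trusted Root Certification Authorities store (wizard step 2).
    $root        = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootTrusted = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }).Count -gt 0

    # CRL Distribution Points extension (OID 2.5.29.31): the URL published here is what the
    # client fetches, so it must resolve and be reachable from the Internet.
    $cdp     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpText = if ($cdp) { $cdp.Format($true).Trim() } else { '(no CRL Distribution Point extension)' }

    New-Object PSObject -Property @{
        Server        = "${ServerName}:$Port"
        Subject       = $cert.Subject
        DnsName       = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        NotAfter      = $cert.NotAfter
        ChainBuilds   = $chainOk
        RootSubject   = $root.Subject
        RootTrusted   = $rootTrusted
        ChainProblems = $problems
        CrlDistPoints = $cdpText
    }
}

Test-DaIpHttpsCertificate -ServerName 'da1.example.com' | Format-List
```

Run it from outside the corporate network: a RevocationStatusUnknown or OfflineRevocation entry in ChainProblems with an otherwise valid chain means the CRL distribution point is not reachable from the Internet, which is the classic IP-HTTPS failure; RootTrusted false means the root has not reached the client.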
Demo: Troubleshooting IPHTTPS (continued)
(lab diagram: WIN7 client on the Internet, DA1/UAG, corporate intranet with DC1, APP1 and EX1)
Client Location
To resolve names on the Internet, the DirectAccess client queries DNS 1 (the DNS address configured in its IP settings)
To resolve names on the corporate intranet (the corp.example.com zone), it queries DNS 2 (the intranet DNS server)
How Does It Do That?
Name Resolution Policy Table (NRPT) to the rescue
The NRPT defines which DNS servers to query based on the namespace being resolved
The NRPT can point DNS queries for corp.example.com to the intranet DNS server; all other DNS queries are sent to the DNS server address configured in the client IP settings
NRPT
There is a special (exemption) entry in the table that directs DNS queries for one internal HTTPS website, the network location server (NLS), to the DNS servers configured in the client IP settings. For example, queries for nls.corp.example.com always go to the IP-configured DNS address, and that name is not resolvable on the Internet
NRPT summary:
- corp.example.com: query DNS 2 (intranet DNS)
- nls.corp.example.com: exempt, query the DNS server configured in the client IP settings
- All other namespaces (no NRPT entry): query the DNS server configured in the client IP settings
Viewing the NRPT
NRPT Inside/Outside
The NRPT is enabled by default
If the client can access the internal HTTPS website (https://nls.corp.example.com), it is considered to be on the intranet and the NRPT is disabled
If it has no access to the secure website, it is considered to be on the Internet and the NRPT remains enabled
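The following is an added example (not from the session) covering the "Viewing the NRPT" and inside/outside detection slides together: it dumps the NRPT delivered by Group Policy and the effective policy, shows where the DNS client believes it is, probes the network location server the way the client does (an HTTPS GET that must succeed with a trusted certificate), and resolves an intranet name through the Windows resolver. The names nls.corp.example.com and da-app1.corp.example.com are the lab names from the slides.

```powershell
# Added example: NRPT and network location checks on a DirectAccess client.
function Test-DaNameResolution {
    param(
        [string]$NlsUrl       = 'https://nls.corp.example.com',   # NLS name from the slides
        [string]$IntranetHost = 'da-app1.corp.example.com'        # lab host from the DCA slide
    )
    $r = @{}

    # 1. NRPT as delivered by Group Policy, the effective policy after inside/outside detection,
    #    and the DNS client's own view of its location. On the intranet the effective policy
    #    reports the DirectAccess rules switched off; on the Internet it lists them.
    $r.NrptPolicy     = netsh namespace show policy
    $r.NrptEffective  = netsh namespace show effectivepolicy
    $r.DnsClientState = netsh dnsclient show state

    # 2. NLS probe. On the Internet this must FAIL (the name is exempt from the NRPT and not
    #    resolvable on public DNS). On the intranet it must succeed with a certificate the client
    #    trusts; an expired or untrusted NLS certificate makes every intranet client believe it is
    #    on the Internet, so the NRPT stays enabled and intranet name resolution breaks.
    try {
        $wc = New-Object System.Net.WebClient
        [void]$wc.DownloadString($NlsUrl)
        $r.NlsReachable = $true
        $r.NlsError     = ''
    } catch {
        $r.NlsReachable = $false
        $r.NlsError     = $_.Exception.GetBaseException().Message
    }

    # 3. Resolve through the Windows DNS client, which honours the NRPT. nslookup sends its
    #    queries straight to the configured DNS server and bypasses the NRPT, so on the Internet
    #    it shows a failure even when the client is resolving intranet names correctly.
    try {
        $r.ResolvedAddresses = @([System.Net.Dns]::GetHostAddresses($IntranetHost) | ForEach-Object { $_.IPAddressToString })
        $r.ResolverError     = ''
    } catch {
        $r.ResolvedAddresses = @()
        $r.ResolverError     = $_.Exception.GetBaseException().Message
    }

    # 4. A DirectAccess client on the Internet must get an IPv6 answer for an intranet name
    #    (native, ISATAP, or an AAAA synthesised by DNS64 for an IPv4-only server).
    $r.GotIpv6Answer = @($r.ResolvedAddresses | Where-Object { $_ -like '*:*' }).Count -gt 0

    return $r
}

$res = Test-DaNameResolution
'NrptPolicy','NrptEffective','DnsClientState' | ForEach-Object { "===== $_ ====="; $res[$_] }
"NLS reachable (expect True on the intranet, False on the Internet): $($res.NlsReachable) $($res.NlsError)"
"Resolver answers for intranet host: $($res.ResolvedAddresses -join ', ') $($res.ResolverError)"
"Got an IPv6 answer: $($res.GotIpv6Answer)"
```

The combination to look for when "DNS is broken on the Internet" is an effective policy that lists the corp.example.com rule but a resolver that returns nothing: that is an NRPT pointing at an intranet DNS address the client cannot reach over the tunnel, not a DNS server problem.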
Demo: Troubleshooting DNS
(lab diagram: WIN7 clients at Home and Branch behind NAT1 with DirectAccess running, UAG, corporate intranet with DC1 (DC, DNS, CA; IIS for CRL distribution), APP1, EX1 (DNS), WIN7)
Where Next?
Create a test lab
(suggested lab: WIN7 clients at Home and Branch behind NAT1, Internet, DA1 DirectAccess server, router RT1, corporate intranet with DC1 (DC, DNS, CA; IIS for CRL distribution), APP1, EX1 (DNS), WIN7 clients)
More on IPv6 and DirectAccess
XTSeminars one-day event: MICROSOFT WINDOWS SERVER 2008 R2 AND WINDOWS 7 DIRECTACCESS
All you need to know about IPv6, IPsec, DirectAccess and more...
[email protected] for more information
Get your local Microsoft subsidiary to run the event!
Consulting Services on Request
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems, with a focus on security and high availability. He has been a key player in many IT projects for industry leaders, including Microsoft, the UK Government and multi-nationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk
Related Content
SIM316 | Troubleshoot Microsoft Forefront Unified Access Gateway (UAG) DirectAccess in 45 Minutes Flat! (Speaker: Tom Shinder; Wednesday, May 18 | 1:30 PM - 2:45 PM | Room: B313)
WSV404 | DirectAccess Implementation and Integration Deep Dive
WSV272-INT | End-to-End Remote Connectivity with DirectAccess
WSV288-HOL | Windows Server 2008 R2: Implementing DirectAccess