Wednesday, June 22, 2011

CHAPTER 6 (IV)


In addition, DirectAccess includes the following security features:
• DirectAccess is built on a foundation of standards-based technologies: IPSec and IPv6.
• DirectAccess uses IPSec to authenticate both the computer and user. If you want, you can require a smart card for user authentication.
• DirectAccess also uses IPSec to provide encryption for communications across the Internet.
Understanding DirectAccess and IPv6 Transition Technologies
DirectAccess clients must have globally routable IPv6 addresses. For organizations that are already using a native IPv6 infrastructure, DirectAccess can easily extend this existing infrastructure to DirectAccess client computers. These client computers can also still access Internet resources by using IPv4.
For organizations that have not yet begun deploying IPv6, a number of IPv6 transition technologies are available to begin IPv6 deployment without requiring an infrastructure upgrade. These technologies are described in the next sections.
ISATAP
Intra-site Automatic Tunnel Addressing Protocol (ISATAP) is a tunneling protocol that allows an IPv6 network to communicate with an IPv4 network through an ISATAP router, as shown in Figure 6-14.

FIGURE 6-14 ISATAP routers allow IPv4-only and IPv6-only hosts to communicate with each other.
ISATAP allows IPv4 and IPv6 hosts to communicate by performing a type of address translation between IPv4 and IPv6. In this process, all ISATAP clients receive an address for an ISATAP interface. This address is composed of an IPv4 address encapsulated inside an IPv6 address. ISATAP is intended for use within a private network.
6to4
6to4 is a protocol that tunnels IPv6 traffic over IPv4 traffic through 6to4 routers. 6to4 clients have their router’s IPv4 address embedded in their IPv6 address and do not require an IPv4 address. Whereas ISATAP is intended primarily for intranets, 6to4 is intended to be used on the Internet. You can use 6to4 to connect to IPv6 portions of the Internet through a 6to4 relay even if your intranet or your ISP supports only IPv4. A sample 6to4 network is shown in Figure 6-15.

FIGURE 6-15 6to4 allows IPv6-only hosts to communicate over the Internet.
Teredo
Teredo is a tunneling protocol that allows clients located behind an IPv4 NAT device to use IPv6 over the Internet. Teredo is used only when no other IPv6 transition technology (such as 6to4) is available. Teredo relies on an infrastructure, illustrated in Figure 6-16, that includes Teredo clients, Teredo servers, Teredo relays, and Teredo host-specific relays.

FIGURE 6-16 Teredo allows hosts located behind a router performing IPv4 NAT to use IPv6 over the Internet to communicate with each other or with IPv6-only hosts.
Teredo client
A Teredo client is a computer that is enabled with both IPv6 and IPv4 and that is located behind a router performing IPv4 NAT. The Teredo client creates a Teredo tunneling interface and configures a routable IPv6 address with the help of a Teredo server. Through this interface, Teredo clients communicate with other Teredo clients or with hosts on the IPv6 Internet (through a Teredo relay).
Teredo server
A Teredo server is a public server connected both to the IPv4 Internet and to the IPv6 Internet. The Teredo server helps perform the address configuration of the Teredo client and facilitates initial communication either between two Teredo clients or between a Teredo client and an IPv6 host. To facilitate communication among Windows-based Teredo client computers, Microsoft has deployed Teredo servers on the IPv4 Internet.
Teredo relay
A Teredo relay is a Teredo tunnel endpoint. It is an IPv6/IPv4 router that can forward packets between Teredo clients on the IPv4 Internet and IPv6-only hosts.
Teredo host-specific relay
A Teredo host-specific relay is a host that is enabled with both IPv4 and IPv6 and that acts as its own Teredo relay. A Teredo host-specific relay essentially enables a Teredo client that has a global IPv6 address to tunnel through the IPv4 Internet and communicate directly with hosts connected to the IPv6 Internet.
IP-HTTPS
IP-HTTPS is a new protocol developed by Microsoft for Windows 7 and Windows Server 2008 R2. It enables hosts located behind a Web proxy server or firewall to establish connectivity by tunneling IPv6 packets inside an IPv4-based Hypertext Transfer Protocol Secure (HTTPS) session. HTTPS is used instead of HTTP so that Web proxy servers do not attempt to examine the data stream and terminate the connection. IP-HTTPS is used as the fallback technology for DirectAccess clients when neither 6to4 nor Teredo is available.
IPv6/IPv4 NAT
Some NAT routers are able to provide connectivity between global IPv6 addresses and private IPv4 addresses. To perform this function, these devices typically conform to the Network Address Translation/Protocol Translation (NAT-PT) standard or the Network Address Port Translation + Protocol Translation (NAPT-PT) standard, as defined in RFC 2766. Although these two technologies are still available on some networks, they have been deprecated by the Internet Engineering Task Force (IETF) because of technical problems. NAT64 is the name of another mechanism to perform this same function in the future.
NOTE
CONFIGURING IPv6 SETTINGS IN GROUP POLICY
You can configure client settings for IPv6 transition technologies in Local Computer Policy or Group Policy. You can find these settings in a GPO by navigating to Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies.
Understanding DirectAccess Infrastructure Features
Figure 6-17 shows the primary features of a DirectAccess infrastructure.
These features include general network infrastructure requirements such as a PKI (including a certification authority and CRL distribution points), domain controllers, IPv6 transition technologies, and DNS servers. A DirectAccess infrastructure also has the elements that form the core of the DirectAccess solution, including DirectAccess clients, DirectAccess servers, and a network location server. These elements of a DirectAccess infrastructure are described in more detail in the following section.

FIGURE 6-17 A DirectAccess infrastructure
DirectAccess Server
At least one domain-joined server must be running Windows Server 2008 R2 so it can act as the DirectAccess server. This server typically resides on your perimeter network and acts as both a relay for IPv6 traffic and an IPSec gateway. The server can accept connections from DirectAccess clients and (like a VPN server) facilitate communication with intranet resources.
The DirectAccess server needs to be configured with two physical network adapters and at least two consecutive, publicly addressable IPv4 addresses that can be externally resolved through the Internet DNS.
To create a DirectAccess server, use Server Manager to add the DirectAccess Management Console feature in Windows Server 2008 R2. Then use the DirectAccess Setup Wizard in this console to configure the server.
DirectAccess Client
Client computers must be domain-joined and running Windows 7 Enterprise or Ultimate to use DirectAccess. To perform the initial configuration of computers as DirectAccess clients, add them to a Windows group, and then specify this group when you run the DirectAccess Setup Wizard on the DirectAccess server.
To allow DirectAccess clients to separate Internet traffic from intranet traffic, Windows 7 and Windows Server 2008 R2 include the Name Resolution Policy Table (NRPT). The NRPT is applied to clients only through Local Computer Policy or Group Policy—it cannot be configured locally on the client. To locate NRPT settings in a GPO, navigate to Computer Configuration\Policies\Windows Settings\Name Resolution Policy.
NOTE
WHAT IS THE NRPT?
The NRPT is a new feature that allows a client to assign a DNS server address to particular namespaces rather than to particular interfaces. The NRPT essentially stores a list of name resolution rules that are applied to clients through Group Policy. Each rule defines a DNS namespace and DNS client behavior for that namespace. When a DirectAccess client is on the Internet, each name query request is compared against the namespace rules stored in the NRPT. If a match is found, the request is processed according to the settings in the NRPT rule. The settings determine the DNS servers to which each request will be sent.
If a name query request does not match a namespace listed in the NRPT, it is sent to the DNS servers configured in the TCP/IP settings for the specified network interface.
Network Location Server
A network location server is a Web server accessed by a DirectAccess client to determine whether the client is located on the intranet or Internet. The DirectAccess server can act as the network location server, but it is preferable to use a separate, high-availability Web server for the network location server instead. This separate Web server does not have to be dedicated as a network location server. You can configure network location server settings in Local Computer Policy or Group Policy. To find the settings in a GPO, navigate to Computer Configuration\Policies\Administrative Templates\Network\Network Connectivity Status Indicator.
Domain Controllers
An AD DS infrastructure is required for DirectAccess. At least one domain controller in the domain needs to be running Windows Server 2008 or later.
IPv6-capable Network
DirectAccess uses IPv6 to enable remote client computers to maintain connectivity with intranet resources over an Internet connection. Because most of the public Internet currently uses IPv4, however, DirectAccess clients use IPv6 transition technologies when no IPv6 connectivity is available. The order of connection methods attempted by DirectAccess clients is as follows:
1. Native IPv6
This method is used if the DirectAccess client is assigned a globally routable IPv6 address.
2. 6to4
This method is used if the DirectAccess client is assigned a public IPv4 address.
3. Teredo
This method is used if the DirectAccess client is assigned a private IPv4 address.
4. IP-HTTPS
This method is attempted if the other methods fail.
For remote client computers to reach computers on the internal corporate network through DirectAccess, the internal computers must be fully IPv6-compatible. Computers on your IPv4 network are fully IPv6-compatible if any of the following is true:
• The computers are running Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2.
• You have deployed ISATAP on your intranet to enable internal servers and applications to be reachable by tunneling IPv6 traffic over your IPv4-only intranet.
• You are using a NAT-PT device to translate traffic between your DirectAccess clients and your intranet computers that support only IPv4.
IPSec
DirectAccess uses IPSec to provide end-to-end security for remote client computers accessing resources on the internal corporate network. IPSec policies are used for authentication and encryption of all DirectAccess connections. These policies can be configured and applied to client computers using Group Policy.
PKI
A PKI is required to issue computer certificates for client and server authentication and also for issuing health certificates when NAP has been implemented. These certificates can be issued by a CA on the internal network—they do not need to be issued by a public CA.
CRL Distribution Points (CDPs)
In a DirectAccess infrastructure, CDPs are the servers that provide access to the CRL that is published by the CA issuing certificates for DirectAccess. Separate CDPs should be published for clients internal to the corporate network and for external clients on the Internet.
Perimeter Firewall Exceptions
On your corporate network perimeter firewall, the following ports must be opened to support DirectAccess:
• UDP port 3544 to enable inbound Teredo traffic
• IPv4 protocol 41 to enable inbound 6to4 traffic
• TCP port 443 to enable inbound IP-HTTPS traffic
If you need to support client computers that have native IPv6 addresses, the following exceptions will also need to be opened:
• ICMPv6
• IPv4 protocol 50
MORE INFO
DEPLOYING DirectAccess
For more information on deploying a DirectAccess solution for your organization, review the documentation found on the DirectAccess section of the Networking and Access Technologies TechCenter on Microsoft TechNet at http://technet.microsoft.com/en-us/network/dd420463.aspx.
Configuring DirectAccess Client Settings for IPv6 Manually
Although DirectAccess clients normally are configured automatically when you run the DirectAccess Setup Wizard on the DirectAccess server, you can configure client IPv6 settings manually to help resolve connectivity problems. Use the information in Table 6-2 to configure remote clients with the proper IPv6 transition technology: Teredo, 6to4, or IP-HTTPS.
TABLE 6-2 Manual IPv6 Configuration for DirectAccess Clients

Purpose: Configure the Teredo client as an enterprise client and configure the IPv4 address of the Teredo server (the DirectAccess server).
Command: netsh interface teredo set state type=enterpriseclient servername=FirstPublicIPv4AddressOfDirectAccessServer
Group Policy setting: Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\Teredo State = Enterprise Client, and Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\Teredo Server Name = FirstPublicIPv4AddressOfDirectAccessServer

Purpose: Configure the public IPv4 address of the 6to4 relay (the DirectAccess server).
Command: netsh interface 6to4 set relay name=FirstPublicIPv4AddressOfDirectAccessServer
Group Policy setting: Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\6to4 Relay Name = FirstPublicIPv4AddressOfDirectAccessServer

Purpose: Enable the IP-HTTPS client and configure the IP-HTTPS Uniform Resource Locator (URL).
Command: netsh interface httpstunnel add interface client https://FQDNofDirectAccessServer/IPHTTPS
Group Policy setting: Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\IP-HTTPS State set to Enabled, with the IP-HTTPS URL of https://SubjectOfIP-HTTPSCertificate:443/IPHTTPS

Configuring IPv6 Internet Features on the DirectAccess Server Manually
For troubleshooting purposes, you can configure your DirectAccess server manually for Teredo, 6to4, and IP-HTTPS. Use the features listed in Table 6-3 to help you perform these steps.
TABLE 6-3 Configuring DirectAccess Internet Features

Feature: Teredo server
Purpose: Configure Teredo with the name or IPv4 address of the Teredo server
Command: netsh interface ipv6 set teredo server FirstIPv4AddressOfDirectAccessServer

Feature: IPv6 interfaces
Purpose: Configure the IPv6 interfaces for the correct forwarding and advertising behavior
Command: For the 6to4 and Teredo interfaces, run: netsh interface ipv6 set interface InterfaceIndex forwarding=enabled
If a LAN interface is present with a native IPv6 address, run the same command for it: netsh interface ipv6 set interface InterfaceIndex forwarding=enabled
For the IP-HTTPS interface, run: netsh interface ipv6 set interface IPHTTPSInterface forwarding=enabled advertise=enabled

Feature: 6to4
Purpose: Enable 6to4
Command: netsh interface 6to4 set state enabled

Feature: SSL certificate for IP-HTTPS connections
Purpose: Configure the certificate binding
Command: Install the Secure Sockets Layer (SSL) certificate using manual enrollment, then use the netsh http add sslcert command to configure the certificate binding.

Feature: IP-HTTPS interface
Purpose: Configure the IP-HTTPS interface
Command: netsh interface httpstunnel add interface server https://PublicIPv4AddressOrFQDN:443/iphttps enabled certificates

Feature: IP-HTTPS routing
Purpose: Configure IPv6 routing for the IP-HTTPS interface
Command: netsh interface ipv6 add route IP-HTTPSPrefix::/64 IPHTTPSInterface publish=yes, where IP-HTTPSPrefix is one of the following:
• 6to4-basedPrefix:2 if you are using a 6to4-based prefix based on the first public IPv4 address assigned to the Internet interface of the DirectAccess server.
• NativePrefix:5555 if you are using a 48-bit native IPv6 prefix. 5555 is the Subnet ID value chosen by the DirectAccess Setup Wizard.
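The prefix arithmetic that Tables 6-2 and 6-3 leave to the reader, as an added Python example that is not part of the original page or of any Microsoft tool: it derives the 6to4 prefix from the DirectAccess server's first public IPv4 address, builds the IP-HTTPS route prefix (subnet ID 2 of the 6to4-based prefix, or subnet ID 5555 of a native /48, as Table 6-3 states), and fills in the placeholders of the tables' netsh commands. The server address, FQDN, native prefix and IP-HTTPS interface index used below are assumed sample values.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ipv4):
    """True for a private IPv4 address; the DirectAccess server's Internet addresses must not be."""
    return any(ipaddress.IPv4Address(ipv4) in net for net in RFC1918)

def sixto4_prefix(public_ipv4):
    """RFC 3056: a public IPv4 address W.X.Y.Z yields the 6to4 prefix 2002:WWXX:YYZZ::/48."""
    w, x, y, z = ipaddress.IPv4Address(public_ipv4).packed
    return f"2002:{w:02x}{x:02x}:{y:02x}{z:02x}::/48"

def iphttps_prefix(first_public_ipv4, native_prefix=None):
    """The /64 that Table 6-3 routes to the IP-HTTPS interface: subnet ID 2 of the 6to4-based
    prefix, or subnet ID 5555 (the Setup Wizard's value) of a native /48."""
    if native_prefix is None:
        base, subnet_id = sixto4_prefix(first_public_ipv4), 0x2
    else:
        base, subnet_id = native_prefix, 0x5555
    net = ipaddress.IPv6Network(base)
    if net.prefixlen != 48:
        raise ValueError(f"expected a /48 prefix, got {net}")
    # The subnet ID occupies bits 48-63 of the address, i.e. the fourth hextet.
    return str(ipaddress.IPv6Network((int(net.network_address) | (subnet_id << 64), 64)))

def directaccess_commands(first_public_ipv4, server_fqdn, iphttps_ifindex, native_prefix=None):
    """netsh commands from Tables 6-2 and 6-3 with their placeholders filled in.
    iphttps_ifindex is an assumed sample value; on a real server read the IP-HTTPS
    interface index from 'netsh interface ipv6 show interfaces'."""
    if is_rfc1918(first_public_ipv4):
        raise ValueError(f"{first_public_ipv4} is an RFC 1918 address, not a public one")
    prefix = iphttps_prefix(first_public_ipv4, native_prefix)
    client = [  # Table 6-2, run on the DirectAccess client
        f"netsh interface teredo set state type=enterpriseclient servername={first_public_ipv4}",
        f"netsh interface 6to4 set relay name={first_public_ipv4}",
        f"netsh interface httpstunnel add interface client https://{server_fqdn}/IPHTTPS",
    ]
    server = [  # Table 6-3, run on the DirectAccess server
        f"netsh interface ipv6 set teredo server {first_public_ipv4}",
        "netsh interface 6to4 set state enabled",
        f"netsh interface httpstunnel add interface server https://{server_fqdn}:443/iphttps enabled certificates",
        f"netsh interface ipv6 set interface {iphttps_ifindex} forwarding=enabled advertise=enabled",
        f"netsh interface ipv6 add route {prefix} {iphttps_ifindex} publish=yes",
    ]
    return {"iphttps_prefix": prefix, "client": client, "server": server}
```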

Understanding the DirectAccess Connection Process
A DirectAccess connection to a target intranet resource is initiated when the DirectAccess client connects to the DirectAccess server through IPv6. IPSec is then negotiated between the client and server. Finally, the connection is established between the DirectAccess client and the target resource.
This general process can be broken down into the following specific steps:
1. The DirectAccess client computer running Windows 7 detects that it is connected to a network.
2. The DirectAccess client computer attempts to connect to the network location server.
If the network location server is available, the Direct Access client determines that it is already connected to the intranet, and the DirectAccess connection process stops.
If the network location server is not available, the DirectAccess client determines that it is connected to the Internet and the DirectAccess connection process continues.
3. The DirectAccess client computer connects to the DirectAccess server using IPv6 and IPSec.
If a native IPv6 network isn’t available, the client establishes an IPv6-over-IPv4 tunnel using 6to4 or Teredo. The user does not have to be logged in for this step to complete.
4. If a firewall or proxy server prevents the client computer using 6to4 or Teredo from connecting to the DirectAccess server, the client automatically attempts to connect using the IP-HTTPS protocol, which uses an SSL connection to ensure connectivity.
5. As part of establishing the IPSec session, the DirectAccess client and server authenticate each other using computer certificates for authentication.
6. By validating AD DS group memberships, the DirectAccess server verifies that the computer and user are authorized to connect using DirectAccess.
7. If NAP is enabled and configured for health validation, the DirectAccess client obtains a health certificate from a Health Registration Authority (HRA) located on the Internet prior to connecting to the DirectAccess server. The HRA forwards the DirectAccess client’s health status information to a NAP health policy server. The NAP health policy server processes the policies defined within the NPS and determines whether the client is compliant with system health requirements. If so, the HRA obtains a health certificate for the DirectAccess client. When the DirectAccess client connects to the DirectAccess server, it submits its health certificate for authentication.
8. The DirectAccess server begins forwarding traffic from the DirectAccess client to the intranet resources to which the user has been granted access.
Troubleshooting DirectAccess Connections
The following list describes a number of areas in which a DirectAccess connection must be properly configured. You can use this list as a set of principles and procedures to help troubleshoot DirectAccess clients.
• The DirectAccess client must have a global IPv6 address. (Global IPv6 addresses start with a 2 or 3.)
• Use the Ipconfig /all command on the DirectAccess client.
• If the DirectAccess client is assigned a public IPv4 address, you should see an interface named Tunnel Adapter 6TO4 Adapter listed in the Ipconfig output. This interface should be configured with an address that starts with 2002. The Tunnel Adapter 6TO4 Adapter should also be assigned a default gateway.
• If the DirectAccess client is assigned a private IPv4 address, you should see a listing for a Teredo interface, and this interface should be configured with an address that starts with 2001.
• For IP-HTTPS, look for an interface named Tunnel Adapter Ip https interface. Unless you had a native IPv6 infrastructure in place prior to running the DirectAccess Setup Wizard, the Tunnel Adapter Ip https interface should be configured with an address that starts with 2002. The Tunnel Adapter Ip https interface should also be assigned a default gateway.
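The checks above, together with the connection-method order from the IPv6-capable Network section, as an added Python example that is not from the original page: it decodes the IPv4 data embedded in 6to4, Teredo and ISATAP addresses (the address formats described earlier in the chapter) and compares the tunnel addresses that ipconfig shows with the method the client's IPv4 address says it should be using. The two ipconfig excerpts are constructed sample data, not captures from a real client.

```python
import ipaddress
import re

# Two constructed "ipconfig /all" excerpts (sample data, not captured from a real DirectAccess client).
PUBLIC_CLIENT = """
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 203.0.113.5(Preferred)
Tunnel adapter 6TO4 Adapter:
   IPv6 Address. . . . . . . . . . . : 2002:cb00:7105::cb00:7105(Preferred)
   Default Gateway . . . . . . . . . : 2002:c633:6401::c633:6401
"""
NAT_CLIENT = """
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
Tunnel adapter Teredo Tunneling Pseudo-Interface:
   IPv6 Address. . . . . . . . . . . : 2001:0:cb00:7101:0:63bf:39cc:9beb(Preferred)
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def expected_method(ipv4, native_ipv6=False):
    """First method a DirectAccess client tries, in the page's order: native IPv6, 6to4, Teredo.
    IP-HTTPS is only the fallback when these fail, so it is never the expected first choice."""
    if native_ipv6:
        return "Native IPv6"
    private = any(ipaddress.IPv4Address(ipv4) in net for net in RFC1918)
    return "Teredo" if private else "6to4"

def _v4(bits):
    return str(ipaddress.IPv4Address(bits & 0xFFFFFFFF))

def classify_ipv6(addr):
    """Return (kind, detail) for one IPv6 address, decoding the IPv4 data that transition addresses embed."""
    n = int(ipaddress.IPv6Address(addr))
    if ((n >> 32) & 0xFFFFFFFF) in (0x00005EFE, 0x02005EFE):  # ISATAP interface ID ::0:5efe:w.x.y.z
        return "ISATAP", _v4(n)
    if n >> 112 == 0x2002:                                    # 6to4: 2002:WWXX:YYZZ::/48
        return "6to4", _v4(n >> 80)
    if n >> 96 == 0x20010000:                                 # Teredo: 2001:0:server:flags:~port:~client
        port = ((n >> 32) & 0xFFFF) ^ 0xFFFF
        return "Teredo", f"server={_v4(n >> 64)} client={_v4(n ^ 0xFFFFFFFF)}:{port}"
    if n >> 125 == 0b001:                                     # 2000::/3, the "starts with 2 or 3" test
        return "native global", ""
    return "non-global", ""

def check_client(ipconfig_text):
    """Which method the client should be using, which transition addresses it has, and whether they agree."""
    v4s = re.findall(r"IPv4 Address[ .]*: *([\d.]+)", ipconfig_text)
    if not v4s:
        raise ValueError("no IPv4 address in ipconfig output")
    found = dict(classify_ipv6(a) for a in re.findall(r"IPv6 Address[ .]*: *([0-9a-fA-F:]+)", ipconfig_text))
    method = expected_method(v4s[0], native_ipv6="native global" in found)
    ok = method == "Native IPv6" or method in found
    if method == "6to4" and ok and found["6to4"] != v4s[0]:   # a 6to4 address must embed the client's own IPv4
        ok = False
    return {"expected": method, "addresses": found, "ok": ok}
```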
