Direct Access Technology II: DA Architecture and principles

Source: Internet
Author: User
Tags: configuration settings

I. DirectAccess Components

[Figure: DirectAccess components]

Description

1. The enterprise intranet PKI issues computer certificates to the DirectAccess server, DirectAccess clients and intranet servers.

2. The DirectAccess server is typically connected to both the intranet and the Internet and acts as the gateway for DirectAccess clients on the Internet.

3. A network location server (NLS) is a Web server that DirectAccess clients can reach only when they are connected to the internal network.

4. DirectAccess clients on the Internet have active Name Resolution Policy Table (NRPT) rules and connection security (tunnel) rules configured.

5. When intranet resources are accessed, the connection security rules protect the traffic with IPv6 and IPsec, using either IPsec tunnels or end-to-end protection.

6. DirectAccess clients connected to the Internet can access intranet resources just like any other intranet computer.

II. DirectAccess Architecture Technologies

    1. Name Resolution Policy Table (NRPT)

    2. IPv6 Transition Technologies

    3. IPsec

    4. Network Location Server (NLS)

Name Resolution Policy Table (NRPT)

The NRPT is a table that defines, for each DNS namespace, which DNS server to use and which security settings apply; NRPT rules take precedence over the DNS settings of the network adapter.


Through the NRPT you can:

    • define DNS servers per DNS namespace rather than per network interface;

    • require IPsec protection for DNS queries to a specific namespace.
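The two NRPT capabilities above, shown as PowerShell rules on a client (added example, not from the article; assumed placeholder values: the suffix `.corp.example.com`, the intranet DNS server `2001:db8:1::53` reached through the DirectAccess tunnel, and the NLS name `nls.corp.example.com`). In production these rules arrive through the DirectAccess client Group Policy; creating them locally is for a lab or for troubleshooting.

```powershell
# Added example, not from the article. All values below are assumed placeholders.
$CorpSuffix  = ".corp.example.com"
$IntranetDns = "2001:db8:1::53"
$NlsName     = "nls.corp.example.com"

# Rule 1: queries for the corporate namespace go to the intranet DNS server and
# must travel inside the IPsec tunnel. The adapter's own DNS settings are bypassed
# for this namespace, which is the "per namespace, not per interface" behaviour.
Add-DnsClientNrptRule -Namespace $CorpSuffix -DAEnable -DANameServers $IntranetDns `
    -DAIPsecRequired -DAIPsecEncryptionType "Medium" `
    -Comment "DirectAccess: corporate namespace"

# Rule 2: exemption for the NLS name. It carries no DirectAccess name server, so the
# name is resolved through the adapter's DNS like any other name. From the Internet
# that lookup fails, which is exactly how the client concludes it is outside.
Add-DnsClientNrptRule -Namespace $NlsName -DAEnable -Comment "DirectAccess: NLS exemption"

# Show the rules actually in effect (local rules merged with Group Policy rules).
Get-DnsClientNrptPolicy -Effective |
    Format-List Namespace, DirectAccessDnsServers, DirectAccessEnabled, DirectAccessQueryIPsecRequired
```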

IPv6 Transition Technologies

    • DirectAccess uses IPv6 and IPsec to create a secure connection between the DirectAccess client computer and the internal corporate network. However, DirectAccess does not require native IPv6 connectivity to the IPv6 Internet or to the internal network.
      Instead, it automatically configures and uses IPv6 transition technologies that carry IPv6 traffic over IPv4: on the IPv4 Internet by using 6to4, Teredo, or IP-HTTPS, and on an intranet that supports only IPv4 by using ISATAP or NAT64.

    • Tunneling is the mechanism used to connect IPv6 and IPv4 networks.

    • Automatic tunneling means that the routing infrastructure determines the tunnel endpoints by itself; 6to4 and Teredo are automatic tunneling technologies.

    • 6to4 encapsulates IPv6 in IPv4 using IP protocol 41. The remote tunnel endpoint is reached through a well-known IPv4 anycast address, and on the local side the host's IPv4 address is embedded in its IPv6 address.

    • Teredo uses UDP encapsulation so that the tunnel can traverse one or more NAT devices.
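A worked decoding of the address embedding the two bullets above describe, as an added example (not from the article): deriving the 6to4 prefix a host with a given public IPv4 address would use, and reading the server, client address and port back out of a Teredo address. The sample addresses 192.0.2.10 and 2001:0:c000:201:8000:63bf:34ff:8efa are constructed, it goes slightly beyond the text by also reading Teredo's cone-NAT flag, and it needs PowerShell 5 or later for the `::new` syntax.

```powershell
# Added example, not from the article. Sample addresses are constructed.

function Get-6to4Prefix {
    param([Parameter(Mandatory)][string]$IPv4)
    # 6to4: 2002:WWXX:YYZZ::/48, where WW.XX.YY.ZZ is the host's public IPv4 address.
    $b = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    return ('2002:{0:x2}{1:x2}:{2:x2}{3:x2}::/48' -f $b[0], $b[1], $b[2], $b[3])
}

function Get-TeredoEndpoint {
    param([Parameter(Mandatory)][string]$IPv6)
    # Teredo: 2001:0000:<server IPv4>:<flags>:<port XOR 0xFFFF>:<client IPv4 XOR 0xFFFFFFFF>
    # The port and client address are the NAT-mapped (public) values seen by the server.
    $b = [System.Net.IPAddress]::Parse($IPv6).GetAddressBytes()
    if ($b[0] -ne 0x20 -or $b[1] -ne 0x01 -or $b[2] -ne 0 -or $b[3] -ne 0) {
        throw "Not a Teredo address (prefix is not 2001:0::/32)"
    }
    $server = [System.Net.IPAddress]::new([byte[]]$b[4..7]).ToString()
    $port   = (($b[10] -shl 8) -bor $b[11]) -bxor 0xFFFF
    $client = [System.Net.IPAddress]::new([byte[]]($b[12..15] | ForEach-Object { $_ -bxor 0xFF })).ToString()
    [pscustomobject]@{
        TeredoServer     = $server
        ClientPublicIPv4 = $client
        ClientMappedPort = $port
        ConeNat          = [bool]($b[8] -band 0x80)   # top bit of the flags field
    }
}

# A host whose public address is 192.0.2.10 gets the 6to4 prefix 2002:c000:020a::/48.
Get-6to4Prefix -IPv4 "192.0.2.10"

# Constructed Teredo address: server 192.0.2.1, client 203.0.113.5 behind a cone NAT, port 40000.
Get-TeredoEndpoint -IPv6 "2001:0:c000:201:8000:63bf:34ff:8efa"
```

Recognising these encodings is useful on the server side as well: a DirectAccess server's firewall or IPsec logs show the client's tunnel address, from which the real IPv4 endpoint can be recovered for correlation.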

IPsec

    • IPsec adds a complete security framework to the TCP/IP stack, including data encryption, identity authentication and protection against data tampering.

    • If certificate-based IPsec authentication is used, the DirectAccess server and clients must obtain a computer certificate. The simplest way to deploy these certificates is to configure automatic enrollment of computer certificates through Group Policy.

    • The certificate has the following requirements:

§ The certificate should contain the Client Authentication enhanced key usage (EKU).

§ The client certificate and the server certificate should chain to the same root certificate. This root certificate must be selected in the DirectAccess configuration settings.
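A check for the two certificate requirements just listed, as an added example (not from the article): it walks the local machine's personal store and reports, for each certificate with a private key, whether it carries the Client Authentication EKU and which root its chain ends at. `$ExpectedRootThumbprint` is a placeholder to replace with the thumbprint of the root selected in the DirectAccess configuration.

```powershell
# Added example, not from the article. $ExpectedRootThumbprint is a placeholder.
$ExpectedRootThumbprint = "0000000000000000000000000000000000000000"
$ClientAuthEku = "1.3.6.1.5.5.7.3.2"   # OID of the Client Authentication EKU

function Test-DaComputerCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Requirement 1: Client Authentication must be among the certificate's EKUs.
    $hasClientAuth = @($Cert.EnhancedKeyUsageList.ObjectId) -contains $ClientAuthEku

    # Requirement 2: the chain must end at the root chosen in the DirectAccess settings.
    # Revocation is not checked here; the IPsec negotiation checks it at connect time.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainBuilds = $chain.Build($Cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject        = $Cert.Subject
        Thumbprint     = $Cert.Thumbprint
        HasClientAuth  = $hasClientAuth
        ChainBuilds    = $chainBuilds
        RootThumbprint = $root.Thumbprint
        RootMatches    = ($root.Thumbprint -eq $ExpectedRootThumbprint)
        UsableForDA    = ($hasClientAuth -and $chainBuilds -and $root.Thumbprint -eq $ExpectedRootThumbprint)
    }
}

# Only certificates with a private key can authenticate the machine.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-DaComputerCertificate -Cert $_ } |
    Format-Table Subject, HasClientAuth, ChainBuilds, RootMatches, UsableForDA -AutoSize
```

Run the same script on the DirectAccess server and on a client: both must show a certificate with `UsableForDA` true against the same root, otherwise the IPsec tunnels in the connection process will fail at the mutual authentication step.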

Network Location Server (NLS)

    • The NLS is a Web site used to detect whether a DirectAccess client is located on the corporate network. Clients on the corporate network do not use DirectAccess to reach internal resources; they connect directly.

    • The network location server Web site can be hosted on the DirectAccess server or on another server in the organization.

      If the NLS is hosted on the DirectAccess server, the Web site is created automatically when the Remote Access server role is installed.
      If the NLS is hosted on another Windows server in the organization, you must make sure that Internet Information Services (IIS) is installed on that server and that the Web site has been created.

III. DirectAccess Client Connection Process

1) The DirectAccess client computer connects to a network.

2) The DirectAccess client computer determines whether it is connected to the enterprise intranet. If it is, DirectAccess is not used; if it is not, DirectAccess is used.

3) The DirectAccess client computer uses IPv6 and IPsec to connect to the DirectAccess server. If native IPv6 connectivity is not available, the client uses 6to4 or Teredo to send IPv6 traffic encapsulated in IPv4.

4) If a firewall or proxy server prevents the client computer from reaching the DirectAccess server with 6to4 or Teredo, the client automatically attempts to connect using Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS). IP-HTTPS uses Secure Sockets Layer (SSL) to carry the encapsulated IPv6 traffic.

5) As part of establishing the IPsec tunnel to the intranet DNS server and domain controller, the DirectAccess client and server authenticate each other with computer certificates.

6) When the user logs on, the DirectAccess client establishes a second IPsec tunnel for access to intranet resources. The DirectAccess client and server authenticate each other using a combination of computer and user credentials.

7) The DirectAccess server forwards traffic between the DA client and the authorized internal resources.

The DirectAccess connection process is automated and requires no user intervention.
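Because the process is automatic, a practitioner usually needs to see which step a client actually reached. The script below, an added example that is not from the article, runs on a DirectAccess client and reports the NLS-based inside/outside decision from the NLS section, the active transition technology (steps 3 and 4) and the IPsec security associations that the two tunnels of steps 5 and 6 produce. It assumes Windows 8 / Windows Server 2012 or later, where the `Get-DAConnectionStatus`, `Get-NetTeredoState`, `Get-NetIPHttpsState` and `Get-NetIPsec*SA` cmdlets exist; `$NlsUrl` is a placeholder for the organization's NLS address.

```powershell
# Added example, not from the article. $NlsUrl is a placeholder.
$NlsUrl = "https://nls.corp.example.com/"

function Get-DaClientDiagnostics {
    # Step 2: the NLS is reachable only from the intranet. If this probe succeeds the
    # client treats itself as inside and does not bring up DirectAccess at all.
    try {
        $null = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 5
        $location = "Intranet (NLS reachable)"
    } catch {
        $location = "Internet (NLS not reachable)"
    }

    # Steps 3-4: transition technologies, in the order the client tries them.
    $teredo  = Get-NetTeredoState
    $iphttps = Get-NetIPHttpsState

    # Steps 5-6: each tunnel appears as IPsec security associations with the DA server.
    $mainMode  = @(Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue)
    $quickMode = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Location         = $location
        DAStatus         = (Get-DAConnectionStatus).Status
        TeredoState      = $teredo.State
        IPHttpsState     = $iphttps.State
        IPHttpsLastError = $iphttps.LastErrorCode
        MainModeSAs      = $mainMode.Count
        QuickModeSAs     = $quickMode.Count
        IPsecPeers       = (@($mainMode.RemoteEndpoint) | Sort-Object -Unique) -join ", "
    }
}

Get-DaClientDiagnostics | Format-List
```

A client on the Internet with a working connection shows the NLS unreachable, exactly one active transition technology, and main-mode SAs to the DirectAccess server; zero SAs with an active tunnel interface points at the certificate or authentication requirements of the IPsec section rather than at connectivity.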

IV. Prerequisites for Implementing DirectAccess


For detailed DA planning and design guidance, see:

Https://technet.microsoft.com/zh-cn/library/jj134148.aspx

Next we will look at the specific configuration of DA.
