Working remote: what to consider, technology evolution

Session Agenda
• Remote access: do we need it?
• Remote access: what are the options?
• Microsoft’s strategy for remote access
  – The vision: seamless, secure, ubiquitous
  – Making it real: DirectAccess & Unified Access Gateway
• Q&A

Information Worker’s World Has Been Changing…
(Diagram: central office, remote work, branch offices, mobile & distributed workforce.)
In 2008, mobile workers will represent 26.8% of the total workforce, and that number will increase to 30.4% by 2011 (IDC, "Worldwide Mobile Worker Population 2007–2011 Forecast," Doc #209813).

Remote Access Needs
• Internal & external users
• Managed and unmanaged devices
  (Diagram: a Financial Partner or Field Agent on a Home PC, a Logistics Partner at a Kiosk, a Project Manager Employee on a Corporate Managed Laptop and a Remote Technician Employee on an Unmanaged Partner PC all reaching Internal Resources.)
• Changing threat environment
• IT governance
• Regulatory compliance

Remote Access Options
• Dial-up? Too costly, limited user experience
• Reverse proxy? Only web apps
• Terminal Services?
  Not from everywhere, TCO considerations
• Traditional VPN based on IPsec (most popular)
  – Limited functionality from firewalled or NAT’ed networks
  – Not very user friendly
  – Client becomes difficult to roll out; managed devices only
  – Requires administrative installation
  – Potential security exposure by extending the network
• SSL VPN
  – In-office experience from anywhere
  – Granular policy control
• Next-gen IPsec VPN
  – User friendly: no more FW/NAT problems; seamless access from everywhere
  – Built into client OSs
  – Granular policy control

DirectAccess
Providing seamless, secure access to enterprise resources from anywhere
− Provides seamless, always-on, secure connectivity to on-premises and remote users alike
− Eliminates the need to connect explicitly to corpnet while remote
− Facilitates secure, end-to-end communication and collaboration
− Leverages a policy-based network access approach
− Enables IT to easily service/secure/update/provision mobile machines whether they are inside or outside the network

Benefits of DirectAccess
• More productivity
  – Always-on access to corpnet while roaming
  – No explicit user action required: it just works
  – Same user experience on premises and off
• More secure
  – Healthy, trustable host regardless of network
  – Fine-grained per-app/server policy control
  – Richer policy control near assets
  – Ability to extend regulatory compliance to roaming assets
  – Incremental deployment path toward IPv6
• More manageable and cost effective
  – Simplified remote management of mobile resources as if they were on the LAN
  – Lower total cost of ownership (TCO) with an “always managed” infrastructure
  – Unified secure access across all scenarios and networks
  – Integrated administration of all connectivity mechanisms

DirectAccess Technologies
• Microsoft Windows 7 clients
• Microsoft Windows Server 2008 DirectAccess server
• IPv6
• IPsec v6
• Internet tunneling protocols
  – 6to4
  – Teredo
  – IP-HTTPS
• NAT-PT devices
(Diagram: a compliant client tunnels over IPv4 (UDP, HTTPS, etc.) to the DirectAccess server.)
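The tunneling protocols listed above are what let a DirectAccess client reach the IPv6 corpnet across an IPv4-only path, and each of the address-based ones (6to4, Teredo) embeds the client's IPv4 endpoint in the IPv6 address itself. The following is an added example, not code from the presentation or from Microsoft: it decodes those two address formats and classifies the source addresses in a few constructed firewall log lines, which is how a defender can tell which transition mechanism a remote host arrived over. IP-HTTPS is deliberately not decoded, because its addresses carry no recognisable structure (the prefix is whatever the DirectAccess server assigns). All addresses, log lines and field names are constructed for the example.

```python
"""Recognise and decode the IPv6 transition addresses DirectAccess clients
use when tunnelling over IPv4 (added example, constructed data).

- 6to4 addresses live in 2002::/16 and embed the client's public IPv4
  address in bits 16-47.
- Teredo addresses live in 2001:0000::/32 and embed the Teredo server's
  IPv4, a flags word, and the client's NAT-mapped UDP port and IPv4
  address, the last two XOR-ed with all ones (obfuscated).
- IP-HTTPS addresses carry nothing recognisable: only the HTTPS flow on
  443 identifies that mechanism.
"""
import ipaddress

SIXTOFOUR_NET = ipaddress.IPv6Network("2002::/16")
TEREDO_NET = ipaddress.IPv6Network("2001::/32")


def decode_6to4(addr):
    """Return the embedded IPv4 address of a 6to4 address, or None."""
    ip6 = ipaddress.IPv6Address(addr)
    if ip6 not in SIXTOFOUR_NET:
        return None
    raw = ip6.packed  # 16 bytes, network byte order
    return str(ipaddress.IPv4Address(raw[2:6]))


def decode_teredo(addr):
    """Return server, client and port embedded in a Teredo address, or None."""
    ip6 = ipaddress.IPv6Address(addr)
    if ip6 not in TEREDO_NET:
        return None
    raw = ip6.packed
    server = ipaddress.IPv4Address(raw[4:8])
    flags = int.from_bytes(raw[8:10], "big")
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF  # obfuscated port
    client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))  # obfuscated IPv4
    return {
        "server": str(server),
        "client": str(client),
        "port": port,
        "cone": bool(flags & 0x8000),  # "cone NAT" flag bit
    }


def classify(addr):
    """Label an IPv6 address as 6to4, teredo or native, with decoded details."""
    v4 = decode_6to4(addr)
    if v4 is not None:
        return ("6to4", {"client": v4})
    teredo = decode_teredo(addr)
    if teredo is not None:
        return ("teredo", teredo)
    return ("native", {})


# Constructed sample: source IPv6 addresses as a firewall might log them.
SAMPLE_LOG = """\
2009-06-01T08:00:01 ACCEPT src=2002:c633:6407::1 dst=2001:db8:10::25 dport=443
2009-06-01T08:00:02 ACCEPT src=2001:0:c000:201:8000:63bf:34ff:8ef6 dst=2001:db8:10::25 dport=445
2009-06-01T08:00:03 ACCEPT src=2001:db8:10::7 dst=2001:db8:10::25 dport=80
"""


def summarize_log(text):
    """Count lines per transition mechanism and collect the IPv4 endpoints seen."""
    counts = {"6to4": 0, "teredo": 0, "native": 0}
    ipv4_seen = []
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        kind, info = classify(fields["src"])
        counts[kind] += 1
        if "client" in info:
            ipv4_seen.append(info["client"])
    return counts, ipv4_seen


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        src = line.split("src=")[1].split()[0]
        print(src, classify(src))
    print(summarize_log(SAMPLE_LOG))
```

The decoded IPv4 addresses are what you would correlate with the DirectAccess server's own connection logs; a Teredo address additionally tells you which Teredo server relayed the client and whether it sat behind a cone NAT.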
(Diagram, continued: DirectAccess Server; Intranet User; Enterprise Network.)
• Assume the underlying network is always insecure
• Redefine the CORPNET edge to insulate the datacenter and business-critical resources
• Security policies based on identity, not location

Making It Real
• Extend access to line-of-business servers with IPv4-only support?
• Access for down-level and non-Windows clients?
• Scalability and management?
• Deployment and administration?
• Hardened edge solution?

UAG & DA Solution Architecture
(Diagram: managed Windows 7 clients use always-on DirectAccess over IPv6; unmanaged Vista, XP, non-Windows and PDA clients use SSL VPN; UAG together with the DirectAccess server extends support to IPv4 servers.)
UAG and DirectAccess better together:
1. Extends access to line-of-business servers with IPv4 support
2. Access for down-level and non-Windows clients
3. Enhances scalability and management
4. Simplifies deployment and administration
5. Hardened edge solution

UAG History and Evolution
(Diagram labels: Protection; Access.)

UAG Product "Stack"
• Application Access
  – Reverse Proxy: intelligent URL rewriting and manipulation engine to simplify publishing
  – SSL VPN Tunneling + DA: multiple tunnels providing access for non-web applications
• Policy and Security
  – Application Intelligence: optimizers for core, common scenarios enabling security and functionality
  – End Point Detection: client and deep policies for security health assessment
• Management
  – Wizard-driven configuration for core scenarios allowing easy implementation and enforcement of granular policies
  – Web-based monitoring and control across arrays

How UAG Works
(Diagram: each request passes the checks Allowed device? → Authenticated user? → Allowed application? → Allowed request? → “Good” URL? → Client-side caching? before reaching Web Applications or Legacy Applications.)
(Diagram, continued: Secure Connection; Client-Server Applications.)

UAG Networking Options
• SSL VPN options
  – HTTP(S) apps
  – SSL port forwarding (SSL Wrapper)
  – Client SSL socket forwarding (Socket Forwarder)
  – SSL network tunneling (SSTP)
• Next-gen IPsec VPN (DirectAccess)

UAG Client Components
• Endpoint Detection
• Client Trace Utility
• Session Clean-up
• LSP
• NSP
• Socket Forwarder
• SSL Wrapper
• Component Manager
• Quarantine Enforcement
• Network Connector
• SSL Wrapper (Java Applet)

Dynamic User Session
Each user session is determined by access policies that relate to the user, the device, and the resources.
(Diagram: a Financial Partner or Field Agent on a Home PC, a Logistics Partner at a Kiosk, a Project Manager Employee on a Corporate Laptop and a Remote Technician Employee on an Unmanaged Partner PC, each mapped to Limited Intranet, Webmail or the Tech Support App.)

User Experience – UAG Portals

Endpoint Security
• It uses client-side scripting for detection to generate variables that describe client properties
  – AV running / AV up-to-date
  – Personal firewall
  – Host IDS running
  – Processes running / not running
  – Registry entries
  – Custom
• The variables are uploaded as a chunk of XML data, and ASP policy expressions are evaluated on the UAG
• Results are stored in the UAG Session Manager service
• Various components in UAG query the Session Manager
  – The filter web site (for download/upload/restricted-zones blocking functionality)
  – The PortalHomePage (to decide which links to display, gray out, etc.)
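The endpoint-security flow above (client detection script produces variables, the variables are uploaded as XML, policy expressions are evaluated on the gateway, and the stored results drive what the portal shows) is the same mechanism the fine-grained authorization slide later in the deck relies on for its OWA-attachment and SharePoint-download rules. The following is an added example, not UAG's own code: it parses a constructed XML variable report, evaluates a small policy table over it in the role of the server-side expressions (plain Python predicates here rather than UAG's ASP expressions), and derives the per-feature decisions a session store and portal page would consume. Variable names, the XML layout and the policy table are all hypothetical. One behaviour worth noticing is that a variable the client failed to report is treated as False, so a client that cannot prove a property loses the dependent functionality rather than gaining it by omission.

```python
"""Evaluate endpoint-health policy over a client-uploaded XML variable set
(added example with constructed data; not UAG's implementation)."""
import xml.etree.ElementTree as ET

# Constructed endpoint report: the kind of variable set a detection script uploads.
SAMPLE_REPORT = """\
<endpoint>
  <var name="AVRunning">true</var>
  <var name="AVUpToDate">false</var>
  <var name="PersonalFirewall">true</var>
  <var name="HostIDS">false</var>
  <var name="Certified">false</var>
  <var name="RunningProcesses">explorer.exe;outlook.exe</var>
</endpoint>
"""

_TRUE = {"true", "1", "yes"}
_FALSE = {"false", "0", "no"}


def parse_endpoint_report(xml_text):
    """Turn <var name=...>value</var> elements into a dict.

    Boolean-looking values become bool, ';'-separated lists become sets,
    anything else stays a string. Use defusedxml for untrusted input in
    production; stdlib ElementTree is fine for this constructed sample.
    """
    root = ET.fromstring(xml_text)
    variables = {}
    for var in root.findall("var"):
        name = var.get("name")
        value = (var.text or "").strip()
        if value.lower() in _TRUE | _FALSE:
            variables[name] = value.lower() in _TRUE
        elif ";" in value:
            variables[name] = set(value.split(";"))
        else:
            variables[name] = value
    return variables


def flag(variables, name):
    """Fail closed: a missing or non-boolean variable counts as False."""
    return variables.get(name) is True


# Policy table: feature -> predicate over the endpoint variables.
# The OWA and SharePoint rules restate the deck's fine-grained authorization examples.
POLICIES = {
    "session.allowed": lambda v: flag(v, "PersonalFirewall"),
    "owa.read_mail": lambda v: True,
    "owa.send_attachment": lambda v: flag(v, "AVRunning") and flag(v, "AVUpToDate"),
    "sharepoint.download": lambda v: flag(v, "Certified"),
    "sharepoint.upload": lambda v: flag(v, "Certified") and flag(v, "HostIDS"),
}


def evaluate_policies(variables, policies=POLICIES):
    """Return {feature: allowed}, the result a session manager would store."""
    return {feature: bool(rule(variables)) for feature, rule in policies.items()}


def portal_links(decisions):
    """What a portal home page would list: links for allowed features only."""
    return sorted(f for f, allowed in decisions.items() if allowed and f != "session.allowed")


if __name__ == "__main__":
    variables = parse_endpoint_report(SAMPLE_REPORT)
    decisions = evaluate_policies(variables)
    for feature, allowed in decisions.items():
        print(f"{feature:22s} {'allow' if allowed else 'deny'}")
    print("portal links:", portal_links(decisions))
```

Keeping the policy table separate from the parser mirrors the split the slides describe: detection produces facts, policy turns facts into decisions, and every downstream component (filter, portal) reads the stored decisions instead of re-deriving them.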
User Authentication
• Front-end authentication
  – Most authentication services supported OOB
    • Active Directory
    • Other LDAP (Novell, Sun, IBM, …)
    • RADIUS/TACACS
    • ADFS
    • Custom
  – Multiple auth services can be used to control access
    • At logon
    • On the fly (application access)

User Authentication
• Back-end authentication
  – SSO
    • Credential replay
    • KCD
    • Custom

Coarse-grained Authorization
• User-based
  – Access to each application can be granted to selected users/groups
  – Users and groups defined in external authentication services

Fine-grained Authorization
• Policy-based
  – Application functionalities enabled/disabled according to the output of the endpoint security check
    • Sending email with attachments through OWA not allowed if AV not running
    • Downloading documents from SharePoint not permitted if the client is not “certified”
• Enabled by “Application Intelligence”
  – Built-in application knowledge
    • MS SharePoint, Outlook Web Access, Dynamics CRM…
    • SAP Enterprise Portal
    • Lotus Notes (iNotes, Native, DOLS)
    • Lotus Sametime
    • Documentum eRoom
    • …other

Session Clean-up
• UAG wipes session data when the session ends
  − Transparent to end users
  − Application Optimizer: application-specific modules allow wiping additional data outside the browser’s cache
  − Application-based (Citrix Bitmap Cache, Lotus Notes…)
  − Extensible via custom scripts
• What can be wiped
  − Files and HTML pages downloaded
  − Cookies, history information, user credentials
• When it can be executed
  − User logoff, inactivity timeout
  − Crash, browser closed by user
  − Shutdown

Browser Support
• Windows OSs
  – Internet Explorer
  – Netscape Navigator
  – Firefox
  – Safari
• Linux
  – Netscape Navigator
  – Firefox
• Mac OS (10.3 and up)
  – Safari

Seamless, Secure, Ubiquitous
(Diagram: Internet clients (mobile; home / friend / kiosk; business partners / sub-contractors) connect through a DMZ network via HTTPS (443), Layer 3 VPN, DirectAccess and non-web protocols to the data center / corporate network, which hosts Exchange, CRM, SharePoint, IIS-based and IBM, SAP, Oracle applications, and Terminal / Remote Desktop Services.)
(Diagram, continued: authentication services AD, ADFS, RADIUS, LDAP…; NPS, ILM; employees on managed machines.)

Q&A