DirectAccess serveri paigaldamine ja haldamine Windows Server operatsioonisüsteemis: Difference between revisions
Created page with 'Artur Kulikov' |
No edit summary |
||
Line 1: | Line 1: | ||
Artur Kulikov | Artur Kulikov | ||
'''DirectAccess''' is a new feature in [[Windows 7]] (Ultimate and Enterprise editions only) and [[Windows Server 2008 R2]] that provides seamless [[intranet]] connectivity to DirectAccess client computers when they are connected to the Internet. Unlike most traditional [[virtual private network|VPN]] connections<!--NetMotion allows an automatic connection, this statement is not always true--><!--Ben Ari: the previous comment is irrelevant, as the text says 'most', not all-->, which must be initiated and terminated by explicit user action, DirectAccess connections is designed to connect automatically as soon as the computer connects to the internet. In 2010, [[Microsoft Forefront Unified Access Gateway]] was released, which simplifies<ref>[http://www.microsoft.com/UAG Microsoft Forefront Unified Access Gateway 2010]</ref><ref name="UAGNOTREQUIRED">[http://blogs.technet.com/windowsserver/archive/2009/07/15/got-directaccess-get-uag.aspx Windows Server Division WebLog]</ref><ref>[http://www.portcullissystems.com Portcullis Systems UAG DirectAccess Appliance]</ref> the deployment of DirectAccess, and includes additional components that make it easier to integrate without the need to deploy [[IPv6]] on the network. | |||
==Technology== | |||
DirectAccess establishes [[IPSec]] tunnels from the client to the DirectAccess server, and uses [[IPv6]] to reach intranet resources or other DirectAccess clients. This technology encapsulates the IPv6 traffic over IPv4 to be able to reach the intranet over the Internet, which still relies on IPv4 traffic. A DirectAccess client can use one of several tunnelling technologies, depending on the configuration of the network the client is connected to. The client can use [[6to4]], [[Teredo tunneling]], or [[IP-HTTPS]], provided the server is configured correctly to be able to use them. For example, a client that is connected to the internet directly will use 6to4, but if it is inside a [[NAT]]ed network, it will use Teredo instead. | |||
DirectAccess in UAG provides enterprise features for a DirectAccess solution, such as centralized management, high availability, and enhanced security (UAG contains a EAL4+ Certified firewall, so it can be used on the edge of your network). UAG also provides a [[NAT64]] and [[DNS64]], allowing you to provide DirectAccess clients with access to IPv4-only resources on your network. | |||
==Requirements== | |||
DirectAccess requires: | |||
*one or more DirectAccess servers running [[Windows Server 2008 R2]] with two network adapters: one that is connected directly to the Internet, and a second that is connected to the intranet. | |||
*on the DirectAccess server, at least two consecutive, public IPv4 addresses assigned to the network adapter that is connected to the Internet. | |||
*DirectAccess clients running [[Windows 7]] (Ultimate and Enterprise editions only). | |||
*at least one [[domain controller]] and [[Domain Name System]] (DNS) server running Windows Server 2008 SP2 or Windows Server 2008 R2. | |||
*[[public key infrastructure]] (PKI) to issue computer certificates. | |||
<!-- If it's "optional," by definition it isn't a requirement. This is why these have been separated out of the above list, and this may even warrant its own section. --> | |||
Smart card certificates, and health certificates for [[Network Access Protection]] may be used along with PKI. | |||
A third-party [[NAT64]] device may be used to provide access to IPv4-only resources to DirectAccess clients.<ref name="DIRECTACCESSREQ">[http://technet.microsoft.com/en-us/library/dd637797(WS.10).aspx DirectAccess Requirements]</ref> | |||
==References== | |||
<references/> | |||
==External links== | |||
*[http://www.microsoft.com/servers/directaccess.mspx Microsoft's DirectAccess Getting Started page] | |||
*[http://technet.microsoft.com/en-us/network/dd420463.aspx Microsoft's DirectAccess TechNet page] | |||
*[http://msdn.microsoft.com/en-us/library/dd358571%28PROT.13%29.aspx MS-IPHTTPS on MSDN]: includes PDF with specification. | |||
*[http://refraction.co.uk/blog/2009/07/23/directaccess-ipv6-and-ipv4-networks/ Blogger's posting on DirectAccess] | |||
{{DEFAULTSORT:Directaccess}} | |||
[[Category:Network protocols]] | |||
[[Category:Virtual private networks]] | |||
[[Category:IPv6]] | |||
[[ru:DirectAccess]] |
Revision as of 16:59, 28 March 2011
Artur Kulikov
DirectAccess is a new feature in Windows 7 (Ultimate and Enterprise editions only) and Windows Server 2008 R2 that provides seamless intranet connectivity to DirectAccess client computers when they are connected to the Internet. Unlike most traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections is designed to connect automatically as soon as the computer connects to the internet. In 2010, Microsoft Forefront Unified Access Gateway was released, which simplifies[1][2][3] the deployment of DirectAccess, and includes additional components that make it easier to integrate without the need to deploy IPv6 on the network.
Technology
DirectAccess establishes IPSec tunnels from the client to the DirectAccess server, and uses IPv6 to reach intranet resources or other DirectAccess clients. This technology encapsulates the IPv6 traffic over IPv4 to be able to reach the intranet over the Internet, which still relies on IPv4 traffic. A DirectAccess client can use one of several tunnelling technologies, depending on the configuration of the network the client is connected to. The client can use 6to4, Teredo tunneling, or IP-HTTPS, provided the server is configured correctly to be able to use them. For example, a client that is connected to the internet directly will use 6to4, but if it is inside a NATed network, it will use Teredo instead.
DirectAccess in UAG provides enterprise features for a DirectAccess solution, such as centralized management, high availability, and enhanced security (UAG contains a EAL4+ Certified firewall, so it can be used on the edge of your network). UAG also provides a NAT64 and DNS64, allowing you to provide DirectAccess clients with access to IPv4-only resources on your network.
Requirements
DirectAccess requires:
- one or more DirectAccess servers running Windows Server 2008 R2 with two network adapters: one that is connected directly to the Internet, and a second that is connected to the intranet.
- on the DirectAccess server, at least two consecutive, public IPv4 addresses assigned to the network adapter that is connected to the Internet.
- DirectAccess clients running Windows 7 (Ultimate and Enterprise editions only).
- at least one domain controller and Domain Name System (DNS) server running Windows Server 2008 SP2 or Windows Server 2008 R2.
- public key infrastructure (PKI) to issue computer certificates.
Smart card certificates, and health certificates for Network Access Protection may be used along with PKI.
A third-party NAT64 device may be used to provide access to IPv4-only resources to DirectAccess clients.[4]
References
External links
- Microsoft's DirectAccess Getting Started page
- Microsoft's DirectAccess TechNet page
- MS-IPHTTPS on MSDN: includes PDF with specification.
- Blogger's posting on DirectAccess