Windows Server: The Power of Integration
Windows provides even greater value when you can combine features across the client and server platforms to form a complete solution.
Windows as a desktop OS powers our PCs and helps us get the most out of modern technology. The features in Windows 7 support tasks like networking connectivity that delivers the Internet to our desktop; running applications that empower information workers to capture and share knowledge, analyze business data, and communicate with partners, customers and colleagues in real time.
Windows is also a robust server OS that makes up the backbone of so many datacenters. Windows Server does everything from file and print services to virtualization with Hyper-V to powering Web sites with IIS.
The greatest value Windows provides, however, often comes when features across the client and server platforms combine to form a complete solution to a business problem. There are several complete solutions you can build with existing components of the Windows client and server platforms. There are also valuable resources to help guide you through the process of building out these solutions.
DirectAccess with Network Access Protection (NAP) provides a robust, practical solution that builds on the integration of various Windows components. DirectAccess connects client computers to intranet resources without the complexity of a virtual private network (VPN). Connectivity is seamless; and provides simple, streamlined remote connectivity while maintaining the security necessary to protect internal resources.
DirectAccess with NAP also provides ongoing health checks for remote computers (not just when the remote computer upon which it tries to establish a connection, as you might see in a VPN solution). It also enforces health compliance prior to allowing remote user connectivity.
DirectAccess clients use a computer certificate for Internet Protocol security (IPsec) peer authentication, by default. With DirectAccess and NAP, the authentication certificate for intranet access is a health certificate. This health certificate validates the identity of the DirectAccess client computer and certifies that the DirectAccess client complies with system health requirements.
The DirectAccess with NAP solution leverages a number of Windows infrastructure components to provide this functionality (see Figure 1). These components include:
- Active Directory Domain Services (AD DS): Provides domain membership for DirectAccess clients and servers, authentication of computer and user credentials, and distributes Group Policy settings to DirectAccess clients
- Public key infrastructure (PKI): Distributes digital certificates to DirectAccess clients, DirectAccess servers and Web servers For DirectAccess with NAP, one certification authority (CA) issues computer certificates and a separate Windows-based CA—known as a NAP CA—issues health certificates
- DirectAccess server: A computer running Windows Server 2008 R2 hosts DirectAccess connections
- Network location server: A computer typically running Windows Server 2008 or later, and IIS in order to host a secure Web site, so DirectAccess clients can determine whether they’re connected to the intranet
- NAP health policy server: A computer running Windows Server 2008 or later and Network Policy Server (NPS) performs system health validation and logging
- Health Registration Authority (HRA): A computer running Windows Server 2008 or later and IIS that obtains digital certificates from a NAP CA for compliant DirectAccess clients
- Remediation servers: Computers that provide the updates or resources that non-compliant DirectAccess clients need in order to meet system health requirements Examples include Windows Software Update Services (WSUS) servers and anti-malware signature distribution servers
Figure 1 Infrastructure components of the DirectAccess with NAP solution.
With those infrastructure components in mind, let’s briefly walk through how the DirectAccess with NAP solution works. When the DirectAccess client starts, it logs on to the AD DS domain and sends its current health state information to the HRA. The HRA then sends the DirectAccess client’s health state information to the NAP health policy server.
The NAP health policy server evaluates the health state of the DirectAccess client, determines whether it’s compliant, and sends the results to the HRA. If the DirectAccess client is not compliant, the results include health remediation instructions.
If the health state is compliant, the HRA obtains a health certificate from the PKI and sends it to the DirectAccess client. The DirectAccess client can now create the intranet tunnel with the DirectAccess server.
If the health state is not compliant, the HRA won’t issue a health certificate. The DirectAccess client can’t create the intranet tunnel with the DirectAccess server, so access is effectively blocked. However, the DirectAccess client can access remediation servers to correct its health state.
The DirectAccess client contacts the remediation servers to receive the required updates for compliance, if needed. Once that process is complete, the DirectAccess client updates its health state information and sends it to the HRA. The HRA sends the updated health state information to the NAP health policy server. Assuming all the required updates were made, the NAP health policy server determines that the DirectAccess client is compliant and sends that results to the HRA.
The HRA then obtains a health certificate from the NAP CA and sends the health certificate to the DirectAccess client. The DirectAccess client can now use the health certificate for authentication to access the intranet through the DirectAccess server.
The result—based on a combination of Windows components—is a mobile workforce. They can now seamlessly access internal resources, while preserving the security and integrity of the internal network.
For more information on the DirectAccess with NAP solution, see the complete Solution Guide available in the TechNet Library. There are also DirectAccess with NAP Test Lab Guides available. These Test Lab Guides detail and document the all the steps required to create a working lab environment so you can demonstrate and experiment with this solution.
Build Integrated Solutions
There are also Test Lab Guides available for a number of other Windows infrastructure solutions. For example, there are Test Lab Guides for alternate configurations of the DirectAccess with NAP solution, including using the Forefront Unified Access Gateway with DirectAccess and NAP.
Start with the Base Configuration test lab, which helps you establish a baseline configuration upon which you can experiment with new solutions in a controlled environment. There are additional Test Lab Guides available based on this base configuration.
With the base configuration in place, you can explore other integrated solutions. Other test labs explore the new networking protocols IPv6 and DHCPv6. IPv6 is designed to resolve many of the problems with the current version of the Internet Protocol (known as IPv4) such as address depletion, security, auto-configuration and extensibility.
The IPv6 Test Lab Guide walks you through a demonstration of the following scenarios:
- The default behavior of IPv6 and connectivity on an IPv4-only intranet
- IPv6-based intranet connectivity using the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
- IPv6-based intranet connectivity using native IPv6 addressing
- IPv6 connectivity across a simulated IPv4-only Internet using 6to4
Once you’re feeling comfortable with IPv6, the DHCPv6 lab extension will take you step-by-step through the process of dynamically issuing and managing IPv6 addresses.
The Test Lab Guides are published on the TechNet Social platform, so they’re open to community authoring and extension. Take a look at the VPN Remote Access Test Lab for Windows Server 2008 R2 as an example. Not every organization is in a position to deploy the DirectAccess solution discussed earlier. This Test Lab Guide will walk you through deploying a more traditional VPN so remote users can establish on-demand, secured internal network connections.
The Test Lab Guide has been extended by community contributors to demonstrate the use of the Connection Manager Administration Kit (CMAK) with the VPN solution, the use of VPN Reconnect and more. Finally, expanding beyond the scope of solutions based solely on core Windows infrastructure components, there are Test Lab Guides available for a number of other infrastructure products, including System Center Service Manager 2010, Forefront Identity Manager 2010, SQL Server 2008 R2 and more.
Building integrated solutions by combining the Windows client and server platforms helps you unlock hidden potential in your existing technology investment. For more guidance on building integrated Windows solutions, visit the Test Lab Guide blog at blogs.technet.com/b/tlgs.
Joshua Hoffmanis the former editor in chief of TechNet Magazine*. He’s now an independent author and consultant, advising clients on technology and audience-oriented marketing. Hoffman also serves as editor in chief of ResearchAccess.com, a site devoted to growing and enriching the market research community. He lives in New York City.*