Personal understanding of how Microsoft DirectAccess products work

2025-10-26 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

Recently I have been trying to learn about Microsoft's new generation of × × technology, DirectAccess (it is not actually new; it has been available since Windows Server 2008 R2). After reading some material, I am writing up a summary to reinforce my understanding and memory. If there are mistakes, corrections are welcome!

**********************

DirectAccess establishes contact with the intranet in two stages. The first stage establishes contact with the intranet DNS servers and domain controllers (DCs). The second stage establishes contact with the intranet resources the user actually wants to access. The key differences between DirectAccess and other × × solutions are:

1. As long as the client is connected to the Internet, it automatically initiates contact with the intranet DNS and DC, so the system administrator can manage roaming clients at any time. A typical scenario is that a roaming client receives GPOs, patches and so on pushed from the intranet as soon as it has Internet connectivity.

2. The Name Resolution Policy Table (NRPT) is used to separate intranet traffic from Internet traffic.

Back to difference 1: how can the client automatically initiate contact with the intranet DNS and DC? First, it needs a discovery mechanism, which is why the concept of the Network Location Server (NLS) is introduced. The NLS is a web server on the intranet. The client first tries to reach the NLS; if it can, the client is already on the intranet and DirectAccess is not needed. If it cannot reach the NLS, it starts the two-stage process of connecting to the intranet. This is the role of the NLS shown in step 2 of the figure below.

Once discovery is done, the two stages of establishing contact with the intranet follow. Each stage involves both building a traffic channel (tunnel) and authentication. In the first stage the object being verified is the client computer, which requires the intranet's PKI to have issued a certificate to the client. In the second stage authentication is twofold, covering both the client computer and the user: it verifies the computer certificate and also authenticates the domain user's credentials (the same credentials used when the domain user logs on).

PS: the following pictures are taken from http://wenku.baidu.com/view/108a09e704a1b0717fd5dd85

PS2: I also found online an earlier experiment, "How to build a DirectAccess environment within the enterprise": http://wenku.baidu.com/link?url=jqQ_xzlSAT9I5zoJ_OFjOqN_gGAVSrSY68ItRzKvICceQLpLbewgaXeTrEzNyjnNIUksLiBj_xPzXFtQN6pIyrB2Ov5wc-RQykD16PKjdLW

At first I was reading the English books and got a little dizzy, so I went looking for the Chinese materials above. Once you understand the Chinese, the English explanation becomes much easier to follow. I am posting the English text here as a reference.

This general process can be broken down into the following specific steps:

1. The DirectAccess client computer running Windows 8, Windows 7 Enterprise, or Windows 7 Ultimate detects that it is connected to a network.

2. The DirectAccess client computer determines whether it is connected to the intranet. If the client is connected to the intranet, it does not use DirectAccess.

3. The DirectAccess client connects to the DirectAccess server by using IPv6 and IPsec.

4. If the client is not using IPv6, it will try to use 6to4 or Teredo tunneling to send IPv4-encapsulated IPv6 traffic.

5. If the client cannot reach the DirectAccess server using 6to4 or Teredo tunneling, the client tries to connect using the Internet Protocol over Hypertext Transfer Protocol Secure (IP-HTTPS) protocol. IP-HTTPS uses a Secure Sockets Layer (SSL) connection to encapsulate IPv6 traffic.

6. As part of establishing the IPsec session for the tunnel to reach the intranet DNS server and domain controller, the DirectAccess client and server authenticate each other using computer certificates for authentication.

7. If Network Access Protection (NAP) is enabled and configured for health validation, the Network Policy Server (NPS) determines whether the client is compliant with system health requirements. If it is compliant, the client receives a health certificate, which is submitted to the DirectAccess server for authentication.

8. When the user logs on, the DirectAccess client establishes a second IPsec tunnel to access the resources of the intranet. The DirectAccess client and server authenticate each other using a combination of computer and user credentials.

9. The DirectAccess server forwards traffic between the DirectAccess client and the intranet resources to which the user has been granted access.

The Name Resolution Policy Table (NRPT) is used to determine the behavior of the DNS clients when issuing queries and processing responses, so that internal resources are not exposed to the public via the Internet, and to separate traffic that isn't DirectAccess Internet traffic from DirectAccess Internet traffic. By using the NRPT, the DirectAccess clients use the intranet DNS servers for internal resources and Internet DNS for name resolution of other resources. The NRPT is managed using group policies, specifically Computer Configuration\Policies\Windows Settings\Name Resolution Policy.
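The NLS reachability check from the discovery paragraph and the NRPT lookup from the paragraph above, as a small Python model added here (not code from the original post or from Microsoft). The namespace, server addresses and the NLS exemption entry are constructed assumptions; in particular, the usual practice of listing the NLS name as an NRPT exemption so the probe never goes through the tunnel is assumed, not stated on the page.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class NrptRule:
    # A namespace starting with "." is a DNS-suffix rule; otherwise it is an exact FQDN rule.
    namespace: str
    # Intranet DNS servers to query through the tunnel; an empty tuple marks an
    # exemption, i.e. "resolve this name with the interface's normal DNS".
    dns_servers: Tuple[str, ...] = ()


def rule_matches(rule: NrptRule, name: str) -> bool:
    name = name.lower().rstrip(".")
    ns = rule.namespace.lower().rstrip(".")
    return name.endswith(ns) if ns.startswith(".") else name == ns


def best_rule(name: str, rules) -> Optional[NrptRule]:
    # The most specific (longest) matching namespace wins, so an exact-FQDN
    # exemption for the NLS overrides the broader corporate suffix rule.
    candidates = [r for r in rules if rule_matches(r, name)]
    return max(candidates, key=lambda r: len(r.namespace), default=None)


def choose_dns(name, rules, nls_reachable, interface_dns):
    """Return (path, dns_servers): where a DirectAccess client sends the query for name."""
    if nls_reachable:
        # The NLS answered: the client is on the intranet and the NRPT is not applied.
        return ("intranet", interface_dns)
    rule = best_rule(name, rules)
    if rule is None or not rule.dns_servers:
        # No rule, or an exemption: plain Internet DNS on the local interface.
        return ("internet", interface_dns)
    # Suffix matched: query the intranet DNS servers through the DirectAccess tunnel.
    return ("directaccess", rule.dns_servers)


# Constructed sample policy (assumed values): the corporate suffix goes through the
# tunnel, the NLS name is exempted so the reachability probe never uses the tunnel.
INTRANET_DNS = ("2001:db8:1::53",)
SAMPLE_RULES = (
    NrptRule(".corp.example.com", INTRANET_DNS),
    NrptRule("nls.corp.example.com"),
)

if __name__ == "__main__":
    for host in ("fileserver.corp.example.com", "nls.corp.example.com", "www.example.com"):
        print(host, "->", choose_dns(host, SAMPLE_RULES, False, ("192.0.2.53",)))
```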
