RE: Anyone using Forefront UAG and Direct Access

2010-07-27 Thread Jason Gauthier
A few questions on this topic:

Applications that don't work across a DirectAccess link are those which won't 
work over IPv6. The first one I came across was the Communicator IM client. I 
think VoIP apps that rely on the SIP protocol fall into this category as well.

Are you using Forefront UAG?  My understanding was that the NAT64/DNS64 and 
Forefront UAG product complemented this so that you could access IPv4-only 
systems.

In reviewing my email with Tom Shinder, over at the DA team, he mentions that 
an IPv6-only network can be used with only DA.  However, IPv4 resources need 
the UAG to be reachable.  This doesn't specifically contradict what you are 
saying, but I'd say it's doable.

Also, internal applications that you access by IP address only will be a 
problem. This is because DirectAccess makes its routing decisions based on name 
resolution, not IP destination. Say your corporate network is using the 
10.x.x.x IPv4 address space and a domain name of internal.mycorp.com.

DNS works by IP.  How can you reach the DNS servers if what you are saying 
above is true?

Thanks!

Jason

-Original Message-
From: Malcolm Reitz [mailto:malcolm.re...@live.com] 
Sent: Monday, July 26, 2010 10:13 AM
To: NT System Admin Issues
Subject: RE: Anyone using Forefront UAG and Direct Access

Smart cards are optional for DirectAccess, not required. What I was trying 
(poorly) to say was that Microsoft's internal implementation of DirectAccess is 
set up to require smart card authentication (e.g. MSFT employees must use smart 
cards). Our DirectAccess implementation currently does not require the users to 
have a smart card. Smart cards (we use .NET cards - Gemalto is the major vendor 
in the market) are quite a useful security tool, but they require a 
distribution/maintenance infrastructure that complicates their use.

Applications that don't work across a DirectAccess link are those which won't 
work over IPv6. The first one I came across was the Communicator IM client. I 
think VoIP apps that rely on the SIP protocol fall into this category as well.

Also, internal applications that you access by IP address only will be a 
problem. This is because DirectAccess makes its routing decisions based on name 
resolution, not IP destination. Say your corporate network is using the 
10.x.x.x IPv4 address space and a domain name of internal.mycorp.com. You can 
tell DirectAccess to send all traffic to *.internal.mycorp.com over the tunnel 
to your corporate network, but you can't tell it to route all traffic to any 
10.x.x.x address across the tunnel. The only way around this is to force all 
communications across the tunnel (that is, disable split-tunneling). 
Unfortunately, this has performance implications, as it makes DirectAccess use 
a less-efficient protocol and increases the load on the DirectAccess servers, 
not to mention it sends all Internet-bound traffic from the client the long 
way through the corporate network and out the corporate Internet connection.

Hope that makes sense...

-Malcolm
-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Friday, July 23, 2010 17:43
To: NT System Admin Issues
Subject: Re: Anyone using Forefront UAG and Direct Access

O...

Actual field experience!

Did not know about the smart card requirement. That's good to know.
What smart card technology are you using, if you can say?

What kind of apps have you run into that don't play nice with it?

Kurt

On Fri, Jul 23, 2010 at 13:29, Malcolm Reitz malcolm.re...@live.com wrote:
 I won’t say DirectAccess is just another VPN, because it isn’t, but it 
 is a VPN technology with pretty robust security. It isn’t an easy 
 setup, as it requires working with IPv6 and certificates; however, 
 once it is running, it is really slick in operation. Just connecting 
 your laptop to the Internet and being instantly able to map corporate 
 file shares and open intranet web apps or RDP sessions is great.
 Downsides to it are that not everything works with it, as not 
 everything plays nice with IPv6, and the hardware requirements are 
 more significant than for a traditional IPsec VPN. It also only works with 
 Windows 7 clients.



 Microsoft has enhanced security on their DirectAccess implementation 
 by requiring their people to use smart cards for DirectAccess authentication.
 We may do that as well.



 I can say that everyone using my DirectAccess POC setup is liking it so far.
 Because of its “always on” nature, I think it will be a great boon to 
 our management of remote computers (they'll always be connected for 
 patching, AV updates, inventory, etc.).



 -Malcolm



 From: Brumbaugh, Luke [mailto:luke.brumba...@butlerschein.com]
 Sent: Friday, July 23, 2010 14:51
 To: NT System Admin Issues
 Subject: Anyone using Forefront UAG and Direct Access



 Thoughts?

 Is it a big security hole?





 Luke L. Brumbaugh

 Network Engineer

 Butler Animal Health Supply

 Ph:(614) 659-1736

RE: Anyone using Forefront UAG and Direct Access

2010-07-27 Thread Malcolm Reitz
First - There's more to it than just translating IPv4 addresses to IPv6 and 
back. Let me rephrase my statement and see if this works any better: 
Applications that depend on protocol implementations (such as the version of 
SIP used in MS Communicator) which don't work over IPv6 will not work over 
DirectAccess.  In this case, you could have a completely IPv6-only local area 
network, with no DirectAccess involved, and Communicator will still not work.

Second - DirectAccess clients are supplied with a Name Resolution Policy Table. 
In the NRPT, you tell the client: if you are looking to resolve a 
*.internal.mycorp.com name, use these (internal) DNS servers and, by extension, 
route the traffic to that address across the secure intranet tunnel. So, by 
supplying the client with a name, you've given DirectAccess the information it 
needs to determine if the destination desired is through the intranet tunnel or 
to the outside world. If you only supply your client with an IP address, the 
lack of a name to resolve means the NRPT isn't consulted and DirectAccess 
assumes the destination to be in the outside world.

The Cable Guy blog on TechNet has a lot of good discussion on these topics and 
DirectAccess in general.
http://technet.microsoft.com/en-us/library/ff576611.aspx 

-Malcolm
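To make the NRPT description above concrete, and to tie it to the IP-address and split-tunneling point from the July 26 message and to the "DNS works by IP" question, here is an added, constructed Python model of the client-side decision. It is not code from this thread and not Microsoft's implementation; the rule shapes, the 2001:db8 resolver addresses, the host names and the exemption entry are all assumptions. The one thing it is built to show is that the NRPT entry itself names the intranet DNS servers by address (which is how the resolver is reachable through the tunnel), that a matched name follows that rule, and that a raw 10.x.x.x literal never consults the table.

```python
"""Toy model of the client-side decision Malcolm describes: the Name Resolution
Policy Table (NRPT) maps a DNS namespace to the intranet DNS servers (given by
IPv6 address, so the resolver itself is reached through the tunnel), and the
traffic for a matched name follows it across the tunnel.  A bare IP literal
never consults the NRPT, so it goes to the Internet unless force tunneling is
on.  Constructed example for this thread; not Microsoft's implementation.
Rule shapes, addresses and host names are assumptions."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class NrptRule:
    # ".internal.mycorp.com" is a suffix rule; "nls.internal.mycorp.com" is an
    # exact-name rule.  (Assumed syntax, loosely following NRPT's own entries.)
    namespace: str
    # Intranet DNS servers for that namespace.  An empty tuple models an NRPT
    # exemption: the name is resolved by the interface's normal DNS servers.
    dns_servers: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Decision:
    path: str                             # "tunnel" or "internet"
    resolver: Optional[Tuple[str, ...]]   # NRPT DNS servers, or None for local DNS
    reason: str


class DirectAccessClient:
    def __init__(self, rules: Iterable[NrptRule], force_tunneling: bool = False):
        self.rules = list(rules)
        self.force_tunneling = force_tunneling

    @staticmethod
    def _is_ip_literal(dest: str) -> bool:
        try:
            ipaddress.ip_address(dest)
        except ValueError:
            return False
        return True

    def _lookup(self, name: str) -> Optional[NrptRule]:
        """Longest match wins, so an exact-name exemption beats the suffix rule
        that also covers it."""
        name = name.lower().rstrip(".")
        best = None
        for rule in self.rules:
            ns = rule.namespace.lower()
            hit = name.endswith(ns) if ns.startswith(".") else name == ns
            if hit and (best is None or len(ns) > len(best.namespace)):
                best = rule
        return best

    def classify(self, dest: str) -> Decision:
        # With split tunneling disabled, everything not matched below still
        # goes through the tunnel; that is the "force all communications
        # across the tunnel" option from the thread.
        default = "tunnel" if self.force_tunneling else "internet"
        if self._is_ip_literal(dest):
            return Decision(default, None, "IP literal: no name, NRPT not consulted")
        rule = self._lookup(dest)
        if rule is None:
            return Decision(default, None, "no NRPT match: resolved by local DNS")
        if not rule.dns_servers:
            return Decision(default, None,
                            f"NRPT exemption {rule.namespace!r}: resolved by local DNS")
        return Decision("tunnel", rule.dns_servers,
                        f"NRPT rule {rule.namespace!r}: resolved by intranet DNS over the tunnel")


# Constructed policy: intranet resolvers in the 2001:db8::/32 documentation
# prefix, one suffix rule for the corporate namespace, one exemption.
INTRANET_DNS = ("2001:db8:1::53", "2001:db8:1::54")
NRPT = [
    NrptRule(".internal.mycorp.com", INTRANET_DNS),
    NrptRule("nls.internal.mycorp.com"),   # exemption: resolve like any public name
]

# Constructed destinations: an intranet host by name, the same kind of host by
# raw 10.x.x.x address, an IPv6 literal, a public site and the exempted name.
TARGETS = [
    "fileserver.internal.mycorp.com",
    "10.20.30.40",
    "2001:db8:1::10",
    "www.example.com",
    "nls.internal.mycorp.com",
]


def paths(force_tunneling: bool = False) -> dict:
    """Path chosen for each constructed target under the given tunneling mode."""
    client = DirectAccessClient(NRPT, force_tunneling)
    return {t: client.classify(t).path for t in TARGETS}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"force tunneling = {mode}")
        client = DirectAccessClient(NRPT, mode)
        for target in TARGETS:
            d = client.classify(target)
            print(f"  {target:32} -> {d.path:8} {d.reason}")
```

Run it directly to print both modes side by side. The 10.20.30.40 row is the case Malcolm warns about: with split tunneling on it leaves through the local Internet connection, even though the same host reached by its *.internal.mycorp.com name is resolved by the intranet DNS servers and tunneled; only force tunneling changes that, at the cost he describes.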


RE: Anyone using Forefront UAG and Direct Access

2010-07-27 Thread Jason Gauthier
Awesome! Great information and thanks for the elaboration.

Are you using Forefront TMG?  I'm kind of irked right now about the fact I 
can't get IPv6 traffic to flow through it.
It doesn't even allow me to put IPv6 addresses on the Internal/Trusted 
network.




RE: Anyone using Forefront UAG and Direct Access

2010-07-26 Thread Maglinger, Paul
I need to tuck this one away for the next... what is it called?
Va-ca-tion?  Right along with Clubber Lang's instructions for removing
yourself from the Exchange list.  Priceless...

 

From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Sent: Saturday, July 24, 2010 8:40 AM
To: NT System Admin Issues
Subject: RE: Anyone using Forefront UAG and Direct Access

 

Best. OoO. Reply. Ever.

 

-sc

 

From: Brumbaugh, Luke [mailto:luke.brumba...@butlerschein.com] 
Sent: Friday, July 23, 2010 3:53 PM
To: NT System Admin Issues
Subject: FW: Anyone using Forefront UAG and Direct Access

 

This is a new one, 22 OOO's and this.

 

From: greg.swe...@actsconsulting.net
[mailto:greg.swe...@actsconsulting.net] 
Sent: Friday, July 23, 2010 3:51 PM
To: Brumbaugh, Luke
Subject: Automatic reply: Anyone using Forefront UAG and Direct Access

 

Warning...If you see a blond headed, pale white man wandering around
mumbling comments about ISCSI, server migrations, ticket SLA's and has a
crazed look in his eyes...do not attempt to apprehend this man.   He has
escaped from his job and is thought to be attempting what was once known
as vacation.  This is a long ago forgotten ritual and we don't know what
to expect from him.  Best course of action is to offer him a coke and a
smile and back away slowly.   Rumor has it that vacations lasted a week
so you might try to reach him on the 26th.   We have no further
information on this man but his team can be reached at 813-657-0849 and
can handle any issues while Greg is missing.



**

CONFIDENTIALITY NOTICE - The information transmitted in this message is
intended only for the person or entity to which it is addressed and may
contain confidential and/or privileged material. Any review,
retransmission, dissemination or other use of this information by
persons or entities other than the intended recipient is prohibited. If
you received this in error, please contact the sender and destroy all
copies of this document. Thank you.

Butler Schein Animal Health

** 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

Re: Anyone using Forefront UAG and Direct Access

2010-07-26 Thread Andrew S. Baker
Indeed. :)

-ASB: http://XeeSM.com/AndrewBaker



RE: Anyone using Forefront UAG and Direct Access

2010-07-26 Thread Malcolm Reitz
Smart cards are optional for DirectAccess, not required. What I was trying 
(poorly) to say was that Microsoft's internal implementation of DirectAccess is 
set up to require smart card authentication (e.g. MSFT employees must use smart 
cards). Our DirectAccess implementation currently does not require the users to 
have a smart card. Smart cards (we use .NET cards - Gemalto is the major vendor 
in the market) are quite a useful security tool, but they require a 
distribution/maintenance infrastructure that complicates their use.

Applications that don't work across a DirectAccess link are those which won't 
work over IPv6. The first one I came across was the Communicator IM client. I 
think VoIP apps that rely on the SIP protocol fall into this category as well.

Also, internal applications that you access by IP address only will be a 
problem. This is because DirectAccess makes its routing decisions based on name 
resolution, not IP destination. Say your corporate network is using the 
10.x.x.x IPv4 address space and a domain name of internal.mycorp.com. You can 
tell DirectAccess to send all traffic to *.internal.mycorp.com over the tunnel 
to your corporate network, but you can't tell it to route all traffic to any 
10.x.x.x address across the tunnel. The only way around this is to force all 
communications across the tunnel (that is, disable split-tunneling). 
Unfortunately, this has performance implications, as it makes DirectAccess use 
a less-efficient protocol and increases the load on the DirectAccess servers, 
not to mention it sends all Internet-bound traffic from the client the long 
way through the corporate network and out the corporate Internet connection.

Hope that makes sense...

-Malcolm



Re: Anyone using Forefront UAG and Direct Access

2010-07-26 Thread Jonathan Link
I've lost those directions, could you repost for my edification? :-)


RE: Anyone using Forefront UAG and Direct Access

2010-07-26 Thread Steven M. Caesare
Oh man, that was awesome.

 

If you have it saved away... either please re-post, or send me a copy!

 

-sc

 


Re: Anyone using Forefront UAG and Direct Access

2010-07-26 Thread Kurt Buff
This does make some sense. The issue with VOIP might well be a problem
at some point - we have a Shoretel system, and it's desired at some
point to have remote folks use a soft phone remotely. I don't know if
it uses IPv4 only, or if it can use v6, or even if it uses SIP for its
native implementation. IIRC, it needs a SIP gateway to work with COTS
SIP phones, so it might not be affected by that.

I'm not terribly worried about apps that don't use name resolution, as
we don't have any. I'm actually a fan of disabling split tunneling,
but I do recognize the drawbacks - especially when remote bandwidth is
limited.

However, I have to wonder if this starts to highlight problems with
split DNS. That could prove, erm, interesting for us.

Kurt

On Mon, Jul 26, 2010 at 07:12, Malcolm Reitz malcolm.re...@live.com wrote:
 Smart cards are optional for DirectAccess, not required. What I was trying 
 (poorly) to say was that Microsoft's internal implementation of DirectAccess 
 is set up to require smart card authentication (e.g. MSFT employees must use 
 smart cards). Our DirectAccess implementation currently does not require the 
 users to have a smart card. Smart cards (we use .NET cards - Gemalto is the 
 major vendor in the market) are a quite useful security tool, but they 
 require a distribution/maintenance infrastructure that complicates their use.

 Applications that don't work across a DirectAccess link are those which won't 
 work over IPv6. The first one I came across was the Communicator IM client. I 
 think VoIP apps that rely on the SIP protocol fall in to this category as 
 well.

 Also, internal applications that you access by IP address only will be a 
 problem. This is because DirectAccess makes it routing decisions based on 
 name resolution, not IP destination. Say your corporate network is using the 
 10.x.x.x IPv4 address space and a domain name of internal.mycorp.com. You 
 can tell DirectAccess to send all traffic to *.internal.mycorp.com over the 
 tunnel to your corporate network, but you can't tell it to route all traffic 
 to any 10.x.x.x address across the tunnel. The only way around this is to 
 force all communications across the tunnel (that is, disable 
 split-tunneling). Unfortunately, this has performance implications, as it 
 makes DirectAccess use a less-efficient protocol and increases the load on 
 the DirectAccess servers, not to mention it sends all Internet-bound traffic 
 from the client the long way through the corporate network and out the 
 corporate Internet connection.

 Hope that makes sense...

 -Malcolm
 -Original Message-
 From: Kurt Buff [mailto:kurt.b...@gmail.com]
 Sent: Friday, July 23, 2010 17:43
 To: NT System Admin Issues
 Subject: Re: Anyone using Forefront UAG and Direct Access

 O...

 Actual field experience!

 Did not know about the smart card requirement. That's good to know.
 What smart card technology are you using, if you can say?

 What kind of apps have you run into that don't play nice with it?

 Kurt

 On Fri, Jul 23, 2010 at 13:29, Malcolm Reitz malcolm.re...@live.com wrote:
 I won’t say DirectAccess is just another VPN, because it isn’t, but it
 is a VPN technology with pretty robust security. It isn’t an easy
 setup, as it requires working with IPv6 and certificates, however,
 once it is running, it is really slick in operation. Just connecting
 your laptop to the Internet and being instantly able to map corporate
 file shares and open intranet web apps or RDP sessions is great.
 Downsides to it are that not everything works with it, as not
 everything plays nice with IPv6, and the hardware requirements are
 more significant than for a traditional IPsec VPN. It also only works with 
 Windows 7 clients.



 Microsoft has enhanced security on their DirectAccess implementation
 by requiring their people to use smart cards for DirectAccess authentication.
 We may do that as well.



 I can say that everyone using my DirectAccess POC setup is liking it so far.
 Because of its “always on” nature, I think it will be a great boon to
 our management of remote computers (they will always be connected for
 patching, AV updates, inventory, etc.).



 -Malcolm



 From: Brumbaugh, Luke [mailto:luke.brumba...@butlerschein.com]
 Sent: Friday, July 23, 2010 14:51
 To: NT System Admin Issues
 Subject: Anyone using Forefront UAG and Direct Access



 Thoughts?

 Is it a big security hole?





 Luke L. Brumbaugh

 Network Engineer

 Butler Animal Health Supply

 Ph:(614) 659-1736



 **

 CONFIDENTIALITY NOTICE - The information transmitted in this message
 is intended only for the person or entity to which it is addressed and
 may contain confidential and/or privileged material. Any review,
 retransmission, dissemination or other use of this information by
 persons or entities other than the intended recipient is prohibited.
 If you received this in error, please contact the sender
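
The name-based routing Malcolm describes above (the client's Name Resolution Policy Table deciding by the name an application asked for, never by destination address, so IP-literal destinations bypass the tunnel unless force tunnelling is on), as an added Python model. This is not code from the thread or from Microsoft's DirectAccess client: the rule shape, the suffix-versus-exact matching, and the sample rules (the IPv6 DNS server address and the nls exemption) are simplified assumptions constructed for illustration.

```python
"""Toy model of DirectAccess NRPT routing decisions (added example, assumptions
are marked). A connection is steered into the tunnel only when the NAME it
was opened with matches a tunnel rule; connecting by raw IP never consults NRPT."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class NrptRule:
    """One NRPT entry (simplified, assumed shape)."""
    suffix: str                                   # ".internal.mycorp.com" (suffix) or an exact FQDN
    dns_servers: List[str] = field(default_factory=list)  # resolvers reachable only over the tunnel
    exempt: bool = False                          # True: use local DNS, stay off the tunnel


def is_ip_literal(target: str) -> bool:
    """True when the application connected by address (IPv4 or IPv6) rather than by name."""
    try:
        ipaddress.ip_address(target.strip("[]"))
        return True
    except ValueError:
        return False


def match_rule(name: str, rules: List[NrptRule]) -> Optional[NrptRule]:
    """Longest-match rule selection: the most specific entry wins.
    A rule starting with '.' matches the suffix; one without matches only exactly."""
    name = name.lower().rstrip(".")
    best, best_len = None, -1
    for rule in rules:
        suffix = rule.suffix.lower().rstrip(".")
        if suffix.startswith("."):
            hit = name == suffix[1:] or name.endswith(suffix)
        else:
            hit = name == suffix
        if hit and len(suffix) > best_len:
            best, best_len = rule, len(suffix)
    return best


def route(target: str, rules: List[NrptRule], force_tunnel: bool = False) -> str:
    """Where does a connection to `target` go: 'tunnel' or 'direct'?"""
    if force_tunnel:
        return "tunnel"            # split tunnelling disabled: everything goes in
    if is_ip_literal(target):
        return "direct"            # no name lookup happened, so NRPT is never consulted
    rule = match_rule(target, rules)
    if rule is None or rule.exempt:
        return "direct"
    return "tunnel"


def example_rules() -> List[NrptRule]:
    """Constructed rules for the thread's internal.mycorp.com scenario."""
    return [
        NrptRule(".internal.mycorp.com", ["2001:db8:1::53"]),  # constructed IPv6 DNS address
        NrptRule("nls.internal.mycorp.com", exempt=True),      # assumed exemption, more specific
    ]


if __name__ == "__main__":
    rules = example_rules()
    for target in ["fileserver.internal.mycorp.com", "nls.internal.mycorp.com",
                   "10.20.30.40", "www.example.com"]:
        print(f"{target:32} split: {route(target, rules):7} "
              f"forced: {route(target, rules, force_tunnel=True)}")
```

Running the script prints one line per destination; the 10.20.30.40 row is the case Malcolm warns about: it only enters the tunnel when force tunnelling is on. On a real Windows 7 client the effective table can be inspected with `netsh namespace show effectivepolicy`, which is the quickest way to confirm which suffixes are actually being steered.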

RE: Anyone using Forefront UAG and Direct Access

2010-07-24 Thread Steven M. Caesare
Best. OoO. Reply. Ever.

 

-sc

 

From: Brumbaugh, Luke [mailto:luke.brumba...@butlerschein.com] 
Sent: Friday, July 23, 2010 3:53 PM
To: NT System Admin Issues
Subject: FW: Anyone using Forefront UAG and Direct Access

 

This is a new one, 22 OOO's and this.

 

From: greg.swe...@actsconsulting.net
[mailto:greg.swe...@actsconsulting.net] 
Sent: Friday, July 23, 2010 3:51 PM
To: Brumbaugh, Luke
Subject: Automatic reply: Anyone using Forefront UAG and Direct Access

 

Warning...If you see a blond headed, pale white man wandering around
mumbling comments about ISCSI, server migrations, ticket SLA's and has a
crazed look in his eyes...do not attempt to apprehend this man.   He has
escaped from his job and is thought to be attempting what was once known
as vacation.  This is a long ago forgotten ritual and we don't know what
to expect from him.  Best course of action is to offer him a coke and a
smile and back away slowly.   Rumor has it that vacations lasted a week
so you might try to reach him on the 26th.   We have no further
information on this man but his team can be reached at 813-657-0849 and
can handle any issues while Greg is missing.




~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: Anyone using Forefront UAG and Direct Access

2010-07-24 Thread Erik Goldoff
+1

I forwarded that to folks on my current contract last week …

 

Erik Goldoff

IT  Consultant

Systems, Networks,  Security 

'  Security is an ongoing process, not a one time event ! '

From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Sent: Saturday, July 24, 2010 9:40 AM
To: NT System Admin Issues
Subject: RE: Anyone using Forefront UAG and Direct Access

 

Best. OoO. Reply. Ever.

 

-sc

 


RE: Anyone using Forefront UAG and Direct Access

2010-07-24 Thread Ziots, Edward
Honestly, 

 

I think we should frame that one in the SYSADMIN Hall of Fame.. 

 

Even I'd be scared to even try and contact Greg for anything during his
vacation time, or fear the wrath of a crazed sys admin mumbling about
how he is going to route his iSCSI network using my head as a conduit...

 

Happy Saturday, 

If anyone is looking for a Windows 2008 Audit layout document, I am
doing the final touches on it this weekend, and should have something
for review next week.  I am sure it will be a nice cheat-sheet for those
that don't spill through the logs each and every day of their lives in
troubleshooting the permissions nonsense...

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: Erik Goldoff [mailto:egold...@gmail.com] 
Sent: Saturday, July 24, 2010 11:37 AM
To: NT System Admin Issues
Subject: RE: Anyone using Forefront UAG and Direct Access

 

+1

I forwarded that to folks on my current contract last week ...

 


Re: Anyone using Forefront UAG and Direct Access

2010-07-23 Thread Kurt Buff
IMHO, yes, and no.

It's basically IPSec to a gateway inside your network.

Nothing new there.

However, according to what I've read, it makes the connection at boot
time, which allows you to apply GPOs, login scripts, etc.

So, whoever gains access to the machine has access to your network.

Mitigations:

 1) Full Disk Encryption. Must have this to stymie things like
booting from a Nordahl disk to change the Administrator password,
among other things

 2) No Admin access for standard users - don't allow them to
install anything that isn't business-related and authorized. This is
where whitelisting apps is going to be critical.


There are probably other things that can and should be done, but I
believe that's the basics.

Kurt

On Fri, Jul 23, 2010 at 12:51, Brumbaugh, Luke
luke.brumba...@butlerschein.com wrote:
 Thoughts?

 Is it a big security hole?





 Luke L. Brumbaugh

 Network Engineer

 Butler Animal Health Supply

 Ph:(614) 659-1736





RE: Anyone using Forefront UAG and Direct Access

2010-07-23 Thread Malcolm Reitz
I won't say DirectAccess is just another VPN, because it isn't, but it is a
VPN technology with pretty robust security. It isn't an easy setup, as it
requires working with IPv6 and certificates, however, once it is running, it
is really slick in operation. Just connecting your laptop to the Internet
and being instantly able to map corporate file shares and open intranet web
apps or RDP sessions is great. Downsides to it are that not everything works
with it, as not everything plays nice with IPv6, and the hardware
requirements are more significant than for a traditional IPsec VPN. It also
only works with Windows 7 clients.

 

Microsoft has enhanced security on their DirectAccess implementation by
requiring their people to use smart cards for DirectAccess authentication.
We may do that as well. 

 

I can say that everyone using my DirectAccess POC setup is liking it so far.
Because of its always-on nature, I think it will be a great boon to our
management of remote computers (they will always be connected for patching, AV
updates, inventory, etc.).

 

-Malcolm

 

From: Brumbaugh, Luke [mailto:luke.brumba...@butlerschein.com] 
Sent: Friday, July 23, 2010 14:51
To: NT System Admin Issues
Subject: Anyone using Forefront UAG and Direct Access

 

Thoughts?

Is it a big security hole?

 

 

Luke L. Brumbaugh

Network Engineer

Butler Animal Health Supply

Ph:(614) 659-1736

 


