
My Own Understanding of How Microsoft DirectAccess Works

Published: 2020-07-13 21:40:23 Source: Web Views: 956 Author: 619713903 Category: Network Security

Recently I tried to get a grasp of Microsoft's new-generation VPN technology, DirectAccess (it is not actually that new; it has existed since Windows Server 2008 R2). I read some material and am now writing up a summary to reinforce my understanding and memory. If I have got something wrong, corrections are welcome!


**********************


While operating, DirectAccess goes through two successive phases of establishing contact with the intranet. The first phase establishes contact with the intranet DNS servers and domain controllers (DC). Only in the second phase does it establish contact with the intranet resources the user actually wants to reach. The key differences between DirectAccess and other VPN solutions are:

1.    As soon as the client is connected to the Internet, it automatically initiates contact with the intranet DNS and DC, so system administrators can manage roaming clients at any time. A typical scenario: a roaming client, as soon as it is on the Internet, receives the GPOs, patches and so on pushed out from the intranet.

2.    It uses the Name Resolution Policy Table (NRPT) to separate intranet traffic from Internet traffic.


Back to difference 1: how can contact with the intranet DNS and DC be initiated automatically? First, a discovery mechanism is needed. For this, the concept of the Network Location Server (NLS) is introduced. The NLS is a web server on the corporate intranet. The client first tries to reach the NLS; if it can, that indicates DirectAccess is already working. If it cannot reach the NLS, the two-phase process of establishing contact with the intranet begins. In other words, the role of the NLS corresponds to step 2 in the figure below.


Only after discovery do the two phases of establishing contact with the intranet begin. Establishing contact involves two things: building the traffic tunnel and performing authentication. In the first phase the object of authentication is the client computer, which requires the intranet PKI to issue certificates to clients. In the second phase both the client computer and the user are authenticated: in addition to verifying the computer certificate, the domain user's credentials are authenticated (the same verification that happens when a domain user logs on).


PS: the images below are taken from http://wenku.baidu.com/view/108a09e704a1b0717fd5dd85

PS2: I found an earlier lab write-up online, "How to Build a DirectAccess Environment Inside an Enterprise" (《如何在企業內部構建Direct Access環境》): http://wenku.baidu.com/link?url=jqQ_xzlSAT9I5zoJ_OFjOqN_gGAVSrSY68ItRzKvICceQLpLbewgaXeTrEzNyjnNIUksLiBj_xPzXFtQN6pIyrB2Ov5wc-RQykD16PKjdLW

[Figure: DirectAccess connection process diagram (image not preserved)]

I started with an English book and found it somewhat confusing, so I later searched for the Chinese material above. Once I had understood the Chinese, the English explanation became much easier to follow. I am pasting the English here as a reference as well.


This general process can be broken down into the following specific steps:

1. The DirectAccess client computer running Windows 8, Windows 7 Enterprise, or Windows 7 Ultimate detects that it is connected to a network.

2. The DirectAccess client computer determines whether it is connected to the intranet. If the client is connected to the intranet, it does not use DirectAccess.

3. The DirectAccess client connects to the DirectAccess server by using IPv6 and IPsec.

4. If the client is not using IPv6, it will try to use 6to4 or Teredo tunneling to send IPv4-encapsulated IPv6 traffic.

5. If the client cannot reach the DirectAccess server using 6to4 or Teredo tunneling, the client tries to connect using the Internet Protocol over Hypertext Transfer Protocol Secure (IP-HTTPS) protocol. IP-HTTPS uses a Secure Sockets Layer (SSL) connection to encapsulate IPv6 traffic.

6. As part of establishing the IPsec session for the tunnel to reach the intranet DNS server and domain controller, the DirectAccess client and server authenticate each other using computer certificates for authentication.

7. If Network Access Protection (NAP) is enabled and configured for health validation, the Network Policy Server (NPS) determines whether the client is compliant with system health requirements. If it is compliant, the client receives a health certificate, which is submitted to the DirectAccess server for authentication.

8. When the user logs on, the DirectAccess client establishes a second IPsec tunnel to access the resources of the intranet. The DirectAccess client and server authenticate each other using a combination of computer and user credentials.

9. The DirectAccess server forwards traffic between the DirectAccess client and the intranet resources to which the user has been granted access.


The Name Resolution Policy Table (NRPT) is used to determine the behavior of the DNS clients when issuing queries and processing so that internal resources are not exposed to the public via the Internet and to separate traffic that isn't DirectAccess Internet traffic from DirectAccess Internet traffic. By using the NRPT, the DirectAccess clients use the intranet DNS servers for internal resources and Internet DNS for name resolution of other resources. The NRPT is managed using group policies, specifically, Computer Configuration\Policies\Windows Settings\Name Resolution Policy.
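To see the two mechanisms described above (NLS-based inside/outside detection, and NRPT steering of intranet names to intranet DNS) on a real client, here is an added PowerShell diagnostic; it is not part of the original post or of Microsoft's documentation. It assumes a Windows 8 / Server 2012-era DirectAccess client with the Get-NCSIPolicyConfiguration, Get-DnsClientNrptPolicy, Get-DAConnectionStatus, Get-NetTeredoState and Get-NetIPHttpsState cmdlets available, and the function name Get-DaPhaseReport is mine.

```powershell
# Added diagnostic (not from the original post). Run on a DirectAccess client.
# Assumes the client-side cmdlets named in the lead-in exist on this Windows build.

function Test-NlsReachable {
    # Step 2 of the process: the client counts as "inside" only if the NLS
    # answers over HTTPS. A failure here is what triggers the two DA tunnels.
    param([string]$Url)
    if (-not $Url) { return $false }
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 5
        return ($r.StatusCode -eq 200)
    } catch {
        return $false
    }
}

function Get-DaPhaseReport {
    # The NLS URL is pushed to the client by Group Policy (NCSI settings).
    $nls    = (Get-NCSIPolicyConfiguration).DomainLocationDeterminationUrl
    $inside = Test-NlsReachable -Url $nls

    # NRPT (difference 2 above): namespaces steered to the intranet DNS servers.
    # Anything not listed here is resolved through the normal Internet DNS path.
    $nrpt = Get-DnsClientNrptPolicy |
        Where-Object { $_.DirectAccessDnsServers } |
        Select-Object Namespace, DirectAccessDnsServers

    # Transition technology in use for the IPv6-over-IPv4 path (steps 4-5).
    $teredo  = (Get-NetTeredoState).State
    $iphttps = Get-NetIPHttpsState | Select-Object State, LastErrorCode

    # Overall state reported by the DA client components (steps 6-8).
    $da = Get-DAConnectionStatus

    [pscustomobject]@{
        NlsUrl           = $nls
        NlsReachable     = $inside
        NrptRules        = $nrpt
        TeredoState      = $teredo
        IpHttpsState     = $iphttps.State
        IpHttpsLastError = $iphttps.LastErrorCode
        DaStatus         = $da.Status
        DaSubstatus      = $da.Substatus
    }
}

Get-DaPhaseReport | Format-List
```

When NlsReachable is true the client should report a locally connected status and no DA tunnels; when it is false but NrptRules is empty, the client has not received the NRPT policy and intranet names will leak to public DNS, which is the misconfiguration most worth catching early.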

