Modernizing your Remote Access

Presentation transcript:

BRK2317 Modernizing your Remote Access (6/20/2018 1:43 AM). Speakers: Lily Wang, Aman Arneja. © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Overview
- VPN in Windows 10
- Remote Access Scenarios
- What's new

Key Takeaways
- Available options for remote access
- Real world configuration scenarios
- New features in Windows 10

Windows 10 VPN Options
- Windows VPN Platform (inbox solution): native protocols L2TP, PPTP, SSTP and IKEv2; takes advantage of all new Windows 10 features; shares drivers with the site-to-site VPN used for servers.
- UWP VPN Plugin Platform: based on UWP APIs; available on Desktop, Phone, HoloLens, etc.
- Classic Win32: based on Win32 NDIS kernel drivers; does not take advantage of new VPN features; only available on Desktop (excluding Windows 10 S).

Remote Access Scenarios

Your remote access solution

Your VPN toolkit
- Deployment: MDM, SCCM
- On demand: Always On, App Trigger, Destination name based trigger
- Authentication: Certificate, Smart Card, WHfB auth
- Security: Traffic Filtering, Lockdown, Windows Information Protection

Scenario 1
- Always Connected: DirectAccess-like; clientless; ease of use
- Split traffic: non-corp traffic should go over the physical interface
- Simple configuration: faster initial deployment; ease of maintenance

Always On and Split Tunnel
- Always On: keeps users always connected to corp; a boolean feature.
- Split Tunnel: configure what traffic should go over the VPN interface.
(Diagram: corporate resources such as payroll and network shares are reached through the corporate network over the VPN; Netflix, Facebook and cat videos are reached on the Internet over the physical interface.)

Demo

Scenario 2
- On demand: only connected when corporate resources are needed
- Corporate namespaces: defined namespaces for corporate resources
- Connection management: reduce the number of concurrent connections

Destination Name based Trigger and Split Tunnel
- Destination Name based Trigger: only connects when configured domains are queried (for example payroll.contoso.com); the trigger can be an FQDN, a suffix or a short name.
- Split Tunnel: configure what traffic should go over the VPN interface.
(Diagram: a query for payroll.contoso.com brings up the VPN to the corporate network for payroll and network shares; Netflix, Facebook and cat videos stay on the Internet over the physical interface.)

Demo

Scenario 3
- On demand: only connected when corporate resources are needed
- Line of Business apps: uses mainly LoB apps for enterprise productivity
- Connection management: reduce the number of concurrent connections
- Restrict VPN: only configured apps send traffic over the VPN

App Trigger and Traffic Filter
- App Trigger: only connects when a configured app is launched (diagram: launching Edge or App 1 brings up the VPN to the corporate network for payroll and network shares).
- Traffic Filter: non-configured apps cannot access the VPN (diagram: Netflix, Facebook and cat videos go to the Internet over the physical interface).

Demo

Scenario 4
- On demand: only connected when LoB apps are open
- Line of Business apps: uses mainly LoB apps for enterprise productivity
- Restrict App Traffic: no app traffic is allowed to go over the physical interface

App Trigger and Traffic Filter (force tunnel for configured apps)
- App Trigger: only connects when a configured app is launched (diagram: launching Edge or App 1 brings up the VPN to the corporate network for payroll and network shares).
- Traffic Filter: configured app traffic must go through the VPN; non-configured apps cannot access the VPN (diagram: Netflix reaches the Internet over the physical interface).

Demo

Common Across Scenarios
- Authentication: certificate based; WHfB
- Deployment: trusted network detection
- Server: network settings (proxy, firewall rules, DNS, DHCP)
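Added example, not from the BRK2317 deck or from Microsoft's own scripts: a PowerShell function that renders the VPNv2 CSP ProfileXML for the user tunnel in scenarios 1 to 4 above, together with the settings listed as common across scenarios (EAP certificate or WHfB authentication, trusted network detection). The element names it emits (AlwaysOn, DomainNameInformation with AutoTrigger, AppTrigger, TrafficFilter with RoutingPolicyType ForceTunnel, TrustedNetworkDetection) are the CSP nodes that implement each scenario. vpn.contoso.com, the 10.0.0.0/8 and 172.16.0.0/12 prefixes, .contoso.com, 10.0.0.10, corp.contoso.com, the 'Contoso Template' connection name and the LobApp.exe path are constructed placeholders; Microsoft.MicrosoftEdge_8wekyb3d8bbwe is the package family name of the Windows 10 Edge app, used here as the example app.

```powershell
# Added example (not from the deck): build a VPNv2 CSP ProfileXML for a Windows 10 user tunnel
# covering the four scenarios in the talk plus the "common across scenarios" settings.
# All server names, prefixes, suffixes and app identifiers are constructed placeholders.
function New-UserTunnelProfileXml {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Server,          # VPN server FQDN (placeholder: vpn.contoso.com)
        [Parameter(Mandatory)] [string[]] $CorpPrefixes,    # prefixes routed over the tunnel, e.g. '10.0.0.0/8'
        [Parameter(Mandatory)] [string]   $EapConfigXml,    # <EapHostConfig>...</EapHostConfig> from a working cert/WHfB connection
        [string]   $DnsSuffix      = '.contoso.com',        # corporate namespace for the name-based trigger (placeholder)
        [string]   $DnsServers     = '10.0.0.10',           # DNS server for that namespace (placeholder)
        [string]   $TrustedNetwork = 'corp.contoso.com',    # connection-specific DNS suffix seen on the corp LAN (placeholder)
        [ValidateSet('AlwaysOn', 'NameTrigger', 'AppTrigger', 'AppTriggerForceTunnel')]
        [string]   $Scenario = 'AlwaysOn',
        [string[]] $AppIds = @()                            # package family name or full path of LoB apps (scenarios 3 and 4)
    )
    if ($Scenario -like 'AppTrigger*' -and $AppIds.Count -eq 0) {
        throw 'AppTrigger scenarios need at least one app identifier.'
    }

    # Scenario 1: Always On is a plain boolean; the on-demand scenarios leave it off
    $alwaysOn = ($Scenario -eq 'AlwaysOn').ToString().ToLower()

    # Split tunnel: only the listed corporate prefixes are routed over the VPN interface
    $routes = foreach ($p in $CorpPrefixes) {
        $addr, $len = $p -split '/'
        "  <Route><Address>$addr</Address><PrefixSize>$len</PrefixSize></Route>"
    }

    # Scenario 2: destination-name-based trigger; a suffix, FQDN or short name dials the VPN
    $nameTrigger = if ($Scenario -eq 'NameTrigger') {
@"
  <DomainNameInformation>
    <DomainName>$DnsSuffix</DomainName>
    <DnsServers>$DnsServers</DnsServers>
    <AutoTrigger>true</AutoTrigger>
  </DomainNameInformation>
"@
    } else { '' }

    # Scenarios 3 and 4: app trigger plus a per-app traffic filter. Filters are an allow-list,
    # so any app without one cannot use the tunnel ("Restrict VPN"). Scenario 4 adds ForceTunnel
    # so all of the configured app's IP traffic must go through the VPN interface.
    $appBlocks = foreach ($id in $AppIds) {
        if ($Scenario -like 'AppTrigger*') {
            $force = if ($Scenario -eq 'AppTriggerForceTunnel') {
                '    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>'
            } else { '' }
@"
  <AppTrigger><App><Id>$id</Id></App></AppTrigger>
  <TrafficFilter>
    <App><Id>$id</Id></App>
$force
  </TrafficFilter>
"@
        }
    }

    $xml = @"
<VPNProfile>
  <NativeProfile>
    <Servers>$Server</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap><Configuration>$EapConfigXml</Configuration></Eap>
    </Authentication>
  </NativeProfile>
  <AlwaysOn>$alwaysOn</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <TrustedNetworkDetection>$TrustedNetwork</TrustedNetworkDetection>
  <DnsSuffix>$TrustedNetwork</DnsSuffix>
$($routes -join "`n")
$nameTrigger
$($appBlocks -join "`n")
</VPNProfile>
"@
    # Fail early on malformed XML before anything is handed to the CSP
    $null = [xml]$xml
    return $xml
}

# Usage: take the EAP settings from a connection created by hand with the certificate or WHfB
# method ('Contoso Template' is a placeholder name), then render scenario 4 for Edge and a
# hypothetical LoB app path.
$eap = (Get-VpnConnection -Name 'Contoso Template').EapConfigXmlStream.InnerXml
New-UserTunnelProfileXml -Server 'vpn.contoso.com' -CorpPrefixes '10.0.0.0/8', '172.16.0.0/12' `
    -EapConfigXml $eap -Scenario AppTriggerForceTunnel `
    -AppIds 'Microsoft.MicrosoftEdge_8wekyb3d8bbwe', '%ProgramFiles%\Contoso\LobApp.exe'
```

The EAP configuration is copied from an existing connection rather than written by hand because that XML is produced by the EAP host for the chosen method. With TrustedNetworkDetection set to the corporate DNS suffix, the profile does not dial while the device is on the corporate LAN, which is the deployment consideration listed above.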

What’s new

Infrastructure tunnel
- Remote login: first time login; disabled cached credentials
- Manage out: push updates to a device regardless of user login (i.e. Windows Update, SCCM policy update, etc.)
- Always Connected: DirectAccess-like; clientless; ease of use

Infrastructure tunnel: IKEv2 with machine cert auth
- Always On as long as the device is in a wake state
- Management traffic (domain controllers, SCCM, etc.) is configurable in the profile
- Can coexist with one other active user tunnel
(Diagram: management traffic reaches the corporate network over the infrastructure tunnel; all other corporate traffic goes over the user tunnel.)
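Added example, not the deck's demo and not Microsoft's published deployment script: a device (infrastructure) tunnel profile using IKEv2 with machine-certificate authentication, limited to the management subnets the slide describes, created locally through the WMI-to-CSP bridge in the SYSTEM context. 'Contoso Device Tunnel', vpn.contoso.com, corp.contoso.com and the 10.1.0.0/24 and 10.2.0.0/24 subnets are constructed placeholders. The device tunnel requires a domain-joined Windows 10 Enterprise device on version 1709 or later and a machine certificate the VPN server trusts.

```powershell
# Added example (not from the deck): device tunnel profile, IKEv2 + machine certificate,
# deployed through the MDM_VPNv2_01 WMI bridge. Run as SYSTEM (e.g. psexec -s) on a
# domain-joined Windows 10 Enterprise device. All names and subnets are placeholders.
$ProfileName = 'Contoso Device Tunnel'                                  # placeholder
$VpnServer   = 'vpn.contoso.com'                                        # placeholder
$MgmtSubnets = [ordered]@{ '10.1.0.0' = 24; '10.2.0.0' = 24 }           # placeholders: DC and SCCM subnets

# Routes define the split tunnel; traffic filters additionally restrict the tunnel to those subnets,
# which is the "management traffic configurable in the profile" point from the slide.
$routes  = foreach ($net in $MgmtSubnets.GetEnumerator()) {
    "  <Route><Address>$($net.Key)</Address><PrefixSize>$($net.Value)</PrefixSize></Route>"
}
$filters = foreach ($net in $MgmtSubnets.GetEnumerator()) {
    "  <TrafficFilter><RemoteAddressRanges>$($net.Key)/$($net.Value)</RemoteAddressRanges></TrafficFilter>"
}

$ProfileXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication><MachineMethod>Certificate</MachineMethod></Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection>
$($routes -join "`n")
$($filters -join "`n")
</VPNProfile>
"@
$null = [xml]$ProfileXML   # fail early on malformed XML

# The CSP expects ProfileXML as an escaped string inside the node value
$escaped = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$namespace  = 'root\cimv2\mdm\dmmap'
$className  = 'MDM_VPNv2_01'
$nodeCspUri = './Vendor/MSFT/VPNv2'
$instanceId = $ProfileName -replace ' ', '%20'

$session = New-CimSession
try {
    # Remove any profile with the same name first so re-running the script is idempotent
    $existing = Get-CimInstance -Namespace $namespace -ClassName $className -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceID -eq $instanceId }
    if ($existing) { $session.DeleteInstance($namespace, $existing) }

    $instance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespace
    foreach ($prop in @(
        [Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID',   $nodeCspUri, 'String', 'Key'),
        [Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $instanceId, 'String', 'Key'),
        [Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $escaped,    'String', 'Property')
    )) { $instance.CimInstanceProperties.Add($prop) }
    $null = $session.CreateInstance($namespace, $instance)
    Write-Output "Created device tunnel profile '$ProfileName'."
} finally {
    Remove-CimSession $session
}

# Verify from the same SYSTEM context: the device tunnel is a device-scope connection
Get-VpnConnection -AllUserConnection | Where-Object Name -eq $ProfileName |
    Format-List Name, ServerAddress, TunnelType, ConnectionStatus
```

Because the tunnel authenticates with the machine certificate alone, keep the route and filter set to what domain controllers, SCCM and similar management endpoints need; the user tunnel carries everything else, as the diagram shows.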

Demo

Conditional Access for VPN: security posture detection, on-prem integration, simple configuration
- Short lived certificate
- Tied directly with MFA
- Minimal changes to existing VPN servers
- Works with all VPN servers
- Simple dashboard in the AAD portal
- Minimal addition to the VPN profile for the client
- Rich MDM based compliance policy options

Conditional Access flow (diagram)
- Components: Client (VPN Platform, Token Broker, VPN Client/Plugin, Certificate Store); Internet (VPN server); Intranet (RADIUS server); Domain; Corp. User CA.
- Labelled steps: 1. Token auth through AAD Token Broker; 2. Check compliance; steps 3 to 9 are unlabelled arrows between the Token Broker, Corp. User CA, VPN Client/Plugin, Certificate Store, VPN server and RADIUS server; 10. Authenticate user.

Conditional Access Now in Public Preview
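Added example, not from the deck: the client-side half of the Conditional Access setup described above. Add-ConditionalAccessToProfile inserts the DeviceCompliance element (the "minimal addition to the VPN profile") into an existing ProfileXML, and Get-ConditionalAccessVpnCertificate inspects the short-lived certificate that lands in the user's personal store after the token and compliance steps. The EKU OID 1.3.6.1.4.1.311.87 is the one Microsoft documents for the "AAD Conditional Access" extended key usage; matching on it is an assumption to confirm against the CA certificate downloaded from your own tenant. The sample profile string is constructed and vpn.contoso.com is a placeholder; the VPN server side (trusting the Azure AD VPN CA on the RADIUS/NPS server) is not shown.

```powershell
# Added example (not from the deck): client-side Conditional Access for a Windows 10 VPN profile.
# The EKU OID below is the documented "AAD Conditional Access" EKU; verify it against your tenant's CA.
$AadConditionalAccessEku = '1.3.6.1.4.1.311.87'

function Add-ConditionalAccessToProfile {
    # Insert <DeviceCompliance> with SSO enabled into an existing VPNv2 ProfileXML string.
    param([Parameter(Mandatory)] [string] $ProfileXml)
    [xml]$doc = $ProfileXml
    if ($doc.VPNProfile.DeviceCompliance) { return $ProfileXml }   # already configured, leave untouched

    $dc    = $doc.CreateElement('DeviceCompliance')
    $en    = $doc.CreateElement('Enabled');  $en.InnerText    = 'true'   # enables the token + compliance check
    $sso   = $doc.CreateElement('Sso')
    $ssoEn = $doc.CreateElement('Enabled');  $ssoEn.InnerText = 'true'   # reuse the short-lived cert for on-prem SSO
    $null  = $sso.AppendChild($ssoEn)
    $null  = $dc.AppendChild($en)
    $null  = $dc.AppendChild($sso)
    $null  = $doc.VPNProfile.AppendChild($dc)
    return $doc.OuterXml
}

function Get-ConditionalAccessVpnCertificate {
    # Report the certificate issued after steps 1 and 2 of the flow: it is short-lived by design,
    # so a large remaining lifetime or a failed chain check is a sign something else is in the store.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $AadConditionalAccessEku } |
        ForEach-Object {
            [pscustomobject]@{
                Subject     = $_.Subject
                Issuer      = $_.Issuer
                Lifetime    = $_.NotAfter - $_.NotBefore
                MinutesLeft = [int]($_.NotAfter - (Get-Date)).TotalMinutes
                ChainValid  = $_.Verify()
            }
        }
}

# Usage with a constructed minimal profile (placeholder server name)
$sample = '<VPNProfile><NativeProfile><Servers>vpn.contoso.com</Servers>' +
          '<NativeProtocolType>IKEv2</NativeProtocolType></NativeProfile></VPNProfile>'
Add-ConditionalAccessToProfile -ProfileXml $sample
Get-ConditionalAccessVpnCertificate | Format-Table -AutoSize
```

If Get-ConditionalAccessVpnCertificate returns nothing after a connection attempt, the device did not pass the compliance check or the token step failed, which is the posture signal the feature is designed to surface before the RADIUS server ever sees the user.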

Please evaluate this session. From your PC or tablet, visit MyIgnite: https://myignite.microsoft.com/evaluations. From your phone, download and use the Microsoft Ignite mobile app: https://aka.ms/ignite.mobileapp. Your input is important! © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
