Published by Gyles Hodges. Modified over 9 years ago.
Working remote: what to consider, technology evolution
Session Agenda
Remote access: do we need it?
Remote access: what are the options?
Microsoft’s strategy for remote access
  – The vision: seamless, secure, ubiquitous
  – Making it real: DirectAccess & Unified Access Gateway
Q & A
Information Worker’s World Has Been Changing…
[Diagram: mobile & distributed workforce spanning the central office, branch offices and remote work]
In 2008, mobile workers will represent 26.8% of the total workforce, and that number will increase to 30.4% by 2011 (IDC, "Worldwide Mobile Worker Population 2007–2011 Forecast," Doc #209813).
Remote Access Needs
[Diagram: financial partner or field agent, project manager, employee, logistics partner and remote technician, connecting from a corporate managed laptop, home PC, unmanaged partner PC or kiosk]
Changing threat environment
IT governance
Regulatory compliance
Remote Access Options
Dialup? Too costly, limited user experience
Reverse proxy? Only Web apps
Terminal Services? Not from everywhere, TCO considerations
Traditional VPN based on IPsec – most popular
  – Limited functionality from firewalled or NAT’ed networks / not very user friendly
  – Client becomes difficult to roll out / managed devices only
  – Requires administrative installation
  – Potential security exposure by extending the network
SSL VPN
  – In-office experience from anywhere
  – Granular policy control
Next-gen IPsec VPN
  – User friendly: no more FW/NAT problems; seamless access from everywhere
  – Built into client OSs
  – Granular policy control
DirectAccess
Providing seamless, secure access to enterprise resources from anywhere
  – Provides seamless, always-on, secure connectivity to on-premise and remote users alike
  – Eliminates the need to connect explicitly to corpnet while remote
  – Facilitates secure, end-to-end communication and collaboration
  – Leverages a policy-based network access approach
  – Enables IT to easily service/secure/update/provision mobile machines whether they are inside or outside the network
Benefits Of DirectAccess
Always-on access to corpnet while roaming
No explicit user action required – it just works
Same user experience on premise and off
Simplified remote management of mobile resources as if they were on the LAN
Lower total cost of ownership (TCO) with an “always managed” infrastructure
Unified secure access across all scenarios and networks
Integrated administration of all connectivity mechanisms
Healthy, trustable host regardless of network
Fine-grain per app/server policy control
Richer policy control near assets
Ability to extend regulatory compliance to roaming assets
Incremental deployment path toward IPv6
DirectAccess Technologies
Microsoft Windows 7 clients
Microsoft Windows Server 2008 DirectAccess Server
IPv6
IPsec v6
Tunneling protocols
  – 6to4
  – Teredo
  – IP-HTTPS
NAT-PT devices
[Diagram: DirectAccess Server sits between the Internet and the Intranet; a compliant client reaches the enterprise network over IPsec/IPv6, and intranet users likewise use IPsec/IPv6]
Assume the underlying network is always insecure
Redefine the CORPNET edge to insulate the datacenter and business-critical resources
Tunnel over IPv4 (UDP, HTTPS, etc.)
Security policies based on identity, not location
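As an added illustration (not from the deck), the Python below shows what a defender can read out of a DirectAccess client's IPv6 source address when correlating DA or IPsec logs with IPv4 firewall logs: Teredo (RFC 4380) and 6to4 (RFC 3056) addresses embed the client's public IPv4 endpoint, whereas IP-HTTPS and native addresses do not. The sample addresses in the test are constructed; the IP-HTTPS prefix is deployment-specific and assumed unknown here.

```python
import ipaddress

TEREDO = ipaddress.IPv6Network("2001::/32")     # 2001:0000::/32, RFC 4380
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")  # RFC 3056

def classify_client(addr_text):
    """Return the transition transport implied by an IPv6 address and the IPv4
    endpoints embedded in it. Teredo layout (MSB first): 32-bit prefix, 32-bit
    server IPv4, 16-bit flags, 16-bit port XOR 0xFFFF, 32-bit client IPv4 XOR
    0xFFFFFFFF. 6to4 layout: 2002: followed by the client IPv4 in bits 16..47."""
    addr = ipaddress.IPv6Address(addr_text)
    raw = int(addr)
    if addr in TEREDO:
        # stdlib's IPv6Address.teredo yields (server, client) but not the port,
        # so decode the fields by hand.
        flags = (raw >> 48) & 0xFFFF
        return {
            "transport": "teredo",
            "server": str(ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)),
            # cone bit per RFC 4380; later clients randomize the other flag bits
            "cone_nat": bool(flags & 0x8000),
            "client_port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,
            "client": str(ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
        }
    if addr in SIXTOFOUR:
        return {"transport": "6to4",
                "client": str(ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF))}
    # IP-HTTPS clients get addresses from the DA server's own prefix and native
    # IPv6 clients from their ISP: nothing about the IPv4 path is in the address.
    return {"transport": "native-or-ip-https"}
```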
Making It Real
Extend access to line-of-business servers with IPv4-only support?
Access for down-level and non-Windows clients?
Scalability and management?
Deployment and administration?
Hardened edge solution?
UAG & DA Solution Architecture
UAG History and Evolution
[Diagram labels: Protection, Access]
UAG Product "Stack"
Application Access Management: wizard-driven configuration for core scenarios allowing easy implementation and enforcement of granular policies; Web-based monitoring and control across arrays.
Reverse Proxy: intelligent URL rewriting and manipulation engine to simplify publishing.
SSL VPN Tunneling + DA: multiple tunnels providing access for non-Web applications.
Policy and Security
Application Intelligence: optimizers for core, common scenarios enabling security and functionality.
End Point Detection: client and deep policies for security health assessment.
How UAG works
[Diagram: Web applications, legacy applications and client-server applications published through UAG]
Authenticated user?
Allowed application?
Allowed device?
Allowed request?
Secure connection
Client-side caching?
“Good” URL?
UAG Networking Options
Client
DirectAccess (next-gen IPsec VPN)
SSL VPN options
  – HTTP(S) apps
  – SSL port forwarding (SSL Wrapper)
  – SSL socket forwarding (Socket Forwarder)
  – SSL network tunneling (SSTP)
UAG Client Components
Component Manager
Session Clean-up
Client Trace Utility
Endpoint Detection
SSL Wrapper
SSL Wrapper (Java Applet)
Socket Forwarder (LSP, NSP)
Network Connector
Quarantine Enforcement
Dynamic User Session
[Diagram: financial partner or field agent, project manager, employee, logistics partner and remote technician, on a corporate laptop, home PC, kiosk or unmanaged partner PC]
Each user session is determined by access policies that relate to the user, the device, and the resources.
User Experience – UAG Portals
Endpoint Security
Uses client-side scripting for detection to generate variables that describe client properties:
  – AV running / AV up-to-date
  – Personal firewall
  – Host IDS running
  – Processes running / not running
  – Registry entries
  – Custom
The variables are uploaded as a chunk of XML data, and ASP policy expressions are evaluated on the UAG.
Results are stored in the UAG Session Manager service.
Various components in UAG query the Session Manager:
  – The filter web site (for download/upload/restricted-zones blocking functionality)
  – The PortalHomePage (to decide which links to display, gray out, etc.)
User Authentication
Front-end authentication
  – Most authentication services supported OOB: Active Directory; other LDAP (Novell, Sun, IBM, …); RADIUS/TACACS; ADFS; custom
  – Multiple auth services can be used to control access: at logon, or on the fly (application access)
User Authentication
Back-end authentication
  – SSO: credential replay, KCD, custom
Coarse-grained Authorization
User-based
  – Access to each application can be granted to selected users/groups
  – Users and groups defined in external authentication services
Fine-grained Authorization
Policy-based
  – Application functionalities enabled/disabled according to output from the endpoint security check
      Sending email with attachments through OWA not allowed if AV not running
      Downloading documents from SharePoint not permitted if client is not “certified”
Enabled by “Application Intelligence”
  – Built-in application knowledge
  – MS SharePoint, Outlook Web Access, Dynamics CRM…
  – SAP Enterprise Portal
  – Lotus Notes (iNotes, Native, DOLS)
  – Lotus Sametime
  – Documentum eRoom
  – …other
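To make the endpoint-security flow from the Endpoint Security slide and this one concrete (variables uploaded as XML, policy expressions evaluated on the UAG, features enabled or disabled per session), here is an added Python example that is not UAG code: the XML layout, the variable names and the Python-style expression syntax are assumptions standing in for UAG's real payload and ASP expressions. The point it adds is the fail-closed behaviour: a policy that references a variable the client never reported, or that contains anything but and/or/not over variable names, denies the feature.

```python
import ast
import xml.etree.ElementTree as ET  # endpoint data is untrusted: prefer defusedxml in production

# Constructed sample of what the client-side detection script uploads (layout is
# hypothetical, not UAG's real XML). "1" means the check passed on the client.
SAMPLE_ENDPOINT_XML = """<endpoint>
  <var name="AV_RUNNING">1</var>
  <var name="AV_UPTODATE">0</var>
  <var name="HOST_IDS_RUNNING">0</var>
  <var name="CERTIFIED">0</var>
  <var name="KIOSK">0</var>
</endpoint>"""

# Feature -> policy (Python and/or/not syntax standing in for UAG's ASP expressions).
POLICIES = {
    "owa.send_attachments": "AV_RUNNING",  # the slide's OWA example
    "sharepoint.download": "CERTIFIED or (AV_RUNNING and AV_UPTODATE and HOST_IDS_RUNNING)",
    "portal.browse": "not KIOSK",
    "portal.file_upload": "AV_RUNNING and DISK_ENCRYPTED",  # client never reports this var
}

def parse_endpoint_vars(xml_text):
    """Map each <var name=...> to a bool; anything other than "1" counts as failed."""
    root = ET.fromstring(xml_text)
    return {n.get("name"): (n.text or "").strip() == "1"
            for n in root.findall("var") if n.get("name")}

def evaluate(expr, env):
    """Evaluate a boolean policy over env without eval(): only and/or/not and names."""
    def walk(node):
        if isinstance(node, ast.BoolOp):
            vals = [walk(v) for v in node.values]  # no short-circuit: every var must exist
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.Name):
            return env[node.id]  # KeyError if the client never reported this variable
        raise ValueError(f"disallowed syntax in policy: {type(node).__name__}")
    return walk(ast.parse(expr, mode="eval").body)

def evaluate_session(xml_text):
    """Feature -> allowed; a policy that cannot be evaluated fails closed (denied)."""
    env = parse_endpoint_vars(xml_text)
    def decide(expr):
        try:
            return bool(evaluate(expr, env))
        except (KeyError, ValueError, SyntaxError):
            return False
    return {feature: decide(expr) for feature, expr in POLICIES.items()}
```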
Session Clean-up
UAG wipes session data when the session ends
  – Transparent to end users
  – Application Optimizer: application-specific modules allow wiping additional data outside the browser’s cache
  – Application-based (Citrix bitmap cache, Lotus Notes…)
  – Extensible via custom scripts
What can be wiped
  – Files and HTML pages downloaded
  – Cookies, history information, user credentials
When it can be executed
  – User logoff, inactivity timeout
  – Crash, browser closed by user
  – Shutdown
Browser support
Windows OSs
  – Internet Explorer
  – Netscape Navigator
  – Firefox
  – Safari
Linux
  – Netscape Navigator
  – Firefox
Mac OS (10.3 and up)
  – Safari
Seamless, Secure, Ubiquitous
Q & A