Secure Flexible & Remote Working with Unified Access Gateway
Bill Orme, Microsoft Corporation, orme@microsoft.com
Vision: Provide unified, seamless, secure anywhere access for enterprises
"Increasingly, people envision a world of anywhere access - a world in which the information, the communities, and the content that they value is available instantly and easily, no matter where they are." Bill Gates, Enabling Secure Anywhere Access in a Connected World, Feb 2007
What is UAG? Unified Access Gateway is the next version of Intelligent Application Gateway (IAG), with a vision and mission to provide managed, unmanaged and mobile devices with unified secure anywhere access to on-premise and in-the-cloud applications. It also unites all Microsoft access gateways into a single solution platform.
Customer Needs
• Secure Access from Managed and Unmanaged Devices
• Simplified and Granular Access Control
• Application Interoperability Outside the Corporate Network
• Full Enablement of Mobile Devices
• Two-factor authentication for all applications
Challenges and Concerns?
• Demand for access: Many access points; Various devices; Intranet/Extranet
• Escalating threats: More advanced; More frequent; Profit motivated
• Fragmented technology: Point products; Poor interoperability; Lack of integration
• Difficult to manage: Multiple security consoles; Complex reporting and analysis; Granular policy hard to deploy
Security & Access Solution Requirements: Comprehensive, Integrated, Simplified
Security requirements based on policy
• Who gets access?
• What do they get access to?
• What can they do with it?
• Can we protect our infrastructure and application servers?
• Detach security policies from technology solutions
Changing Security Requirement Perceptions: What (Data), Where (Device), Who (Identity)
Connectivity Approach
Each session is tailored according to its user and the device in use, maximizing security and productivity for that session. The gateway sits between internal and external users on managed and unmanaged devices and the private resources they reach. User and device combinations shown on the slide:
• Financial Partner or Field Agent on a Home PC
• Logistics Partner on a Kiosk
• Project Manager (Employee) on a Corporate Managed Laptop
• Remote Technician (Employee) on an Unmanaged Partner PC
UAG Solution Architecture
• Published applications: Exchange, CRM, SharePoint, IIS based, IBM, SAP, Oracle
• Client populations: Employees on managed machines; Business Partners / Sub-Contractors; Mobile; Home / Friend / Kiosk; Non-Windows; connecting from the Internet / home / hotel / other company
• Transports: HTTPS / HTTP, TS, HTTPS (443), DirectAccess, Non web
• Gateway functions: Authentication, End-point health detection, Information Leakage Prevention, Enterprise Readiness, Edge Ready
• Identity back ends: AD, ADFS, RADIUS, LDAP...
• Applications hosted in the Data Center / Corporate Network
Control, Protect, Safeguard: Secure Application Access
Clients (Mobile Devices, Laptops, Kiosks) connect through the External Firewall to the Intelligent Application Gateway™ on port 443, which fronts the data resources (SQL Server, Active Directory, File Shares, ISA Server, IIS, Custom Applications, Intranet, SharePoint Server, Exchange Server).
• Native AD integration with strong and two-factor authentication
• Single sign-on to multiple and custom directories
• Portal defined by user identity
• Endpoint policy-defined micro-portal
• Endpoint compliance check and clean-up
• Policy-driven intranet access with ACL-level controls
• File upload / download control; .EXE identification
• Session termination & inactivity timeouts
• Web application firewall with app-specific content, command, and URL filtering
• Positive and negative-logic filtering rules
• 'Restricted zones' definitions for URLs
• Comprehensive monitoring and logging
DirectAccess – Platform
Diagram: a managed Windows 7 client with always-on IPv6 connectivity to the DirectAccess Server.
• Comprehensive anywhere access solution available in Windows 7 and Windows Server 2008 R2
• Provides seamless, always-on, secure connectivity to on-premise and remote users alike
• Eliminates the need to connect explicitly to the corporate network while remote
• Facilitates secure, end-to-end communication and collaboration
• Leverages a policy-based network access approach
• Enables IT to easily service/secure/update/provision mobile machines whether they are inside or outside the network
DirectAccess – Solution
UAG and DirectAccess better together:
• Extends access to line of business servers with IPv4 support
• Access for down level and non Windows clients
• Enhances scalability and management
• Simplifies deployment and administration
• Hardened Edge Solution
Diagram: managed Windows 7 clients reach the DirectAccess Server over always-on IPv6; unmanaged Vista/XP clients and non-Windows + PDA clients (IPv4) reach UAG over SSL VPN; UAG extends support to IPv4 servers.
• UAG provides access for down level and non Windows clients
• UAG enhances scale and management with integrated LB and array capabilities
• UAG improves adoption and extends access to existing infrastructure
• UAG is a hardened edge appliance available in HW and virtual options
• UAG uses wizards and tools to simplify deployments and ongoing management
IAG 2007 Feature
Instead of the application handling the "checklist" individually, IAG features are overlaid for each resource.
• Users shown: Financial Partner, Field Sales Rep, Project Manager (Employee), Remote Technician
• Devices shown: Unmanaged Partner PC, Corporate Laptop, Home PC, Kiosk
• Overlaid features: Encryption, Endpoint Scan, Authentication, Access Control, URL Translation, SSL VPN, Cache Cleaning
IAG / UAG Feature Comparison
Features of IAG 2007 (carried into UAG):
• Application Intelligence and Publishing
• End Point Security
• SSL Tunneling
• Information Leakage Prevention
• Robust Authentication Support (KCD, ADFS, OTP)
• Product Certification (Common Criteria, ICSA)
New in UAG:
• NAP Integration
• Terminal Services Integration
• Array Management
• Enhanced Management and Monitoring (MOM Pack)
• Enhanced Mobile Solutions
• New and Customizable User Portal
• Wizard Driven Configuration
• DirectAccess and SSTP Integration
Microsoft Confidential Detailed Feature Set
IAG System Architecture
• Authentication sources: Active Directory®, RADIUS, TACACS+, Novell eDirectory®, Sun Netscape LDAP, HTTP authentication, "Other" (API), ...
• Intelligent Application Gateway components: Session/User Manager, HAT, Content Inspection, Policy Engine, SSL VPN, User Interaction Pages
• Platform stack: Internet Information Server, Internet Security & Acceleration Server, Windows Server 2003 R2
• Deployment: Ext. NIC / Int. NIC on Appliance Hardware or Hyper-V VHD
• Published applications: web apps, client/server apps, other apps, VoIP etc.
UAG Architecture
• End Point Detection: Client and deep policies for security health assessment
• Application Intelligence: Optimizers for core, common scenarios enabling security and functionality
• SSL VPN Tunneling: Multiple tunnels providing access for non web applications
• Reverse Proxy: Intelligent URL rewriting and manipulation engine to simplify publishing
• Application Access Policy and Security Management: Wizard driven configuration for core scenarios allowing easy implementation and enforcement of granular policies. Web based monitoring and control across arrays.
• Consolidated Gateways: TS Gateway, ADFS Proxy, RRAS
• Deployment: Ext. NIC / Int. NIC on Appliance Hardware, Hyper-V VHD or MSI
What kind of Applications are supported/published? Virtually every application
• Web Applications – Assumed
• Non-Web/Native Applications
• Provide Full Network Connectivity
Authentication & Authorization
• Active Directory
• LDAP
• TACACS
• RADIUS
• RSA
• Smart Card
• Certificates
• Etc., using IAG Hooks
Multi Layer Security Model (ON&OFF)
• Endpoint Security
• Single Sign-On
• Multi Factor Authentication
• Authentication on Demand
• Group Authorization
• Access Policy and Control
• Data Cleaning - Attachment Wiper
• Integrated Application Firewall
• Granular Access Control
To know more about our next version “UAG” please visit http://microsoft.com/uag