DirectAccess requires the use of IPv6 so that DirectAccess clients have globally routable addresses. For organizations that are already using a native IPv6 infrastructure, DirectAccess seamlessly extends the existing infrastructure to DirectAccess client computers, and those client computers can still access Internet resources using IPv4.
For organizations that have not yet begun deploying IPv6, DirectAccess provides a straightforward way to begin IPv6 deployment without requiring an infrastructure upgrade. You can use the 6to4 and Teredo IPv6 transition technologies for connectivity across the IPv4 Internet and either NAT64 or ISATAP for connectivity across your IPv4-only intranet.
A NAT64 device translates IPv6 and IPv4 traffic so that DirectAccess client computers can access resources on your intranet that do not yet support IPv6. DirectAccess with UAG includes a built-in NAT64.
You can also use the ISATAP IPv6 transition technology so that DirectAccess clients can access IPv6-capable resources across your IPv4-only intranet.
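When reviewing DirectAccess connection logs, the IPv6 address itself shows which of the transition technologies above a client or resource is using and which IPv4 address sits behind it. The following is an added example, not part of the original post or of any Microsoft tooling: the `classify` function and the sample addresses are constructed here, and the NAT64 prefix defaults to the RFC 6052 well-known /96 as an assumption, so pass your own deployment's /96 prefix if it differs.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")     # 6to4 (RFC 3056)
TEREDO = ipaddress.ip_network("2001::/32")        # Teredo (RFC 4380)
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")  # assumed default (RFC 6052)


def _v4(n):
    """Render the low 32 bits of n as a dotted-quad IPv4 address."""
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def classify(addr, nat64_prefix=NAT64_WKP):
    """Return (technology, embedded IPv4 details) for an IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    n = int(ip)
    if ip in SIXTOFOUR:
        # Bits 16-47 carry the public IPv4 address of the 6to4 endpoint.
        return "6to4", {"ipv4": _v4(n >> 80)}
    if ip in TEREDO:
        # Bits 32-63 are the Teredo server; the low 48 bits hold the client's
        # external UDP port and IPv4 address, each XORed with all ones.
        return "teredo", {
            "server": _v4(n >> 64),
            "client_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
            "client_ipv4": _v4(n ^ 0xFFFFFFFF),
        }
    if ip in nat64_prefix:
        # With a /96 prefix the IPv4 destination is the last 32 bits.
        return "nat64", {"ipv4": _v4(n)}
    # ISATAP interface identifier: 0000:5efe or 0200:5efe, then the IPv4 address.
    if (n >> 32) & 0xFFFFFFFF in (0x00005EFE, 0x02005EFE):
        return "isatap", {"ipv4": _v4(n)}
    return "native", {}


# Constructed sample addresses (documentation ranges), not real log data.
SAMPLE = [
    "2002:c000:201::1",
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",
    "fe80::5efe:c000:201",
    "64:ff9b::c000:221",
    "2001:db8::1",
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a, *classify(a))
```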
DirectAccess and Network Access Protection
To encourage computers to comply with security and health requirement policies and reduce the risk of malware spreading, non-compliant clients can be restricted from accessing intranet resources or communicating with compliant computers. Using Network Access Protection (NAP) with DirectAccess, IT administrators can require DirectAccess client computers to be healthy and comply with corporate health requirement policies. For example, client computers can obtain a connection to the DirectAccess server only if they have recent security updates, anti-malware definitions, and other security settings.
Using NAP in conjunction with DirectAccess requires that NAP-enabled DirectAccess clients submit a health certificate for authentication when creating the initial connection with the DirectAccess server. The health certificate contains the computer’s identity and proof of system health compliance. As previously described, a NAP-enabled DirectAccess client obtains a health certificate by submitting its health state information to an HRA that is located on the Internet. The health certificate must be obtained prior to initiating a connection to a DirectAccess server.
By using NAP with DirectAccess, a non-compliant client computer that might be infected with malware cannot connect to an intranet with DirectAccess, limiting the malware’s ability to spread. NAP is not required to use DirectAccess, but it is recommended.