• UAG SP1 DirectAccess Contest 1–Round 2/Quiz 4 (Final) and Contest 2 Round 1/Quiz 4

    Wow! This is it – the last quiz in Contest 1. That’s right – this is quiz 4 of the second round.

    To celebrate this occasion and to make things more interesting, we’re going to have FIVE questions. This will give those who are behind a better chance of catching up and put some pressure on the leaders.

    Let the game begin!

    Question 1:

    Regarding Certificate Revocation List (CRL) checks, which of the following answers are true? (Choose all true answers):

         A.  If the client certificate CRL check fails, the IPsec tunnels cannot be established
         B.  If the server certificate CRL check fails, the IP-HTTPS tunnel cannot be established
         C.  You must publish the private CRL Distribution Point if you use a commercial CA for your IP-HTTPS listener
         D.  A CRL check is not performed when the DirectAccess client connects to the NLS

    ================================================

    Question 2:
    True or False: The DirectAccess client can use IP-HTTPS to connect to the UAG DirectAccess server when located behind an authenticating proxy where authentication is required:

         A.  True
         B.  False

    ================================================

    Question 3:
    For the default settings for end-to-end Authentication and encryption with UAG SP1, which of the following statements are true (select all true statements):

         A.  End to End security uses IPsec tunnel mode from DA client to intranet server
         B.  End to End security uses Authentication with null encapsulation
         C.  End to End security authenticates only the first packet to the destination server
         D.  End to End security uses ESP-NULL

    ================================================

    Question 4:

    Bob wants to enable a “manage out” scenario where intranet management servers can initiate connections to DirectAccess clients over the Internet. To do some basic testing, he wants the intranet management servers to be able to ping the DirectAccess client. When Bob tries to ping the DirectAccess client from the management server, the ping requests fail.

    Bob checks the Firewall Rule he created to support inbound ping to the DirectAccess client and sees the following:

    Figure A (screenshot not reproduced)

    Figure B (screenshot not reproduced)

    Figure C (screenshot not reproduced)

    Figure D (screenshot not reproduced)

    Which of these figures most likely explains the ping failure (Pick one)?:

         A.  Figure A
         B.  Figure B
         C.  Figure C
         D.  Figure D

    ================================================

    Question 5:

    Review the following figure:

    (figure not reproduced)

    Based on this figure, which of the following can you state are correct (pick all correct answers)?:

         A.  The intranet tunnel is active
         B.  The infrastructure tunnel is active
         C.  The DirectAccess client is using IP-HTTPS as its active IPv6 transition technology
         D.  The DirectAccess client is a domain member


    There you go! Five questions with five answers ready for you to send to me.

    Send me your answer with the following email link:

    tomsh@microsoft.com

    by 11AM Central Standard Time (-0600 UTC) on Monday January 31.

    Thanks!

    Tom

    Tom Shinder
    tomsh@microsoft.com
    Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management
    Anywhere Access Group (AAG)
    The “Edge Man” blog :
    http://blogs.technet.com/tomshinder/default.aspx
    Follow me on Twitter:
    http://twitter.com/tshinder
    Facebook:
    http://www.facebook.com/tshinder

    Visit the TechNet forums to discuss all your UAG DirectAccess issues
    http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/threads

    Stay up-to-date with “just in time” UAG DirectAccess information on the TechNet wiki http://social.technet.microsoft.com/wiki/tags/DirectAccess/default.aspx

  • How To Enable SSTP (Secure Socket Tunneling Protocol) Split Tunneling with UAG 2010

    UAG 2010 (UAG) supports two types of network level SSL VPN:

    • Network Connector
    • Secure Socket Tunneling Protocol (SSTP)

    Network Connector is aimed at legacy clients and SSTP for Windows 7 clients.

    Network Connector supports both split and non-split tunneling configurations while SSTP, when accessed through the UAG portal, supports only non-split tunneled connections.

    This can be problematic for firms that want to enable a split tunneled configuration to reduce the bandwidth drain that VPN clients impose when split tunneling isn’t supported. And with current network security opinion moving away from disabling split tunneling as a security solution (see my articles on split tunneling for more information at http://blogs.technet.com/b/tomshinder/archive/2010/03/02/why-split-tunneling-is-not-a-security-issue-with-directaccess.aspx), it makes sense that admins would want to enable split tunneling for their UAG SSTP clients.

    Faisal Hussain provides a solution on his blog and you can find it at:

    http://blogs.technet.com/b/fsl/archive/2011/01/26/uag-sstp-split-tunnel.aspx

    (screenshot not reproduced)

    WARNING:
    This is an unsupported solution and has not been tested or validated by CSS.

    HTH,

    Tom

  • Certificate Related Questions and Test Lab Guide Guidance

    A couple of good questions were asked on a recent blog post and I figured it was worthwhile to answer them in more detail in a separate post.

    ====================================

    “Can you clarify a couple points related to Certificate Authorities and CRLs?  I plan on getting a commercial certificate for the IP-HTTPS listener as you recommended, but how does that affect all of the other certificate related configurations in the test lab guide?  The CA created on the domain server is completely separate from this commercial certificate, right?…”

    The IP-HTTPS Listener Certificate

    The IP-HTTPS listener needs a web site certificate (intended use is server authentication) so that DirectAccess clients can establish an IP-HTTPS connection to the UAG DirectAccess server before establishing the DirectAccess IPsec tunnels. This requires mutual client and server authentication, something that is the default setting for UAG DirectAccess (the default for Windows DirectAccess is server authentication only).

    The primary advantage of using a commercial certificate for the IP-HTTPS listener is that the commercial certificate provider maintains the Certificate Revocation List (CRL) and Distribution Points for you. Not only do they maintain that list for you, they also make sure that the CRL is highly available. While you could use your private PKI for the IP-HTTPS listener, you would then be responsible for maintaining the CRL and making sure that it is highly available.

    Now how does this relate to what we did in the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess Test Lab Guide (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=71be4b7b-e0e9-4204-b2b5-ac7f3c23b16d)?

    In the Test Lab we actually created a certificate template that removed CRL related information so that the DirectAccess client would not fail its IP-HTTPS connection when the CRL wasn’t published. This simplified the TLG environment because we didn’t need to go through the steps of publishing the CRL. In your production environment, you do want to make sure that the CRL is available for your private PKI; so you wouldn’t use the special configuration we did for the web site certificate template we used in the TLG. However, you don’t need to publish your private CRL because the commercial provider is handling the IP-HTTPS certificate’s CRL Distribution Points.

    You still want to use your private PKI to distribute computer certificates to the DirectAccess clients and the UAG DirectAccess server. You also want to distribute computer certificates to any machines for which you want end-to-end IPsec transport mode protection. And you want to make sure that the CRL is available so that you can revoke certificates (however, revoking certificates for DirectAccess clients is not an effective way to prevent them from connecting to the DirectAccess server – other methods should be used, such as disabling the computer account for the suspect DirectAccess client and changing the password of the user who lost the DirectAccess enabled computer). And you want to be able to use autoenrollment to make it easy to distribute the certificates.

    The commercial certificate and the private certificates have no relationship to each other and don’t need any. The commercial certificate provider should be included in the Enterprise Root Certificate Authorities store on all your DirectAccess enabled machines.

    ========================================================

    “And you mentioned that you wouldn't want to host the CRL on the DirectAccess server in a production environment.  Is this only because of performance reasons or because of something else?  And is this CRL not related to the IP-HTTPS listener?  So, just to make sure I'm getting it, there is one CA and a corresponding CRL for the active directory domain, and then another CA/CRL (in this case commercial) for the DirectAccess connections.  Is that right?…”

    Public and Private CRL Distribution Points

    There are a number of reasons why you wouldn’t want to host the CRL Distribution Point web site on the UAG DirectAccess server, but probably the main one is that every time you reconfigure the DirectAccess settings using the UAG DirectAccess wizard, it will end up resetting your CRL Distribution Point web site. There are also traffic related reasons – since the CRL check requires anonymous access to the CRL Distribution Point web site, you increase both the amount of traffic and the attack surface on the UAG DirectAccess server.

    You are correct that there are two CRLs in use in the DirectAccess scenario discussed here:

    • The CRL maintained by the commercial certificate provider – they do all the work and you don’t need to worry about it
    • The CRL maintained for your private PKI – which is used for revoking certificates delivered by your private certificate servers. You are responsible for managing this CRL and CRL Distribution Point

    It’s important to note here that only a “soft” CRL check is done when the DirectAccess client connects to the UAG DirectAccess server. If the DirectAccess client fails the CRL check, it will still be allowed to connect. So whether or not the CRL is available doesn’t determine connectivity for your DirectAccess clients.

    HTH,

    Tom

  • Answers to UAG SP1 DirectAccess Contest 1–Round 2/Quiz 3 and Contest 2 Round 1/Quiz 3

    Now for the moment you’ve all been waiting for – the answers to UAG SP1 DirectAccess Contest 1–Round 2/Quiz 2 and Contest 2 Round 1/Quiz 2!

    Last week’s quiz was a bit different with some practical problem solving scenarios based on screenshots. Let’s see how you did:

    ===========================================

    Question 1:
    Review the information in figure 1. (UAG1 is the UAG DirectAccess server and DC1 is on the intranet)

    Figure 1 (screenshot not reproduced)

    From the information provided to you in Figure 1, which of the following answers is most likely? (choose 1 answer)
         A. The Teredo server was moved off the UAG DirectAccess server
         B.  The 6to4 relay router was moved off the UAG DirectAccess server
         C.  The NAT64/DNS64 service was moved off the UAG DirectAccess server
         D.  The ISATAP Router was moved off the UAG DirectAccess server 

    The answer to question 1 is D.

    To better understand the scenario, the figure below shows the network diagram for the test environment from which this screenshot was taken.

    (network diagram not reproduced)

    If you look at the screenshot we have three pieces of information we can use to determine the answer.

    The first piece of information is the ping uag1 result. This returns a native IPv6 address assigned to the UAG DirectAccess server. In typical scenarios, when you ping the UAG server you will either see an ISATAP address returned, or, if you’re using an IPv4-only network with the help of NAT64/DNS64, an IPv4 address. This indicates that the UAG DirectAccess server has a native IPv6 address assigned to its internal interface and is not using ISATAP to communicate with the internal network.

    The second piece of information comes from ping dc1. The ICMP Echo Reply is returned from an ISATAP address, indicating that ISATAP is being used on the internal network.

    The third piece of information we have comes from tracert –d dc1. You’ll notice that the second hop returns an address on the same network ID as the IP address returned from the ping uag1. The last hop is to DC1, which is on an ISATAP subnet.

    When you put these three pieces of information together, the best conclusion you can draw is that there is a network device between the UAG DirectAccess server and DC1 that is routing native IPv6 packets onto an ISATAP enabled subnet. This device is an ISATAP router, which you can see in the network diagram as ISATAP1. Normally, the UAG DirectAccess server hosts the ISATAP router role – but in this scenario, the ISATAP router was moved to a separate machine.

    Note that this network diagram is part of a larger network diagram that describes how to configure a multi-site UAG DirectAccess solution using ISATAP routers and a single ISATAP cloud for the intranet. I hope to be able to complete the documentation on that scenario soon and will post it here.

    ===========================================

    Question 2:
    Review the information in figure 2. (UAG1 is the UAG DirectAccess server and DC1 is on the intranet) (choose 1 answer)

    Figure 2 (screenshot not reproduced)

    From the information provided to you in Figure 2, what is the most likely role for the machine with the IP address 2002:836b:4:8000:0:5efe:10.0.0.20 ?
         A.  ISATAP router
         B.  Windows Server 2008 R2 IPv6 RRAS router
         C.  IP-HTTPS relay
         D.  Teredo relay

    The answer to question 2 is A.

    Again, we have three pieces of information that we can work with to solve the problem.

    The first piece of information comes from the ipconfig output. Here we can see the IPv4 and IPv6 addressing assigned to this computer – which is DC1 because we recognize the ISATAP address from the previous question. We also see a default gateway assigned to the ISATAP adapter, which is a link-local ISATAP address assigned to the machine with the IPv4 address 10.0.0.20. This indicates that 10.0.0.20 must be an ISATAP gateway (router).

    The second piece of information comes from ping uag1. As in the first question, we see that UAG1 resolves to a native IPv6 address, which is consistent with the UAG DirectAccess server being assigned a native IPv6 address on its internal interface and not using ISATAP itself.

    The third piece of information comes from tracert –d client1. The first hop is the ISATAP address assigned to the machine that is configured as the default gateway for the ISATAP adapter on DC1. The second hop is the native IPv6 address assigned to the internal interface of the UAG DirectAccess server. The third hop comes from a machine that is assigned a Teredo address, which you might not recognize since you don’t know the IP addressing on the external interface of the UAG DirectAccess server, but you do recognize that it is a native IPv6 address on a different network ID from the internal interface of the UAG DirectAccess server.

    When we put these three pieces of information together it becomes clear that in order for DC1 to ping CLIENT1, the packet must travel over an ISATAP subnet to an ISATAP router, which forwards the IPv6 packet over the native IPv6 subnet to the internal interface of the UAG DirectAccess server, which then routes the connection to the IP-HTTPS enabled DirectAccess client on the Internet.

    ================================================

    Question 3:

    Review the information in figure 3.

    Figure 3 (screenshot not reproduced)

    Why is the first “quartet” for CLIENT1 different than the other IPv6 addresses on the network? (choose one answer) 
         A.  CLIENT1 is on a different ISATAP subnet
         B.  CLIENT1 is on the Internet and has registered its IP-HTTPS address
         C.  CLIENT1 is located behind a web proxy and has registered its 6to4 address
         D.  CLIENT1 is located behind a NAT device and has registered its Teredo address

    The answer to question 3 is D.

    Answer A is incorrect because CLIENT1 is not assigned an ISATAP address. For more information on ISATAP addressing, see http://technet.microsoft.com/en-us/library/bb727021.aspx

    Answer B is incorrect because being “on the Internet” implies that the machine is assigned a public IP address. When the machine is assigned a public IP address, it will register its 6to4 address. In addition, IP-HTTPS clients’ IPv6 addresses always start with 2002:

    Answer C is incorrect because a client located behind a web proxy has only IP-HTTPS available to it, not 6to4.

    Answer D is correct because CLIENT1 is located behind a NAT device and Teredo is used preferentially when the DirectAccess client is located behind a NAT device.
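To make the address recognition behind questions 2 and 3 concrete, here is an added example (my code, not part of the original post) that decodes what an IPv6 address reveals about the transition technology in use: the ISATAP interface identifier 0:5efe:w.x.y.z, the 2002: 6to4-derived prefix and its subnet ID, and the Teredo 2001:0::/32 layout with its embedded server address, NAT public address and port. The ISATAP address is the gateway from question 2; the Teredo and native addresses are constructed for illustration.

```python
import ipaddress

# ISATAP interface IDs are 0000:5efe:w.x.y.z (u/l bit clear) or
# 0200:5efe:w.x.y.z (u/l bit set); the low 32 bits carry the host's IPv4.
ISATAP_IID_HIGH = (0x00005EFE, 0x02005EFE)


def classify_ipv6(text):
    """Decode which IPv6 transition technology an address belongs to.

    Returns a dict with 'kind' in {teredo, isatap, 6to4, native}, the
    address scope, and whatever IPv4 addressing is embedded in it.
    """
    addr = ipaddress.IPv6Address(text)
    n = int(addr)
    iid = n & 0xFFFFFFFFFFFFFFFF          # low 64 bits: interface identifier
    info = {"kind": "native",
            "scope": "link-local" if addr.is_link_local else "global"}

    # Teredo: 2001:0::/32, then Teredo server IPv4, flags, obfuscated port,
    # obfuscated client (NAT public) IPv4. ipaddress un-XORs the two IPv4s
    # for us; the port is bits 80-95 XOR 0xFFFF.
    if addr.teredo is not None:
        server, client = addr.teredo
        info.update(kind="teredo", teredo_server=str(server),
                    nat_public_ipv4=str(client),
                    nat_port=((n >> 32) & 0xFFFF) ^ 0xFFFF)
        return info

    # ISATAP: recognised from the interface ID, independent of the prefix,
    # so both fe80::5efe:x.x.x.x and a 2002: global prefix qualify.
    if (iid >> 32) in ISATAP_IID_HIGH:
        info.update(kind="isatap",
                    host_ipv4=str(ipaddress.IPv4Address(iid & 0xFFFFFFFF)))

    # 6to4: 2002:wwxx:yyzz::/48 embeds the public IPv4 of the 6to4 router and
    # the next 16 bits are the subnet ID. In the post both the IP-HTTPS
    # prefix and the ISATAP subnet start with 2002:, so an ISATAP host can
    # sit on a 6to4-derived prefix; we keep 'isatap' as the kind in that case.
    if addr.sixtofour is not None:
        info["prefix_from_6to4"] = str(addr.sixtofour)
        info["subnet_id"] = (n >> 64) & 0xFFFF
        if info["kind"] == "native":
            info["kind"] = "6to4"
    return info


if __name__ == "__main__":
    # First address is the ISATAP gateway from question 2; the rest are
    # constructed samples (Teredo server 131.107.0.4, NAT public 192.0.2.20).
    for a in ("2002:836b:4:8000:0:5efe:10.0.0.20",
              "fe80::5efe:10.0.0.20",
              "2001:0:836b:4:0:63bf:3fff:fdeb",
              "2001:db8:1::10"):
        print(a, classify_ipv6(a))
```

The decoded 2002:836b:4 prefix corresponds to the IPv4 address 131.107.0.4; that value is derived from the address itself, the post does not state it.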

    ================================================

    Leaderboard

    (leaderboard image not reproduced)

    ================================================

    Wow! That was a good one – everyone did great and it shows that our DirectAccess contestants are pretty sharp when it comes to IPv6. That’s a good thing, because I think that 2011 is going to be the Year of IPv6 given that we’ll run out of IPv4 allocations very soon.

    Next Thursday I’ll post the last quiz in Contest 1 and announce the winner! To make it even more interesting – I’m going to include FIVE questions. That will make it possible for anyone to make a last-minute leap and take home the win for this round.

    So set yourself up a reminder to check for the quiz on Friday January 28, 2011.

    See you then!

    Tom

  • UAG SP1 DirectAccess Contest 1–Round 2/Quiz 3 and Contest 2 Round 1/Quiz 3

    It’s time for your weekly UAG DirectAccess quiz! We’re getting close to the end of contest 1, so make sure you don’t miss a step for the next two weeks.

    Last week’s quiz was definitely tricky and introduced some obscure or difficult to find information. This week I’m going to try something a little different.

    Remember to send your entries before 11AM Central Standard Time (-0600 UTC) on Monday January 24th.

    To the questions!

    Question 1:

    Review the information in figure 1. (UAG1 is the UAG DirectAccess server and DC1 is on the intranet)

    Figure 1 (screenshot not reproduced)

    From the information provided to you in Figure 1, which of the following answers is most likely? (choose 1 answer)

         A. The Teredo server was moved off the UAG DirectAccess server
         B.  The 6to4 relay router was moved off the UAG DirectAccess server
         C.  The NAT64/DNS64 service was moved off the UAG DirectAccess server
         D.  The ISATAP Router was moved off the UAG DirectAccess server 

    ================================================

    Question 2:

    Review the information in figure 2. (UAG1 is the UAG DirectAccess server and DC1 is on the intranet) (choose 1 answer)

    Figure 2 (screenshot not reproduced)

    From the information provided to you in Figure 2, what is the most likely role for the machine with the IP address 2002:836b:4:8000:0:5efe:10.0.0.20 ?

         A.  ISATAP router
         B.  Windows Server 2008 R2 IPv6 RRAS router
         C.  IP-HTTPS relay
         D.  Teredo relay

    ================================================

    Question 3:

    Review the information in figure 3.

    Figure 3 (screenshot not reproduced)

    Why is the first “quartet” for CLIENT1 different than the other IPv6 addresses on the network? (choose one answer) 

         A.  CLIENT1 is on a different ISATAP subnet
         B.  CLIENT1 is on the Internet and has registered its IP-HTTPS address
         C.  CLIENT1 is located behind a web proxy and has registered its 6to4 address
         D.  CLIENT1 is located behind a NAT device and has registered its Teredo address


    Let’s see if this more “practical” approach to the questions is a bit less tricky than the quiz we had last week. This quiz is a nice test of your basic IPv6 knowledge – so good luck and have fun!

    Send me your answers at:

    tomsh@microsoft.com

    by 11AM Central Standard Time (-0600 UTC) on Monday January 24th.

    Thanks!

    Tom
