
My personal understanding of how Microsoft DirectAccess works

Published: 2020-07-13 21:40:23   Source: Internet   Reads: 892   Author: 619713903   Category: Network Security

I recently tried to get a grip on Microsoft's newer-generation ××× technology, DirectAccess (not that new, really: it has been around since WIN2K8R2, i.e. Windows Server 2008 R2). After reading some material, I am writing up my own summary to reinforce my understanding and memory. If I have got anything wrong, corrections are welcome!


**********************


In operation, DirectAccess goes through two successive phases of establishing contact with the intranet. In the first phase the client contacts the intranet DNS servers and domain controllers (DCs). Only in the second phase does it contact the intranet resources the user actually wants to reach. The key differences between DirectAccess and other ××× solutions are:

1.    As soon as the client is connected to the Internet, it automatically initiates contact with the intranet DNS servers and DCs, so system administrators can manage roaming clients at any time. A typical scenario: once a roaming client is online, it receives the GPOs, patches and so on that the intranet pushes out to it.

2.    It uses the Name Resolution Policy Table (NRPT) to separate intranet traffic from Internet traffic.


Back to difference 1: how can the client automatically initiate contact with the intranet DNS servers and DCs? First of all, a discovery mechanism is needed, and this is where the Network Location Server (NLS) comes in. The NLS is a web server on the corporate intranet. The client first tries to reach the NLS; if it can, that means DirectAccess is already in operation. If it cannot reach the NLS, it starts the two-phase process of establishing contact with the intranet. In other words, the NLS does its work in step 2 of the steps shown in the figure below.


Only after discovery does the two-phase process of establishing contact with the intranet begin. Establishing contact involves two things: building a traffic tunnel and performing authentication. In the first phase, what is authenticated is the client computer, which requires the intranet's PKI to issue certificates to clients. In the second phase, both the client computer and the user are authenticated: in addition to the computer certificate, the domain user's credentials are verified (the same set of checks a domain user goes through at logon).


PS: The images below are taken from http://wenku.baidu.com/view/108a09e704a1b0717fd5dd85

PS2: I also found a lab write-up done by someone else, "How to build a Direct Access environment inside the enterprise": http://wenku.baidu.com/link?url=jqQ_xzlSAT9I5zoJ_OFjOqN_gGAVSrSY68ItRzKvICceQLpLbewgaXeTrEzNyjnNIUksLiBj_xPzXFtQN6pIyrB2Ov5wc-RQykD16PKjdLW

[Figures: two images from the document linked above; their alt text repeats the post title "My personal understanding of how Microsoft DirectAccess works"]

I started with an English book and found it somewhat confusing, so I went looking for the Chinese material above. Once I had understood the Chinese, the English explanation became much easier to follow. I am pasting the English here as well, for reference.


This general process can be broken down into the following specific steps:

1. The DirectAccess client computer running Windows 8, Windows 7 Enterprise, or Windows 7 Ultimate detects that it is connected to a network.
2. The DirectAccess client computer determines whether it is connected to the intranet. If the client is connected to the intranet, it does not use DirectAccess.
3. The DirectAccess client connects to the DirectAccess server by using IPv6 and IPsec.
4. If the client is not using IPv6, it will try to use 6to4 or Teredo tunneling to send IPv4-encapsulated IPv6 traffic.
5. If the client cannot reach the DirectAccess server using 6to4 or Teredo tunneling, the client tries to connect using the Internet Protocol over Hypertext Transfer Protocol Secure (IP-HTTPS) protocol. IP-HTTPS uses a Secure Sockets Layer (SSL) connection to encapsulate IPv6 traffic.
6. As part of establishing the IPsec session for the tunnel to reach the intranet DNS server and domain controller, the DirectAccess client and server authenticate each other using computer certificates for authentication.
7. If Network Access Protection (NAP) is enabled and configured for health validation, the Network Policy Server (NPS) determines whether the client is compliant with system health requirements. If it is compliant, the client receives a health certificate, which is submitted to the DirectAccess server for authentication.
8. When the user logs on, the DirectAccess client establishes a second IPsec tunnel to access the resources of the intranet. The DirectAccess client and server authenticate each other using a combination of computer and user credentials.
9. The DirectAccess server forwards traffic between the DirectAccess client and the intranet resources to which the user has been granted access.

The Name Resolution Policy Table (NRPT) is used to determine the behavior of the DNS clients when issuing queries and processing so that internal resources are not exposed to the public via the Internet and to separate traffic that isn’t DirectAccess Internet traffic from DirectAccess Internet traffic. By using the NRPT, the DirectAccess clients use the intranet DNS servers for internal resources and Internet DNS for name resolution of other resources. The NRPT is managed using group policies, specifically, Computer Configuration\Policies\Windows Settings\Name Resolution Policy.
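As an added illustration (my own, not code from the post or from the book quoted above), the following Python models how a DirectAccess client picks a resolver under the NRPT: when the NLS was reachable the client is on the intranet and the NRPT is not consulted (step 2), otherwise the most specific matching namespace rule wins, and a rule with no name servers is an exemption that falls back to the interface's ordinary DNS. Listing the NLS name as such an exemption, and every name and address used, are assumptions of this example.

```python
"""Simplified model of DirectAccess NRPT resolver selection (constructed example)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class NrptRule:
    namespace: str                       # ".corp.example.test" (suffix) or a full FQDN
    name_servers: Tuple[str, ...] = ()   # empty tuple = exemption: use interface DNS


def rule_matches(rule: NrptRule, fqdn: str) -> bool:
    """Suffix rules (leading dot) match any name ending in the suffix; others match exactly."""
    ns, name = rule.namespace.lower(), fqdn.lower().rstrip(".")
    return name.endswith(ns) if ns.startswith(".") else name == ns


def choose_resolver(fqdn: str, nrpt: List[NrptRule], nls_reachable: bool) -> Tuple[str, str]:
    """Return (resolver, path): which DNS servers answer the query and over which path."""
    if nls_reachable:
        # Step 2 of the process above: the client is on the intranet, DirectAccess is not used.
        return ("interface-dns", "intranet-direct")
    matches = [r for r in nrpt if rule_matches(r, fqdn)]
    if not matches:
        return ("interface-dns", "internet")          # not an intranet name: Internet DNS
    best = max(matches, key=lambda r: len(r.namespace))  # longest (most specific) match wins
    if not best.name_servers:
        return ("interface-dns", "internet")          # exemption, e.g. the NLS name (assumed)
    return (",".join(best.name_servers), "directaccess-tunnel")


# Constructed policy: the intranet suffix goes to the intranet DNS over the tunnel,
# while the NLS name is exempted so the reachability probe uses ordinary DNS.
SAMPLE_NRPT = [
    NrptRule(".corp.example.test", ("fd00:1::53",)),
    NrptRule("nls.corp.example.test"),
]

if __name__ == "__main__":
    for name in ("fileserver.corp.example.test", "nls.corp.example.test", "www.example.com"):
        print(name, "->", choose_resolver(name, SAMPLE_NRPT, nls_reachable=False))
```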

