More and more we’re finding our users and servers accessing resources that are on different networks than themselves. In some cases making sure this communication is secured has been difficult and/or an expensive problem to solve. Many times we address this security need with physical hardware and new licenses. Instead, in this play-by-play we’re going to look at ways to use Windows Server 2012 Unified Remote Access Role to help us create secure access with the tools and licenses you already have in your Windows Server environment.
Introduction

Today we're sitting down with Enterprise Security MVP, Pluralsight author and independent consultant, Richard Hicks.

Welcome to today's play by play, where I have the great pleasure of sitting down with Richard Hicks. He's our Enterprise Security MVP and independent consultant, and today we're going to be talking about secure remote access with Windows Server 2012, so let's go ahead and start at the beginning. What are the options here?

Very good. So, unknown to a lot of people, Windows has a great many secure remote access capabilities. They've been in the operating system for quite some time, but in Windows Server 2012 R2 we have something called the Unified Remote Access Role. Basically, Microsoft has a number of different secure remote access technologies built into the operating system that are designed to meet the varying needs and requirements of enterprises and businesses large and small, really. It starts off with traditional client-based VPN, which we're probably all familiar with. Windows has been doing this for many, many years. It's been part of the RRAS, or Routing and Remote Access Service, role since NT4 certainly; that's as far as I go back. So it's been around for quite some time. A traditional client-based VPN is your standard, the client being built into the desktop software.
You need to connect to the network and you establish a connection, log in with your credentials, and then you have access to the corporate network, and when you're done you can terminate the session, but it's very much user interactive. A few years ago Microsoft introduced a really interesting and very compelling remote access capability called DirectAccess. It first started out in Windows Server 2008, and it's kind of grown and matured to this point where in Server 2012 R2 it's a fantastic solution. DirectAccess fundamentally changes the way we think about providing secure remote access, so where VPN was always about connecting, the user connecting to the corporate network, DirectAccess kind of turns that around and extends the network to the user. It provides seamless and transparent, always-on, secure, remote corporate network connectivity. Another key point that differentiates DirectAccess from a client-based VPN is that it's bidirectional, and that's where we talk about extending the network to the user, because once the user is connected remotely via DirectAccess, it is as if they are on the corporate network. Anything that you can do to assist them on your LAN, you can perform the same actions on a system that is connected remotely over DirectAccess, and so a lot of enterprises, especially large enterprises, really like that solution. It provides an unparalleled, easy-to-use remote access experience because you access resources externally in the same way you do internally. So if I'm sitting here at my desk in my cube and I double click on a shortcut to my home drive and I access my files on the corporate network, if I were to do that with VPN when I was outside the network I would first have to make the conscious decision that I needed to connect to the network. Then I would have to launch my VPN, provide my credentials, wait for it to log on. Once it's established, then I could do that.
Whereas with DirectAccess, the connection happens at the machine level, and it actually happens before the user even gets their prompt for login or credentials. So the connection is already established at that point; once the user logs on, if they have a shortcut to a file on their file server, a link to an intranet website, they just click on it and it's connected and it just works, it just runs. So it's the same experience. You don't have to teach them to use a different URL when they're external. You don't have to have them do any additional steps prior to accessing the application. It just works, and it's fantastic, and again, enterprises really like this solution because it provides a much better management experience for their remote, field-based devices. For example, with DirectAccess, since the clients are always on and always connected, any time they have an active internet connection, whether or not the user is logged on at all, the client is connected to the corporate network. It's talking to Active Directory, group policy servers, getting group policy updates, talking to systems management servers, reporting back on system configuration status and health and things like that, so it's tremendously beneficial from that perspective. But Windows Server 2012 R2 also includes some other features. For example, it also supports site-to-site VPN, and site-to-site VPN, although traditionally done with, you know, a security device like a network device, is pretty compelling in Windows because it gives you a very cost-effective way to establish site-to-site connectivity. Traditionally and historically that's been used for either business partner collaboration or remote office connectivity. So I have a remote office in another location that has only a handful of users in it. I can use a site-to-site VPN to establish that corporate network connectivity for the users in that office.
More common and more compelling today is that we are now seeing this explosion of growth in infrastructure as a service in public cloud providers, and so they're hosting our infrastructure. Those servers that we have running in Azure and Amazon Web Services or any other public cloud hosting provider often need to be able to communicate with resources on-premises, whether that be Active Directory, whether that be SQL servers and things like that, and so establishing a site-to-site VPN with a public cloud provider is becoming a more common use case. And then finally, the last role or last feature in the Unified Remote Access role is a feature called Web Application Proxy. Now Web Application Proxy is a feature of the operating system that functions as a reverse web proxy, and it's designed to provide secure remote access at the application level. So capabilities like a client-based VPN and DirectAccess provide network-level connectivity, but there may be instances in which it makes more sense just to make the application available to the user instead of the entire network, and Web Application Proxy is designed to provide secure remote access to popular or common on-premises workloads like Exchange, Outlook Web Access, or SharePoint, CRM, anything that would be a web-based application hosted internally that you needed to provide secure remote access to. So those are kind of the three roles, so client-based VPN, DirectAccess, and Web Application Proxy are all those features that are part of the Unified Remote Access role in Windows Server 2012 R2.

Okay.