IPsec protects communications over IP networks through the use of cryptographic security services, providing a flexible framework that can be used for secure access scenarios that meet virtually any requirement. As part of your Forefront UAG DirectAccess planning, you must decide where you intend terminating IPsec encryption. The level of authentication you intend to provide to your intranet servers assists you in choosing the access model that is suited to your organization's requirements.

This topic describes the end-to-edge and end-to-end access models.

End-to-edge access model

The end-to-edge access model allows DirectAccess clients to connect to IPv6 reachable resources inside your intranet. Traffic is always encrypted between the DirectAccess client and the Forefront UAG DirectAccess server. The Forefront UAG DirectAccess server acts as an IPsec gateway, and terminates the IPsec tunnels for the DirectAccess client. Traffic between the Forefront UAG server and the intranet resources is neither encrypted nor authenticated.

In end-to-edge access mode, the DirectAccess client uses IPsec to create two encrypted tunnels to the Internet-facing interface of the Forefront UAG DirectAccess server. The first tunnel, known as the infrastructure tunnel, allows the DirectAccess client to access AD DS domain controllers, DNS servers and other management servers, and uses computer authentication. The second tunnel, known as the intranet tunnel, allows the DirectAccess client to access intranet resources, and uses both computer and user authentication.

The following figure shows an example of the end–to-edge access model.



End-to-edge protection
Note:
When first deploying Forefront UAG DirectAccess, it is recommended that you use the end-to-edge access model.

The following are the benefits of the end-to-edge access model:

  • It does not require IPsec-authenticated traffic in the enterprise network.

  • It allows access to IPv6-capable application servers and applications on the intranet, in a native IPv6 infrastructure, or when using ISATAP.

  • It allows access to non-IPv6 capable application servers and applications on the intranet, when using NAT64 and DNS64.

  • It enables access to servers that do not support IPsec.

  • It closely resembles current VPN architecture and is typically easier to deploy.

  • It is configurable with the Forefront UAG DirectAccess Configuration Wizard.

  • It can be used with smart cards for an additional level of authorization.

A limitation of the end-to-edge access model is that it fails to provide end-to-end authentication or data protection for internal traffic from the Forefront UAG DirectAccess server to the intranet application servers.

End-to-end access model

The End-to-end access model extends the end–to-edge IPsec policies all the way to the specified application servers. The DirectAccess clients use an IPsec transport policy that provides authentication and traffic protection of IPsec sessions until termination at the specified application server endpoint. In this case, the Forefront UAG DirectAccess server forwards traffic as authenticated and traffic protected IPsec sessions to the application servers. Additionally, you can encrypt the data payload between the DirectAccess client and an application server as required by changing the IPsec data protection (quick mode) settings in the Forefront UAG DirectAccess server configuration. Intranet application servers that are not included in AD DS security groups specified to use the end-to-end access model are accessed using the default end-to-edge access model.

The following figure shows an example of the end-to-end access model.



End-to-end protection

When selecting application servers that require end-to-end encryption and authentication, it is important to note that:

  • The selected end-to-end application servers must run Windows Server 2008 or later.

  • The selected end-to-end application servers must be accessible via IPv6 (Native or ISATAP, not NAT64).

  • The selected end-to-end application servers must be members of one or more AD DS security groups.

  • The selected end-to-end application servers can be used with smart cards for an additional level of authorization.

The following are the benefits of the end-to-end access model:

  • It provides additional end-to-end authentication, data integrity, and data confidentiality, beyond that provided with traditional VPN connections.

  • The specified end-to-end application servers are configurable with the Forefront UAG DirectAccess Configuration Wizard.

A limitation of the end-to-end access model is that application servers included in the AD DS security group must run Windows Server 2008 or later, and support IPv6 connections.

For more information on how to configure Forefront UAG DirectAccess to use an access model, see Identifying and configuring application servers.