Secure access to company resources from any location on any device
Updated: June 30, 2014
This guide is intended for traditional IT enterprises that have infrastructure architects, enterprise security specialists, and device management specialists who want to understand which solutions are available for consumerization of IT and Bring Your Own Device (BYOD). The end-to-end solution discussed in this guide is part of the Microsoft Enterprise Mobility vision.
The current trend of the explosion of devices—company-owned devices, personal devices, and consumers using their devices to access corporate resources on-premises or in the cloud—makes it imperative for IT to help increase user productivity and satisfaction with regard to the usage and identity of devices, and the experience of connecting to corporate resources and applications. At the same time, it brings numerous management and security challenges to IT organizations, which must ensure that enterprise infrastructure and corporate data are protected from malicious intent. These corporations must also make sure that resources can be accessed in compliance with corporate policies, regardless of device type or location.
Your current infrastructure can be extended by implementing and configuring different technologies from Windows Server 2012 R2 to set up an end-to-end solution to deal with these challenges.
The following diagram illustrates the problem that this solution guide addresses. It shows users using their personal and corporate devices to access applications and data both from the cloud and on-premises. These applications and resources can be inside or outside the firewall.
In this solution guide:
This section describes the scenario, problem statement, and goals for an example organization.
Your organization is a medium-sized banking firm. It employs more than 5,000 people who bring their personal devices (Windows RT and iOS-based devices) to work. Currently, they have no way to access company resources from these devices.
Your current infrastructure includes an Active Directory forest that has a domain controller with Windows Server 2012 installed. It also includes a Remote Access server and System Center Configuration Manager.
A recent report issued to your company’s management team by the IT team shows that more users are starting to bring their personal devices to work and need access to company data. The management team understands this trend in the market that leads to more users bringing their own devices and wants to ensure that the company implements a solution that securely embraces this demand. To summarize, your company’s IT team needs to:
Let employees use personal devices as well as company devices to access corporate applications and data. These devices include PCs and mobile devices.
Provide secure access to resources according to each user’s needs and company policies for these devices. The user experience across devices must be seamless.
Identify and manage the devices.
This guide weaves together a solution for extending your company’s infrastructure to achieve the following:
Simplified registration of personal and corporate devices.
Seamless connection to internal resources when needed.
Consistent access to company resources across devices.
To solve its business problem and meet all the previously mentioned goals, your organization needs to implement multiple subscenarios. Each of these subscenarios is represented collectively in the following illustration.
This part of the solution involves the following important phases.
IT administrators can set up device registration, which allows the device to be associated with the company’s Active Directory and use this association as a seamless second-factor authentication. Workplace Join is a new feature of Active Directory that allows users to securely register their devices with your company directory. This registration provisions the device with a certificate that can be used to authenticate the device when the user is accessing company resources. By using this association, IT pros can configure custom access policies to require that users are both authenticated and using their Workplace Joined device when accessing company resources.
IT administrators can set up single sign-on (SSO) from devices that are associated with the company’s Active Directory. SSO is the ability for an end user to sign in once when accessing an application provided by their company and not be reprompted for their sign-in information when accessing additional company applications. In Windows Server 2012 R2, the SSO capability is extended to Workplace Joined devices. This will improve the end user experience, while avoiding the risk of having each application store user credentials. This has the additional benefit of limiting the opportunities for password harvesting on personal or company-owned devices.
The following diagram provides a high-level snapshot of Workplace Join.
Each of these capabilities is detailed in the following table.
Solution Design Element
Why is it included in this solution?
Workplace Join
Workplace Join allows users to securely register their devices with your company directory. This registration provisions the device with a certificate that can be used to authenticate the device when the user is accessing company resources. For more information, see Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications (http://technet.microsoft.com/library/dn280945.aspx).
The server roles and technologies that need to be configured for this capability are listed in the following table.
Solution Design Element
Why is it included in this solution?
Domain Controller with Windows Server 2012 R2 schema update
The Active Directory Domain Services (AD DS) instance provides an identity directory to authenticate users and devices, and for the enforcement of access policies and centralized configuration policies. For more information about setting up your directory services infrastructure for this solution, see Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012.
AD FS with Device Registration Service
Active Directory Federation Services (AD FS) lets administrators configure the Device Registration Service (DRS) and implements the Workplace Join protocol for a device to Workplace Join with Active Directory. In addition, AD FS has been enhanced with OAuth authentication protocol as well as device authentication and conditional access control policies that include user, device, and location criteria. For more information about planning your AD FS design infrastructure, see AD FS Design Guide in Windows Server 2012 R2.
You do not need a domain controller running Windows Server 2012 R2 for this solution. All you need is a schema update from your current AD DS installation. For more information about extending the schema, see Install Active Directory Domain Services. You can update the schema on existing domain controllers without installing a domain controller that runs Windows Server 2012 R2 by Running Adprep.exe.
To plan the AD FS environment, see Identifying Your AD FS Deployment Goals.
Today's employees are mobile and expect to be able to access the applications they need to get work done wherever they happen to be. Companies have adopted multiple strategies to enable this using VPN, Direct Access, and Remote Desktop Gateways.
However, in a world of Bring Your Own Device, these approaches don't offer the level of security isolation many customers need. To help meet this need, the Web Application Proxy role service is included in the Windows Server RRAS (Routing and Remote Access Service) role. This role service allows you to selectively publish your enterprise Line-of-Business web apps for access from outside the corporate network.
Work Folders is a new file sync solution that allows users to sync their files from a corporate file server to their devices. The protocol for this sync is HTTPS based. This makes it easy to publish via the Web Application Proxy. This means that users can now sync from both the intranet and the Internet. It also means the same AD FS–based authentication and authorization controls described previously can be applied to syncing corporate files. The files are then stored in an encrypted location on the device. These files can then be selectively removed when the device is unenrolled for management.
DirectAccess and Routing and Remote Access Service (RRAS) VPN are combined into a single Remote Access role in Windows Server 2012 R2. This new Remote Access server role allows for centralized administration, configuration, and monitoring of both DirectAccess and VPN-based remote access services.
Windows Server 2012 R2 provides a Virtual Desktop Infrastructure (VDI) that gives your organization’s IT the freedom to choose personal and pooled virtual (VM)–based desktops, as well as session-based desktops. It also offers IT several storage options, based on their requirements.
The following diagram illustrates the technologies you can implement to ensure seamless access to corporate resources.
Solution Design Element
Why is it included in this solution?
Web Application Proxy
Allows the publishing of corporate resources, including Multi-Factor Authentication and the enforcement of conditional access polices when users connect to resources. For more information, see Web Application Proxy Deployment Guide.
Work Folders (File Server)
A centralized location on a file server in the corporate environment that is configured to allow the synchronization of files to user devices. Work Folders can be published directly through a reverse proxy or via the Web Application Proxy for conditional access policy enforcement. For more information, see Work Folders Overview.
Remote Access
This new Remote Access server role allows for centralized administration, configuration, and monitoring of both DirectAccess and VPN-based remote access services. Additionally, Windows Server 2012 DirectAccess provides multiple updates and improvements to address deployment blockers and provide simplified management. For more information, see 802.1X Authenticated Wireless Access Overview.
Virtual Desktop Infrastructure (VDI)
VDI enables your organization to deliver a corporate desktop and applications to employees that they can access from their personal and corporate devices, from both internal and external locations, with the infrastructure (the Remote Desktop Connection Broker, Remote Desktop Session Host, and Remote Desktop Web Access role services) running within the corporate datacenter. For more information, see Virtual Desktop Infrastructure.
This section provides an introduction to the planning steps required to deploy Web Application Proxy and to publish applications through it. This scenario describes the available preauthentication methods, including using AD FS for authentication and authorization, which allows you to benefit from AD FS features, including Workplace Join, Multi-Factor Authentication (MFA), and multi-factor access control. These planning steps are explained in detail in Plan to Publish Applications through Web Application Proxy.
This section explains the design process for a Work Folders implementation and provides information about the software requirements, deployment scenarios, a design checklist, and additional design considerations. Follow the steps in Designing a Work Folders Implementation to create a basic checklist.
This section describes general considerations that must be taken during planning to deploy a single Windows Server 2012 Remote Access server with basic features:
With Windows Server 2012 R2, your organization can set up control to access company resources based on the identity of the user, the identity of the registered device, and the user’s network location (whether the user is within the corporate boundary or not). Using multi-factor authentication integrated into the Web Application Proxy, IT can take advantage of additional layers of authentication as users and devices connect to the corporate environment.
To easily limit the risks associated with compromised user accounts, in Windows Server 2012 R2, it is much simpler to implement multiple factors of authentication using Active Directory. A plug-in model lets you configure different risk management solutions directly into AD FS.
There are numerous access control risk management enhancements in AD FS in Windows Server 2012 R2, including the following:
Flexible controls based on network location to govern how a user authenticates to access an AD FS–secured application.
Flexible policies to determine if a user needs to perform Multi-Factor Authentication based on the user’s data, device data, and network location.
Per-application controls to ignore SSO and force the user to provide credentials every time they access a sensitive application.
Flexible per-application access policies based on user data, device data, or network location. AD FS Extranet Lockout enables administrators to protect Active Directory accounts from brute-force attacks from the Internet.
Access revocation for any Workplace Joined device that is disabled or deleted in Active Directory.
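The controls listed above are applied per relying party trust in AD FS with claim rules and with farm-wide properties. The following PowerShell is an added example, not part of the guide and not Microsoft's own sample code; it assumes a relying party trust named 'Claims Test App' already exists (for instance the sample claims-based application used later in the guide's test steps) and uses the device-context and network-location claim types that AD FS on Windows Server 2012 R2 issues.

```powershell
# Added example (not from the guide): per-application access control and
# risk-management settings in AD FS on Windows Server 2012 R2.
# Assumption: a relying party trust named 'Claims Test App' already exists.
$rp = 'Claims Test App'

# 1. Issuance authorization: permit only Workplace Joined devices that are
#    connecting from inside the corporate network; anything else is denied
#    because no permit claim is issued.
$authzRules = @'
@RuleName = "Permit registered devices on the corporate network"
c1:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value =~ "^(?i)true$"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value =~ "^(?i)true$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceAuthorizationRules $authzRules

# 2. Additional authentication: require Multi-Factor Authentication when the
#    request comes from the extranet (insidecorporatenetwork == false).
$mfaRules = @'
@RuleName = "Require MFA from outside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName $rp -AdditionalAuthenticationRules $mfaRules

# 3. Sensitive application: ignore SSO and make the user re-enter
#    credentials on every access.
Set-AdfsRelyingPartyTrust -TargetName $rp -AlwaysRequireAuthentication $true

# 4. Extranet Lockout: after the threshold of bad passwords from the
#    Internet within the observation window, AD FS stops forwarding attempts
#    to Active Directory. Keep the threshold below the AD account lockout
#    threshold so an outsider cannot lock the real account.
Set-AdfsProperties -EnableExtranetLockout $true `
    -ExtranetLockoutThreshold 10 `
    -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# Review what is now in effect.
Get-AdfsRelyingPartyTrust -Name $rp |
    Select-Object Name, AlwaysRequireAuthentication,
        IssuanceAuthorizationRules, AdditionalAuthenticationRules
Get-AdfsProperties |
    Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
```

Issuance authorization rules deny by default, so the first rule is the whole access policy for that application: a user on a device that is not Workplace Joined, or a user outside the corporate network, gets no permit claim. The MFA rule and the extranet lockout settings add the further layers the list above describes for the same relying party.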
The following diagram illustrates the Active Directory enhancements for improving access control risk mitigation.
Solution design element
Why is it included in this solution?
Workplace Join (enabled by Device Registration Service [DRS])
Your organization can implement IT governance with device authentication and second-factor authentication with SSO. Workplace Joined devices provide IT administrators greater levels of control for personal devices and corporate devices. For more information about DRS, see Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications.
Azure Multi-Factor Authentication
Through Azure Multi-Factor Authentication, IT can apply additional layers of authentication and verification of users and devices. For more information, see What is Azure Multi-Factor Authentication?
In addition to security and access, IT also needs to have a good strategy in place to manage PCs and personal devices from a single administrator console. Managing devices includes setting security and compliance settings, gathering software and hardware inventory, or deploying software. IT also must have a solution in place to protect the company by wiping corporate data stored on the mobile device when the device is lost, stolen, or retired from use.
The solution, Manage mobile devices and PCs by migrating to Configuration Manager with Windows Intune, explains in detail the Unified Device Management solution.
It is critical that you address important design questions before designing a Bring Your Own Device (BYOD) and Unified Device Management infrastructure that enables employees to use their own devices and protects the company’s data.
The infrastructure design to support BYOD is discussed in BYOD user and device considerations. The design that is discussed in this document uses Microsoft-based technology. However, the design options and considerations can be applied to any infrastructure used to embrace the BYOD model.
For a handy checklist that lists the steps required to support mobile device management, see Checklist for Mobile Device Management.
The following steps take you through the step-by-step process of setting up the domain controller (AD DS), AD FS, and Device Registration Service.
Set up your domain controller
Install the AD DS role service and promote your computer to be a domain controller in Windows Server 2012 R2. This will upgrade your AD DS schema as part of the domain controller installation. For more information and step-by-step instructions, see Install Active Directory Domain Services.
Install and configure the federation server
You can use Active Directory Federation Services (AD FS) with Windows Server 2012 R2 to build a federated identity management solution that extends distributed identification, authentication, and authorization services to web-based applications across organization and platform boundaries. By deploying AD FS, you can extend your organization’s existing identity management capabilities to the Internet. For more information and step-by-step instructions, see Windows Server 2012 R2 AD FS Deployment Guide.
Configure Device Registration Service
You can enable DRS on your federation server after you install AD FS. Configuring DRS involves preparing your Active Directory forest to support devices and then enabling DRS. For detailed instructions, see Configure a federation server with Device Registration Service.
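The three steps above (domain controller, federation server, Device Registration Service) can be scripted. The following PowerShell is an added example, not from the guide or from Microsoft's documentation; every name in it is a placeholder: the forest contoso.com, the federation service name adfs.contoso.com, a certificate for that name already present in the machine store, and a service account CONTOSO\svc-adfs.

```powershell
# Added example (not from the guide): provisions a lab domain controller,
# installs an AD FS farm, and enables the Device Registration Service.
# All names below are placeholders that you replace with your own.

# --- 1. Domain controller (run on the future DC) ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName 'contoso.com' -DomainNetbiosName 'CONTOSO' `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force
# Promotion on Windows Server 2012 R2 applies the 2012 R2 schema, which is
# what DRS needs; on an existing older forest run adprep /forestprep instead.

# --- 2. Federation server (run on the domain-joined AD FS server) ---
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
$fsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*adfs.contoso.com*' } |
    Select-Object -First 1
$svcCred = Get-Credential -Message 'AD FS service account (CONTOSO\svc-adfs)'
Install-AdfsFarm -CertificateThumbprint $fsCert.Thumbprint `
    -FederationServiceName 'adfs.contoso.com' `
    -FederationServiceDisplayName 'Contoso Corporation' `
    -ServiceAccountCredential $svcCred

# --- 3. Device Registration Service ---
# Prepares the forest (creates the device registration container and gives
# the AD FS service account rights to it), then enables DRS on the farm.
Initialize-ADDeviceRegistration -ServiceAccountName 'CONTOSO\svc-adfs'
Enable-AdfsDeviceRegistration

# Turn on device authentication so the certificate that Workplace Join
# provisions is actually evaluated as the seamless second factor.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Clients discover DRS through the fixed host name
# enterpriseregistration.<UPN suffix>; publish it as a CNAME to the farm.
Add-DnsServerResourceRecordCName -ZoneName 'contoso.com' `
    -Name 'enterpriseregistration' -HostNameAlias 'adfs.contoso.com'

# Check: DRS should now report as enabled.
Get-AdfsDeviceRegistration
```

Without the DNS alias, devices cannot find the registration endpoint and Workplace Join fails even though DRS is enabled; without device authentication turned on, a registered device presents its certificate but AD FS never issues the device claims that the access policies depend on.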
Set up a web server and a sample claims–based application to verify and test the AD FS and Device Registration configuration
You need to set up a web server and a sample claims application, and then follow certain procedures to verify the above steps. Perform the steps in the following order:
Configure and verify Workplace Join on Windows and iOS devices
This section provides instructions for setting up Workplace Join on a Windows device and on an iOS device, and for experiencing SSO to a company resource.
You need to configure File Services Work Folders, Remote Desktop Services Virtualization, and Remote Access.
Configure Web Application Proxy
This section provides an introduction to the configuration steps required in order to deploy Web Application Proxy and publish applications through it.
Configure the Web Application Proxy Infrastructure: Describes how to configure the infrastructure required to deploy Web Application Proxy.
Install and Configure the Web Application Proxy Server: Describes how to configure Web Application Proxy servers, including configuring any required certificates, installing the Web Application Proxy role service, and joining Web Application Proxy servers to a domain.
Publish Applications using AD FS Preauthentication: Describes how to publish applications through Web Application Proxy using AD FS preauthentication.
Publish Applications using Pass-through Preauthentication: Describes how to publish applications using pass-through preauthentication.
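The four steps above, as an added PowerShell example that is not part of the guide or of Microsoft's documentation. It assumes placeholders: a federation service adfs.contoso.com, a wildcard certificate for *.contoso.com in the proxy's machine store, and a relying party trust in AD FS named 'Claims Test App'. It shows both preauthentication modes side by side so the difference is visible.

```powershell
# Added example (not from the guide): install Web Application Proxy and
# publish one application with AD FS preauthentication and one with
# pass-through preauthentication. All names are placeholders.

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# A certificate that covers the published host names (here a wildcard).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*.contoso.com*' } |
    Select-Object -First 1

# Proxy trust with AD FS: the credential must be a local administrator on
# the federation server; it is used once, to establish the trust.
$trustCred = Get-Credential -Message 'Local admin on the AD FS server'
Install-WebApplicationProxy -FederationServiceName 'adfs.contoso.com' `
    -FederationServiceTrustCredential $trustCred `
    -CertificateThumbprint $cert.Thumbprint

# 1. AD FS preauthentication: the proxy forwards a request only after AD FS
#    has authenticated the user and applied the relying party's device, MFA
#    and network-location policy. Unauthenticated traffic never reaches the
#    backend.
Add-WebApplicationProxyApplication -Name 'Claims Test App' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Claims Test App' `
    -ExternalUrl 'https://claimapp.contoso.com/' `
    -BackendServerUrl 'https://claimapp.contoso.com/' `
    -ExternalCertificateThumbprint $cert.Thumbprint

# 2. Pass-through preauthentication: no authentication at the edge; every
#    request is forwarded and the backend must authenticate it itself. Use
#    this only for backends that are built to face the Internet.
Add-WebApplicationProxyApplication -Name 'Legacy Web App' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://legacy.contoso.com/' `
    -BackendServerUrl 'https://legacy.contoso.com/' `
    -ExternalCertificateThumbprint $cert.Thumbprint

# Review the published applications and their preauthentication mode.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl
```

Keeping the external and backend URLs identical avoids URL translation in the proxy, which is the simplest configuration for claims-aware applications because the relying party identifier seen by AD FS then matches what the client requested.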
Configure Work Folders
The simplest Work Folders deployment is a single file server (often called a sync server) without support for syncing over the Internet, which can be a useful deployment for a test lab or as a sync solution for domain-joined client computers. To create a simple deployment, these are the minimum steps to follow:
For additional detailed instructions about how to deploy work folders, see Deploying Work Folders.
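The minimum deployment described above, as an added PowerShell example that is not part of the guide or of the Work Folders documentation. It assumes placeholders: a domain-joined file server fs1.contoso.com with a certificate for that name in its machine store, a share root D:\SyncShares, and a security group CONTOSO\WorkFoldersUsers. It also sets the two device-side policies that matter for personal devices.

```powershell
# Added example (not from the guide): a single Work Folders sync server.
# All names below are placeholders.

Install-WindowsFeature FS-SyncShareService -IncludeManagementTools

# One sync share; each member of -User gets an individual folder under -Path
# with NTFS permissions scoped to that user.
New-SyncShare -Name 'WorkFolders' -Path 'D:\SyncShares\WorkFolders' `
    -User 'CONTOSO\WorkFoldersUsers' `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true
# -RequireEncryption:       synced files are encrypted on the device, which is
#                           what makes selective wipe on unenrollment possible.
# -RequirePasswordAutoLock: the device must enforce a lock screen password.

# Work Folders only speaks HTTPS, so bind the server certificate to port 443.
# The appid GUID is a placeholder; use the one given in the Work Folders
# deployment documentation.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*fs1.contoso.com*' } |
    Select-Object -First 1
netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($cert.Thumbprint)" `
    "appid={00000000-0000-0000-0000-000000000000}"

# Review the share and its device policies.
Get-SyncShare | Format-List Name, Path, User, RequireEncryption, RequirePasswordAutoLock
```

For the Internet scenario in the guide, the same HTTPS endpoint is what gets published through Web Application Proxy; nothing on the sync server itself changes.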
Configure and verify Remote Desktop Services Session Virtualization
A VDI standard deployment enables you to install the appropriate role services on separate computers. A standard deployment provides more precise control of virtual desktops and virtual desktop collections by not creating them automatically.
This test lab walks you through the process of creating a Session Virtualization standard deployment by doing the following:
Installing the RD Connection Broker, RD Session Host, and RD Web Access role services on separate computers.
Creating a session collection.
Publishing a session-based desktop for each RD Session Host server in the collection.
Publishing applications as RemoteApp programs.
For detailed steps to configure and verify a VDI deployment, see Remote Desktop Services Session Virtualization Standard Deployment.
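The four steps of the standard deployment above, as an added PowerShell example that is not part of the guide or of the Remote Desktop Services documentation. Server names, the collection name, the user group and the published application path are placeholders.

```powershell
# Added example (not from the guide): RDS session virtualization standard
# deployment with the roles on separate servers. All names are placeholders.
# Run from a management server that has the RSAT-RDS-Tools feature.
$broker = 'rdcb.contoso.com'
$web    = 'rdweb.contoso.com'
$hosts  = @('rdsh1.contoso.com', 'rdsh2.contoso.com')

# 1. Install RD Connection Broker, RD Web Access and RD Session Host on
#    separate computers in one operation.
New-RDSessionDeployment -ConnectionBroker $broker -WebAccessServer $web -SessionHost $hosts

# 2. Create a session collection and scope it to a user group; members
#    see a session-based desktop from each host in the collection.
New-RDSessionCollection -CollectionName 'BYOD Desktops' -SessionHost $hosts `
    -ConnectionBroker $broker -UserGroup 'CONTOSO\RDS Users'

# Harden the collection's connection settings: Network Level Authentication
# and TLS before any session is created for the user.
Set-RDSessionCollectionConfiguration -CollectionName 'BYOD Desktops' `
    -ConnectionBroker $broker `
    -AuthenticateUsingNLA $true -SecurityLayer SSL -EncryptionLevel High

# 3./4. Publish an application as a RemoteApp program. Publishing a RemoteApp
#       replaces the full session-based desktop in RD Web Access for that
#       collection, which is usually the intent on personal devices.
New-RDRemoteApp -CollectionName 'BYOD Desktops' -DisplayName 'Calculator' `
    -FilePath 'C:\Windows\System32\calc.exe' -ConnectionBroker $broker

# Review what users will see.
Get-RDRemoteApp -ConnectionBroker $broker |
    Format-Table CollectionName, DisplayName, FilePath
```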
Configure Remote Access
Windows Server 2012 combines DirectAccess and Routing and Remote Access Service (RRAS) VPN into a single Remote Access role. The following are the configuration steps required to deploy a single Windows Server 2012 Remote Access server with basic settings.
Configure the DirectAccess Infrastructure: This step includes configuring network and server settings, DNS settings, and Active Directory settings.
Configure the DirectAccess Server: This step includes configuring DirectAccess client computers and server settings.
Verify the Deployment: This step includes steps for verifying the deployment.
Set up flexible and expressive per-application authorization policies, whereby you can permit or deny access based on user, device, network location, and authentication state by configuring Multifactor Access Control. Set up additional risk management in your environment with Multi-Factor Authentication.
Configure and verify Multifactor Access Control
This involves the following three steps:
Configure and verify Multi-Factor Authentication
This involves the following three steps:
Use the following steps to set up device management in your enterprise.
Install the System Center 2012 R2 Configuration Manager console: By default, when you install a primary site, the Configuration Manager console also is installed on the primary site server computer. After the site installs, you can install additional System Center 2012 R2 Configuration Manager consoles on additional computers to manage the site. Installing a console from both Configuration Manager 2007 and System Center 2012 R2 Configuration Manager on the same computer is supported. This side-by-side installation allows you to use a single computer to manage both your existing Configuration Manager 2007 infrastructure and the mobile devices you manage using Windows Intune with System Center 2012 R2 Configuration Manager. However, you cannot use the management console from System Center 2012 R2 Configuration Manager to manage your Configuration Manager 2007 site, and vice versa. For more information, see Install a Configuration Manager Console.
Enroll mobile devices: Enrollment establishes a relationship between the user, the device, and the Windows Intune service. Users enroll their own mobile devices. For information about how to enroll mobile devices, see Mobile Device Enrollment.
Manage mobile devices: After you install and make the basic configurations for your stand-alone primary site, you can begin to configure management of mobile devices. The following are typical actions you might configure:
To apply compliance settings to mobile devices, see Compliance Settings for Mobile Devices in Configuration Manager.
To create and deploy applications to mobile devices, see How to Create and Deploy Applications for Mobile Devices in Configuration Manager.
To configure hardware inventory, see How to Configure Hardware Inventory for Mobile Devices Enrolled by Windows Intune and Configuration Manager.
To configure software inventory, see Introduction to Software Inventory in Configuration Manager.
To wipe content from mobile devices, see How to Manage Mobile Devices by Using Configuration Manager and Windows Intune.