
Secure Enterprise Network Access and VPN

3-95

Aman Arneja
Program Manager
OSG Networking
Agenda
Enterprise Expectations
Remote Access Overview
Windows 8.1 Recap and Feedback
Windows 10 VPN Solution
On Demand VPN
Securing Network Access
Passport for Work
EDP Integration
Deployment
Plugin Platform

Demo
Enterprise expectations for corporate access

Access from any device
Protect Access Remotely to corporate resources
Audit usage and protect against data leak
Easy Management & Deployment
Mobility is the new normal

67% of the people who use a smartphone for work and 70% of people who use a tablet for work are choosing the devices themselves
905M tablets in use for work and home globally by 2017

FORRESTER FORRSIGHTS WORKFORCE EMPLOYEE SURVEY, Q2 2012
FORRESTER MOBILE WORKFORCE ADOPTION TRENDS, 2013
Remote Access Solution

Network Access Control
Mobile Device Management
Secure tunnel over Internet
Corporate Resources
Windows 8.1 Recap
A Step in the right direction
Recap
Inbox VPN Solution for Windows Phone
IKEv2 and L2TP based VPN

Plugin Platform for Windows & Windows Phone
Simple, Windows Store API based solution. No need for Kernel Drivers
MDM Deployment Support
CSP for Windows Phone, WMI for PC

On Demand VPN
App Triggering
Customer Feedback
Plugin Platform
Limited set of partners
For PC the apps were Inbox and couldn’t be on-boarded to the store

Deployment
Different deployment solutions for Phone and PC

Network Security Features


Need for Per-App VPN
Ability to control the traffic going over VPN
Auditing requirements for all IP traffic on a device

Connection Experience
Direct Access like Always On VPN
Biometric Auth support
Windows 10
Momentum forward
Windows 10 Remote Access Overview

Converged Platform across Desktop and Phones

Plugin Platform Updates


Open to new ISVs
Write a UAP app and deploy it to both Phone and PC
Store Based Distribution

New Security & Convenience Features

One Deployment story for Desktop and Phone


Auto Connect
Always On
Once configured, VPN is always connected till the user manually disconnects
Configurable to allow users to be always connected to the corporate network
Optimized for power & performance
No change needed to 3rd party VPN applications
MDM solutions can push the “Always-ON” VPN profile to mobile devices
App Triggered VPN
VPN Profile can be triggered based on App Launch
Desktop Apps
File Path
Fully Qualified Binary Name
Store Apps
Package Family Name
Active Profile used to determine Profile to Trigger
Selecting an Active Profile

The User can choose which profile is active

By Default, the last pushed MDM profile with Trigger data will be the Active Profile
Securing Network Access
Security controls and knobs for the admins
Traffic Filters
Traffic filters allow app/device specific rules for traffic allowed over the VPN Interface
If any traffic rule is added, all other traffic is blocked
Multiple rules are processed using an OR


Per App VPN
Control the Apps allowed over VPN

Force/Split paradigms at the app layer


Split – I trust this app, it is allowed to go over the Internet or the VPN Interface
Force – I need to use this app over VPN, when VPN is connected, it can only go over VPN

Works with existing 8.1 VPN plugins


Traffic Rules

Traffic rule types


Local/Remote port ranges
Local/Remote IP Ranges
Protocol
SDDL Claim
Within each rule, each parameter is evaluated with an AND operation
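
The evaluation semantics stated on the Traffic Filters and Traffic Rules slides (any rule present means all other traffic is blocked, rules are OR-ed, parameters within a rule are AND-ed), modeled in Python as an added example. This is not code from the talk or Microsoft's implementation; the class names, field names and sample policy are assumptions, and local port/IP ranges and SDDL claims are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class TrafficRule:
    # Hypothetical model. None = parameter not set, so it does not constrain.
    app: Optional[str] = None                       # app identifier
    protocol: Optional[int] = None                  # IP protocol (6 TCP, 17 UDP)
    remote_ports: Optional[Tuple[int, int]] = None  # inclusive port range
    remote_net: Optional[str] = None                # remote IP range as CIDR

@dataclass(frozen=True)
class Flow:
    app: str
    protocol: int
    remote_port: int
    remote_ip: str

def rule_matches(rule: TrafficRule, flow: Flow) -> bool:
    """Within one rule, every parameter that is set must match (AND)."""
    if rule.app is not None and rule.app != flow.app:
        return False
    if rule.protocol is not None and rule.protocol != flow.protocol:
        return False
    if rule.remote_ports is not None:
        low, high = rule.remote_ports
        if not low <= flow.remote_port <= high:
            return False
    return rule.remote_net is None or ip_address(flow.remote_ip) in ip_network(rule.remote_net)

def first_match(rules: List[TrafficRule], flow: Flow) -> Optional[int]:
    """Rules are alternatives (OR): index of the first rule admitting the flow."""
    return next((i for i, r in enumerate(rules) if rule_matches(r, flow)), None)

def allowed_over_vpn(rules: List[TrafficRule], flow: Flow) -> bool:
    """No rules: filtering is off. Any rule present: unmatched traffic is blocked."""
    return not rules or first_match(rules, flow) is not None

# Constructed sample policy and flows (not from the talk).
RULES = [
    TrafficRule("contoso.hr", 6, (443, 443), "10.10.0.0/16"),  # one app, HTTPS, intranet
    TrafficRule(protocol=17, remote_ports=(53, 53), remote_net="10.10.0.53/32"),
]
HR_OK = Flow("contoso.hr", 6, 443, "10.10.4.20")
HR_INTERNET = Flow("contoso.hr", 6, 443, "203.0.113.7")
DNS_ANY_APP = Flow("browser", 17, 53, "10.10.0.53")
BROWSER_INTRANET = Flow("browser", 6, 443, "10.10.4.20")
```

The second rule sets no app, so it admits the DNS flow from any app; reviewing which rule index admits a flow is a quick way to spot a rule that is broader than intended.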
Lock Down VPN
For the Extremely Security conscious organizations
Once deployed, all IP traffic will only go over the VPN
VPN will be always connected
User will not be able to disconnect the connection
User will not be able to modify the connection
If the VPN interface is not available, the traffic will be blocked
Typical usage will be on purely business
Passport for Work
VPN Single Sign-on experience
Passport for Work
Passport for work is integrated with VPN
2 factor authentication married with ease of use
Authenticate to VPN using Biometrics
Sign-In to PC, Connect to VPN Automatically with strong authentication
Enterprise Data Protection
Protects data at rest, and wherever it rests or may roam to
INTRODUCING Enterprise Data Protection
A DIFFERENT APPROACH
Seamless integration into the platform, No mode switching and use any app
Corporate vs personal data identifiable wherever it rests on the device
Prevents unauthorized apps from accessing business data
IT has full control of keys and data and can remote wipe data on demand
Common experience across all Windows devices with cross platform support
Enterprise Data Protection

DATA EGRESS
Enlightened applications will be able to maintain protection on egress
Policy based app restrictions can block app access to data, meaning it can’t egress
Network policy enables the blocking of data moving to non-corporate locations
Deployment Options
Easy to deploy, Easy to maintain
MDM Deployment
New VPN CSP – VPNv2
Converged across Phone and PC

Re-Designed based on feedback from MDMs and Enterprises
Supports all Windows 10 features
SCCM can leverage the CSP through WMI-CSP bridge
Old VPN CSP to stay on the phone for backwards compatibility.
Store App Based Deployment

Create/Edit/Connect a VPN Connection through VPN Management APIs

Mainline scenarios for APIs


Workplace App
VPN Solution with Plugin
Consumer VPN
Plugin Platform
Helping ISVs deliver innovative
remote access solutions
Platform Updates
Now open to all ISVs

VPN API surface converged across PC and Phone
Write one Universal app, deploy on both, Phone and PC devices
Windows 8.1 Upgrade
Inbox plugins from Windows 8.1 to move to the Store
Partners working on their UAP app for Day 0 support
Once upgraded, User will be prompted to update to the store app
Onboarding New ISVs
Platform open to all ISVs for
VPN Plugin
VPN Connection Manager App
New ISV Onboarding process to be made public
In the meantime, reach out to your Microsoft Account Manager
A special VPN capability needed on the developer account for the APIs to work.
To be granted to ISVs after understanding their use case
Demo: Per App VPN with App triggers
Related sessions that you should attend!
Sessions @ \\Build
Derek Adam & Joerg Zender | Enterprise Data Protection: Building apps that keep work and personal data separate and secure
Anoosh Saboori & Mike Stephens | Moving beyond passwords and credential theft
April 29, 5PM | Janani Vasudevan | Managing Mobile Devices and Applications in an Enterprise

Sessions @ Ignite in Chicago
Yogesh Mehta | Protecting your data with containers without boxing yourself in
Nelly Porter | Secure authentication with Windows Hello
© 2015 Microsoft Corporation. All rights reserved.
