Windows 7 and Windows Server 2008 R2 Networking Enhancements for Enterprises Microsoft Windows Family of Operating Systems
Published: January 2009
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Outlook, Sharepoint, Windows, Windows Media, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Introduction
In the past few years, advances in mobile computers and wireless broadband have enabled users to be more productive while away from the office. According to IDC (i), the third quarter of 2008 marked the point at which computer manufacturers began shipping more mobile computers than desktop computers worldwide. In 2008, mobile workers will represent 26.8% of the total workforce, and that number will increase to 30.4% by 2011 (ii). Clearly, users are becoming more mobile, and IT professionals must provide an infrastructure to allow them to remain productive. Additionally, more users are working from branch offices or home offices instead of the central office. The changing structure of business puts more pressure on IT professionals to provide a high-performance and secure infrastructure for connecting remote users and branch offices while minimizing costs. With Windows® 7 and Windows Server® 2008 R2, Microsoft introduces several new networking features to improve the productivity of mobile users and users at branch offices. This paper describes those features, as well as other networking improvements in Windows 7 and Windows Server 2008 R2.
DirectAccess
DirectAccess provides users transparent access to internal network resources whenever they are connected to the Internet. Traditionally, users connect to internal network resources with a virtual private network (VPN). However, using a VPN can be cumbersome because:
• Connecting to a VPN takes several steps, and the user needs to wait for the authentication. For organizations that check the health of a computer before allowing the connection, establishing a VPN can take several minutes.
• Any time users lose their Internet connection, they need to re-establish the VPN connection.
• Internet performance is slowed if all traffic is routed through the VPN.
Because of these concerns, many users avoid connecting to a VPN. Instead, they use technologies such as Microsoft Office Outlook® Web Access (OWA) to connect to internal resources. With OWA, users can retrieve internal e-mail without establishing a VPN connection. However, if a user tries to open a document on the internal network (often linked from an e-mail), they are denied access because internal resources are typically not accessible from the Internet. Avoiding VPNs also causes problems for IT professionals, who can only manage mobile computers when they connect to the internal network. When users avoid establishing an internal connection, mobile computers miss critical updates and changes to Group Policy settings. Windows 7 and Windows Server 2008 R2 introduce DirectAccess, which enables users to have the same experience working at home or at a wireless hotspot as they would in the office. With DirectAccess, authorized users on Windows 7 computers can access corporate shares, view intranet Web sites, and work with intranet applications without going through a VPN.
DirectAccess also benefits IT professionals by enabling them to manage mobile computers outside of the office—anytime, anywhere—even though the computers are not connected to the VPN. Each time a mobile computer connects to the Internet, before the user logs on, DirectAccess establishes a bi-directional connection that enables the client computer to stay up to date with company policies and to receive software updates.
DirectAccess provides a secure and flexible network infrastructure using technologies such as IPv6 and IPsec. Security and performance features include:
• Authentication. DirectAccess authenticates the computer before the user logs on, allowing IT professionals to manage the computer when the Internet connection is established. DirectAccess can also authenticate users and supports multifactor authentication methods such as smart card authentication.
• IPv6. DirectAccess uses IPv6 to provide globally routable IP addresses for remote access clients. Organizations that are not yet ready to fully deploy IPv6 can use IPv6 transition technologies such as ISATAP, 6to4, and Teredo to enable clients to connect across the IPv4 Internet and to access IPv4 resources on the enterprise network. These technologies provide IPv6 support for devices and servers that do not support IPv6 natively.
• Encryption. DirectAccess uses IPsec to provide authentication and encryption for communications across the Internet. You can use any IPsec encryption method, including DES, which uses a 56-bit key, and 3DES, which uses three 56-bit keys.
• Access control. With DirectAccess, IT professionals can configure the internal resources to which each user can connect, granting unlimited access or allowing access only to specific servers or networks.
DirectAccess uses split-tunnel routing, as illustrated in Figure 1, which reduces unnecessary traffic on the corporate network. Split-tunnel routing sends only traffic destined for the enterprise network through the DirectAccess server. Although split-tunnel routing is the default configuration for DirectAccess, IT professionals can disable the feature to send all traffic through the enterprise network.
Figure 1: DirectAccess traffic flow with split-tunnel routing. (Diagram: a DirectAccess client on the Internet; internal traffic passes through the DirectAccess server to corporate resources on the intranet, while Internet traffic goes directly to Internet servers.)
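The routing decision that Figure 1 illustrates, written out as an added Python example (this is not Microsoft's code and does not describe the DirectAccess implementation). The intranet prefix 2001:db8:1::/48, the sample destinations and the force_tunnel switch are constructed for illustration; the 6to4 prefix derivation is the standard RFC 3056 mapping and is included because the text names 6to4 as one of the transition technologies a client without native IPv6 can use.

```python
"""Split-tunnel route selection for a DirectAccess-style client.

Added example, not Microsoft's code. The intranet prefix, the destination
addresses and the force-tunnel switch are constructed for illustration; the
6to4 mapping is the standard one from RFC 3056.
"""
import ipaddress

# Assumed: the organization's intranet is reachable at this IPv6 prefix,
# which is the only traffic the client sends through the DirectAccess server.
INTRANET_PREFIXES = [ipaddress.ip_network("2001:db8:1::/48")]


def six_to_four_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """Derive the 6to4 /48 prefix (2002:WWXX:YYZZ::/48) from a public IPv4
    address. A client without native IPv6 can use an address from this prefix
    to reach the DirectAccess server across the IPv4 Internet."""
    w, x, y, z = ipaddress.IPv4Address(public_ipv4).packed
    return ipaddress.ip_network(f"2002:{w:02x}{x:02x}:{y:02x}{z:02x}::/48")


def choose_path(destination: str, force_tunnel: bool = False) -> str:
    """Return "tunnel" when the packet must go through the DirectAccess server
    and "direct" when it should use the local Internet connection.

    force_tunnel=True models the administrator disabling split tunnelling so
    that every packet, Internet-bound ones included, crosses the enterprise.
    """
    dst = ipaddress.ip_address(destination)
    if force_tunnel:
        return "tunnel"
    if dst.version == 6 and any(dst in prefix for prefix in INTRANET_PREFIXES):
        return "tunnel"
    return "direct"


def route_flows(destinations, force_tunnel=False) -> dict:
    """Classify a batch of destinations into {"tunnel": [...], "direct": [...]},
    which shows how much traffic split tunnelling keeps off the corporate link."""
    result = {"tunnel": [], "direct": []}
    for dst in destinations:
        result[choose_path(dst, force_tunnel)].append(dst)
    return result


# Constructed sample: two intranet hosts, a public IPv6 site and a public IPv4 site.
SAMPLE = ["2001:db8:1::10", "2001:db8:1:5::20", "2001:db8:ffff::1", "198.51.100.7"]

if __name__ == "__main__":
    print(route_flows(SAMPLE))
    print(route_flows(SAMPLE, force_tunnel=True))
    print(six_to_four_prefix("192.0.2.1"))
```

With split tunnelling (the default) only the two 2001:db8:1::/48 destinations are classified as tunnel traffic; with force_tunnel=True everything is, which is the trade-off the text describes between reduced corporate-network load and routing all traffic through the enterprise.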
VPN Reconnect
DirectAccess can replace the VPN as the preferred remote access method for many organizations. However, some organizations will continue to use VPNs side-by-side with DirectAccess. Therefore, Microsoft is improving VPN usability in Windows 7 with VPN Reconnect. VPN Reconnect uses IKEv2 technology to provide seamless and consistent VPN connectivity, automatically re-establishing a VPN when users temporarily lose their Internet connections. Users who connect using wireless mobile broadband will benefit most from this capability. For example, consider a user traveling to work on a train. To make the most out of her time, she uses a wireless mobile broadband card to connect to the Internet and then establishes a VPN connection to her company’s network. As the train passes through a tunnel, she loses her Internet connection. Once outside of the tunnel, the wireless mobile broadband card automatically reconnects to the Internet. However, with earlier versions of Windows, the VPN does not reconnect, and she needs to repeat the multi-step process of connecting to the VPN. This can quickly become time consuming for mobile users with intermittent connectivity. With VPN Reconnect, Windows 7 automatically re-establishes active VPN connections when Internet connectivity re-establishes. While the reconnection might take several seconds, it is completely transparent to users, who are more likely to stay connected to a VPN and get more use out of internal network resources.
Mobile Broadband
Earlier versions of Windows require users of wireless broadband cards to install third-party software, which is difficult for IT administrators to manage, especially considering that every wireless broadband provider has different software. Users also must be trained to use the software and must have administrative access to install it, preventing standard users from easily adding a wireless broadband card. With Mobile Broadband, Windows 7 provides a driver-based model for wireless broadband cards. Now, users can simply connect a wireless broadband card and immediately begin using it. The interface is built into Windows and is the same regardless of the wireless broadband provider, reducing the need for training and management efforts. With Windows 7 Mobile Broadband, connecting to the Internet with wireless broadband is as straightforward as connecting to a wireless local area network (LAN).
BranchCache
With BranchCache™, Windows 7 and Windows Server 2008 R2 reduce wide area network (WAN) utilization while simultaneously increasing the responsiveness of network applications at remote offices. When IT professionals enable BranchCache in Windows 7 and Windows Server 2008 R2, data retrieved from Web and file servers on the enterprise WAN is stored on the local branch office network. If another client at the same branch requests the same content, the client can access it directly from the local network, without fetching the entire file across the WAN. Clients are always authorized by the server at the datacenter before they can retrieve the content from the local branch network.
BranchCache can operate in one of two modes:
• Distributed Cache. Using a peer-to-peer architecture, Windows 7 clients cache content retrieved from Windows Server 2008 R2 and send the content directly to other Windows 7 clients as they need it, without those clients having to retrieve the same content over the WAN link. A distributed cache is the best choice for branches without a computer running Windows Server 2008 R2.
• Hosted Cache. Using a client/server architecture, Windows 7 clients copy content to a local computer (Hosted Cache) running Windows Server 2008 R2 that has BranchCache enabled. Other client computers that need the same content retrieve it directly from the Hosted Cache. Compared to the Distributed Cache, Hosted Cache increases the cache availability because content is available even if the client that originally requested the data is offline. Additionally, a Hosted Cache works across subnets and reduces multicast traffic on the local network. Typically, administrators can configure an existing computer running Windows Server 2008 R2 to act as the Hosted Cache, because the Hosted Cache does not require a dedicated server.
Figure 2: Comparison of BranchCache Distributed Cache and Hosted Cache modes. (Diagram: headquarters serving two branch offices, one using Distributed Cache and one using a Hosted Cache.)
BranchCache currently supports the following protocols and is fully compatible with end-to-end encryption such as IPsec:
• HTTP (including HTTPS). The standard protocol for Web transfers, used by applications such as Internet Explorer®, Windows Media®, and Windows SharePoint®.
• SMB (including signed SMB). The standard protocol for network file transfers when connecting to shared folders from Windows Explorer.
When BranchCache is enabled on both the client computer and server computer, the client computer follows this process to retrieve data using HTTP or SMB:
1. The client computer running Windows 7 connects to a computer running Windows Server 2008 R2 at the datacenter and requests content exactly as it would if it were to retrieve content without using BranchCache.
2. The server computer at the datacenter authenticates the user and verifies that the user is authorized to access the data.
3. The server computer at the datacenter returns identifiers (hashes) of the requested content to the client computer instead of sending the content itself. The server computer does so over the same channel that the content would normally have been sent.
4. Using the retrieved identifiers, the client computer does the following:
   a. If configured to use Distributed Cache, the client computer multicasts on the local network to find other client computers that have already downloaded the content.
   b. If configured to use Hosted Cache, the client computer looks up content availability on the Hosted Cache.
5. If the content is available in the branch (either on one or more clients or on the Hosted Cache), the client computer retrieves the data from within the branch and ensures that the data is current and has not been tampered with or corrupted.
6. If the content is not available in the branch, the client computer retrieves the content directly from the server computer at the datacenter and either makes it available on the local network to other requesting client computers or sends it to the Hosted Cache, where it is made available to other client computers.
All content transfers between client computers or between a client computer and the Hosted Cache are encrypted.
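The six-step sequence above, as an added Python simulation (not Microsoft's code, and not the BranchCache wire protocol). It models the parts that matter for security: the server authorizes the user before returning anything, it returns per-segment hashes rather than content, the client only accepts a branch-cached block whose hash still matches the identifier the server sent, and a corrupted block causes only that segment to be re-fetched across the WAN. The segment size, the use of SHA-256 as the identifier, the user/authorization table and the file contents are all constructed for the example.

```python
"""Simulation of the BranchCache retrieval sequence described above.

Added example, not Microsoft's code or protocol. The segment size, the
choice of SHA-256 as the content identifier, the user/authorization table
and the file contents are all constructed for illustration.
"""
import hashlib

SEGMENT_SIZE = 16  # bytes per segment (constructed; real deployments use far larger blocks)


def segment_ids(data: bytes) -> list:
    """Content identifiers: one hash per fixed-size segment."""
    return [hashlib.sha256(data[i:i + SEGMENT_SIZE]).digest()
            for i in range(0, len(data), SEGMENT_SIZE)]


class DatacenterServer:
    """Server at headquarters. It authorizes the user first (step 2) and then
    returns identifiers instead of content (step 3)."""

    def __init__(self, files: dict, acl: dict):
        self.files = files        # path -> bytes
        self.acl = acl            # path -> set of authorized user names
        self.wan_bytes = 0        # content bytes actually shipped across the WAN

    def _authorize(self, user: str, path: str) -> None:
        if user not in self.acl.get(path, set()):
            raise PermissionError(f"{user} is not authorized for {path}")

    def get_identifiers(self, user: str, path: str) -> list:
        self._authorize(user, path)
        return segment_ids(self.files[path])

    def get_segment(self, user: str, path: str, index: int) -> bytes:
        self._authorize(user, path)
        start = index * SEGMENT_SIZE
        chunk = self.files[path][start:start + SEGMENT_SIZE]
        self.wan_bytes += len(chunk)
        return chunk


class BranchCache:
    """Branch-side store keyed by identifier. Stands in for either the Hosted
    Cache or the union of the peers' Distributed Caches."""

    def __init__(self):
        self.store = {}

    def lookup(self, ident: bytes):
        return self.store.get(ident)

    def add(self, ident: bytes, chunk: bytes) -> None:
        self.store[ident] = chunk


class BranchClient:
    """Windows 7 client in the branch (steps 1, 4, 5 and 6)."""

    def __init__(self, user: str, server: DatacenterServer, cache: BranchCache):
        self.user, self.server, self.cache = user, server, cache

    def fetch(self, path: str) -> bytes:
        out = []
        for index, ident in enumerate(self.server.get_identifiers(self.user, path)):
            chunk = self.cache.lookup(ident)
            # Step 5: a block from the branch is used only if it still matches
            # its identifier; a stale, corrupted or tampered block is a miss.
            if chunk is None or hashlib.sha256(chunk).digest() != ident:
                chunk = self.server.get_segment(self.user, path, index)  # step 6
                self.cache.add(ident, chunk)
            out.append(chunk)
        return b"".join(out)


CONTENT = b"Q3 branch report: revenue up, costs flat, hiring paused."  # constructed


def run_demo() -> dict:
    server = DatacenterServer({"/reports/q3.txt": CONTENT},
                              {"/reports/q3.txt": {"alice", "bob"}})
    cache = BranchCache()
    alice = BranchClient("alice", server, cache)
    bob = BranchClient("bob", server, cache)

    first = alice.fetch("/reports/q3.txt")
    wan_after_first = server.wan_bytes           # whole file crossed the WAN
    second = bob.fetch("/reports/q3.txt")
    wan_after_second = server.wan_bytes          # served entirely from the branch

    # Corrupt one cached block; the next reader detects it and re-fetches only that block.
    cache.add(segment_ids(CONTENT)[1], b"X" * SEGMENT_SIZE)
    third = alice.fetch("/reports/q3.txt")

    return {
        "wan_after_first": wan_after_first,
        "wan_after_second": wan_after_second,
        "wan_after_tamper": server.wan_bytes,
        "all_correct": first == second == third == CONTENT,
        "server": server,
    }


if __name__ == "__main__":
    print({k: v for k, v in run_demo().items() if k != "server"})
```

The second client's read costs no WAN bytes, and the tampered block costs exactly one segment, which is why the identifier check in step 5 is what makes caching at an untrusted branch peer safe: a peer can deny a block or serve a bad one, but it cannot get a client to accept content the datacenter did not hash. Authorization is still decided at the datacenter on every request, so a user who is not in the ACL gets nothing even when the branch already holds the bytes.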
File Sharing and Offline Files Enhancements
IT professionals can take advantage of the Windows 7 file sharing enhancements to further improve user productivity in branch offices. Windows 7 provides:
• Transparent caching on client computers for shared folders, reducing the time required to access files for the second and subsequent times across a slow network. This is combined with protocol enhancements that eliminate multiple, redundant network operations when opening or saving files to provide an improved application experience across slow networks.
• Background synchronization capabilities for offline files, reducing administrative overhead and enhancing end-user experience.
Transparent Caching
Before Windows 7, to open a file across a slow network, client computers always retrieved the file from the server computer, even if the client computer had recently read the file. With Windows 7 transparent caching, client computers cache remote files more aggressively, reducing the number of times a client computer might have to retrieve the same data from a server computer. The first time a user opens a file in a shared folder, Windows 7 reads the file from the server computer and then stores it in a cache on the local disk. The second and subsequent times a user reads the same file, Windows 7 retrieves it from disk instead of reading it from the server computer. To provide data integrity, Windows 7 always contacts the server computer to ensure the cached copy is up-to-date. The cache is never accessed if the server computer is unavailable, and updates to the file are always written directly to the server computer. Transparent caching is not enabled by default on fast networks. IT professionals can use Group Policy to enable transparent caching, to improve the efficiency of the cache, and to save disk space on the client, configuring the amount of disk space the cache uses and preventing specific file types from being synchronized. These benefits are transparent to end-users and provide an experience for users at branch offices that more closely resembles the experience of being on the same LAN as servers. Additionally, the improved cache efficiency can reduce utilization across WAN links.
Background Synchronization for Offline Files
With Windows Vista, user updates to files are written to the server computer when the user is online. If the user is offline, the file updates are cached on the client computer’s disk and synchronized with the server the next time the user is online. In Windows 7, synchronization can happen automatically and in the background, without requiring the user to choose between online and offline modes. File synchronization is transparent to the end user, centrally configurable using Group Policy settings, and can be monitored and controlled from Sync Center. This provides reliable and transparent shared folder synchronization, giving users access to files on shared folders even when they are disconnected from the network. Users need not worry about manually synchronizing their data over slow networks, and IT professionals are assured that data from client computers is backed up on the servers. By making synchronization more powerful and transparent, Folder Redirection, a feature that allows user folders such as Documents to be redirected to a server computer, becomes much more useful. IT professionals can use Group Policy settings to enable both Folder Redirection and synchronization. Windows 7 redirects user folders to the network location and automatically synchronizes files between the version on the client computer and the version on the server. When the user disconnects from the network, Windows 7 opens the local copies of the files exactly as if the user were connected to the network, and changes synchronize the next time the user connects. This provides automatic network backup of user data without impacting the user. Windows 7 adds the “usually offline” mode, which provides similar capabilities when connected to a server across a slow network.
URL-based QoS
Adding more bandwidth cannot solve every network performance issue. Any network connection, when fully utilized, will cause communications to slow down while the router is forced to queue outgoing traffic. This often happens with an Internet or WAN connection because traffic from multiple clients on a high-speed LAN must share a lower-speed connection. For example, if an organization has a 1000 Mbps LAN and a 10 Mbps Internet connection, computers can send requests across the LAN to the router much faster than the router can forward the requests to the Internet. In this scenario, the router has to hold the outgoing requests in a queue and send each request when more bandwidth is available. By default, routers send outgoing traffic from the queue on a first-in, first-out basis. Therefore, critical traffic might be waiting in the queue behind less critical traffic. Figure 3 shows two clients sending traffic to two websites: www.contoso.com (a critical internal website) and www.southridgevideo.com (a non-critical personal website). As the figure demonstrates, the router treats the packets exactly the same, and packets destined for www.southridgevideo.com might be sent after packets destined for www.contoso.com.
Figure 3: Without QoS, low-priority traffic can be sent before high-priority traffic. (Diagram: two clients behind a router to the Internet, requesting http://www.contoso.com and http://www.southridgevideo.com.)
When IT professionals configure Quality of Service (QoS), Windows marks outgoing packets with a Differentiated Services Code Point (DSCP) number. Routers then examine the DSCP value to determine the packet’s priority. If a network connection is fully utilized and the router is holding packets in a queue, higher-priority packets are sent before lower-priority packets, overriding the default first-in, first-out behavior. Therefore, QoS can maintain the responsiveness of critical network applications even when the network is busy.
With earlier versions of Windows, IT professionals could specify applications, IP addresses, and port numbers to determine QoS priorities. With this level of granularity, IT professionals could prioritize database traffic over Web and e-mail traffic—a useful capability. They could also prioritize traffic to a critical server over traffic to a less-critical server. However, with the growth of Web services and application server consolidation, IT professionals need finer control over how Windows prioritizes Web traffic. For example, a single intranet server might host a critical customer service application and a non-critical discussion forum on the same server. Web services or applications on a single server share a common IP address, limiting the value of IP-based prioritization. IT professionals need to be able to assign different priorities to different Web applications and sites on a single server.
Windows 7 allows IT professionals to prioritize Web traffic based on the URL. With URL-based QoS, IT professionals can ensure important Web traffic is processed before less-important traffic, improving performance on busy networks. For example, IT professionals can assign Web traffic for critical internal Web sites a higher priority than external Web sites, maximizing performance when the network is busy. Similarly, if users visit non-work-related Web sites that consume a large portion of the network’s bandwidth, IT professionals can assign that traffic a low priority so other traffic isn’t impacted. With URL-based QoS, IT professionals can also configure the path portion of a URL, known as the Uniform Resource Identifier (URI). For example, IT professionals could assign http://contoso.com/cust_serv/ a high priority and http://contoso.com/forum/ a low priority. IT professionals can configure QoS using Group Policy settings.
Figure 4: URL-based QoS allows IT professionals to prioritize Web traffic. (Diagram: two clients behind a router to the Internet; high priority: http://*.contoso.com, low priority: http://*.southridgevideo.com.)
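The URL rules from the text and Figure 4 (host wildcards for contoso.com and southridgevideo.com, plus the /cust_serv/ and /forum/ path rules on the same server) applied to a queue of packets, as an added Python example; this is not Microsoft's code and says nothing about how the Group Policy settings are stored. The DSCP values assigned to the rules are assumed policy choices (46, 18 and 0 are the standard EF, AF21 and best-effort code points from RFC 3246, RFC 2597 and RFC 2474), and the arrival order is constructed so that the critical request is queued last.

```python
"""URL-based QoS marking and a priority-queue model of the router.

Added example, not Microsoft's code or the Group Policy settings. The URL
rules and the DSCP values assigned to them are assumed policy choices; DSCP
46 (EF), 18 (AF21) and 0 (best effort) are the standard code points defined
in RFC 3246, RFC 2597 and RFC 2474.
"""
from urllib.parse import urlsplit

# Assumed policy, first match wins. "*.contoso.com" matches contoso.com and
# any subdomain; the path prefix implements the URI rules from the text.
QOS_POLICY = [
    ("*.contoso.com", "/cust_serv/", 46),       # critical customer-service app
    ("*.contoso.com", "/forum/", 0),            # non-critical forum on the same server
    ("*.contoso.com", "/", 18),                 # the rest of the intranet site
    ("*.southridgevideo.com", "/", 0),          # personal site: best effort
]


def host_matches(pattern: str, host: str) -> bool:
    """Wildcard host match: "*.example.com" covers the bare domain and all subdomains."""
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def dscp_for_url(url: str) -> int:
    """DSCP value the sending host would mark on packets for this URL
    (0, best effort, when no rule matches)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for host_pattern, path_prefix, dscp in QOS_POLICY:
        if host_matches(host_pattern, host) and path.startswith(path_prefix):
            return dscp
    return 0


def drain_order(arrivals: list, priority_queuing: bool) -> list:
    """Order in which queued packets leave a saturated router link.

    Without QoS the router is first-in, first-out. With DSCP-aware queuing it
    sends higher code points first; sorted() is stable, so packets with the
    same DSCP still leave in arrival order.
    """
    if not priority_queuing:
        return list(arrivals)
    return sorted(arrivals, key=lambda url: -dscp_for_url(url))


# Constructed arrival order at the router: the critical request arrives last.
ARRIVALS = [
    "http://www.southridgevideo.com/clips/1",
    "http://www.contoso.com/forum/thread/9",
    "http://www.contoso.com/cust_serv/case/42",
    "http://www.contoso.com/",
]

if __name__ == "__main__":
    for url in ARRIVALS:
        print(dscp_for_url(url), url)
    print("FIFO:    ", drain_order(ARRIVALS, False))
    print("With QoS:", drain_order(ARRIVALS, True))
```

Two points the model makes visible. First, the forum and the customer-service application share a host, so an IP-based rule could not separate them; the path prefix is what does the work. Second, the DSCP mark is written by the sending host, so a router honours whatever the endpoint claims: in practice the priority behaviour is only meaningful where the marking hosts are managed (here, through Group Policy) and where the edge re-marks or ignores code points arriving from networks it does not control.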
DNS Security Extensions
DNS clients running Windows 7 or Windows Server 2008 R2 and DNS servers running Windows Server 2008 R2 support DNS Security Extensions (DNSSEC) to validate the integrity of DNS records as per Request For Comments (RFCs) 4033, 4034 and 4035. By validating that a DNS record was generated by the authoritative DNS server and that the DNS record has not been modified, computers running Windows 7 and Windows Server 2008 R2 can validate the integrity of DNS responses. With DNSSEC, authoritative DNS servers running Windows Server 2008 R2 that support DNSSEC will cryptographically sign a DNS zone to generate digital signatures for all the resource records in the zone. Other DNS servers can use a trust anchor to verify that a DNS record was signed by the authoritative DNS server and that it has not been modified. While DNS servers perform the validation of DNS records, DNS clients running Windows 7 are DNSSEC-aware. A DNS client running Windows 7 relies on its local DNS server for DNSSEC validation and can check whether validation has been successfully performed on the responses before returning the results of the query to an application. Figure 5 illustrates how IPsec and DNSSEC can provide an end-to-end DNSSEC solution to validate a DNS request that must traverse multiple levels of DNS servers. For example, the client computer could be located at a branch office and configured to use IPsec to connect to a local, non-authoritative DNS server running Windows Server 2008 R2. The local DNS server can forward requests to the domain’s authoritative DNS server, use DNSSEC to verify the integrity of internal DNS records (even if there are multiple interim DNS servers), and inform the client that DNSSEC was used to validate the records.
Figure 5: DNSSEC can prevent man-in-the-middle attacks. (Diagram: the client’s connection to the caching DNS server is IPsec authenticated/encrypted; the caching DNS server’s exchange with the authoritative DNS server is DNSSEC validated.)
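The client-side check the text describes, a DNSSEC-aware client asking whether its local DNS server validated the response before handing the answer to an application, as an added Python example (not the Windows 7 resolver's code). In the DNS message format that signal is the AD (Authenticated Data) flag in the response header (RFC 1035 section 4.1.1 for the header layout, RFC 4035 section 3.2.3 for AD/CD); the three response headers below are constructed byte strings, not captured traffic, and the accept/reject policy is an assumed one.

```python
"""A DNSSEC-aware stub resolver check: decode the DNS response header and
hand the answer to the application only when the local validating resolver
reports successful validation through the AD (Authenticated Data) flag.

Added example, not the Windows 7 resolver's code. The flag bit positions come
from RFC 1035 section 4.1.1 and RFC 4035 section 3.2.3; the response headers
below are constructed byte strings, not captured traffic.
"""
import struct

HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # authoritative answer
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: the resolver validated the answer with DNSSEC
FLAG_CD = 0x0010  # checking disabled: the client asked the resolver not to validate
RCODE_MASK = 0x000F


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def accept_response(msg: bytes, require_validation: bool) -> bool:
    """Policy a DNSSEC-aware client applies before returning results to an application.

    The AD flag is only as trustworthy as the path between the client and its
    validating resolver, which is why Figure 5 pairs DNSSEC with IPsec on the
    client-to-caching-server leg: an unprotected stub-to-resolver hop could
    have the flag set by anyone in the middle.
    """
    h = parse_header(msg)
    if not h["qr"] or h["rcode"] != 0:
        return False                      # not a successful answer at all
    if require_validation and not h["ad"]:
        return False                      # resolver did not (or could not) validate
    return True


def build_header(ident: int, flags: int, counts=(1, 1, 0, 0)) -> bytes:
    return HEADER.pack(ident, flags, *counts)


# Constructed responses from the local caching resolver.
VALIDATED = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
UNVALIDATED = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA)
SERVFAIL = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | 2)  # RCODE 2: resolver refused the answer

if __name__ == "__main__":
    for name, msg in [("validated", VALIDATED), ("unvalidated", UNVALIDATED), ("servfail", SERVFAIL)]:
        print(name, "ad =", parse_header(msg)["ad"], "accepted =", accept_response(msg, True))
```

With require_validation set, an answer that the caching server did not validate is refused even though it is a well-formed, successful response; with it clear, the client behaves like a pre-DNSSEC resolver and accepts it. A validating resolver that detects a bad signature typically answers SERVFAIL rather than returning the forged data, which the policy also rejects.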
Support for Green IT
Windows 7 offers Wake on Wireless LAN (WoWLAN) and Smart Network Power features to reduce power consumption.
Wake on Wireless LAN
Users can save energy by putting computers into sleep mode when they’re not in use. With earlier versions of Windows, users and IT professionals could use Wake on LAN (WOL) to wake the computer so that it could be managed across the network. However, WOL only works when computers are connected to wired networks. Wireless computers in sleep mode cannot be started or managed across the network, allowing them to fall behind on configuration changes, software updates, and other management tasks. Windows 7 adds support for Wake on Wireless LAN (WoWLAN). With WoWLAN, Windows 7 can reduce electricity consumption by enabling users and IT professionals to remotely wake computers connected to wireless networks from sleep mode. Because users can wake computers to access them across the network, IT professionals can configure them to enter the low-power sleep mode when not in use.
Smart Network Power
Wired network connections use power when they’re enabled, even if a network cable isn’t connected. Windows 7 offers the ability to automatically turn off power to the network adapter when the cable is disconnected. When the user connects a cable, power is automatically restored. This feature offers the power-saving benefits of disabling a wired network connection while still allowing users to connect easily to wired networks.
Summary
Windows 7 and Windows Server 2008 R2 offer the following features to help remote users feel like they’re working in the office by keeping them connected and making the most out of intermittent and low-bandwidth links:
• DirectAccess, VPN Reconnect, and Mobile Broadband make getting connected and staying connected easy or completely automatic.
• BranchCache and file sharing enhancements make the most out of low-bandwidth connections.
By providing a secure and flexible infrastructure, Windows 7 and Windows Server 2008 R2 provide IT professionals with the following benefits:
• DirectAccess and VPN Reconnect increase the time mobile users are connected to the internal network, improving manageability.
• DNSSEC allows client computers to authenticate DNS servers, and DNS servers to authenticate each other, reducing the risk of man-in-the-middle attacks.
• Mobile Broadband simplifies configuration of wireless broadband adapters.
Finally, these benefits reduce costs for IT professionals:
• BranchCache, URL-based QoS, and file sharing enhancements optimize bandwidth utilization.
• Support for green IT allows users to save power while still enabling administrators to manage computers across the network.
In summary, the networking improvements in Windows 7 and Windows Server 2008 R2 improve user productivity and decrease management costs, adding significant value to Microsoft’s newest client and server operating systems.
(i) IDC Worldwide Quarterly PC Tracker, December 2008.
(ii) IDC, "Worldwide Mobile Worker Population 2007–2011 Forecast," Doc #209813, Dec 2007.