Windows 7 and Windows Server 2008 R2
Networking Enhancements for Enterprises
Microsoft Windows Family of Operating Systems
Microsoft Corporation
Published: April 2009
Abstract
This paper describes networking features in Windows® 7 and Windows Server® 2008 R2
including several that were developed to improve the productivity of mobile users and users at
branch offices.
Copyright information
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release. This document is provided for informational
purposes only and Microsoft makes no warranties, either express or implied, in this document.
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. The entire risk of the use or the results from the use of this document
remains with the user. Unless otherwise noted, the companies, organizations, products, domain
names, e-mail addresses, logos, people, places, and events depicted in examples herein are
fictitious. No association with any real company, organization, product, domain name, e-mail
address, logo, person, place, or event is intended or should be inferred. Complying with all
applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, BranchCache, Sharepoint, Outlook, Windows, Windows Media, Windows Server, and
Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are
property of their respective owners.
Contents
Windows 7 and Windows Server 2008 R2 Networking Enhancements for Enterprises ................. 5
DirectAccess .................................................................................................................................... 5
VPN Reconnect ............................................................................................................................... 7
Mobile Broadband............................................................................................................................ 8
BranchCache ................................................................................................................................... 8
File Sharing and Offline Files Enhancements ............................................................................... 10
Transparent caching .................................................................................................................. 10
Background synchronization for offline files ............................................................................... 11
URL-based QoS ............................................................................................................................ 11
DNS Security Extensions .............................................................................................................. 13
Support for Green IT ...................................................................................................................... 14
Wake on Wireless LAN .............................................................................................................. 14
Smart network power ................................................................................................................. 14
Summary ....................................................................................................................................... 15
Windows 7 and Windows Server 2008 R2
Networking Enhancements for Enterprises
In the past few years, advances in mobile computers and wireless broadband have enabled users
to be more productive while away from the office. According to IDC, the third quarter of 2008
marked the point at which computer manufacturers began shipping more mobile computers than
desktop computers worldwide (IDC Worldwide Quarterly PC Tracker, December 2008).
In 2008, mobile workers will represent 26.8% of the total workforce, and that number will increase
to 30.4% by 2011 (IDC, "Worldwide Mobile Worker Population 2007–2011 Forecast," Doc
#209813, Dec 2007). Clearly, users are becoming more mobile, and IT professionals must
provide an infrastructure to allow them to remain productive.
Additionally, more users are working from branch offices or home offices instead of the central
office. The changing structure of business puts more pressure on IT professionals to provide a
high-performance and secure infrastructure for connecting remote users and branch offices while
minimizing costs.
With Windows® 7 and Windows Server® 2008 R2, Microsoft® introduces several new networking
features to improve the productivity of mobile users and users at branch offices. This document
describes those features, as well as other networking improvements in Windows 7 and Windows
Server 2008 R2. The following topics are covered:
DirectAccess
VPN Reconnect
Mobile Broadband
BranchCache
File Sharing and Offline Files Enhancements
URL-based QoS
Support for Green IT
Summary
Note
For a complete view of Windows 7 resources, articles, demos, and guidance, please visit
the Springboard Series for Windows 7 on the Windows Client TechCenter.
DirectAccess
DirectAccess provides users transparent access to internal network resources whenever they are
connected to the Internet. Traditionally, users connect to internal network resources with a virtual
private network (VPN). However, using a VPN can be cumbersome because:
- Connecting to a VPN takes several steps, and the user needs to wait for the authentication.
  For organizations that check the health of a computer before allowing the connection,
  establishing a VPN can take several minutes.
- Any time users lose their Internet connection, they need to re-establish the VPN connection.
- Internet performance is slowed if all traffic is routed through the VPN.
Because of these concerns, many users avoid connecting to a VPN. Instead, they use
technologies such as Microsoft Office Outlook® Web Access (OWA) to connect to internal
resources. With OWA, users can retrieve internal e-mail without establishing a VPN connection.
However, if a user tries to open a document on the internal network (often linked from an e-mail),
they are denied access because internal resources are typically not accessible from the Internet.
Avoiding VPNs also causes problems for IT professionals, who can only manage mobile
computers when they connect to the internal network. When users avoid establishing an internal
connection, mobile computers miss critical updates and changes to Group Policy settings.
Windows 7 and Windows Server 2008 R2 introduce DirectAccess, which enables users to have
the same experience working at home or at a wireless hotspot as they would in the office. With
DirectAccess, authorized users on Windows 7 computers can access corporate shares, view
intranet Web sites, and work with intranet applications without going through a VPN.
DirectAccess also benefits IT professionals by enabling them to manage mobile computers
outside of the office—anytime, anywhere—even though the computers are not connected to the
VPN. Each time a mobile computer connects to the Internet, before the user logs on,
DirectAccess establishes a bi-directional connection that enables the client computer to stay up to
date with company policies and to receive software updates.
DirectAccess provides a secure and flexible network infrastructure using technologies such as
IPv6 and IPsec. Security and performance features include:
- Authentication. DirectAccess authenticates the computer before the user logs on, allowing
  IT professionals to manage the computer when the Internet connection is established.
  DirectAccess can also authenticate users and supports multifactor authentication methods
  such as smart card authentication.
- IPv6. DirectAccess uses IPv6 to provide globally routable IP addresses for remote access
  clients. Organizations that are not yet ready to fully deploy IPv6 can use IPv6 transition
  technologies such as ISATAP, 6to4, and Teredo to enable clients to connect across the IPv4
  Internet and to access IPv4 resources on the enterprise network. These technologies provide
  IPv6 support for devices and servers that do not support IPv6 natively.
- Encryption. DirectAccess uses IPsec to provide authentication and encryption for
  communications across the Internet. You can use any IPsec encryption method, including
  DES, which uses a 56-bit key, and 3DES, which uses three 56-bit keys.
- Access control. With DirectAccess, IT professionals can configure the internal resources to
  which each user can connect, granting unlimited access or allowing access only to specific
  servers or networks.
DirectAccess uses split-tunnel routing, as illustrated in Figure 1, which reduces unnecessary
traffic on the corporate network. Split-tunnel routing sends only traffic destined for the
enterprise network through the DirectAccess server. Although split-tunnel routing is the
default configuration for DirectAccess, IT professionals can disable the feature to send all
traffic through the enterprise network.
Figure 1 DirectAccess traffic flow with split-tunnel routing
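The two DirectAccess design points above, the split-tunnel routing decision and the IPv6 transition technologies used to cross the IPv4 Internet, can be made concrete with a small script. The following is an added example and not code from the paper or from Windows: it decides, for a destination address, whether a packet enters the DirectAccess tunnel or leaves by the local Internet link, and it decodes the IPv4 address embedded in 6to4, Teredo and ISATAP addresses (the encodings are the ones defined in RFC 3056, RFC 4380 and RFC 5214). The intranet prefix 2001:db8:1::/48 and all sample addresses are constructed for the example.

```python
import ipaddress

# Constructed for this example (not from the paper): the prefix that counts
# as the enterprise intranet when deciding whether traffic enters the tunnel.
INTRANET_PREFIXES = [ipaddress.ip_network("2001:db8:1::/48")]

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")       # RFC 4380
SIX_TO_FOUR_PREFIX = ipaddress.ip_network("2002::/16")  # RFC 3056
ISATAP_IID_MARKER = 0x00005EFE  # RFC 5214: ::0:5efe:w.x.y.z or ::200:5efe:w.x.y.z


def _ipv4(value: int) -> str:
    """Render the low 32 bits of an integer as a dotted IPv4 address."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def transition_technology(address: str):
    """Return (technology, embedded IPv4 address) for an IPv6 address.

    6to4 carries the IPv4 address in bits 16..47 of the prefix, Teredo stores
    the client's IPv4 address in the low 32 bits XORed with all ones, and an
    ISATAP interface identifier is 0000:5efe (or 0200:5efe when the
    universal/local bit is set) followed by the IPv4 address.
    """
    addr = ipaddress.IPv6Address(address)
    raw = int(addr)
    if addr in SIX_TO_FOUR_PREFIX:
        return "6to4", _ipv4(raw >> 80)
    if addr in TEREDO_PREFIX:
        return "Teredo", _ipv4((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    iid_high = (raw >> 32) & 0xFFFFFFFF          # upper half of the interface ID
    if iid_high & 0xFDFFFFFF == ISATAP_IID_MARKER:  # ignore the u/l bit (0x0200)
        return "ISATAP", _ipv4(raw)
    return "native", None


def next_hop(destination: str, force_tunnel: bool = False) -> str:
    """Split-tunnel decision: 'tunnel' sends the packet through the
    DirectAccess server, 'direct' sends it out the local Internet link.

    With split tunnelling (the default the paper describes) only intranet
    destinations enter the tunnel; force_tunnel=True models the administrator
    disabling split tunnelling so that everything crosses the enterprise network.
    """
    addr = ipaddress.ip_address(destination)
    if force_tunnel or any(addr in net for net in INTRANET_PREFIXES):
        return "tunnel"
    return "direct"


def describe(destination: str, force_tunnel: bool = False) -> dict:
    """Combine both views, as a log line or audit report would."""
    if ":" in destination:
        tech, embedded = transition_technology(destination)
    else:
        tech, embedded = "IPv4", None
    return {"destination": destination,
            "path": next_hop(destination, force_tunnel),
            "transition": tech,
            "embedded_ipv4": embedded}


if __name__ == "__main__":
    # Constructed sample destinations: intranet, 6to4, Teredo (RFC 4380 example), IPv4.
    for dst in ["2001:db8:1::10", "2002:c000:204::1",
                "2001:0:4136:e378:8000:63bf:3fff:fdd2", "198.51.100.7"]:
        print(describe(dst))
```

Recognizing 6to4 and Teredo addresses matters to defenders because traffic to those prefixes is IPv6 tunnelled inside IPv4 on the public Internet; a firewall or log review that only looks at IPv4 endpoints will otherwise not see which internal hosts such packets reach.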
VPN Reconnect
DirectAccess can replace the VPN as the preferred remote access method for many
organizations. However, some organizations will continue to use VPNs side-by-side with
DirectAccess. Therefore, Microsoft is improving VPN usability in Windows 7 with VPN Reconnect.
VPN Reconnect uses IKEv2 technology to provide seamless and consistent VPN connectivity,
automatically re-establishing a VPN when users temporarily lose their Internet connections. Users
who connect using wireless mobile broadband will benefit most from this capability.
For example, consider a user traveling to work on a train. To make the most out of her time, she
uses a wireless mobile broadband card to connect to the Internet and then establishes a VPN
connection to her company’s network. As the train passes through a tunnel, she loses her
Internet connection. Once outside of the tunnel, the wireless mobile broadband card automatically
reconnects to the Internet. However, with earlier versions of Windows, the VPN does not
reconnect, and she needs to repeat the multi-step process of connecting to the VPN. This can
quickly become time consuming for mobile users with intermittent connectivity.
With VPN Reconnect, Windows 7 automatically re-establishes active VPN connections when
Internet connectivity re-establishes. While the re-connection might take several seconds, it is
completely transparent to users, who are more likely to stay connected to a VPN and get more
use out of internal network resources.
Mobile Broadband
Earlier versions of Windows require users of wireless broadband cards to install third-party
software, which is difficult for IT administrators to manage, especially considering that every
wireless broadband provider has different software. Users also must be trained to use the
software and must have administrative access to install it, preventing standard users from easily
adding a wireless broadband card.
With Mobile Broadband, Windows 7 provides a driver-based model for wireless broadband cards.
Now, users can simply connect a wireless broadband card and immediately begin using it. The
interface is built into Windows and is the same regardless of the wireless broadband provider,
reducing the need for training and management efforts. With Windows 7 Mobile Broadband,
connecting to the Internet with wireless broadband is as straightforward as connecting to a
wireless local area network (LAN).
BranchCache
With BranchCache™, Windows 7 and Windows Server 2008 R2 reduce wide area network
(WAN) utilization while simultaneously increasing the responsiveness of network applications at
remote offices. When IT professionals enable BranchCache in Windows 7 and Windows
Server 2008 R2, data retrieved from Web and file servers on the enterprise wide area network
(WAN) is stored on the local branch office network. If another client at the same branch requests
the same content, the client can access it directly from the local network, without fetching the
entire file across the WAN. Clients are always authorized by the server at the datacenter before
they can retrieve the content from the local branch network.
BranchCache can operate in one of two modes:
- Distributed Cache. Using a peer-to-peer architecture, Windows 7 clients cache content
  retrieved from Windows Server 2008 R2 and send the content directly to other Windows 7
  clients as they need it, without those clients having to retrieve the same content over the
  WAN link. A distributed cache is the best choice for branches without a computer running
  Windows Server 2008 R2.
- Hosted Cache. Using a client/server architecture, Windows 7 clients copy content to a local
  computer (Hosted Cache) running Windows Server 2008 R2 that has BranchCache enabled.
  Other client computers that need the same content retrieve it directly from the Hosted Cache.
  Compared to the Distributed Cache, Hosted Cache increases the cache availability because
  content is available even if the client that originally requested the data is offline. Additionally,
  a Hosted Cache works across subnets and reduces multicast traffic on the local network.
  Typically, administrators can configure an existing computer running Windows
  Server 2008 R2 to act as the Hosted Cache, because the Hosted Cache does not require a
  dedicated server.
Figure 2 Comparison of BranchCache Distributed Cache and Hosted Cache modes
BranchCache currently supports the following protocols and is fully compatible with end-to-end
encryption such as IPsec:
- HTTP (including HTTPS). The standard protocol for Web transfers, used by applications
  such as Internet Explorer®, Windows Media®, and Windows SharePoint®.
- SMB (including signed SMB). The standard protocol for network file transfers when
  connecting to shared folders from Windows Explorer.
When BranchCache is enabled on both the client computer and server computer, the client
computer follows this process to retrieve data using HTTP or SMB:
1. The client computer running Windows 7 connects to a computer running Windows
Server 2008 R2 at the datacenter and requests content exactly as it would if it were to
retrieve content without using BranchCache.
2. The server computer at the datacenter authenticates the user and verifies that the user is
authorized to access the data.
3. The server computer at the datacenter returns identifiers (hashes) of the requested content to
the client computer instead of sending the content itself. The server computer does so over
the same channel that the content would have normally been sent.
4. Using the retrieved identifiers, the client computer does the following:
a. If configured to use Distributed Cache, the client computer multicasts on the local
network to find other client computers that have already downloaded the content.
b. If configured to use Hosted Cache, the client computer looks up content availability on
the Hosted Cache.
5. If the content is available in the branch (either on one or more clients or the Hosted Cache),
the client computer retrieves the data from within the branch, and ensures that the data is
current and has not been tampered with or corrupted.
6. If the content is not available in the branch, the client computer retrieves the content directly
from the server computer at the datacenter and either makes it available on the local network
to other requesting client computers or sends it to the Hosted Cache, where it is made
available to other client computers.
All content transfers between client computers or between a client computer and the Hosted
Cache are encrypted.
File Sharing and Offline Files Enhancements
IT professionals can take advantage of the Windows 7 file sharing enhancements to further
improve user productivity in branch offices. Windows 7 provides:
- Transparent caching on client computers for shared folders, reducing the time required to
  access files for the second and subsequent times across a slow network. This is combined
  with protocol enhancements that eliminate multiple, redundant network operations when
  opening or saving files to provide an improved application experience across slow networks.
- Background synchronization capabilities for offline files, reducing administrative overhead
  and enhancing end-user experience.
Transparent caching
Before Windows 7, to open a file across a slow network, client computers always retrieved the file
from the server computer, even if the client computer had recently read the file. With Windows 7
transparent caching, client computers cache remote files more aggressively, reducing the number
of times a client computer might have to retrieve the same data from a server computer.
The first time a user opens a file in a shared folder, Windows 7 reads the file from the server
computer and then stores it in a cache on the local disk. The second and subsequent times a
user reads the same file, Windows 7 retrieves it from disk instead of reading it from the server
computer.
To provide data integrity, Windows 7 always contacts the server computer to ensure the cached
copy is up-to-date. The cache is never accessed if the server computer is unavailable, and
updates to the file are always written directly to the server computer. Transparent caching is not
enabled by default on fast networks.
IT Professionals can use Group Policy to enable transparent caching, to improve the efficiency of
the cache, and to save disk space on the client, configuring the amount of disk space the cache
uses and preventing specific file types from being synchronized.
These benefits are transparent to end-users and provide an experience for users at branch
offices that more closely resembles the experience of being on the same LAN as servers.
Additionally, the improved cache efficiency can reduce utilization across WAN links.
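The rules the paper gives for transparent caching form a small consistency model: every read is validated against the server, the cached copy is served only when it is current, nothing is served from the cache when the server is unreachable, writes go straight to the server, and the feature is only active on slow links and within an administrator-set disk budget. The following added example (not code from the paper or from Windows) expresses those rules in Python against a constructed in-memory file server, so that the behaviour can be checked step by step. The latency threshold, cache size, version numbers and file path are all assumptions of the example.

```python
from collections import OrderedDict


class FileServer:
    """Constructed stand-in for the server computer hosting the shared folder.
    Each file carries a version number that changes on every write."""

    def __init__(self):
        self.files = {}   # path -> (version, data)
        self.online = True

    def _check(self):
        if not self.online:
            raise ConnectionError("server unreachable")

    def stat(self, path: str) -> int:
        self._check()
        return self.files[path][0]

    def read(self, path: str):
        self._check()
        return self.files[path]

    def write(self, path: str, data: bytes) -> int:
        self._check()
        version = self.files.get(path, (0, b""))[0] + 1
        self.files[path] = (version, data)
        return version


class TransparentCache:
    """Client-side model of the behaviour the paper describes."""

    def __init__(self, server, link_latency_ms, slow_link_threshold_ms=50,
                 max_bytes=1_000_000, excluded_suffixes=()):
        self.server = server
        # Only active on slow links; threshold value is an assumption here.
        self.enabled = link_latency_ms >= slow_link_threshold_ms
        self.max_bytes = max_bytes                       # disk budget (Group Policy)
        self.excluded = tuple(s.lower() for s in excluded_suffixes)  # file types never cached
        self.entries = OrderedDict()                     # path -> (version, data), oldest first
        self.hits = 0
        self.misses = 0

    def _cacheable(self, path: str, data: bytes) -> bool:
        return (self.enabled and len(data) <= self.max_bytes
                and not path.lower().endswith(self.excluded))

    def _store(self, path: str, version: int, data: bytes) -> None:
        if not self._cacheable(path, data):
            return
        self.entries.pop(path, None)
        self.entries[path] = (version, data)
        while sum(len(d) for _, d in self.entries.values()) > self.max_bytes:
            self.entries.popitem(last=False)             # evict the oldest entry

    def open(self, path: str):
        """Read a file; returns (data, 'cache' or 'server')."""
        version = self.server.stat(path)   # always validate; raises if the server is down
        cached = self.entries.get(path)
        if cached is not None and cached[0] == version:
            self.hits += 1
            return cached[1], "cache"
        self.misses += 1
        _, data = self.server.read(path)
        self._store(path, version, data)
        return data, "server"

    def save(self, path: str, data: bytes) -> int:
        """Write-through: the server copy is updated first, then the cache."""
        version = self.server.write(path, data)
        self._store(path, version, data)
        return version


def demo(link_latency_ms: int = 120):
    """Constructed walk-through; returns where each read was served from."""
    server = FileServer()
    path = r"\\fs1\docs\plan.docx"
    server.write(path, b"v1 " * 100)
    cache = TransparentCache(server, link_latency_ms)
    events = [cache.open(path)[1],            # first read: server
              cache.open(path)[1]]            # unchanged: cache
    server.write(path, b"v2 " * 100)          # changed by someone else
    events.append(cache.open(path)[1])        # stale entry: server
    cache.save(path, b"v3 " * 100)            # our own write goes through
    events.append(cache.open(path)[1])        # now current: cache
    server.online = False
    try:
        cache.open(path)
        events.append("served-offline")
    except ConnectionError:
        events.append("unavailable")          # cache is never used without the server
    return events
```

Running `demo()` on a slow link yields `['server', 'cache', 'server', 'cache', 'unavailable']`; with a fast link (say `demo(5)`) every read comes from the server, which is the "not enabled by default on fast networks" rule.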
Background synchronization for offline files
With Windows Vista®, user updates to files are written to the server computer when the user is
online. If the user is offline, the file updates are cached on the client computer’s disk and
synchronized with the server the next time the user is online. In Windows 7, synchronization can
happen automatically and in the background, without requiring the user to choose between online
and offline modes.
File synchronization is transparent to the end user, centrally configurable using Group Policy
settings, and can be monitored and controlled from Sync Center. This provides reliable and
transparent shared folder synchronization, giving users access to files on shared folders even
when they are disconnected from the network. Users need not worry about manually
synchronizing their data over slow networks, and IT professionals are assured that data from
client computers is backed up on the servers.
By making synchronization more powerful and transparent, Folder Redirection, a feature that
allows user folders such as Documents to be re-directed to a server computer, becomes much
more useful. IT professionals can use Group Policy settings to enable both Folder Redirection
and synchronization. Windows 7 redirects user folders to the network location and automatically
synchronizes files between the version on the client computer and the version on the server.
When the user disconnects from the network, Windows 7 opens the local copies of the files
exactly as if the user were connected to the network, and changes synchronize the next time the
user connects. This provides automatic network backup of user data without impacting the user.
Windows 7 adds the “usually offline” mode, which provides similar capabilities when connected to
a server across a slow network.
URL-based QoS
Adding more bandwidth cannot solve every network performance issue. Any network connection,
when fully utilized, will cause communications to slow down while the router is forced to queue
outgoing traffic. This often happens with an Internet or WAN connection because traffic from
multiple clients on a high-speed LAN must share a lower-speed connection.
For example, if an organization has a 1000 Mbps LAN and a 10 Mbps Internet connection,
computers can send requests across the LAN to the router much faster than the router can
forward the requests to the Internet. In this scenario, the router has to hold the outgoing requests
in a queue and send each request when more bandwidth is available. By default, routers send
outgoing traffic from the queue in a first-in, first-out basis. Therefore, critical traffic might be
waiting in the queue behind less critical traffic.
Figure 3 shows two clients sending traffic to two Web sites: www.contoso.com (a critical internal
Web site) and www.southridgevideo.com (a non-critical personal Web site). As the figure
demonstrates, the router treats the packets exactly the same, and packets destined for
www.southridgevideo.com might be sent after packets destined for www.contoso.com.
Figure 3 Without QoS, low-priority traffic can be sent before high-priority traffic
When IT professionals configure Quality of Service (QoS), Windows marks outgoing packets with
a Differentiated Services Code Point (DSCP) number. Routers then examine the DSCP value to
determine the packet’s priority. If a network connection is fully utilized and the router is holding
packets in a queue, higher-priority packets are sent before lower-priority packets, overriding the
default first-in, first-out behavior. Therefore, QoS can maintain the responsiveness of critical
network applications even when the network is busy.
With earlier versions of Windows, IT professionals could specify applications, IP addresses, and
port numbers to determine QoS priorities. With this level of detail, IT professionals could prioritize
database traffic over Web and e-mail traffic—a useful capability. They could also prioritize traffic
to a critical server over traffic to a less-critical server.
However, with the growth of Web services and application server consolidation, IT professionals
need finer control over how Windows prioritizes Web traffic. For example, a single intranet server
might host a critical customer service application and a non-critical discussion forum on the same
server. Web services or applications on a single server share a common IP address, limiting the
value of IP-based prioritization. IT professionals need to be able to assign different priorities to
different Web applications and sites on a single server.
Windows 7 allows IT professionals to prioritize Web traffic based on the URL. With URL-based
QoS, IT professionals can ensure important Web traffic is processed before less-important traffic,
improving performance on busy networks. For example, IT professionals can assign Web traffic
for critical internal Web sites a higher priority than external Web sites, maximizing performance
when the network is busy. Similarly, if users visit non-work-related Web sites that consume a
large portion of the network’s bandwidth, IT professionals can assign that traffic a low priority so
other traffic isn’t impacted.
With URL-based QoS, IT professionals can also configure the path portion of a URL, known as
the Uniform Resource Identifier (URI). For example, IT professionals could assign
http://contoso.com/cust_serv/ a high priority and http://contoso.com/forum/ a low priority. IT
professionals can configure QoS using Group Policy settings.
Figure 4 URL-based QoS allows IT professionals to prioritize Web traffic
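The following added example (not code from the paper, and not the Group Policy mechanism Windows itself uses) shows in Python what the two halves of URL-based QoS amount to: a longest-prefix match from URL to a DSCP code point, and a router queue that releases higher-ranked packets first instead of first-in, first-out. The policy reuses the paper's example sites (contoso.com/cust_serv/, contoso.com/forum/, www.southridgevideo.com); the specific DSCP values assigned to them, the ranking table and the sample requests are this example's assumptions. The code points themselves are the standard ones (best effort 0, CS1 8, AF21 18, AF41 34, EF 46 from RFC 2474, RFC 2597 and RFC 3246).

```python
import heapq
from itertools import count
from urllib.parse import urlsplit

# Standard DSCP code points.
DSCP_DEFAULT = 0   # best effort
DSCP_CS1 = 8       # commonly used as the lower-effort ("scavenger") class, RFC 3662
DSCP_AF21 = 18
DSCP_AF41 = 34
DSCP_EF = 46

# How the modelled router ranks each code point on a saturated link. CS1 is
# deliberately ranked below best effort, which is how a scavenger class works.
SERVICE_RANK = {DSCP_EF: 4, DSCP_AF41: 3, DSCP_AF21: 2, DSCP_DEFAULT: 1, DSCP_CS1: 0}

# Constructed policy built on the paper's example sites; DSCP choices are assumptions.
URL_POLICY = [
    ("http://contoso.com/cust_serv/", DSCP_AF41),        # critical customer service app
    ("http://contoso.com/forum/", DSCP_CS1),             # non-critical discussion forum
    ("http://www.contoso.com/", DSCP_AF21),              # critical internal site
    ("http://www.southridgevideo.com/", DSCP_CS1),       # non-work site
]


def _key(url: str) -> str:
    """Normalise scheme and host to lower case; keep the path as given."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def dscp_for(url: str, policy=URL_POLICY) -> int:
    """Longest-prefix match of the URL against the policy (scheme, host and
    path prefix); unmatched traffic stays best effort."""
    key = _key(url)
    best_prefix, best_dscp = "", DSCP_DEFAULT
    for prefix, dscp in policy:
        p = _key(prefix)
        if key.startswith(p) and len(p) > len(best_prefix):
            best_prefix, best_dscp = p, dscp
    return best_dscp


def transmit_order(requests, qos_enabled: bool) -> list:
    """Model the router's outgoing queue on a fully utilised link.

    requests: list of (url, label) in arrival order. Without QoS the queue is
    first-in, first-out. With QoS each packet carries the DSCP from dscp_for()
    and higher-ranked code points leave first; ties keep arrival order.
    """
    if not qos_enabled:
        return [label for _, label in requests]
    seq = count()
    heap = [(-SERVICE_RANK.get(dscp_for(url), SERVICE_RANK[DSCP_DEFAULT]), next(seq), label)
            for url, label in requests]
    heapq.heapify(heap)
    return [heapq.heappop(heap)[2] for _ in range(len(heap))]


if __name__ == "__main__":
    # Constructed traffic mix arriving at the router in this order.
    arrivals = [("http://www.southridgevideo.com/clip.mp4", "video"),
                ("http://contoso.com/cust_serv/ticket/42", "ticket"),
                ("http://example.net/", "other")]
    print("FIFO:", transmit_order(arrivals, qos_enabled=False))
    print("QoS: ", transmit_order(arrivals, qos_enabled=True))
```

Two caveats a practitioner would add: the marking is only as good as the routers' willingness to honour it (many networks re-mark DSCP at trust boundaries), and for HTTPS the client can still classify by URL because the marking happens on the sending host before encryption, whereas a router in the path sees only the DSCP field.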
DNS Security Extensions
DNS clients running Windows 7 and Windows Server 2008 R2 and DNS servers running
Windows Server 2008 R2 support DNS Security Extensions (DNSSEC) to validate the integrity of
DNS records as per Request For Comments (RFCs) 4033, 4034 and 4035. By validating that a
DNS record was generated by the authoritative DNS server and that the DNS record has not
been modified, computers running Windows 7 and Windows Server 2008 R2 can validate the
integrity of DNS responses.
With DNSSEC, authoritative DNS servers running Windows Server 2008 R2 that support
DNSSEC will cryptographically sign a DNS zone to generate digital signatures for all the resource
records in the zone. Other DNS servers can use a trust anchor to verify that a DNS record was
signed by the authoritative DNS server and that it has not been modified.
While DNS servers perform the validation of DNS records, DNS clients running Windows 7 are
DNSSEC-aware. A DNS client running Windows 7 relies on its local DNS server for DNSSEC
validation and can check whether validation has been successfully performed on the responses
before returning the results of the query to an application.
Figure 5 illustrates how IPsec and DNSSEC can provide an end-to-end DNSSEC solution to
validate a DNS request that must traverse multiple levels of DNS servers. For example, the client
computer could be located at a branch office and configured to use IPsec to connect to a local,
non-authoritative DNS server running Windows Server 2008 R2. The local DNS server can
forward requests to the domain’s authoritative DNS server, use DNSSEC to verify the integrity of
internal DNS records (even if there are multiple interim DNS servers), and inform the client that
DNSSEC was used to validate the records.
Figure 5 DNSSEC can prevent man-in-the-middle attacks
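A Windows 7 client, as the section above describes, does not validate signatures itself; it relies on the local resolver and checks whether that resolver reports the answer as validated. In the DNS protocol the resolver signals this with the AD (Authenticated Data) bit in the message header (RFC 4035, section 3.2.3); the paper does not name that mechanism, so treat it as the assumption behind the following added example, which is not code from the paper or from Windows. The example decodes a DNS header, extracts the AD bit and the response code, and applies the rule that Figure 5 is built on: the AD bit is only worth trusting when the hop between the client and its resolver is itself protected (for instance by IPsec), because anything on that path could otherwise set or clear the bit. The sample headers are constructed.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD added by RFC 2535/4035).
FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # authoritative answer
FLAG_TC = 0x0200  # truncated
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: the resolver validated the answer with DNSSEC
FLAG_CD = 0x0010  # checking disabled
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def build_header(ident: int, flags: int, qdcount=1, ancount=0,
                 nscount=0, arcount=0) -> bytes:
    """Pack the 12-byte DNS header (used here to construct sample responses)."""
    return struct.pack("!6H", ident, flags, qdcount, ancount, nscount, arcount)


def parse_header(message: bytes) -> dict:
    """Decode the header of a DNS message into named fields."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", message[:12])
    return {
        "id": ident,
        "response": bool(flags & FLAG_QR),
        "authoritative": bool(flags & FLAG_AA),
        "truncated": bool(flags & FLAG_TC),
        "recursion_available": bool(flags & FLAG_RA),
        "authenticated_data": bool(flags & FLAG_AD),
        "checking_disabled": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "counts": (qd, an, ns, ar),
    }


def classify_response(message: bytes, expected_id: int,
                      resolver_link_protected: bool) -> str:
    """Decide how much a non-validating stub may trust a resolver's answer.

    The AD bit is set by the validating resolver, not by the authoritative
    server, so it means something only if the path between stub and resolver
    cannot be rewritten in transit. That is the role IPsec plays in Figure 5.
    """
    hdr = parse_header(message)
    if not hdr["response"] or hdr["id"] != expected_id:
        return "discard"             # not an answer to our query
    if hdr["rcode"] == RCODE_SERVFAIL:
        return "servfail"            # a validating resolver answers this way when validation fails
    if hdr["rcode"] != RCODE_NOERROR:
        return "error"
    if not hdr["authenticated_data"]:
        return "unvalidated"         # answer came back, but nobody vouched for it
    return "validated" if resolver_link_protected else "ad-bit-unprotected"


if __name__ == "__main__":
    # Constructed response: ID 0x1234, flags QR|RD|RA|AD, one answer record.
    sample = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, ancount=1)
    print(parse_header(sample))
    print(classify_response(sample, 0x1234, resolver_link_protected=True))
    print(classify_response(sample, 0x1234, resolver_link_protected=False))
```

The "ad-bit-unprotected" outcome is the case to watch for in a branch office: a resolver that validates correctly still gives no assurance to a client that reaches it over an unprotected segment, which is why the paper pairs DNSSEC on the servers with IPsec on the client's hop.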
Support for Green IT
Windows 7 offers Wake on Wireless LAN (WOWL) and Smart Network Power features to reduce
power consumption.
Wake on Wireless LAN
Users can save energy by putting computers into sleep mode when they’re not in use. With
earlier versions of Windows, users and IT professionals could use Wake on LAN (WOL) to wake
the computer so that it could be managed across the network. However, WOL only works when
computers are connected to wired networks. Wireless computers in sleep mode cannot be started
or managed across the network, allowing them to fall behind on configuration changes, software
updates, and other management tasks.
Windows 7 adds support for Wake on Wireless LAN (WoWLAN). With WoWLAN, Windows 7 can
reduce electricity consumption by enabling users and IT professionals to remotely wake
computers connected to wireless networks from sleep mode. Because users can wake computers
to access them across the network, IT professionals can configure them to enter the low-power
sleep mode when not in use.
Smart network power
Wired network connections use power when they’re enabled, even if a network cable isn’t
connected. Windows 7 offers the ability to automatically turn off power to the network adapter
when the cable is disconnected. When the user connects a cable, power is automatically
restored. This feature offers the power-saving benefits of disabling a wired network connection
while still allowing users to connect easily to wired networks.
Summary
Windows 7 and Windows Server 2008 R2 offer the following features to help remote users feel
like they’re working in the office by keeping them connected and making the most out of
intermittent and low-bandwidth links:
- DirectAccess, VPN Reconnect, and Mobile Broadband make getting connected and staying
  connected easy or completely automatic.
- BranchCache and file sharing enhancements make the most out of low-bandwidth
  connections.
By providing a secure and flexible infrastructure, Windows 7 and Windows Server 2008 R2
provide IT professionals with the following benefits:
- DirectAccess and VPN Reconnect increase the time mobile users are connected to the
  internal network, improving manageability.
- DNSSEC allows client computers to authenticate DNS servers, and DNS servers to
  authenticate each other, reducing the risk of man-in-the-middle attacks.
- Mobile Broadband simplifies configuration of wireless broadband adapters.
Finally, these benefits reduce costs for IT professionals:
- BranchCache, URL-based QoS, and file sharing enhancements optimize bandwidth
  utilization.
- Support for green IT allows users to save power while still enabling administrators to manage
  computers across the network.
In summary, the networking improvements in Windows 7 and Windows Server 2008 R2 improve
user productivity and decrease management costs, adding significant value to Microsoft’s newest
client and server operating systems.