Day 1: Windows Networking – From Windows Vista to Windows 7

My battery is running flat (lesson: switch to "power saver mode" when running on battery, you idiot!) so I’ll probably finish this one tomorrow – some of us Irish folks are meeting up tonight for a couple of drinks/dinner.

As you should know, the next-generation TCP stack in Vista was a big change for the better.  It offers solutions to serious productivity issues when teamed with Windows Server 2008.  Reminder: the Tolly Group study.

Personal story: I’ve tried this with Vista accessing an SSL W2008 SharePoint server this week from Barcelona.  The server is on the net in Dublin and I was on a crowded WiFi LAN.  It was like being on the same LAN as the SharePoint server.  I know that XP could not have had the same performance over this (very) high-latency link.

The presenter is a woman from MS Turkey.  The needs today: IT Pros need flexibility, mobility and performance.  Users want seamless networking.  They don’t care whether it is WiFi, broadband, LAN, VPN, etc.  Windows 7 offers:

  • DirectAccess to services on W2008 R2
  • VPN Reconnect and Mobile Broadband
  • DNS Security
  • BranchCache
  • More SMB enhancements
  • URL-based QoS – handy for dense web servers.
  • Support for Green IT – power savings I guess?

Mobile Access: today, remote PCs have to come onto the network to be patched, and they are hard to manage.  There is some functionality with native installs of SCCM 2007.  It is difficult for users to reach internal resources remotely.  Windows 7 extends the "corporate network boundary" to include assets no matter where they are, which makes it easier to service remote PCs.

Direct Access

We now get a demo of seamless remote access to internal resources.  It works as if she were on the LAN in MS.  It works over IPv6: IPv6 addresses are globally unique, so a client can be addressed directly without NAT.  A DirectAccess server sits on the border and monitors traffic.  The PC has a client that inspects the destination address of outbound traffic: if it is a corporate internal address, the traffic is sent through the DirectAccess server running on Windows Server 2008 R2, and everything else goes straight out to the Internet ("split tunnelling").  If you don’t like that, you can instead force all traffic through the tunnel and out via a corporate proxy.  Because most of the Internet is still IPv4, the solution tunnels IPv6 over IPv4 (UDP, TLS/HTTPS, etc.).  NAP can sit in here to ensure that the client only gains access if it is compliant with corporate policy.  Windows Server 2003 can be reached over IPv6 with a patch.

IPsec secures the session between the client and the DirectAccess server.  It is not required within the corporate intranet but is recommended (as usual – but rarely done).  The solution assumes the client is on an insecure network, and NAP assumes the client is non-compliant until it proves otherwise.
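The per-destination decision the client makes (tunnel to the DirectAccess server, or go direct), with the NAP gate in front of it, as an added Python illustration.  This is not Microsoft’s DirectAccess code; the IPv6 prefixes (taken from the 2001:db8::/32 documentation range), the exception subnet, the DirectAccess server address and the health-check names are all constructed for the example.

```python
"""Split-tunnel routing decision of a DirectAccess-style client.

Added illustration, not Microsoft's implementation.  Prefixes, server address
and health checks are constructed; longest prefix wins, as in a routing table.
"""
import ipaddress

# Constructed corporate IPv6 prefixes, as a client would learn them from GPO.
CORP_PREFIXES = [
    ipaddress.ip_network("2001:db8:1::/48"),   # datacentre
    ipaddress.ip_network("2001:db8:2::/48"),   # branch offices
]
# Constructed exception inside the corporate range (e.g. a DMZ reached directly).
EXCEPTIONS = [ipaddress.ip_network("2001:db8:1:ffff::/64")]
# Constructed address of the DirectAccess server on the border.
DA_SERVER = ipaddress.ip_address("2001:db8:1::da")

# Constructed NAP-style health statements.
HEALTHY = {"firewall_on": True, "av_signatures_current": True, "patched": True}
UNHEALTHY = {"firewall_on": True, "av_signatures_current": False, "patched": True}


def next_hop(dst, force_tunnel=False):
    """Return ('tunnel', DA_SERVER) for corporate destinations, else ('direct', dst)."""
    addr = ipaddress.ip_address(dst)
    if force_tunnel:
        return ("tunnel", DA_SERVER)          # everything via the corporate proxy
    if addr.version != 6:
        return ("direct", addr)               # DirectAccess only carries IPv6
    best = None
    for net in CORP_PREFIXES + EXCEPTIONS:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net                        # longest-prefix match
    if best is None or best in EXCEPTIONS:
        return ("direct", addr)
    return ("tunnel", DA_SERVER)


def compliant(health):
    """NAP-style gate (constructed policy): every required check must pass."""
    required = ("firewall_on", "av_signatures_current", "patched")
    return all(health.get(k, False) for k in required)


def route(dst, health, force_tunnel=False):
    """Tunnelled traffic is only admitted once the client has proved compliance."""
    action, hop = next_hop(dst, force_tunnel)
    if action == "tunnel" and not compliant(health):
        return ("blocked", hop)
    return (action, hop)
```

The same lookup generalises to the name side: a DirectAccess client also keys its decision on DNS suffixes, with the same "longest match wins, exceptions go direct" rule.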

Strategy:

  • Be ready to deploy/monitor IPv6
  • Full server or selected server access
  • How much bandwidth?

Windows 7 clients:

  • Windows 2008 R2 DirectAccess Server
  • DC, DNS, AD, PKI, application servers, etc., all reachable over IPv6.

During deployment:

  • Use the DirectAccess configuration wizard to set up the server.

VPN Reconnect

Mobile broadband is unreliable.  Windows 7 (VPN Reconnect, built on IKEv2) keeps the VPN session state across an outage and automatically re-establishes the tunnel when the underlying network comes back, without the user having to do anything.  Policy defines how long an outage is tolerated; the default is 30 minutes.

Mobile Broadband

Today this is a bad experience for the user: it requires dodgy third-party software and more management.  Windows 7 provides plug-and-play support for mobile broadband devices, so end users just plug in and connect.  Better for network providers, admins and users.

Branch Office

There are two optimised branch networking solutions, one for a branch with a server and one without:

  • Distributed cache: desktops/laptops use subnet-local discovery (broadcast/multicast, so only one VLAN) to find peers on the LAN that have already downloaded the block identified by its hash.
  • Hosted cache: clients get the block identifiers from the content server and check a central cache on the branch LAN.  It is a single host serving many VLANs (clients find it via GPO).  If the block is already cached, it is fetched locally; otherwise the client downloads it over the WAN and forwards it to the cache.

Either way, sessions and locks are maintained on the origin server.  Reads are optimised, but a write uploads the entire file 🙁  GPO manages things.  There is no current policy for aging/retention of cached blocks.   We want to get rid of servers in the branch office, but the best solution is the hosted cache (requiring W2008 R2 for both the cache host and the content server).  The protocols supported are file shares (SMB) and web (HTTP/HTTPS).  SSL (HTTPS) and SMB signing are supported.

Deployment: distributed mode is configured by GPO; the hosted cache is a role installation on the cache host.

SMB Enhancements

Transparent Caching: the Win7 client caches files it opens from a file share locally.  Subsequent reads are served locally; writes go to the server.  Transparent to the user, and better WAN performance.

Example: client 1 downloads a file.  Client 2 requests the same file; BranchCache (distributed or hosted) serves the blocks to client 2 from client 1 or from the hosted cache instead of over the WAN.  When client 2 opens the file again, it is loaded from client 2’s own local cache.

Improved Office Experience

Office is very chatty; it constantly re-reads the content of open files.  New optimisations consolidate this into a single stream of traffic.

Offline Files

We now get regular, admin-controlled two-way synchronisation of Offline Files, with blackout windows for busy periods.  This gives corporate data synchronisation and an optimised user experience over the WAN.

DNS Security

DNSSEC signs DNS records so that a resolver can verify that answers are authentic and unmodified, which defeats spoofed or poisoned responses (a form of man-in-the-middle attack).  It does not encrypt queries.  Note that the Windows 7 client is a non-validating, security-aware stub resolver: it relies on its Windows Server 2008 R2 DNS server to validate the signatures, so the last hop between client and DNS server should itself be protected (e.g. with IPsec).

URL QoS

QoS policies can be defined for specific URLs.  Consider a single web server hosting many web sites: they should not all be tarred with the same brush, since some are more important than others.

Green IT

Wake on Wireless LAN: wake up a host, perform maintenance, put it back to sleep.

Smart Network Power: idle NICs are put to sleep.  DON’T USE THIS FOR "SERVERS", and remember that a client can be a server too: consider distributed BranchCache, where clients rely on other clients for WAN optimisation.

Q&A

BranchCache is block-level technology, similar in spirit to DFS-R but new code.

Remote management via DirectAccess gives seamless access for the IT Pro as well as the user.  Consider remote admin for ConfigMgr; it might now be dead.  You can even ping a remote machine with this technology.

BranchCache: any write sends the entire file over the WAN, not just the changed blocks.  BOO!  Riverbed and Citrix still have a window, even if you only care about SMB and HTTP(S).

The BranchCache is ACL’d and encrypted.  Pre-staging is possible, but only via a scripted download.  MS provides an API for their own or partners’ later use for direct pre-staging from media (the ideal solution).
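The block-level mechanism described in the Branch Office section, the two-client SMB example, and the Q&A points about writes and the ACL’d, encrypted cache, as one added Python model.  This is my simplified illustration, not Microsoft’s BranchCache code or wire format: the content server hands authorised clients a hash and a secret per block, and the LAN cache (peer or hosted) stores blocks encrypted under that secret, so a copy of the cache is useless without the server’s say-so.  The block size, share path, file content, users, ACL and the HMAC-SHA256 stream cipher (a stand-in for AES) are all constructed for the example.

```python
"""BranchCache-style content-addressed cache: an added, simplified model,
not Microsoft's implementation.  Everything below is constructed."""
import hashlib
import hmac
import os

BLOCK = 64                       # constructed; real BranchCache uses 64 KB blocks
PATH = "/share/report.docx"      # constructed share path
# Constructed file content: 16 distinct 64-byte blocks.
SAMPLE = b"".join(hashlib.sha256(bytes([i])).digest() * 2 for i in range(16))


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def stream_xor(key, nonce, data):
    """XOR with an HMAC-SHA256 counter-mode keystream (stand-in for AES-CTR)."""
    out = bytearray()
    for ctr, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


class Server:
    """Content server in the datacentre: files, an ACL and a server secret."""

    def __init__(self, files, acl):
        self.files, self.acl = dict(files), acl
        self.secret = os.urandom(32)
        self.wan_bytes = 0           # bytes that crossed the WAN

    def content_ids(self, user, path):
        """ACL check first; then a (hash, block secret) pair per block, no data."""
        if user not in self.acl.get(path, ()):
            raise PermissionError(f"{user} may not read {path}")
        ids = []
        for b in blocks(self.files[path]):
            hod = hashlib.sha256(b).digest()                           # hash of data
            ks = hmac.new(self.secret, hod, hashlib.sha256).digest()   # block secret
            ids.append((hod, ks))
        self.wan_bytes += 64 * len(ids)  # identifiers are small next to the data
        return ids

    def read_block(self, path, hod):
        """Serve one block over the WAN (a cache miss)."""
        for b in blocks(self.files[path]):
            if hashlib.sha256(b).digest() == hod:
                self.wan_bytes += len(b)
                return b
        raise KeyError("unknown block")

    def write(self, user, path, data):
        """A write uploads the whole file, not just the changed blocks."""
        if user not in self.acl.get(path, ()):
            raise PermissionError(f"{user} may not write {path}")
        self.wan_bytes += len(data)
        self.files[path] = data


class BranchCache:
    """Peer or hosted cache: lookup key and encryption both need the block
    secret, so a hash alone (or the cache's files) yields nothing."""

    def __init__(self):
        self.store = {}

    def get(self, hod, ks):
        blob = self.store.get(hmac.new(ks, hod, hashlib.sha256).digest())
        if blob is None:
            return None
        plain = stream_xor(ks, hod[:16], blob)
        return plain if hashlib.sha256(plain).digest() == hod else None  # tampered = miss

    def put(self, hod, ks, block):
        self.store[hmac.new(ks, hod, hashlib.sha256).digest()] = stream_xor(ks, hod[:16], block)


def fetch(server, cache, user, path):
    """Client read: ids from the server, each block from the cache when it can."""
    out, hits = [], 0
    for hod, ks in server.content_ids(user, path):
        b = cache.get(hod, ks)
        if b is None:
            b = server.read_block(path, hod)
            cache.put(hod, ks, b)
        else:
            hits += 1
        out.append(b)
    return b"".join(out), hits


def demo():
    """Two clients read the file, a third is refused, then one edits a byte."""
    server = Server({PATH: SAMPLE}, {PATH: {"alice", "bob"}})
    cache = BranchCache()
    d1, hits1 = fetch(server, cache, "alice", PATH)   # all 16 blocks cross the WAN
    wan1 = server.wan_bytes
    d2, hits2 = fetch(server, cache, "bob", PATH)     # ids only; data from the cache
    wan2 = server.wan_bytes - wan1
    try:
        fetch(server, cache, "mallory", PATH)
        denied = False
    except PermissionError:
        denied = True
    leaked = any(b in cache.store.values() for b in blocks(SAMPLE))
    edited = b"X" + SAMPLE[1:]
    wan_before = server.wan_bytes
    server.write("bob", PATH, edited)                 # one byte changed, whole file sent
    wan_write = server.wan_bytes - wan_before
    d3, hits3 = fetch(server, cache, "alice", PATH)   # only the changed block misses
    return {"hits": (hits1, hits2, hits3), "wan": (wan1, wan2, wan_write),
            "denied": denied, "plaintext_in_cache": leaked,
            "correct": d1 == SAMPLE and d2 == SAMPLE and d3 == edited}
```

Running demo() shows the asymmetry the Q&A complained about: the second reader costs only the identifiers on the WAN, the one-byte edit costs the whole file, and the following read still hits the cache for the 15 unchanged blocks.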

BranchCache generated the most questions and interest from this session.
