Windows Server 2008 R2 Unleashed, Chapter 1: Windows Server 2008 R2 Technology Primer

virtual private network (VPN) to gain access into the network.

DirectAccess is an amazing technology that combines sophisticated security technology and policy-based access technology to provide remote access to a network; however, organizations do find it challenging to get up to speed with all the technology components necessary to make DirectAccess work. So, although many organizations will seek to achieve DirectAccess capabilities, it might be months or a couple of years before all the technologies are in place for the organization to easily enable DirectAccess in their enterprise environment.

Some of the technologies required to make DirectAccess work include the following:

• PKI certificates—DirectAccess leverages PKI certificates as a method of identification of the remote device as well as the basis for encrypted communications between the remote device and the network. Thus, an organization needs to have a good certificate infrastructure in place for server and client certificate-based encrypted communications.

• Windows 7 clients—DirectAccess only works with clients that are running Windows 7. The client components for encryption, encapsulation, and policy control depend on Windows 7 to make all the components work together.

• IPSec—The policy control used in DirectAccess leverages IPSec to identify the destination resources that a remote user should have access to. IPSec can be endpoint to endpoint (that is, from the client system all the way to the application server), or IPSec can be simplified from the client system to a DirectAccess proxy server, in which case the actual endpoint application servers do not need to be IPSec enabled. In any case, IPSec is a part of the security and policy structure that ensures the remote client system is only accessing server resources that by policy the remote client should have access to as part of the DirectAccess session connection.

• IPv6—Lastly, DirectAccess uses IPv6 as the IP session identifier. Although most organizations have not implemented IPv6 yet and most on-ramps to the Internet are still IPv4, tunneling of IPv6 is fully supported in Windows 7 and Windows Server 2008 R2 and can be used in the interim until IPv6 is fully adopted. For now, IPv6 is a requirement of DirectAccess and is used as part of the remote access solution.

More details on DirectAccess are provided in Chapter 24, “Server-to-Client Remote Access and DirectAccess.”
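The four prerequisites just listed are things an administrator can verify on a candidate client before a DirectAccess rollout. The following PowerShell script is an added example and is not from the book or from Microsoft's DirectAccess tooling; it inventories the client side of the checklist (Windows 7, a machine certificate from the enterprise PKI, the IPsec Policy Agent, and IPv6). The issuing CA subject name is an assumption and must be replaced with your own.

```powershell
# Added example, not from the book: inventory the client-side DirectAccess
# prerequisites the chapter lists. Run in an elevated PowerShell 2.0 session on
# a Windows 7 candidate client. The issuing CA name below is an assumption.
$ExpectedIssuer = 'CN=Contoso Enterprise CA'   # assumption: your issuing CA's subject

function Test-DirectAccessClientPrereqs {
    $results = @()

    # 1. Windows 7: NT kernel 6.1 and ProductType 1 (workstation, not a server SKU).
    $os = Get-WmiObject Win32_OperatingSystem
    $results += New-Object PSObject -Property @{
        Check  = 'Windows 7 client'
        Passed = ($os.Version -like '6.1.*' -and $os.ProductType -eq 1)
        Detail = $os.Caption
    }

    # 2. An unexpired machine certificate from the enterprise CA in the computer store.
    $machineCerts = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*$ExpectedIssuer*" -and $_.NotAfter -gt (Get-Date) })
    $certDetail = 'no valid certificate from the expected CA'
    if ($machineCerts.Count -gt 0) { $certDetail = $machineCerts[0].Subject }
    $results += New-Object PSObject -Property @{
        Check  = 'PKI machine certificate'
        Passed = ($machineCerts.Count -gt 0)
        Detail = $certDetail
    }

    # 3. IPsec: the IPsec Policy Agent service must be running, otherwise the
    #    connection security rules that carry the DirectAccess policy are not enforced.
    $policyAgent = Get-Service PolicyAgent
    $startMode   = (Get-WmiObject Win32_Service -Filter "Name='PolicyAgent'").StartMode
    $results += New-Object PSObject -Property @{
        Check  = 'IPsec Policy Agent running'
        Passed = ($policyAgent.Status -eq 'Running')
        Detail = "Status: $($policyAgent.Status); start mode: $startMode"
    }

    # 4. IPv6: not switched off through the Tcpip6 DisabledComponents value (0xFF
    #    disables every IPv6 component), and at least one IP-enabled adapter holds
    #    an IPv6 address (WMI lists IPv6 addresses alongside IPv4; they contain ':').
    $tcpip6   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -ErrorAction SilentlyContinue
    $disabled = $tcpip6.DisabledComponents
    $v6Adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        Where-Object { $_.IPAddress -match ':' })
    $notDisabled = ($disabled -eq $null) -or (($disabled -band 0xFF) -ne 0xFF)
    $results += New-Object PSObject -Property @{
        Check  = 'IPv6 enabled'
        Passed = ($notDisabled -and $v6Adapters.Count -gt 0)
        Detail = "DisabledComponents=$disabled; adapters with an IPv6 address: $($v6Adapters.Count)"
    }

    return $results
}

Test-DirectAccessClientPrereqs | Format-Table Check, Passed, Detail -AutoSize
```

Any row whose Passed column is False points at the technology component (PKI, client OS, IPsec, or IPv6) that still has to be put in place before that client can be enabled for DirectAccess.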

Windows 7 VPN Reconnect

VPN Reconnect is not a Windows Server 2008 R2–specific feature but rather a Windows 7 client feature; however, with the simultaneous release of the Windows 7 client and Windows Server 2008 R2, it is worth noting this feature because Microsoft will be touting the technology and network administrators will want to know what they need to do to implement the technology. VPN Reconnect is simply an update to the VPN client in Windows 7 that reestablishes a VPN session on a client system in the event that the client system’s VPN session is disconnected.

VPN Reconnect effectively acknowledges that a client VPN session has been disconnected and reestablishes the session. Many longtime administrators might wonder why this is new because client systems in the past (Windows XP, Vista, and so forth) have always had the ability to retry a VPN session upon disconnect. However, the difference is that instead of simply retrying the VPN session and establishing a new VPN session, the VPN Reconnect feature of Windows 7 reestablishes a VPN session with the exact same session identification, effectively allowing a session to pick up exactly where it left off.

For example, a Windows 7 client user can be transferring a file on a wired VPN-connected session and then switch midstream to a Wi-Fi VPN-connected session, and the file transfer will continue uninterrupted.

VPN Reconnect utilizes the IKE v2 protocol on the client and on the Windows Server 2008 R2 side with an established session identification so that upon reconnect, the session ID remains the same.

Chapter 24 provides more details on VPN Reconnect.

Windows 7 Mobile Broadband

Another Windows 7–specific technology for mobile users is Windows 7 Mobile Broadband. Again, although it has nothing to do specifically with Windows Server 2008 R2, Windows 7 Mobile Broadband is an update to the carrier-based (for example, AT&T, Sprint, Verizon) mobile connection devices and services in Windows 7.

In the past, a user plugged a Mobile Broadband card into their Windows XP or Vista system and then had to launch an application such as the AT&T Connection Manager. With Windows 7 and the latest Mobile Broadband drivers for the device and for Windows 7, inserting the Mobile Broadband card into a mobile system automatically connects the user to the Internet. Just as turning on a Wi-Fi adapter in a system automatically establishes a connection to a Wi-Fi access point, Mobile Broadband automatically connects the user to the Internet.

When the Windows 7 Mobile Broadband adapter is disconnected from the user’s system, the Mobile Broadband session disconnects, and if the system has a Wi-Fi or wired Ethernet connection available, the user’s system automatically connects to the alternate connection point. Combine Mobile Broadband with VPN Reconnect or with DirectAccess, and a mobile user has seamless connection access back into their organization’s network.

Improvements in Windows Server 2008 R2 for Better Branch Office Support

Windows Server 2008 R2 has greatly enhanced the technology offerings that provide better IT services to organizations with remote offices or branch offices. Typically, a remote or branch office has limited IT support, yet the site needs to have the same functionality and reliability as the main corporate or business office, without the budget to have lots of redundant hardware and devices for full operational support. With the new Windows Server 2008 R2 branch office resources, a remote location can now have high security, high performance, access to data without significant latency, and operational capabilities, even if the remote site is dropped off the network due to a WAN or Internet connection problem.

The tools and technologies new or improved in Windows Server 2008 R2 include Read-Only Domain Controllers, BitLocker Drive Encryption, distributed file server data replication, and distributed administration.

Details on the new technologies built in to Windows Server 2008 R2 that better support remote and branch offices are covered in Chapter 32.

Read-Only Domain Controllers for the Branch Office

As covered in the section “Introducing the Read-Only Domain Controller” earlier in this chapter, the RODC provides a copy of the Active Directory global catalog for logon authentication of select users and communications with the Active Directory tree without having the security exposure of a full global catalog server in the remote location. Many organizations concerned with distributed global catalog servers chose not to place a server in a remote location, but rather kept their global catalog and domain controllers centralized. What this meant for remote and branch offices is that all logon authentication had to go across the WAN or Internet connection, which could be very slow. And in the event of a WAN or Internet connection failure, the remote or branch office would be offline because users could not authenticate to the network and access network resources until the WAN or Internet connection was restored.

Read-Only Domain Controllers provide a way for organizations to distribute authentication and Active Directory access without increasing their security risk caused by the distribution of directory services.
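The security property described here (authentication at the branch, without a writable directory or a full set of cached credentials there) is fixed at promotion time by the RODC's password replication policy. The following PowerShell script is an added example, not from the book, showing an unattended dcpromo promotion on a Windows Server 2008 R2 branch server; the domain name, site name, and group names are assumptions, and the unattend keys used are the standard `[DCInstall]` keys that dcpromo reads.

```powershell
# Added example, not from the book: promote a branch office member server to a
# read-only domain controller with an unattended dcpromo answer file. Run in an
# elevated PowerShell session on the Windows Server 2008 R2 branch server as a
# domain administrator (or a delegated RODC installer). Names are assumptions.
$DomainDnsName = 'corp.example.com'        # assumption: the AD DS domain
$SiteName      = 'Branch01'                # assumption: the branch office's AD site
$AllowedGroup  = 'CORP\Branch01 Users'     # assumption: only these accounts may be cached on the RODC
$DeniedGroup   = 'CORP\Domain Admins'      # privileged accounts are never cached at the branch
$DsrmPassword  = Read-Host 'Directory Services Restore Mode password'

$answerFile = Join-Path $env:TEMP 'rodc-unattend.txt'

# dcpromo reads the [DCInstall] section. ReadOnlyReplica makes this an RODC;
# ConfirmGc=Yes gives the branch the global catalog the chapter describes.
@"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=$DomainDnsName
SiteName=$SiteName
InstallDNS=Yes
ConfirmGc=Yes
CriticalReplicationOnly=No
PasswordReplicationAllowed="$AllowedGroup"
PasswordReplicationDenied="$DeniedGroup"
SafeModeAdminPassword=$DsrmPassword
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

try {
    dcpromo /unattend:"$answerFile"
    if ($LASTEXITCODE -ne 0) { throw "dcpromo failed with exit code $LASTEXITCODE" }
}
finally {
    # The answer file holds the DSRM password in clear text; remove it before rebooting.
    Remove-Item $answerFile -Force -ErrorAction SilentlyContinue
}

Restart-Computer
```

The allowed and denied groups are what limit the exposure of the branch server: if the RODC is stolen, only the password hashes of accounts in the allowed group were ever cached on it, and they can be reset from the writable domain controllers at the home office.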


BranchCache File Access

New to Windows Server 2008 R2 is a role called BranchCache. BranchCache is a technology that provides users with better access to files across a wide area network (WAN). Normally, if one user accesses a file, the file is transferred across the WAN for the user, and then when another user accesses the same file, the same file is again transferred across the WAN for the other user. BranchCache acknowledges that a file has been transferred across the WAN by a previous user, and instead of retrieving the file across the WAN, the file is accessed locally by the subsequent user.

BranchCache requires Windows 7 on the client side and can be set up so that the file is effectively retrieved in a peer-to-peer manner from another Windows 7 client that had previously accessed the file. Or, a Windows Server 2008 R2 server with the BranchCache server role can be set up in the remote location, where remotely accessed files are temporarily cached for other Windows 7 client users to seamlessly access locally instead of downloading them across the WAN.

BranchCache does not require the user to do anything differently. Users simply access files as they normally do (either off a Windows file system or from a SharePoint document library), and the combination of Windows 7 and Windows Server 2008 R2 does all the caching automatically. BranchCache has proven to improve access time on average 30%–45% for remote users, improving the user experience and potentially user productivity by providing faster access to information in remote locations.
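The two deployment modes described above (peer-to-peer between Windows 7 clients, or a Windows Server 2008 R2 hosted cache in the branch) are selected on each machine with the `netsh branchcache` context that Windows 7 and Windows Server 2008 R2 ship. The following PowerShell script is an added example, not from the book; in production the client mode is normally pushed by Group Policy, and the script shows the underlying settings. The hosted cache server name is an assumption.

```powershell
# Added example, not from the book: select the BranchCache mode the chapter
# describes on a Windows 7 client or Windows Server 2008 R2 branch server, and
# enable the content-server side on the hub file server. Run elevated.
$HostedCacheServer = 'branchcache01.corp.example.com'   # assumption: name on the hosted cache server's SSL certificate

function Set-BranchCacheMode {
    param(
        [ValidateSet('Distributed', 'HostedClient', 'HostedServer', 'Off')]
        [string]$Mode
    )
    switch ($Mode) {
        # Peer-to-peer: Windows 7 clients in the branch serve cached blocks to one another.
        'Distributed'  { netsh branchcache set service mode=distributed }
        # Clients fetch cached blocks from the branch server over HTTPS instead of from peers.
        'HostedClient' { netsh branchcache set service mode=hostedclient location=$HostedCacheServer }
        # The Windows Server 2008 R2 branch server keeps the cache; only domain-joined
        # clients are allowed to offer content into it.
        'HostedServer' { netsh branchcache set service mode=hostedserver clientauthentication=domain }
        'Off'          { netsh branchcache set service mode=disabled }
    }
    if ($Mode -ne 'Off') {
        # Cap the local cache at 10% of the volume so a laptop or the branch server
        # does not fill its disk with cached copies of WAN content.
        netsh branchcache set cachesize size=10 percent=TRUE
    }
}

# Hub file server side: the BranchCache for Network Files role service publishes the
# content hashes that let branch clients recognise a file they already hold.
function Enable-BranchCacheContentServer {
    Import-Module ServerManager
    Add-WindowsFeature FS-BranchCache, BranchCache
}

Set-BranchCacheMode -Mode Distributed
netsh branchcache show status all
```

In hosted cache mode the branch server also needs an SSL certificate bound to port 443 that clients trust, because the branch clients authenticate the cache server before accepting content from it; and on the hub file server the "Hash Publication for BranchCache" policy must be enabled on the shares that should be cacheable.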

BitLocker for Server Security

BitLocker is a technology first introduced with Windows Vista that provides an organization with the ability to do a full partition encryption of all files, documents, and information stored on the encrypted partition. When BitLocker was first introduced in Windows Server 2008 as a server tool, it was hard to understand why a server would need to have its drive volume encrypted. It made sense that a laptop would be encrypted in the event the laptop is stolen—so that no one could get access to the data on the laptop hard drive. However, when considering that servers are placed in remote locations—many times not in a locked server rack in a locked computer room but rather sitting in a closet or even under a cash register in the situation of a retail store with a server acting as the point-of-sale system—servers with sensitive data are prevalent in enterprise environments.

So, BitLocker provides encryption of the volume of a Windows Server 2008 R2 server; for organizations that are concerned that the server might be physically compromised by the theft of the server or physical attack of the system, BitLocker is a great component to implement on the server system.
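A server in a closet has one constraint a laptop does not: it must reboot unattended, with nobody present to type a PIN or insert a key. The following PowerShell script is an added example, not from the book, showing the arrangement that satisfies that on Windows Server 2008 R2: the OS volume is sealed to the TPM, the data volume auto-unlocks once the OS volume is up, and the recovery passwords are escrowed in AD DS so they never have to live on the box. Drive letters are assumptions.

```powershell
# Added example, not from the book: enable BitLocker on a Windows Server 2008 R2
# server placed in an unsecured location. Run in an elevated PowerShell session.
# Installing the feature requires a restart before manage-bde becomes available.
$OsVolume   = 'C:'
$DataVolume = 'D:'   # assumption: the volume holding the sensitive data

function Install-BitLockerFeature {
    Import-Module ServerManager
    $result = Add-WindowsFeature BitLocker
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'Restart the server, then run Enable-ServerBitLocker.'
    }
}

function Test-TpmReady {
    # Win32_Tpm reports whether a TPM is present, enabled, activated, and owned.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm
    if ($tpm -eq $null) { return $false }
    return ($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated -and $tpm.IsOwned().IsOwned)
}

function Get-RecoveryProtectorId {
    param([string]$Volume)
    # manage-bde lists each protector as a "Numerical Password:" block followed by "ID: {GUID}".
    $text = (manage-bde -protectors -get $Volume) -join "`n"
    if ($text -match 'Numerical Password:\s*ID:\s*(\{[0-9A-Fa-f-]+\})') { return $matches[1] }
    throw "No recovery password protector found on $Volume"
}

function Enable-ServerBitLocker {
    if (-not (Test-TpmReady)) {
        throw 'TPM is not ready; enable and activate it in firmware and take ownership first.'
    }

    # OS volume: with a ready TPM, manage-bde adds the TPM protector by itself, so the
    # server still boots unattended; the recovery password is the break-glass path.
    manage-bde -on $OsVolume -RecoveryPassword

    # Data volume: recovery password plus auto-unlock keyed to the (now protected) OS volume.
    manage-bde -on $DataVolume -RecoveryPassword
    manage-bde -autounlock -enable $DataVolume

    # Escrow each recovery password in the computer object in AD DS, so a stolen or
    # failed server can be recovered from the home office without a copy kept on site.
    foreach ($vol in $OsVolume, $DataVolume) {
        $id = Get-RecoveryProtectorId -Volume $vol
        manage-bde -protectors -adbackup $vol -id $id
    }

    manage-bde -status
}

Install-BitLockerFeature
# After the restart:
# Enable-ServerBitLocker
```

The AD DS escrow step assumes the schema has the BitLocker recovery attributes (present in Windows Server 2008 and later forests); the corresponding Group Policy setting can make the backup automatic, but the explicit `-adbackup` call lets the script verify it succeeded before the server is shipped to the branch.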

Distributed File System Replication

Introduced in Windows 2000, improved in Windows 2003, and now a core component of the branch office offerings in Windows Server 2008 R2, Distributed File System Replication (DFSR) allows files to be replicated between servers, effectively providing duplicate information in multiple locations. Windows Server 2008 R2 has a much improved Distributed File System compared with what was available in Windows 2000/2003. In most organizations, files are distributed across multiple servers throughout the enterprise. Users access file shares that are geographically distributed but also can access file shares sitting on several servers in a site within the organization. In many organizations, when file shares were originally created years ago, server performance, server disk capacity, and the workgroup nature of file and print server distribution created environments in which those organizations had a file share for every department and every site. Thus, files have typically been distributed throughout an entire organization across multiple servers.

Windows Server 2008 R2 Distributed File System Replication enables an organization to combine file shares onto fewer servers and create a file directory tree based not on a server-by-server or share-by-share basis, but rather on an enterprisewide directory tree. This allows an organization to have a single directory spanning files from multiple servers throughout the enterprise.

Because the DFSR directory is a logical directory that spans the entire organization with links back to physical data, the actual physical data can be moved without having to make changes to the way the users see the logical DFS directory. This enables an organization to add or delete servers, or move and consolidate information, however it works best within the organization.

For branch office locations, DFSR allows for data stored on a file server in a remote location to be trickled back to the home office for nightly backup. Instead of having the remote location responsible for data backup, or the requirement of an organization to have tape drives in each of its branch offices, any data saved on the branch office can be
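When the home office backup relies on DFSR having trickled the branch data back, the check worth running before the backup window is whether the branch's outbound backlog toward the hub is empty; otherwise the hub copy, and therefore the backup, silently misses the day's changes. The following PowerShell script is an added example, not from the book, built on the `dfsrdiag backlog` command installed with the DFS Replication role service. Replication group, folder, and server names are assumptions, and the two output phrases it matches are what the example assumes dfsrdiag prints on Windows Server 2008 R2.

```powershell
# Added example, not from the book: fail the nightly backup job if the branch file
# server still has files that have not replicated to the hub. Run on a server with
# the DFS Replication tools installed (dfsrdiag.exe). Names are assumptions.
$ReplicationGroup = 'BranchData'                   # assumption
$ReplicatedFolder = 'Branch01Files'                # assumption
$BranchServer     = 'BR01-FS1.corp.example.com'    # assumption: sending member
$HubServer        = 'HQ-FS1.corp.example.com'      # assumption: receiving member (backed up nightly)

function Get-DfsrBacklogCount {
    param([string]$Sending, [string]$Receiving)
    $output = dfsrdiag backlog "/rgname:$ReplicationGroup" "/rfname:$ReplicatedFolder" `
        "/sendingmember:$Sending" "/receivingmember:$Receiving"
    $text = $output -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "dfsrdiag failed ($LASTEXITCODE): $text" }

    # Assumed output forms: "No Backlog - member X is in sync with partner Y", or a
    # "Backlog File Count: N" line followed by the first 100 pending file names.
    if ($text -match 'No Backlog') { return 0 }
    if ($text -match 'Backlog File Count:\s*(\d+)') { return [int]$matches[1] }
    throw "Unrecognised dfsrdiag output: $text"
}

$pending = Get-DfsrBacklogCount -Sending $BranchServer -Receiving $HubServer
if ($pending -gt 0) {
    Write-Warning "$pending file(s) on $BranchServer have not reached $HubServer; a backup now would miss them."
    exit 1
}
Write-Output "Branch data is in sync with $HubServer; safe to back up."
```

Checking the backlog in the branch-to-hub direction is the one that matters for backup; the reverse direction (hub to branch) tells you whether the branch is current, which is a different question.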
