What’s New and Cool in Windows Server 2008 R2 Networking
Windows Server 2008 R2 has been out for a while, but I know a lot of you are probably still using Windows Server 2003 or maybe Windows Server 2008 (in fact, I know a few folks who are still stuck on Windows 2000 Server). I know how that goes; it’s a lot of work to make the change. Why introduce a new operating system unless you really need to? You have to have some compelling reasons to upgrade. Otherwise, who needs the hassle?
I have some good news for you: if you’re into cool networking features, then you might want to take a look at Windows Server 2008 R2. Here are some of the features in Windows Server 2008 R2 that I think you’ll like, and that just might convince you that it’s time to bite the bullet and go for the upgrade:
- DirectAccess
- VPN Reconnect
- BranchCache
- URL-based Quality of Service
Let’s take a look at each of these and see if one or more of these features captures your imagination.
DirectAccess is a new remote access technology that allows your domain member computers to always be connected to the intranet without requiring a VPN connection. You might have heard other people talk about DirectAccess as a type of VPN connection, but the fact is that DirectAccess is much more than a VPN. Microsoft is positioning it as a VPN replacement. So what’s the difference? A Virtual Private Network allows your users access to the network when they want to access information located there. In contrast, DirectAccess allows you to extend your network itself to all DirectAccess enabled clients, so that users are always connected to the intranet and your IT group is always connected to the DirectAccess client computers. The big benefit is that, in contrast to VPN clients, DirectAccess clients are always managed, always up-to-date, and always in compliance with your desired configuration settings.
The only way to get this goodness is to upgrade, as DirectAccess requires Windows Server 2008 R2 on the server side and Windows 7 Enterprise or Ultimate on the client side. You might or might not have to upgrade the entire network infrastructure, depending on which form of DirectAccess you deploy (as we’ll discuss in a moment).
DirectAccess is not really a single technology; it’s actually a collection of technologies that, when you put them all together, is called “DirectAccess”. The key technologies that are part of DirectAccess include:
- Active Directory - the DirectAccess client and server must be members of an Active Directory domain for authentication
- Group Policy - Group Policy Objects (GPOs) are used to distribute DirectAccess related configuration settings to both the DirectAccess client and server
- DNS - DirectAccess uses DNS to determine which connections should be sent over the DirectAccess connection and which connections should be sent directly to the server on the Internet
- PKI - DirectAccess uses computer certificate authentication and IPsec, which requires a PKI so that you can deploy certificates
- IPsec - DirectAccess is a secure remote access solution that takes advantage of both IPsec tunnel mode and IPsec transport mode to secure connections from the remote DirectAccess client to the DirectAccess server and to servers located on the intranet
- IPv6 - DirectAccess is a forward looking technology that is built on the networking protocol of the future, which is IPv6. (However, with UAG, you don’t have to have a native IPv6 network to get DirectAccess working on your network today.)
Some of these technologies are part of any Windows domain. Others you might or might not have deployed on your network. All of these individual technologies can be deployed with previous versions of Windows Server, but only Windows Server 2008 R2 can put them together to create a DirectAccess solution.
It’s also important to understand that there are actually two forms of DirectAccess: Windows DirectAccess and UAG DirectAccess. The Windows form of DirectAccess is good for small and medium sized businesses that only have a few servers, but to use it, you must have a native Windows Server 2008 R2 domain and you must run an IPv6 network. For enterprise deployments, you’ll want to use the UAG DirectAccess solution because it’s more robust and scalable. In addition, UAG DirectAccess enables you to deploy DirectAccess even if you don’t have IPv6 deployed and don’t have a Windows Server 2008 infrastructure (you’ll still need one Windows Server 2008 R2 machine on which UAG is installed).
Whereas DirectAccess is a technology that can replace the VPN, VPN Reconnect is a new VPN technology included with Windows Server 2008 R2 that is similar to other VPN protocols with which you’re probably familiar, such as PPTP and L2TP/IPsec. It uses the same VPN connectoid that’s used by these VPN protocols. However, the big difference between these other VPN protocols and VPN Reconnect is that with VPN Reconnect, connections are automatically reestablished if the connection is lost. In other words, if the VPN connection drops, users aren’t prompted with a message telling them that the connection was lost and asking if they want to try to connect again. Instead, the software reconnects for them.
This is very convenient for mobile users. For example, suppose you are using a Wireless WAN connection with an “air card” of some kind. You’re on a train and you’re working on email or documents or SharePoint sites or whatever. Everything is going fine, but then the train goes through a tunnel. While in the tunnel, the Internet connection fails because there is no reception. However, because you are working on email in Outlook at the time, you do not even notice that the VPN Reconnect connection has dropped. When the train leaves the tunnel, the Internet connection comes back and the VPN Reconnect VPN connection is automatically reestablished. All this happens in the background and the user doesn’t even know that the connection dropped during the time in the tunnel.
VPN Reconnect uses IKEv2 and takes advantage of new capabilities enabled through the IKEv2 Mobility and Multihoming extensions (MOBIKE) that are described in RFC 4555. You must have Windows Server 2008 R2 and Windows 7 clients to use VPN Reconnect. There is no back-port for earlier versions of Windows.
It might look as if there are some similarities between DirectAccess and VPN Reconnect. Both of them allow transparent connectivity to the corporate network and both of them will automatically reconnect if the Internet connection is dropped. However, there are some significant differences:
- DirectAccess requires that DirectAccess clients be domain members. VPN Reconnect does not require the clients to be domain members.
- DirectAccess enables connectivity to management servers before the user logs on. VPN Reconnect starts when the user launches the VPN connectoid to establish the initial connection.
- DirectAccess is designed to support end-to-edge and end-to-end security. VPN Reconnect is designed to support only end-to-edge security.
In general, you’ll want to use VPN Reconnect for non-domain members. For domain member, managed computers, DirectAccess is the preferred remote access technology.
BranchCache is a new technology included with Windows Server 2008 R2 and Windows 7 that allows users at your branch offices to access information at the main office faster than ever. One of the big problems that branch office users have is accessing content at the main office over a bandwidth limited WAN link or site-to-site VPN to the main office. This sometimes leads users to avoid accessing information that would allow them to be more productive and add value to the company.
You can use BranchCache to cache main office content at the branch office. When a user connects to a HTTP(S) or SMB (CIFS) resource at the main office, that content will be cached at the branch office. When another user attempts to access the same content later, that content will be delivered from a local cache located at the branch office. This significantly speeds up access to the content since it’s delivered at LAN speeds at the branch office (typically Gigabit Ethernet) rather than WAN speeds (typically less than 10 Mbps).
BranchCache can be configured in one of two modes:
- Hosted Mode - In Hosted Mode, BranchCache works with a BranchCache server that hosts the cached content for all the machines in the branch office. When a BranchCache client machine in the branch office requests content from the main office, it accesses the content and then shares that content with the BranchCache server. When a second host on the branch office network makes a request for the same content, it connects to the source server at the main office to authenticate and obtain metadata to determine whether the content has changed since it was cached. Then it obtains the content at LAN speeds from the Hosted Mode BranchCache server at the branch office.
- Distributed Mode - In Distributed Mode, there is no BranchCache server. Instead, Windows 7 clients share cached content with each other. When a Windows 7 computer at the branch office obtains content over SMB or HTTP(S) from the main office, it will cache that information locally. When another Windows 7 computer at the branch office makes a request for the same content, it will authenticate with the origin server and receive the metadata, and then it will receive the content at LAN speeds from the Windows 7 client that requested the same content previously.
Distributed mode is used when there are fewer than 50 computers on the branch office network. All computers need to be within the same multicast broadcast domain, which means that they need to be on the same network segment. If your branch office has more than 50 clients or has multiple network segments, then you will need to use BranchCache Hosted Mode.
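The retrieval flow described above, as an added, simplified model (not Microsoft's BranchCache implementation): the client must still authenticate and get the content metadata from the origin server, and every block obtained from a LAN peer is verified against the origin-supplied hash before it is accepted, so a peer cannot serve the client altered content. Class and function names, the block size and the sample file are all constructed for this example.

```python
"""Simplified model of BranchCache Distributed Mode (constructed example, not
Microsoft code): the origin enforces access and hands out only per-block hashes;
blocks come from a LAN peer when the hash matches, otherwise over the WAN."""
import hashlib

BLOCK_SIZE = 16  # assumption: tiny blocks so the sample stays readable


def block_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class OriginServer:
    """Main-office file server: checks the ACL, returns metadata or raw blocks."""
    def __init__(self, files: dict, acl: dict):
        self.files, self.acl = files, acl

    def _authorize(self, user: str, path: str) -> None:
        if user not in self.acl.get(path, ()):
            raise PermissionError(f"{user} may not read {path}")

    def content_info(self, user: str, path: str) -> list:
        """The 'metadata' step: authenticate, then return one hash per block."""
        self._authorize(user, path)
        data = self.files[path]
        return [block_hash(data[i:i + BLOCK_SIZE]) for i in range(0, len(data), BLOCK_SIZE)]

    def fetch_block(self, user: str, path: str, index: int) -> bytes:
        self._authorize(user, path)
        return self.files[path][index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]


class PeerCache:
    """A Windows 7 peer on the branch LAN: serves blocks by hash, no ACL of its own."""
    def __init__(self):
        self.blocks = {}

    def store(self, data: bytes) -> None:
        self.blocks[block_hash(data)] = data

    def lookup(self, h: str):
        return self.blocks.get(h)


def read_file(user: str, path: str, origin: OriginServer, peer: PeerCache):
    """Return (content, number_of_blocks_served_by_peer). Raises PermissionError
    when the origin refuses; a peer block that fails verification is refetched."""
    hashes = origin.content_info(user, path)  # WAN round trip: auth + metadata only
    out, from_peer = [], 0
    for i, h in enumerate(hashes):
        block = peer.lookup(h)
        if block is not None and block_hash(block) == h:
            from_peer += 1  # LAN-speed hit, integrity proven by the origin's hash
        else:
            block = origin.fetch_block(user, path, i)  # WAN fetch
            peer.store(block)  # cached for the next branch client
        out.append(block)
    return b"".join(out), from_peer
```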
Windows Server 2008 R2 and Windows 7 now support URL-based Quality of Service (QoS). This is something that’s been available with ISA Server and Threat Management Gateway (TMG) for quite some time, but now it’s been brought to the clients and servers on the network.
The new Windows Server 2008 R2 and Windows 7 QoS feature includes a Differentiated Services Code Point (DSCP) value in IP packets, which routers that are configured with DSCP value information can examine to assign a priority to the packet. When routers are very busy, packets can be queued, and the queue can be configured to send higher priority packets before lower priority packets.
With Windows Server 2008 R2 and Windows 7, you can use URL-based QoS to prioritize network traffic based on the source URL, in addition to prioritization based on IP address and ports. This gives you more control over network traffic and ensures that high priority Web traffic is forwarded before lower priority traffic, even when that traffic originates at the same server. This can make a big difference in perceived performance.
For example, you probably have a number of internal web servers that users need to access in order to get their work done. You can assign these internal server addresses a higher priority than external server addresses, so that traffic to the critical internal resources is given preference over non-critical server access.
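The mechanism described above, as an added model (not Windows code): a policy table maps URL prefixes to DSCP values, the marking step writes the DSCP into the DS byte of the IPv4 header (the top six bits of the second header byte, leaving the two ECN bits alone), and a busy-router queue releases higher DSCP packets first. The policy table, function names and addresses are constructed for this example.

```python
"""Constructed model of URL-based QoS marking and DSCP-ordered queuing."""
import heapq
import itertools
import socket
import struct

DSCP_BEST_EFFORT = 0


def select_dscp(url: str, policies: list) -> int:
    """Longest matching URL prefix wins; traffic matching nothing stays best-effort."""
    best = None
    for prefix, dscp in policies:
        if url.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, dscp)
    return best[1] if best else DSCP_BEST_EFFORT


def build_ipv4_header(src: str, dst: str, tos: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header: ver/IHL, TOS, len, id, flags/frag, TTL, TCP, csum, src, dst."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def mark_ipv4_header(header: bytes, dscp: int) -> bytes:
    """Rewrite the 6-bit DSCP field, preserving the 2 ECN bits of the DS byte."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    ds = (dscp << 2) | (header[1] & 0x03)
    return header[:1] + bytes([ds]) + header[2:]


def dscp_of(header: bytes) -> int:
    return header[1] >> 2


class RouterQueue:
    """Busy-router model: higher DSCP leaves first; equal DSCP stays FIFO."""
    def __init__(self):
        self._heap, self._seq = [], itertools.count()

    def enqueue(self, header: bytes) -> None:
        heapq.heappush(self._heap, (-dscp_of(header), next(self._seq), header))

    def drain(self) -> list:
        return [heapq.heappop(self._heap)[2] for _ in range(len(self._heap))]


def mark_requests(requests: list, policies: list) -> list:
    """requests: [(url, header)] -> headers marked according to the URL policy."""
    return [mark_ipv4_header(hdr, select_dscp(url, policies)) for url, hdr in requests]
```

Only the marking host sees the URL; the router trusts the DSCP value it receives, which is why edge routers are commonly configured to re-mark traffic arriving from untrusted segments.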
In this article, we looked at four new networking features included in Windows Server 2008 R2 and Windows 7. These included DirectAccess, a new remote access technology that extends your intranet to all domain member managed computers, no matter where those computers are located; VPN Reconnect, an ideal solution for non-domain member computers that need VPN connectivity to the corporate network, which gives them transparent connectivity so that they don’t need to be bothered with reestablishing VPN connections; BranchCache, a feature that allows branch office clients to receive main office content at LAN speeds instead of slow WAN speeds; and URL-based QoS, which allows you to prioritize connections based on URL, so that high priority web servers can be given higher priority than lower valued web servers when it comes to network connectivity.