Windows RT 8.1 in the Enterprise: Connectivity
Applies To: Windows RT 8.1
With Windows RT 8.1, you have many options for device connectivity, including direct connection to the corporate network, wired and wireless networks, proxy servers, IPSec domain isolation, VPN, and printing.
This topic discusses Windows RT 8.1 device connectivity in an enterprise environment, including the differences in experience when devices are directly connected to the corporate network or connected through some other means such as a wireless network, proxy server, or virtual private network (VPN).
When using a Windows RT 8.1 device to access enterprise resources, it is important to recognize that these devices may be used while connected to the corporate network or while connected to the Internet. In each case, it may be necessary to put in place specific configurations to enable these devices (or any BYOD devices) to access secured resources.
Windows RT 8.1 does not include support for DirectAccess, because this enterprise-targeted functionality is only present in Windows 8.1 Enterprise.
In this topic:
Directly Connected to the Corporate Network
IPSec Domain Isolation
Directly Connected to the Corporate Network
Most Windows RT 8.1 devices will be able to connect to a corporate network with either wireless or wired networking. However, because these devices cannot be joined to Active Directory, there may be some additional configuration necessary, or restrictions put in place that prevent full network access, as explained below.
Because no group policies are processed by Windows RT 8.1, settings such as preconfigured wireless network SSIDs will not be available on these devices. This configuration can instead be performed manually, by giving users instructions that tell them the SSID to which they need to connect, along with the security details for that connection. This is typically a one-time operation, as Windows RT 8.1 will remember the details for future connections.
Wireless network profiles can also be configured using the built-in open mobile device management (MDM) agent.
For maximum security as well as auditing, wireless routers can often be configured to use Active Directory or certificates (often using smart cards) to authenticate users, as an alternative to using a preconfigured (and therefore public) connection key. Windows RT 8.1 fully supports these 802.1x authentication options, as well as the built-in Extensible Authentication Protocol (EAP) options. (Note that Windows RT 8.1 may not support 802.1x connections if additional third-party software needs to be installed on the device, as this software will not be available for Windows RT 8.1.)
Wired network access will also be supported by many Windows RT 8.1 devices because device manufacturers may optionally include a physical Ethernet port in their hardware designs. Windows RT 8.1 also includes support for InstantGo-certified USB Ethernet network adapters.
Typically, configuration is not required for wired network connections, but in cases where this is needed the Control Panel or PowerShell can be used to configure the needed settings.
The same 802.1x authentication capabilities described in the “Wireless Networks” section above are also supported for wired connections.
Again, because no group policies are processed by Windows RT 8.1, settings for proxy servers may need to be configured either manually or through other means. The simplest way to enable Windows RT to detect the presence of an internal proxy server that must be used when accessing the Internet is to enable the Web Proxy Autodiscovery Protocol (WPAD) on your corporate network. This involves configuring specific DHCP options, as well as a web server that can provide configuration details to each computer. For more information, consult the documentation provided by your web proxy product vendor (for example, the Forefront TMG documentation).
Enhancements have been made in Windows RT 8.1 to ensure that the Windows Store and Windows Store apps work appropriately with proxy servers, including those requiring authentication.
IPSec Domain Isolation
If you use IPSec for domain isolation, devices that are not joined to an Active Directory domain (such as Windows RT devices) may not be able to access some network servers. If access to these servers is required, the servers may need to be excluded from the default IPSec isolation rules, which turns them into boundary servers. This can be done selectively to allow access to a limited number of servers. Alternatively, a Remote Desktop Gateway could be leveraged to provide proxy access to these isolated systems.
When Windows RT 8.1 devices are connected to the Internet, they may need to connect to enterprise resources. This is often done by establishing a virtual private network (VPN) connection into the corporate network. Once connected through VPN, the Windows RT device behaves like it is directly connected to the corporate network, which allows access to internal applications and servers as appropriate.
To support the establishment of a VPN connection, multiple VPN clients are included in Windows RT 8.1:
Microsoft (Windows Server)
The Microsoft VPN client supports Windows Server 2012 VPN servers, as well as additional third-party VPN servers through the supported PPTP, L2TP, and IKEv2 protocols with a variety of authentication methods as described in the VPN and Interoperability documentation.
For the specific back-end requirements and feature details for the third-party VPN clients, contact the vendors for additional details.
The VPN client configuration details necessary for connecting into a corporate network can be manually configured through the standard networking user interface. The VPN client can also be configured using a simple PowerShell script. This PowerShell script could be provided directly to the end user, to simplify the configuration steps they need to perform, or it could even be leveraged as part of a Windows Intune management infrastructure to automate the configuration entirely. For additional details, see Manage VPN Connections in Windows 8 by Using Windows PowerShell.
VPN connection profiles can be defined through the built-in open MDM agent.
In some VPN authentication configurations, it may also be necessary to install additional security certificates, which can be done using PowerShell, the Certutil.exe command-line tool, or the Certificates control panel.
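The following script illustrates the PowerShell-based VPN and certificate configuration described above. It is an added example, not a script from this topic or from Microsoft; the profile name, server name, and certificate path are hypothetical placeholders, and the choice of IKEv2 with EAP is an assumption about the back-end VPN server.

```powershell
# Added example: provision a VPN profile and the root certificate it depends on.
# All three values below are hypothetical placeholders; substitute your own.
$VpnName      = 'Corporate VPN (example)'
$VpnServer    = 'vpn.corp.example'
$RootCertPath = Join-Path $env:USERPROFILE 'Downloads\ExampleRootCA.cer'

# 1. Install the CA certificate that issued the VPN server certificate, so the
#    server's certificate chain can be validated. Requires an elevated prompt.
if (Test-Path -Path $RootCertPath) {
    Import-Certificate -FilePath $RootCertPath `
        -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
} else {
    Write-Warning "Root certificate not found at $RootCertPath; skipping import."
}

# 2. Create the profile only if it is missing, so the script is safe to re-run.
#    -SplitTunneling is deliberately omitted: all traffic uses the tunnel while
#    the VPN is connected. -RememberCredential is omitted so that credentials
#    are not cached on the device.
$existing = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer `
        -TunnelType Ikev2 `
        -EncryptionLevel Required `
        -AuthenticationMethod Eap
}

# 3. List any profile on the device that permits PPTP or does not require
#    encryption, so it can be reviewed or removed.
Get-VpnConnection |
    Where-Object {
        $_.TunnelType -eq 'Pptp' -or
        $_.EncryptionLevel -in 'NoEncryption', 'Optional'
    } |
    Select-Object Name, ServerAddress, TunnelType, EncryptionLevel
```

With -AuthenticationMethod Eap and no -EapConfigXmlStream argument, Add-VpnConnection uses the default EAP configuration; supply an EAP configuration XML if your server requires a specific method such as smart card or certificate authentication.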
Smart cards can also be used for authenticating VPN connections. See the Smart Card section of this document for additional details on the types of smart cards supported by Windows RT.
For organizations using RSA SecurID tokens, these can be used with the standard VPN client. For information about this configuration, see Deploy and Configure a VPN for Devices Running Windows RT.
Note that Windows RT does not support the Connection Manager Administration Kit (CMAK), so CMAK cannot be used for configuring VPN connections.
As previously mentioned, Windows RT 8.1 includes a class driver that enables printing directly to thousands of different printer models. See the Windows Compatibility Center for more details. Note that some devices may require firmware updates to support this capability.
Windows RT 8.1 will also support printing to network printers shared from a Windows 8 or Windows Server 2012 print server through enhancements to the printer driver architecture implemented in those releases. See V4 Printer Driver for more information about this new printer driver architecture (referred to as “v4 printer drivers”).