What's New in Networking
Applies To: Windows Server 2008 R2
What are the major changes?
The Windows Server® 2008 R2 and Windows® 7 operating systems include networking enhancements that make it easier for users to get connected and stay connected regardless of their location or type of network. These enhancements also enable IT professionals to meet the needs of their business in a secure, reliable, and flexible way.
New networking features covered in this topic include:
What does DirectAccess do?, which enables users to access an enterprise network without the extra step of initiating a virtual private network (VPN) connection.
What does VPN Reconnect do?, which automatically reestablishes a VPN connection as soon as Internet connectivity is restored, saving users from reentering their credentials and re-creating the VPN connection.
What does BranchCache do?, which enables updated content from file and Web servers on a wide area network (WAN) to be cached on computers at a local branch office, improving application response time and reducing WAN traffic.
What does URL-based QoS do?, which enables you to assign a priority level to traffic based on the URL from which the traffic originates.
What does mobile broadband device support do?, which provides a driver-based model for devices that are used to access a mobile broadband network.
What do multiple active firewall profiles do?, which enable the firewall rules most appropriate for each network adapter based on the network to which it is connected.
What do NDF, Network Tracing, and Netsh Trace do?, which integrates the Network Diagnostics Framework with Network Tracing and a new Netsh context, Netsh Trace, to simplify and consolidate network connectivity troubleshooting processes.
Who will be interested in these features?
The following groups might be interested in these features:
System architects and administrators
Network architects and administrators
Security architects and administrators
Application architects and administrators
Web architects and administrators
What does DirectAccess do?
With DirectAccess, domain member computers running Windows 7 Enterprise, Windows 7 Ultimate, or Windows Server 2008 R2 can connect to enterprise network resources whenever they are connected to the Internet. A user on a DirectAccess client computer that is connected to the Internet has virtually the same experience as if connected directly to an organization's private network. Furthermore, DirectAccess allows IT professionals to manage mobile computers outside of the office. Each time a DirectAccess client computer connects to the Internet, before the user logs on, DirectAccess establishes a bi-directional connection to the enterprise network that allows the client computer to stay current with company policies and receive software updates.
Security and performance features of DirectAccess include authentication, encryption, and access control. IT professionals can configure the network resources to which each user can connect, granting unlimited access or allowing access only to specific servers. DirectAccess by default sends only the traffic destined for the enterprise network through the DirectAccess server. DirectAccess clients route Internet traffic directly to the Internet resource. DirectAccess can be configured to send all traffic through the enterprise network.
Are there any special considerations?
The DirectAccess server must be running Windows Server 2008 R2, must be a domain member, must have two physical network adapters installed, and must be configured with two consecutive public Internet Protocol version 4 (IPv4) addresses. DirectAccess clients must be domain members. Use the Add Features Wizard in Server Manager to install the DirectAccess Management Console feature. After installing, use the DirectAccess Management console in Administrative Tools to set up the DirectAccess server and monitor DirectAccess operations.
Infrastructure considerations include the following:
Active Directory Domain Services (AD DS). At least one Active Directory® domain must be deployed. Workgroups are not supported.
Group Policy. Group Policy is recommended for deployment of DirectAccess client, DirectAccess server, and selected server settings.
Domain controller. At least one domain controller must be running Windows Server 2008 or later.
Domain Name System (DNS) server. Windows Server 2008 R2, Windows Server 2008 with the Q958194 hotfix (http://go.microsoft.com/fwlink/?LinkID=159951), Windows Server 2008 SP2 or later, or a third-party DNS server that supports DNS message exchanges over Intra-Site Automatic Tunnel Addressing Protocol (ISATAP).
Public key infrastructure (PKI). A PKI is required to issue certificates for Internet Protocol security (IPsec) peer authentication between DirectAccess clients and servers. This is typically done by deploying computer certificates to DirectAccess clients and servers. External certificates are not required. The DirectAccess server also requires an additional SSL certificate, which must have a certificate revocation list (CRL) distribution point that is reachable via a publicly resolvable fully qualified domain name (FQDN).
IPsec. DirectAccess uses IPsec to provide peer authentication and encryption for communications across the Internet. It is recommended that administrators be familiar with IPsec.
IPv6. Internet Protocol version 6 (IPv6) provides the end-to-end addressing necessary for connectivity to the enterprise network. Organizations that are not yet ready to fully deploy native IPv6 can use the ISATAP IPv6 transition technology to access IPv4 resources on the enterprise network. DirectAccess clients can use the Teredo and 6to4 IPv6 transition technologies to connect across the IPv4 Internet. IPv6 or IPv6 transition technology traffic must be available on the DirectAccess server and allowed to pass through the perimeter network firewall.
What does VPN Reconnect do?
VPN Reconnect is a new feature of Routing and Remote Access Services (RRAS) that provides users with seamless and consistent VPN connectivity, automatically reestablishing a VPN when users temporarily lose their Internet connections. Users who connect using wireless mobile broadband will benefit most from this capability. With VPN Reconnect, Windows 7 automatically reestablishes active VPN connections when Internet connectivity is reestablished. Although the reconnection might take several seconds, it is transparent to users.
VPN Reconnect uses IPsec tunnel-mode with Internet Key Exchange version 2 (IKEv2), which is described in RFC 4306, specifically taking advantage of the IKEv2 mobility and multihoming extension (MOBIKE) described in RFC 4555.
Are there any special considerations?
VPN Reconnect is implemented in the RRAS role service of the Network Policy and Access Services (NPAS) role of a computer running Windows Server 2008 R2. Infrastructure considerations include those for NPAS and RRAS. Client computers must be running Windows 7 to take advantage of VPN Reconnect.
What does BranchCache do?
With BranchCache, content from Web and file servers on the enterprise WAN is stored on the local branch office network to improve response time and reduce WAN traffic. When another client at the same branch requests the same content, the client can access it directly from the local network without obtaining the entire file across the WAN. BranchCache can be set up to operate in either a distributed cache mode or a hosted cache mode. Distributed cache mode uses a peer-to-peer architecture. Content is cached at the branch office on the client computer that firsts requests it. The client computer subsequently makes the cached content available to other local clients. Hosted cache mode uses a client/server architecture. Content requested by a client at the branch office is subsequently cached to a local server (called the Hosted Cache server), where it is made available to other local clients. In either mode, before a client retrieves content, the server where the content originates authorizes access to the content, and content is verified to be current and accurate using a hash mechanism.
Are there any special considerations?
BranchCache supports HTTP, including HTTPS, and Server Message Block (SMB), including signed SMB. Content servers and the hosted cache server must be running Windows Server 2008 R2, and client computers must be running Windows 7.
What does URL-based QoS do?
QoS marks IP packets with a Differentiated Services Code Point (DSCP) number that routers then examine to determine the priority of the packet. If packets are queued at the router, higher priority packets are sent before lower priority packets. With URL-based QoS, IT professionals can prioritize network traffic based on the source URL, in addition to prioritization based on IP address and ports. This gives IT professionals more control over network traffic, ensuring that important Web traffic is processed before less-important traffic, even when that traffic originates at the same server. This can improve performance on busy networks. For example, you can assign Web traffic for critical internal Web sites a higher priority than external Web sites. Similarly non-work-related Web sites that can consume network bandwidth can be assigned a lower priority so that other traffic is not affected.
What does mobile broadband device support do?
The Windows 7 operating system provides a driver-based model for mobile broadband devices. Earlier versions of Windows require users of mobile broadband devices to install third-party software, which is difficult for IT professionals to manage because each mobile broadband device and provider has different software. Users also have to be trained to use the software and must have administrative access to install it, preventing standard users from easily adding a mobile broadband device. Now, users can simply connect a mobile broadband device and immediately begin using it. The interface in Windows 7 is the same regardless of the mobile broadband provider, reducing the need for training and management efforts.
What do multiple active firewall profiles do?
Windows Firewall settings are determined by the profile that you are using. In Windows Vista and Windows Server 2008, only one firewall profile can be active at a time. Therefore, if you have multiple network adapters connected to different network types, you still have only one active profile—the profile providing the most restrictive rules. In Windows Server 2008 R2 and Windows 7, each network adapter applies the firewall profile that is most appropriate for the type of network to which it is connected: Private, Public, or Domain. This means that if you are at a coffee shop with a wireless hotspot and connect to your corporate domain network by using a VPN connection, then the Public profile continues to protect the network traffic that does not go through the tunnel, and the Domain profile protects the network traffic that goes through the tunnel. This also addresses the issue of a network adapter that is not connected to a network. In Windows 7 and Windows Server 2008 R2, this unidentified network will be assigned the Public profile, and other network adapters on the computer will continue to use the profile that is appropriate for the network to which they are attached.
What do NDF, Network Tracing, and Netsh Trace do?
Network Diagnostic Framework (NDF) provides a way for end users, as well as support technicians, and component or application developers, to simplify network troubleshooting by automating many of the common troubleshooting steps and solutions. In Windows® 7, the Network Diagnostic Framework (NDF) and Event Tracing for Windows (ETW) are more closely integrated, which enables diagnostics to log network events and packets in a single file. Collecting all of the needed information in one step provides an efficient method of troubleshooting network connectivity issues. When a user runs Windows Network Diagnostics, a diagnostics session log is automatically created and stored in Action Center/Troubleshooting/View History. Each diagnostic session generates a report with diagnostics results.
In Windows 7 NDF and network tracing, events related to a specific issue are categorized by using activity-ID-based correlation (known as grouping), and then output in an Event Trace Log (ETL) file. Grouping captures all issue-related events across the stack; all related events are grouped together. The result is that you can examine the entire transaction, from end-to-end, as a single collection of events. You can analyze the data in the ETL file by using a number of tools, such as Network Monitor 3.3, Event Viewer, the Netsh trace convert command, or Tracerpt.exe.
Windows 7 includes a new Netsh context, Netsh trace. Netsh trace is also integrated with NDF and Network Tracing, and enables you to perform comprehensive tracing, along with network packet capturing, and filtering. Two key concepts related to Netsh trace are scenarios and providers. A tracing scenario is defined as a collection of selected event providers. Providers are the individual components in the network protocol stack, such as WinSock, TCP/IP, Windows Filtering Platform and Firewall, Wireless LAN Services, or NDIS. You can use commands in the Netsh trace context to enable pre-defined scenarios for troubleshooting specific issues, and to configure specific parameters for a tracing session. For any given scenario, you can view the list of associated providers that will report events when you run a trace session, and view details about specific providers. You can also specify additional providers that are not included in an enabled scenario. Additionally, because it is frequently beneficial to minimize tracing results by limiting irrelevant tracing details, you can apply a variety of Netsh trace filters to reduce the ETL trace file size.
Finally, an additional benefit of NDF and Network Tracing in Windows 7 is that you can use Netsh trace to collect both packet captures and trace events on the client, without requiring installation of Netmon on the computer that your are troubleshooting. Running a tracing session by using Netsh trace correlates and groups packets with related trace events. Because Netmon is only required on the computer that you are using to examine the packets, the user need only copy the file that is collected in Action Center, and then either e-mail it to you or provide it on removable media, such as a USB flash drive.