This document supports a preliminary release of a software product that may be changed substantially prior to
final commercial release. This document is provided for informational purposes only and Microsoft makes no
warranties, either express or implied, in this document. Information in this document, including URL and other
Internet Web site references, is subject to change without notice. The entire risk of the use or the results from
the use of this document remains with the user. Unless otherwise noted, the companies, organizations,
products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are
fictitious. No association with any real company, organization, product, domain name, e-mail address, logo,
person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Outlook, Sharepoint, Windows, Windows Media, Windows Server, and Windows Vista are trademarks
of the Microsoft group of companies.
All other trademarks are property of their respective owners.
Windows 7 and Windows Server 2008 R2 Networking Enhancements for Enterprises iii
Introduction
In the past few years, advances in mobile computers and wireless broadband have
enabled users to be more productive while away from the office. According to IDC [i], the
third quarter of 2008 marked the point at which computer manufacturers began shipping
more mobile computers than desktop computers worldwide. In 2008, mobile workers will
represent 26.8% of the total workforce, and that number will increase to 30.4% by 2011 [ii].
Clearly, users are becoming more mobile, and IT professionals must provide an
infrastructure to allow them to remain productive.
Additionally, more users are working from branch offices or home offices instead of the
central office. The changing structure of business puts more pressure on IT professionals
to provide a high-performance and secure infrastructure for connecting remote users and
branch offices while minimizing costs.
With Windows® 7 and Windows Server® 2008 R2, Microsoft introduces several new
networking features to improve the productivity of mobile users and users at branch
offices. This paper describes those features, as well as other networking improvements in
Windows 7 and Windows Server 2008 R2.
DirectAccess
DirectAccess provides users transparent access to internal network resources whenever
they are connected to the Internet. Traditionally, users connect to internal network
resources with a virtual private network (VPN). However, using a VPN can be
cumbersome because:
• Connecting to a VPN takes several steps, and the user needs to wait for the
authentication. For organizations that check the health of a computer before
allowing the connection, establishing a VPN can take several minutes.
• Any time users lose their Internet connection, they need to re-establish the VPN
connection.
Because of these concerns, many users avoid connecting to a VPN. Instead, they use
technologies such as Microsoft Office Outlook® Web Access (OWA) to connect to internal
resources. With OWA, users can retrieve internal e-mail without establishing a VPN
connection. However, if a user tries to open a document on the internal network (often
linked from an e-mail), they are denied access because internal resources are typically
not accessible from the Internet.
Avoiding VPNs also causes problems for IT professionals, who can only manage mobile
computers when they connect to the internal network. When users avoid establishing an
internal connection, mobile computers miss critical updates and changes to Group Policy
settings.
Windows 7 and Windows Server 2008 R2 introduce DirectAccess, which enables users
to have the same experience working at home or at a wireless hotspot as they would in
the office. With DirectAccess, authorized users on Windows 7 computers can access
corporate shares, view intranet Web sites, and work with intranet applications without
going through a VPN.
[Figure: DirectAccess. A DirectAccess client on the Internet reaches corporate resources on the intranet through the DirectAccess server; internal traffic is carried to the intranet while Internet traffic goes directly to Internet servers.]
VPN Reconnect
DirectAccess can replace the VPN as the preferred remote access method for many
organizations. However, some organizations will continue to use VPNs side-by-side with
DirectAccess. Therefore, Microsoft is improving VPN usability in Windows 7 with VPN
Reconnect.
VPN Reconnect uses IKEv2 technology to provide seamless and consistent VPN
connectivity, automatically re-establishing a VPN when users temporarily lose their
Internet connections. Users who connect using wireless mobile broadband will benefit
most from this capability.
For example, consider a user traveling to work on a train. To make the most out of her
time, she uses a wireless mobile broadband card to connect to the Internet and then
establishes a VPN connection to her company’s network. As the train passes through a
tunnel, she loses her Internet connection. Once outside of the tunnel, the wireless mobile
broadband card automatically reconnects to the Internet. However, with earlier versions
of Windows, the VPN does not reconnect, and she needs to repeat the multi-step
process of connecting to the VPN. This can quickly become time consuming for mobile
users with intermittent connectivity.
Mobile Broadband
Earlier versions of Windows require users of wireless broadband cards to install third-
party software, which is difficult for IT administrators to manage, especially considering
that every wireless broadband provider has different software. Users also must be trained
to use the software and must have administrative access to install it, preventing standard
users from easily adding a wireless broadband card.
BranchCache
With BranchCache™, Windows 7 and Windows Server 2008 R2 reduce wide area
network (WAN) utilization while simultaneously increasing the responsiveness of network
applications at remote offices. When IT professionals enable BranchCache in Windows 7
and Windows Server 2008 R2, data retrieved from Web and file servers across the
enterprise WAN is stored on the local branch office network. If another client at
the same branch requests the same content, the client can access it directly from the
local network, without fetching the entire file across the WAN. Clients are always
authorized by the server at the datacenter before they can retrieve the content from the
local branch network.
[Figure: BranchCache, with the datacenter at headquarters serving clients at a branch office across the WAN.]
BranchCache currently supports the following protocols and is fully compatible with end-
to-end encryption such as IPsec:
• HTTP (including HTTPS). The standard protocol for Web transfers, used by
applications such as Internet Explorer®, Windows Media®, and Windows
SharePoint®.
• SMB (including signed SMB). The standard protocol for network file transfers
when connecting to shared folders from Windows Explorer.
When BranchCache is enabled on both the client computer and server computer, the
client computer follows this process to retrieve data using HTTP or SMB:
2. The server computer at the datacenter authenticates the user and verifies that
the user is authorized to access the data.
4. Using the retrieved identifiers, the client computer does the following:
• If the content is available in the branch (either on one or more clients or the
Hosted Cache), the client computer retrieves the data from within the branch,
and ensures that the data is current and has not been tampered with or
corrupted.
• If the content is not available in the branch, the client computer retrieves the
content directly from the server computer at the datacenter and either makes it
available on the local network to other requesting client computers or sends it to
the Hosted Cache, where it is made available to other client computers.
All content transfers between client computers or between a client computer and the
Hosted Cache are encrypted.
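The retrieval process above can be modelled in a few dozen lines. The following Python is an added example, not the Windows implementation or the BranchCache wire protocol: it assumes that the datacenter server splits content into fixed-size blocks and hands out one SHA-256 hash per block as the content identifiers, and that the branch keeps a cache of blocks keyed by hash. The document path, user names and document contents are constructed. The point it shows is that the branch cache only ever supplies data; authorization and the hashes that prove integrity always come from the server at the datacenter.

```python
"""Simplified model of the BranchCache retrieval process (added example, not
the Windows implementation).  Assumed: content is split into fixed-size blocks
and the server publishes a SHA-256 hash per block as the content identifiers;
the branch caches blocks keyed by hash.  Segment hashes and the keyed hash
values of the real protocol are omitted.  Paths, users and data are made up."""
import hashlib
from typing import Dict, List, Optional, Set, Tuple

BLOCK_SIZE = 16  # tiny so the sample has a few blocks; real blocks are far larger


def block_hashes(data: bytes) -> List[str]:
    """Content identifiers: one SHA-256 hex digest per block."""
    return [hashlib.sha256(data[i:i + BLOCK_SIZE]).hexdigest()
            for i in range(0, len(data), BLOCK_SIZE)]


class DatacenterServer:
    """Authoritative server: authenticates and authorizes before answering anything."""

    def __init__(self, files: Dict[str, bytes], acl: Dict[str, Set[str]]) -> None:
        self.files, self.acl = files, acl

    def _authorized(self, user: str, path: str) -> bool:
        return user in self.acl.get(path, set())

    def get_identifiers(self, user: str, path: str) -> Optional[List[str]]:
        """Authorize the user, then hand out the identifiers used in step 4."""
        if not self._authorized(user, path):
            return None
        return block_hashes(self.files[path])

    def get_block(self, user: str, path: str, index: int) -> Optional[bytes]:
        """Fallback path across the WAN when the branch cannot supply a block."""
        if not self._authorized(user, path):
            return None
        return self.files[path][index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]


class HostedCache:
    """Branch-side cache of blocks keyed by hash.  It holds data, not authority:
    a client can only look up hashes the datacenter server has given it."""

    def __init__(self) -> None:
        self.blocks: Dict[str, bytes] = {}

    def get(self, h: str) -> Optional[bytes]:
        return self.blocks.get(h)

    def put(self, h: str, block: bytes) -> None:
        self.blocks[h] = block


def retrieve(server: DatacenterServer, cache: HostedCache,
             user: str, path: str) -> Tuple[bytes, int, int]:
    """Step 4: returns (data, blocks served from the branch, blocks fetched over the WAN)."""
    ids = server.get_identifiers(user, path)
    if ids is None:
        raise PermissionError(f"{user} is not authorized for {path}")
    out: List[bytes] = []
    from_branch = from_wan = 0
    for index, h in enumerate(ids):
        block = cache.get(h)
        # A branch copy is used only if it matches the server-supplied hash, so a
        # tampered or corrupted cache entry is detected and re-fetched over the WAN.
        if block is not None and hashlib.sha256(block).hexdigest() == h:
            from_branch += 1
        else:
            block = server.get_block(user, path, index)
            cache.put(h, block)
            from_wan += 1
        out.append(block)
    return b"".join(out), from_branch, from_wan


# Constructed sample data: one document, readable by one user only.
DOC = b"branch office budget 2009: approved by finance"
DOC_PATH = "/docs/budget.txt"
SERVER = DatacenterServer({DOC_PATH: DOC}, {DOC_PATH: {"alice"}})
```

Running retrieve(SERVER, HostedCache(), "alice", DOC_PATH) twice with the same cache fetches all three blocks across the WAN the first time and none the second; overwriting one cached block causes exactly that block to be re-fetched while the returned data stays correct, and a user who is not on the ACL is refused even though the branch already holds every block.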
• Transparent caching on client computers for shared folders, reducing the time
required to access files for the second and subsequent times across a slow
network. This is combined with protocol enhancements that eliminate multiple,
redundant network operations when opening or saving files to provide an
improved application experience across slow networks.
Transparent Caching
Before Windows 7, to open a file across a slow network, client computers always retrieved
the file from the server computer, even if the client computer had recently read the file.
With Windows 7 transparent caching, client computers cache remote files more
aggressively, reducing the number of times a client computer might have to retrieve the
same data from a server computer. The first time a user opens a file in a shared folder,
Windows 7 reads the file from the server computer and then stores it in a cache on the
local disk. The second and subsequent times a user reads the same file, Windows 7
retrieves it from disk instead of reading it from the server computer.
To provide data integrity, Windows 7 always contacts the server computer to ensure the
cached copy is up-to-date. The cache is never accessed if the server computer is
unavailable, and updates to the file are always written directly to the server computer.
Transparent caching is not enabled by default on fast networks. IT Professionals can use
Group Policy to enable transparent caching, to improve the efficiency of the cache, and to
save disk space on the client, configuring the amount of disk space the cache uses and
preventing specific file types from being synchronized.
These benefits are transparent to end-users and provide an experience for users at
branch offices that more closely resembles the experience of being on the same LAN as
servers. Additionally, the improved cache efficiency can reduce utilization across WAN
links.
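The three rules in this section (validate against the server on every open, never serve the cache when the server is unreachable, write updates straight through to the server) are easy to get wrong in a cache, so the following Python models them explicitly. It is an added example, not Windows code: it assumes the server exposes a per-file version counter in place of the file metadata Windows compares, and the share path and contents are constructed.

```python
"""Model of the transparent caching rules (added example, not Windows code).
Assumed: the file server returns a per-file version counter standing in for
the metadata Windows compares.  Paths and contents are constructed."""
from typing import Dict, Tuple


class ServerUnavailable(Exception):
    """Raised when the file server cannot be reached across the slow link."""


class FileServer:
    def __init__(self, files: Dict[str, bytes]) -> None:
        self.files = dict(files)
        self.versions = {path: 1 for path in files}
        self.online = True

    def _check(self) -> None:
        if not self.online:
            raise ServerUnavailable("file server unreachable")

    def stat(self, path: str) -> int:
        """Cheap metadata round trip: the file's current version."""
        self._check()
        return self.versions[path]

    def read(self, path: str) -> Tuple[int, bytes]:
        self._check()
        return self.versions[path], self.files[path]

    def write(self, path: str, data: bytes) -> int:
        self._check()
        self.files[path] = data
        self.versions[path] += 1
        return self.versions[path]


class TransparentCache:
    """Client-side read cache for files opened across a slow link."""

    def __init__(self, server: FileServer, slow_link: bool = True) -> None:
        self.server, self.slow_link = server, slow_link
        self.entries: Dict[str, Tuple[int, bytes]] = {}
        self.cache_hits = self.server_reads = 0

    def open_read(self, path: str) -> bytes:
        if not self.slow_link:                 # fast network: caching is not applied
            self.server_reads += 1
            return self.server.read(path)[1]
        current = self.server.stat(path)       # always ask the server; fails closed offline
        cached = self.entries.get(path)
        if cached is not None and cached[0] == current:
            self.cache_hits += 1
            return cached[1]                   # validated copy: no file data crosses the WAN
        version, data = self.server.read(path)
        self.entries[path] = (version, data)
        self.server_reads += 1
        return data

    def save(self, path: str, data: bytes) -> None:
        """Updates go directly to the server; the cache is refreshed afterwards."""
        version = self.server.write(path, data)
        self.entries[path] = (version, data)
```

The second open of an unchanged file costs one metadata round trip and no data transfer; a change made on the server by someone else invalidates the cached copy on the next open; and once the server goes offline, open_read raises ServerUnavailable rather than returning the cached bytes.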
URL-based QoS
Adding more bandwidth cannot solve every network performance issue. Any network
connection, when fully utilized, will cause communications to slow down while the router
is forced to queue outgoing traffic. This often happens with an Internet or WAN
connection because traffic from multiple clients on a high-speed LAN must share a lower-
speed connection.
For example, if an organization has a 1000 Mbps LAN and a 10 Mbps Internet
connection, computers can send requests across the LAN to the router much faster than
the router can forward the requests to the Internet. In this scenario, the router has to hold
the outgoing requests in a queue and send each request when more bandwidth is
available. By default, routers send outgoing traffic from the queue in a first-in, first-out
basis. Therefore, critical traffic might be waiting in the queue behind less critical traffic.
Figure 3 shows two clients sending traffic to two websites: www.contoso.com (a critical
internal website) and www.southridgevideo.com (a non-critical personal website). As the
figure demonstrates, the router treats the packets exactly the same, and packets
destined for www.southridgevideo.com might be sent after packets destined for
www.contoso.com.
[Figure 3: two clients send traffic through one router to the Internet, to http://www.contoso.com and to http://www.southridgevideo.com.]
Figure 3: Without QoS, low-priority traffic can be sent before high-priority traffic.
However, with the growth of Web services and application server consolidation, IT
professionals need finer control over how Windows prioritizes Web traffic. For example, a
single intranet server might host a critical customer service application and a non-critical
discussion forum on the same server. Web services or applications on a single server
share a common IP address, limiting the value of IP-based prioritization. IT professionals
need to be able to assign different priorities to different Web applications and sites on a
single server.
Windows 7 allows IT professionals to prioritize Web traffic based on the URL. With URL-
based QoS, IT professionals can ensure important Web traffic is processed before less-
important traffic, improving performance on busy networks. For example, IT professionals
can assign Web traffic for critical internal Web sites a higher priority than external Web
sites, maximizing performance when the network is busy. Similarly, if users visit non-work-related Web sites that consume a large portion of the network’s bandwidth, IT
professionals can assign that traffic a low priority so other traffic isn’t impacted.
With URL-based QoS, IT professionals can also configure the path portion of a URL,
known as the Uniform Resource Identifier (URI). For example, IT professionals could
assign http://contoso.com/cust_serv/ a high priority and http://contoso.com/forum/ a low
priority. IT professionals can configure QoS using Group Policy settings.
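The difference between the first-in, first-out queue of Figure 3 and URL-based prioritization can be shown with a small classifier and scheduler. The following Python is an added example, not the Windows QoS policy engine or a Group Policy export: it assumes three policies keyed by URL prefix, each mapped to a DSCP code point that the policy would mark outgoing packets with (46 for Expedited Forwarding, 26 for AF31, 0 for best effort), and a constructed arrival order of requests at the router's outgoing queue. The URLs are the ones used in this section.

```python
"""URL-based QoS as a URL classifier feeding a priority scheduler (added
example, not the Windows QoS engine or a Group Policy setting).  Assumed:
policies keyed by URL prefix map to DSCP values; arrivals are constructed."""
import heapq
from typing import List, Tuple

# Policies are matched on URL prefix and the longest match wins, so a path
# rule (cust_serv, forum) overrides the site-wide rule for contoso.com.
URL_POLICIES: List[Tuple[str, int]] = [
    ("http://contoso.com/cust_serv/", 46),  # critical customer-service application
    ("http://contoso.com/forum/", 0),       # non-critical discussion forum
    ("http://contoso.com/", 26),            # the rest of the intranet server
]
DEFAULT_DSCP = 0  # unmatched traffic, e.g. external sites, gets best effort


def classify(url: str) -> int:
    """DSCP value the policy assigns to a request for this URL."""
    matches = [(len(prefix), dscp) for prefix, dscp in URL_POLICIES
               if url.lower().startswith(prefix)]
    return max(matches)[1] if matches else DEFAULT_DSCP


def fifo_order(arrivals: List[str]) -> List[str]:
    """What a router without QoS does: forward in arrival order."""
    return list(arrivals)


def priority_order(arrivals: List[str]) -> List[str]:
    """Strict priority by DSCP; first-in, first-out among equal priorities."""
    heap: List[Tuple[int, int, str]] = []
    for seq, url in enumerate(arrivals):
        heapq.heappush(heap, (-classify(url), seq, url))  # seq keeps FIFO within a class
    return [heapq.heappop(heap)[2] for _ in range(len(heap))]


# Constructed arrival order at the router's outgoing queue.
ARRIVALS = [
    "http://www.southridgevideo.com/clip1.wmv",
    "http://contoso.com/forum/thread/42",
    "http://contoso.com/cust_serv/case/7",
    "http://www.southridgevideo.com/clip2.wmv",
    "http://contoso.com/wiki/home",
]
```

With these policies the customer-service request leaves the queue first and the forum request is treated like the external video traffic, even though both come from the same server IP address. The marking is done on the Windows client; the router must be configured to honour DSCP, otherwise it falls back to the FIFO behaviour of Figure 3.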
[Figure: URL-based QoS applied to traffic from clients through the router to the Internet.]
DNSSEC
With DNSSEC, authoritative DNS servers running Windows Server 2008 R2 that support
DNSSEC will cryptographically sign a DNS zone to generate digital signatures for all the
resource records in the zone. Other DNS servers can use a trust anchor to verify that a
DNS record was signed by the authoritative DNS server and that it has not been
modified.
While DNS servers perform the validation of DNS records, DNS clients running Windows
7 are DNSSEC-aware. A DNS client running Windows 7 relies on its local DNS server for
DNSSEC validation and can check whether validation has been successfully performed
on the responses before returning the results of the query to an application.
Figure 5 illustrates how IPsec and DNSSEC can provide an end-to-end DNSSEC solution
to validate a DNS request that must traverse multiple levels of DNS servers. For
example, the client computer could be located at a branch office and configured to use
IPsec to connect to a local, non-authoritative DNS server running Windows Server 2008
R2. The local DNS server can forward requests to the domain’s authoritative DNS server,
use DNSSEC to verify the integrity of internal DNS records (even if there are multiple
interim DNS servers), and inform the client that DNSSEC was used to validate the
records.
[Figure 5: the link from the client to its local DNS server is authenticated and encrypted with IPsec; the records returned through the chain of DNS servers are validated with DNSSEC.]
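The signing, trust anchor and validation flag described in this section can be illustrated end to end. The following Python is an added example, not Windows DNS code: it uses a toy RSA key with small hard-coded primes so that it runs without any libraries, which makes it insecure and suitable only for showing the mechanism. Real DNSSEC uses 2048-bit RSA or ECDSA DNSKEY records, DS records chaining up to the root, and NSEC records for denial of existence, none of which is modelled; the zone, names and addresses are constructed.

```python
"""Zone signing and validation in the style of DNSSEC (added example, not
Windows DNS code).  Assumed: a toy RSA key with small hard-coded primes, used
only so the example is dependency-free; it is NOT secure.  Zone data is made up."""
import hashlib
import time
from typing import Dict, List, Optional, Tuple

# Toy RSA key pair for the zone (illustration only; far too small for real use).
_P, _Q, E = 1000000007, 998244353, 65537
N = _P * _Q
_D = pow(E, -1, (_P - 1) * (_Q - 1))      # private exponent (Python 3.8+)
TRUST_ANCHOR = (N, E)                     # zone public key, distributed out of band

RRSet = List[str]
RRSig = Tuple[int, int]                   # (expiration as unix time, signature)


def canonical(name: str, rtype: str, rdata: RRSet) -> bytes:
    """Fixed form of an RRset so record order and name case cannot change the hash."""
    return f"{name.lower()}|{rtype}|{'|'.join(sorted(rdata))}".encode()


def _digest(name: str, rtype: str, rdata: RRSet, expiration: int, n: int) -> int:
    material = canonical(name, rtype, rdata) + expiration.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(material).digest(), "big") % n


def sign_rrset(name: str, rtype: str, rdata: RRSet,
               private: Tuple[int, int] = (N, _D),
               expires: Optional[int] = None) -> RRSig:
    """The authoritative server signs one RRset; the expiration is signed too."""
    n, d = private
    expiration = expires if expires is not None else int(time.time()) + 7 * 86400
    return expiration, pow(_digest(name, rtype, rdata, expiration, n), d, n)


def validate(name: str, rtype: str, rdata: RRSet, rrsig: RRSig,
             anchor: Tuple[int, int] = TRUST_ANCHOR,
             now: Optional[int] = None) -> bool:
    """A validating DNS server checks the signature against its trust anchor."""
    n, e = anchor
    expiration, signature = rrsig
    if expiration < (now if now is not None else int(time.time())):
        return False                      # stale signature: replayed old data is rejected
    return pow(signature, e, n) == _digest(name, rtype, rdata, expiration, n)


def sign_zone(zone: Dict[Tuple[str, str], RRSet]) -> Dict[Tuple[str, str], Tuple[RRSet, RRSig]]:
    """Sign every RRset in the zone, as the authoritative server does."""
    return {key: (rdata, sign_rrset(key[0], key[1], rdata)) for key, rdata in zone.items()}


def resolve(signed_zone: Dict[Tuple[str, str], Tuple[RRSet, RRSig]], name: str,
            rtype: str, anchor: Tuple[int, int] = TRUST_ANCHOR) -> Tuple[RRSet, bool]:
    """Local validating resolver: the answer plus a validated flag, like the AD bit."""
    rdata, rrsig = signed_zone[(name, rtype)]
    return rdata, validate(name, rtype, rdata, rrsig, anchor)


def client_lookup(signed_zone: Dict[Tuple[str, str], Tuple[RRSet, RRSig]],
                  name: str, rtype: str) -> RRSet:
    """DNSSEC-aware client: only validated answers reach the application."""
    rdata, validated = resolve(signed_zone, name, rtype)
    if not validated:
        raise ValueError(f"DNSSEC validation failed for {name} {rtype}")
    return rdata


# Constructed internal zone (private-range placeholder addresses).
ZONE = {
    ("www.contoso.com", "A"): ["10.0.0.5"],
    ("mail.contoso.com", "A"): ["10.0.0.7", "10.0.0.6"],
}
```

Signing ZONE with sign_zone and resolving a name returns the records with the validated flag set; an address altered between the authoritative server and the resolver fails validation, so client_lookup withholds it from the application; reordering the records of an RRset does not disturb the signature; and a signature past its expiration is rejected even though it is otherwise correct.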
Windows 7 adds support for Wake on Wireless LAN (WoWLAN). With WoWLAN,
Windows 7 can reduce electricity consumption by enabling users and IT professionals to
remotely wake computers connected to wireless networks from sleep mode. Because
users can wake computers to access them across the network, IT professionals can
configure them to enter the low-power sleep mode when not in use.
Summary
Windows 7 and Windows Server 2008 R2 offer the following features to help remote
users feel like they’re working in the office by keeping them connected and making the
most out of intermittent and low-bandwidth links:
• BranchCache and file sharing enhancements make the most out of low-
bandwidth connections.
By providing a secure and flexible infrastructure, Windows 7 and Windows Server 2008
R2 provide IT professionals with the following benefits:
• DirectAccess and VPN Reconnect increase the time mobile users are connected
to the internal network, improving manageability.
• DNSSEC allows client computers to authenticate DNS servers, and DNS servers
to authenticate each other, reducing the risk of man-in-the-middle attacks.
• Support for green IT allows users to save power while still enabling
administrators to manage computers across the network.