
Windows 7 and Windows Server 2008 R2 Networking Enhancements for Enterprises

Microsoft Windows Family of Operating Systems

Published: January 2009


Windows 7 and Windows Server 2008 R2 Networking Enhancements for Enterprises ii

This document supports a preliminary release of a software product that may be changed substantially prior to
final commercial release. This document is provided for informational purposes only and Microsoft makes no
warranties, either express or implied, in this document. Information in this document, including URL and other
Internet Web site references, is subject to change without notice. The entire risk of the use or the results from
the use of this document remains with the user. Unless otherwise noted, the companies, organizations,
products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are
fictitious. No association with any real company, organization, product, domain name, e-mail address, logo,
person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Outlook, Sharepoint, Windows, Windows Media, Windows Server, and Windows Vista are trademarks
of the Microsoft group of companies.
All other trademarks are property of their respective owners.


Introduction
In the past few years, advances in mobile computers and wireless broadband have
enabled users to be more productive while away from the office. According to IDC [i], the
third quarter of 2008 marked the point at which computer manufacturers began shipping
more mobile computers than desktop computers worldwide. In 2008, mobile workers will
represent 26.8% of the total workforce, and that number will increase to 30.4% by 2011 [ii].
Clearly, users are becoming more mobile, and IT professionals must provide an
infrastructure to allow them to remain productive.

Additionally, more users are working from branch offices or home offices instead of the
central office. The changing structure of business puts more pressure on IT professionals
to provide a high-performance and secure infrastructure for connecting remote users and
branch offices while minimizing costs.

With Windows® 7 and Windows Server® 2008 R2, Microsoft introduces several new
networking features to improve the productivity of mobile users and users at branch
offices. This paper describes those features, as well as other networking improvements in
Windows 7 and Windows Server 2008 R2.

DirectAccess
DirectAccess provides users transparent access to internal network resources whenever
they are connected to the Internet. Traditionally, users connect to internal network
resources with a virtual private network (VPN). However, using a VPN can be
cumbersome because:

• Connecting to a VPN takes several steps, and the user needs to wait for the
authentication. For organizations that check the health of a computer before
allowing the connection, establishing a VPN can take several minutes.

• Any time users lose their Internet connection, they need to re-establish the VPN
connection.

• Internet performance is slowed if all traffic is routed through the VPN.

Because of these concerns, many users avoid connecting to a VPN. Instead, they use
technologies such as Microsoft Office Outlook® Web Access (OWA) to connect to internal
resources. With OWA, users can retrieve internal e-mail without establishing a VPN
connection. However, if a user tries to open a document on the internal network (often
linked from an e-mail), they are denied access because internal resources are typically
not accessible from the Internet.

Avoiding VPNs also causes problems for IT professionals, who can only manage mobile
computers when they connect to the internal network. When users avoid establishing an
internal connection, mobile computers miss critical updates and changes to Group Policy
settings.

Windows 7 and Windows Server 2008 R2 introduce DirectAccess, which enables users
to have the same experience working at home or at a wireless hotspot as they would in
the office. With DirectAccess, authorized users on Windows 7 computers can access
corporate shares, view intranet Web sites, and work with intranet applications without
going through a VPN.

DirectAccess also benefits IT professionals by enabling them to manage mobile
computers outside of the office—anytime, anywhere—even though the computers are not
connected to the VPN. Each time a mobile computer connects to the Internet, before the
user logs on, DirectAccess establishes a bi-directional connection that enables the client
computer to stay up to date with company policies and to receive software updates.

DirectAccess provides a secure and flexible network infrastructure using technologies
such as IPv6 and IPsec. Security and performance features include:

• Authentication. DirectAccess authenticates the computer before the user logs
on, allowing IT professionals to manage the computer when the Internet
connection is established. DirectAccess can also authenticate users and
supports multifactor authentication methods such as smart card authentication.

• IPv6. DirectAccess uses IPv6 to provide globally routable IP addresses for
remote access clients. Organizations that are not yet ready to fully deploy IPv6
can use IPv6 transition technologies such as ISATAP, 6to4, and Teredo to enable
clients to connect across the IPv4 Internet and to access IPv4 resources on the
enterprise network. These technologies provide IPv6 support for devices and
servers that do not support IPv6 natively.

• Encryption. DirectAccess uses IPsec to provide authentication and encryption
for communications across the Internet. You can use any IPsec encryption
method, including DES, which uses a 56-bit key, and 3DES, which uses three
56-bit keys.

• Access control. With DirectAccess, IT professionals can configure the internal
resources to which each user can connect, granting unlimited access or allowing
access only to specific servers or networks.

DirectAccess uses split-tunnel routing, as illustrated in Figure 1, which reduces
unnecessary traffic on the corporate network. Split-tunnel routing sends only traffic
destined for the enterprise network through the DirectAccess server. Although
split-tunnel routing is the default configuration for DirectAccess, IT professionals can
disable the feature to send all traffic through the enterprise network.

[Figure: a DirectAccess client on the Internet reaches corporate resources on the intranet through the DirectAccess server (internal traffic), while Internet traffic goes directly to Internet servers.]

Figure 1: DirectAccess traffic flow with split-tunnel routing.



VPN Reconnect
DirectAccess can replace the VPN as the preferred remote access method for many
organizations. However, some organizations will continue to use VPNs side-by-side with
DirectAccess. Therefore, Microsoft is improving VPN usability in Windows 7 with VPN
Reconnect.

VPN Reconnect uses IKEv2 technology to provide seamless and consistent VPN
connectivity, automatically re-establishing a VPN when users temporarily lose their
Internet connections. Users who connect using wireless mobile broadband will benefit
most from this capability.

For example, consider a user traveling to work on a train. To make the most out of her
time, she uses a wireless mobile broadband card to connect to the Internet and then
establishes a VPN connection to her company’s network. As the train passes through a
tunnel, she loses her Internet connection. Once outside of the tunnel, the wireless mobile
broadband card automatically reconnects to the Internet. However, with earlier versions
of Windows, the VPN does not reconnect, and she needs to repeat the multi-step
process of connecting to the VPN. This can quickly become time consuming for mobile
users with intermittent connectivity.

With VPN Reconnect, Windows 7 automatically re-establishes active VPN connections
when Internet connectivity re-establishes. While the re-connection might take several
seconds, it is completely transparent to users, who are more likely to stay connected to a
VPN and get more use out of internal network resources.

Mobile Broadband
Earlier versions of Windows require users of wireless broadband cards to install
third-party software, which is difficult for IT administrators to manage, especially considering
that every wireless broadband provider has different software. Users also must be trained
to use the software and must have administrative access to install it, preventing standard
users from easily adding a wireless broadband card.

With Mobile Broadband, Windows 7 provides a driver-based model for wireless
broadband cards. Now, users can simply connect a wireless broadband card and
immediately begin using it. The interface is built into Windows and is the same regardless
of the wireless broadband provider, reducing the need for training and management
efforts. With Windows 7 Mobile Broadband, connecting to the Internet with wireless
broadband is as straightforward as connecting to a wireless local area network (LAN).

BranchCache
With BranchCache™, Windows 7 and Windows Server 2008 R2 reduce wide area
network (WAN) utilization while simultaneously increasing the responsiveness of network
applications at remote offices. When IT professionals enable BranchCache in Windows 7
and Windows Server 2008 R2, data retrieved from Web and file servers on the enterprise
WAN is stored on the local branch office network. If another client at
the same branch requests the same content, the client can access it directly from the
local network, without fetching the entire file across the WAN. Clients are always
authorized by the server at the datacenter before they can retrieve the content from the
local branch network.

BranchCache can operate in one of two modes:

• Distributed Cache. Using a peer-to-peer architecture, Windows 7 clients cache
content retrieved from Windows Server 2008 R2 and send the content directly to
other Windows 7 clients as they need it, without those clients having to retrieve
the same content over the WAN link. A distributed cache is the best choice for
branches without a computer running Windows Server 2008 R2.

• Hosted Cache. Using a client/server architecture, Windows 7 clients copy
content to a local computer (Hosted Cache) running Windows Server 2008 R2
that has BranchCache enabled. Other client computers that need the same
content retrieve it directly from the Hosted Cache. Compared to the Distributed
Cache, Hosted Cache increases the cache availability because content is
available even if the client that originally requested the data is offline. Additionally,
a Hosted Cache works across subnets and reduces multicast traffic on the local
network. Typically, administrators can configure an existing computer running
Windows Server 2008 R2 to act as the Hosted Cache, because the Hosted
Cache does not require a dedicated server.

[Figure: headquarters connected to two branch offices, one using Distributed Cache and one using Hosted Cache.]

Figure 2: Comparison of BranchCache Distributed Cache and Hosted Cache modes.

BranchCache currently supports the following protocols and is fully compatible with end-
to-end encryption such as IPsec:

• HTTP (including HTTPS). The standard protocol for Web transfers, used by
applications such as Internet Explorer®, Windows Media®, and Windows
SharePoint®.

• SMB (including signed SMB). The standard protocol for network file transfers
when connecting to shared folders from Windows Explorer.

When BranchCache is enabled on both the client computer and server computer, the
client computer follows this process to retrieve data using HTTP or SMB:

1. The client computer running Windows 7 connects to a computer running
Windows Server 2008 R2 at the datacenter and requests content exactly as it
would if it were to retrieve content without using BranchCache.

2. The server computer at the datacenter authenticates the user and verifies that
the user is authorized to access the data.

3. The server computer at the datacenter returns identifiers (hashes) of the
requested content to the client computer instead of sending the content itself.
The server computer does so over the same channel that the content would have
normally been sent.

4. Using the retrieved identifiers, the client computer does the following:

a. If configured to use Distributed Cache, the client computer multicasts on
the local network to find other client computers that have already
downloaded the content.

b. If configured to use Hosted Cache, the client computer looks up content
availability on the Hosted Cache.

5. If the content is available in the branch (either on one or more clients or the
Hosted Cache), the client computer retrieves the data from within the branch,
and ensures that the data is current and has not been tampered with or
corrupted.

6. If the content is not available in the branch, the client computer retrieves the
content directly from the server computer at the datacenter and either makes it
available on the local network to other requesting client computers or sends it to
the Hosted Cache, where it is made available to other client computers.

All content transfers between client computers or between a client computer and the
Hosted Cache are encrypted.
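The six-step process above is easier to reason about when the roles are written out. The following Python model is an added example and is not Microsoft's code or the real BranchCache protocol: fixed 16-byte blocks hashed with SHA-256 stand in for BranchCache's actual content segmentation, `OriginServer` plays the datacenter server, and `BranchStore` plays either a peer's cache or a Hosted Cache (the client's lookup is the same). The point it demonstrates is step 5: a block found in the branch is accepted only if it hashes to the identifier the server issued, so a corrupted or tampered branch copy is discarded and refetched over the WAN rather than handed to the application.

```python
import hashlib

BLOCK_SIZE = 16  # assumption: fixed-size blocks stand in for BranchCache's real segmentation

# Constructed sample content held by the server at the datacenter.
ORIGIN_CONTENT = {
    "/docs/policy.txt": b"Corporate travel policy v3, updated 2009-01-15.",
}


def content_identifiers(data):
    """Return the identifier (SHA-256 hash) of every block of the content."""
    return [hashlib.sha256(data[i:i + BLOCK_SIZE]).hexdigest()
            for i in range(0, len(data), BLOCK_SIZE)]


class OriginServer:
    """Datacenter server: authorizes each request, hands out identifiers, serves blocks on demand."""

    def __init__(self, content, authorized_users):
        self.content = content
        self.authorized_users = authorized_users
        self.wan_block_transfers = 0  # how many blocks actually crossed the WAN

    def request_identifiers(self, user, path):
        # Steps 1-3: authorization happens here, before any identifier is returned.
        if user not in self.authorized_users:
            raise PermissionError(f"{user} is not authorized to read {path}")
        return content_identifiers(self.content[path])

    def fetch_block(self, user, path, index):
        # Step 6: a real transfer of content across the WAN.
        if user not in self.authorized_users:
            raise PermissionError(f"{user} is not authorized to read {path}")
        self.wan_block_transfers += 1
        start = index * BLOCK_SIZE
        return self.content[path][start:start + BLOCK_SIZE]


class BranchStore:
    """Branch-side block store keyed by identifier (a peer cache or a Hosted Cache look alike here)."""

    def __init__(self):
        self.blocks = {}

    def publish(self, block):
        self.blocks[hashlib.sha256(block).hexdigest()] = block

    def lookup(self, identifier):
        return self.blocks.get(identifier)


def retrieve(server, store, user, path):
    """Client side of the process. Returns (content, number of blocks served from the branch)."""
    identifiers = server.request_identifiers(user, path)
    assembled, from_branch = [], 0
    for index, identifier in enumerate(identifiers):
        block = store.lookup(identifier)  # step 4: look for the block in the branch
        # Step 5: accept a branch copy only if it hashes to the identifier the server issued.
        if block is not None and hashlib.sha256(block).hexdigest() == identifier:
            from_branch += 1
        else:
            block = server.fetch_block(user, path, index)  # step 6
            store.publish(block)  # make it available to the next client in the branch
        assembled.append(block)
    return b"".join(assembled), from_branch


def demo():
    """Two clients in one branch read the same file; a tampered branch copy is rejected."""
    server = OriginServer(ORIGIN_CONTENT, authorized_users={"alice", "bob"})
    store = BranchStore()
    path = "/docs/policy.txt"
    _, first = retrieve(server, store, "alice", path)  # cold branch: everything over the WAN
    wan_after_first = server.wan_block_transfers
    _, second = retrieve(server, store, "bob", path)  # warm branch: nothing over the WAN
    wan_after_second = server.wan_block_transfers
    # Constructed tampering: corrupt one cached block in place under its original identifier.
    victim = content_identifiers(ORIGIN_CONTENT[path])[1]
    store.blocks[victim] = b"X" * BLOCK_SIZE
    data, third = retrieve(server, store, "bob", path)  # the bad block is refetched from the server
    return {
        "first_from_branch": first, "wan_after_first": wan_after_first,
        "second_from_branch": second, "wan_after_second": wan_after_second,
        "third_from_branch": third, "wan_after_third": server.wan_block_transfers,
        "content_intact": data == ORIGIN_CONTENT[path],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the sample file (three blocks) crossing the WAN once for the first client, zero times for the second, and exactly one block again after the tampered copy fails its hash check; the unauthorized path raises `PermissionError` before any identifier is disclosed.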

File Sharing and Offline Files Enhancements
IT professionals can take advantage of the Windows 7 file sharing enhancements to
further improve user productivity in branch offices. Windows 7 provides:

• Transparent caching on client computers for shared folders, reducing the time
required to access files for the second and subsequent times across a slow
network. This is combined with protocol enhancements that eliminate multiple,
redundant network operations when opening or saving files to provide an
improved application experience across slow networks.

• Background synchronization capabilities for offline files, reducing administrative
overhead and enhancing end-user experience.

Transparent Caching
Before Windows 7, to open a file across a slow network, client computers always retrieved
the file from the server computer, even if the client computer had recently read the file.
With Windows 7 transparent caching, client computers cache remote files more
aggressively, reducing the number of times a client computer might have to retrieve the
same data from a server computer. The first time a user opens a file in a shared folder,
Windows 7 reads the file from the server computer and then stores it in a cache on the
local disk. The second and subsequent times a user reads the same file, Windows 7
retrieves it from disk instead of reading it from the server computer.

To provide data integrity, Windows 7 always contacts the server computer to ensure the
cached copy is up-to-date. The cache is never accessed if the server computer is
unavailable, and updates to the file are always written directly to the server computer.
Transparent caching is not enabled by default on fast networks. IT Professionals can use
Group Policy to enable transparent caching, to improve the efficiency of the cache, and to
save disk space on the client, configuring the amount of disk space the cache uses and
preventing specific file types from being synchronized.

These benefits are transparent to end-users and provide an experience for users at
branch offices that more closely resembles the experience of being on the same LAN as
servers. Additionally, the improved cache efficiency can reduce utilization across WAN
links.
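The three rules in the previous paragraphs (always revalidate against the server, never serve from cache when the server is unreachable, write straight through to the server) plus the Group Policy knobs for cache size and excluded file types make up a small, testable cache policy. The following Python model is an added example, not Microsoft's implementation: a per-file version number stands in for whatever change detection the real client uses, `FileServer` is a constructed stand-in for the server computer, and the byte counter only measures file data read across the network.

```python
class FileServer:
    """Constructed stand-in for the server computer: versioned files that can be taken offline."""

    def __init__(self, files):
        self.files = {path: (1, data) for path, data in files.items()}  # path -> (version, bytes)
        self.online = True
        self.bytes_sent = 0  # file data read across the (slow) network

    def version(self, path):
        if not self.online:
            raise ConnectionError("server unavailable")
        return self.files[path][0]

    def read(self, path):
        if not self.online:
            raise ConnectionError("server unavailable")
        version, data = self.files[path]
        self.bytes_sent += len(data)
        return version, data

    def write(self, path, data):
        if not self.online:
            raise ConnectionError("server unavailable")
        version = self.files.get(path, (0, b""))[0] + 1
        self.files[path] = (version, data)
        return version


class TransparentCache:
    """Client-side read cache: revalidate on every read, fail closed when offline, write through."""

    def __init__(self, server, max_bytes, excluded_suffixes=()):
        self.server = server
        self.max_bytes = max_bytes            # cache size limit (set by policy in the paper)
        self.excluded = tuple(excluded_suffixes)  # file types never cached (set by policy)
        self.entries = {}                     # path -> (version, bytes); insertion order = age

    def _store(self, path, version, data):
        if path.endswith(self.excluded) or len(data) > self.max_bytes:
            return
        self.entries.pop(path, None)
        while sum(len(d) for _, d in self.entries.values()) + len(data) > self.max_bytes:
            self.entries.pop(next(iter(self.entries)))  # evict the oldest entry
        self.entries[path] = (version, data)

    def read(self, path):
        # Always contact the server first; if it is unreachable the cache is not consulted.
        current = self.server.version(path)
        cached = self.entries.get(path)
        if cached is not None and cached[0] == current:
            return cached[1]  # up to date: no file data crosses the network
        version, data = self.server.read(path)
        self._store(path, version, data)
        return data

    def write(self, path, data):
        # Write-through: the update goes to the server, then the cache follows.
        version = self.server.write(path, data)
        self._store(path, version, data)


def demo():
    """Exercise the policy on constructed sample files and return the observed byte counts."""
    report, mailbox = "/share/report.txt", "/share/mail.pst"
    server = FileServer({report: b"quarterly report", mailbox: b"mailbox"})
    cache = TransparentCache(server, max_bytes=1024, excluded_suffixes=(".pst",))
    cache.read(report)
    after_first = server.bytes_sent
    cache.read(report)  # cached copy revalidated, no data transfer
    after_second = server.bytes_sent
    cache.write(report, b"quarterly report v2")
    latest = cache.read(report)  # the cache already holds the written version
    after_write = server.bytes_sent
    server.online = False
    try:
        cache.read(report)
        offline_failed = False
    except ConnectionError:
        offline_failed = True  # cached copy is not served while the server is down
    server.online = True
    cache.read(mailbox)
    cache.read(mailbox)  # .pst is excluded by policy, so both reads hit the server
    return {"after_first": after_first, "after_second": after_second,
            "after_write": after_write, "latest": latest,
            "offline_failed": offline_failed,
            "excluded_bytes": server.bytes_sent - after_write}


if __name__ == "__main__":
    print(demo())
```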

Background Synchronization for Offline Files
With Windows Vista, user updates to files are written to the server computer when the
user is online. If the user is offline, the file updates are cached on the client computer’s
disk and synchronized with the server the next time the user is online. In Windows 7,
synchronization can happen automatically and in the background, without requiring the
user to choose between online and offline modes. File synchronization is transparent to
the end user, centrally configurable using Group Policy settings, and can be monitored
and controlled from Sync Center. This provides reliable and transparent shared folder
synchronization, giving users access to files on shared folders even when they are
disconnected from the network. Users need not worry about manually synchronizing their
data over slow networks, and IT professionals are assured that data from client
computers is backed up on the servers.

By making synchronization more powerful and transparent, Folder Redirection, a feature
that allows user folders such as Documents to be re-directed to a server computer,
becomes much more useful. IT professionals can use Group Policy settings to enable
both Folder Redirection and synchronization. Windows 7 redirects user folders to the
network location and automatically synchronizes files between the version on the client
computer and the version on the server. When the user disconnects from the network,
Windows 7 opens the local copies of the files exactly as if the user were connected to the
network, and changes synchronize the next time the user connects. This provides
automatic network backup of user data without impacting the user. Windows 7 adds the
“usually offline” mode, which provides similar capabilities when connected to a server
across a slow network.

URL-based QoS
Adding more bandwidth cannot solve every network performance issue. Any network
connection, when fully utilized, will cause communications to slow down while the router
is forced to queue outgoing traffic. This often happens with an Internet or WAN
connection because traffic from multiple clients on a high-speed LAN must share a
lower-speed connection.

For example, if an organization has a 1000 Mbps LAN and a 10 Mbps Internet
connection, computers can send requests across the LAN to the router much faster than
the router can forward the requests to the Internet. In this scenario, the router has to hold
the outgoing requests in a queue and send each request when more bandwidth is
available. By default, routers send outgoing traffic from the queue in a first-in, first-out
basis. Therefore, critical traffic might be waiting in the queue behind less critical traffic.

Figure 3 shows two clients sending traffic to two websites: www.contoso.com (a critical
internal website) and www.southridgevideo.com (a non-critical personal website). As the
figure demonstrates, the router treats the packets exactly the same, and packets
destined for www.southridgevideo.com might be sent after packets destined for
www.contoso.com.

[Figure: two clients sending traffic to http://www.contoso.com and http://www.southridgevideo.com through a router to the Internet.]

Figure 3: Without QoS, low-priority traffic can be sent before high-priority traffic.

When IT professionals configure Quality of Service (QoS), Windows marks outgoing
packets with a Differentiated Services Code Point (DSCP) number. Routers then examine
the DSCP value to determine the packet’s priority. If a network connection is fully utilized
and the router is holding packets in a queue, higher-priority packets are sent before
lower-priority packets, overriding the default first-in, first-out behavior. Therefore, QoS can
maintain the responsiveness of critical network applications even when the network is
busy.

With earlier versions of Windows, IT professionals could specify applications, IP
addresses, and port numbers to determine QoS priorities. With this level of granularity, IT
professionals could prioritize database traffic over Web and e-mail traffic—a useful
capability. They could also prioritize traffic to a critical server over traffic to a less-critical
server.

However, with the growth of Web services and application server consolidation, IT
professionals need finer control over how Windows prioritizes Web traffic. For example, a
single intranet server might host a critical customer service application and a non-critical
discussion forum on the same server. Web services or applications on a single server
share a common IP address, limiting the value of IP-based prioritization. IT professionals
need to be able to assign different priorities to different Web applications and sites on a
single server.

Windows 7 allows IT professionals to prioritize Web traffic based on the URL. With URL-
based QoS, IT professionals can ensure important Web traffic is processed before less-
important traffic, improving performance on busy networks. For example, IT professionals
can assign Web traffic for critical internal Web sites a higher priority than external Web
sites, maximizing performance when the network is busy. Similarly, if users visit
non-work-related Web sites that consume a large portion of the network’s bandwidth, IT
professionals can assign that traffic a low priority so other traffic isn’t impacted.

With URL-based QoS, IT professionals can also configure the path portion of a URL,
known as the Uniform Resource Identifier (URI). For example, IT professionals could
assign http://contoso.com/cust_serv/ a high priority and http://contoso.com/forum/ a low
priority. IT professionals can configure QoS using Group Policy settings.

[Figure: High priority: http://*.contoso.com; Low priority: http://*.southridgevideo.com; both flows pass through a router to the Internet.]

Figure 4: URL-based QoS allows IT professionals to prioritize Web traffic.
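To make the two halves of this section concrete (classifying a request by URL into a DSCP value, and a saturated router draining its queue by that value instead of first-in, first-out), here is an added Python model. It is not Windows code and does not reproduce the Windows URL-based QoS policy engine: the four policies are constructed from the paper's own examples, the DSCP numbers are the standard code points (AF41 = 34, AF31 = 26, CS1 = 8, best effort = 0), and the rule that the most specific matching pattern wins is an assumption made here so that http://contoso.com/forum/ can be ranked below the rest of contoso.com.

```python
from fnmatch import fnmatchcase
import heapq

# Standard DSCP code points (RFC 2474 / RFC 4594 per-hop behaviours).
DSCP_AF41 = 34      # high priority
DSCP_AF31 = 26      # medium priority
DSCP_CS1 = 8        # "scavenger" class, below best effort
DSCP_DEFAULT = 0    # best effort when no policy matches

# Constructed policies modelled on the paper's examples: (URL pattern, DSCP value).
POLICIES = [
    ("http://contoso.com/cust_serv/", DSCP_AF41),
    ("http://contoso.com/forum/", DSCP_CS1),
    ("http://*.contoso.com/", DSCP_AF31),
    ("http://*.southridgevideo.com/", DSCP_CS1),
]


def split_url(url):
    """Split scheme, host and path (query string dropped; ports are not modelled)."""
    scheme, _, rest = url.partition("://")
    host, _, path = rest.partition("/")
    return scheme.lower(), host.lower(), "/" + path.split("?", 1)[0]


def classify(url, policies=POLICIES):
    """Return the DSCP value for a request URL; the most specific matching policy wins (assumption)."""
    scheme, host, path = split_url(url)
    best_key, best_dscp = None, DSCP_DEFAULT
    for pattern, dscp in policies:
        p_scheme, p_host, p_path = split_url(pattern)
        if p_scheme != scheme or not fnmatchcase(host, p_host) or not path.startswith(p_path):
            continue
        # Specificity: literal host characters first, then length of the path prefix.
        key = (len(p_host.replace("*", "")), len(p_path))
        if best_key is None or key > best_key:
            best_key, best_dscp = key, dscp
    return best_dscp


def forward_order(urls, dscp_aware):
    """Order in which a saturated router drains its queue: FIFO, or by DSCP with FIFO among equals."""
    if not dscp_aware:
        return list(urls)
    heap = [(-classify(url), seq, url) for seq, url in enumerate(urls)]
    heapq.heapify(heap)
    return [heapq.heappop(heap)[2] for _ in urls]


# Constructed arrival order at the router: personal video first, internal work last.
SAMPLE_QUEUE = [
    "http://www.southridgevideo.com/clip.mp4",
    "http://contoso.com/forum/thread/7",
    "http://contoso.com/cust_serv/case/9",
    "http://intranet.contoso.com/hr/",
]

if __name__ == "__main__":
    for url in SAMPLE_QUEUE:
        print(classify(url), url)
    print("FIFO:", forward_order(SAMPLE_QUEUE, dscp_aware=False))
    print("DSCP:", forward_order(SAMPLE_QUEUE, dscp_aware=True))
```

Note that `*.contoso.com` does not match the bare host `contoso.com` under this matcher, and that a request over `https://` does not match an `http://` pattern; both fall back to best effort, which is the safe default for a classifier (unmatched traffic is never promoted).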

DNS Security Extensions
DNS clients running Windows 7 or Windows Server 2008 R2 and DNS servers running
Windows Server 2008 R2 support DNS Security Extensions (DNSSEC) to validate the
integrity of DNS records as per Request For Comments (RFCs) 4033, 4034 and 4035. By
validating that a DNS record was generated by the authoritative DNS server and that the
DNS record has not been modified, computers running Windows 7 and Windows Server
2008 R2 can validate the integrity of DNS responses.

With DNSSEC, authoritative DNS servers running Windows Server 2008 R2 that support
DNSSEC will cryptographically sign a DNS zone to generate digital signatures for all the
resource records in the zone. Other DNS servers can use a trust anchor to verify that a
DNS record was signed by the authoritative DNS server and that it has not been
modified.

While DNS servers perform the validation of DNS records, DNS clients running Windows
7 are DNSSEC-aware. A DNS client running Windows 7 relies on its local DNS server for
DNSSEC validation and can check whether validation has been successfully performed
on the responses before returning the results of the query to an application.
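The check a DNSSEC-aware client performs on a response from its local resolver comes down to reading the DNS header: RFC 4035 defines the AD (Authentic Data) bit, which a validating resolver sets only when it has validated the answer, and a validating resolver answers SERVFAIL when validation fails. The following Python example is added here and is not Windows code; it builds constructed 12-byte DNS headers, parses the flag bits, and gates whether a response may be handed to an application. The flag bit positions and RCODE values are from RFC 1035 and RFC 4035; nothing else on the wire is modelled.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2.3).
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # Authentic Data: the resolver validated the answer with DNSSEC
FLAG_CD = 0x0010   # Checking Disabled: the client asked the resolver not to validate
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def build_header(txid, flags, qdcount=1, ancount=1, nscount=0, arcount=0):
    """Pack the 12-byte DNS header (used here only to construct sample responses)."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


def parse_header(message):
    """Unpack the header of a DNS message into the fields the client cares about."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "validated": bool(flags & FLAG_AD),
        "checking_disabled": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "ancount": ancount,
    }


def accept_response(message, expected_id, require_validation):
    """Client-side gate: return (accepted, reason) before results reach an application."""
    h = parse_header(message)
    if not h["is_response"] or h["id"] != expected_id:
        return False, "not a response to our query"
    if h["rcode"] == RCODE_SERVFAIL:
        return False, "resolver failed (a validating resolver answers SERVFAIL for bogus data)"
    if h["rcode"] != RCODE_NOERROR:
        return False, f"rcode {h['rcode']}"
    if require_validation and not h["validated"]:
        return False, "resolver did not set AD; DNSSEC validation was not performed"
    return True, "ok"


# Constructed sample responses as a local caching resolver might return them.
SAMPLE_VALIDATED = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
SAMPLE_UNVALIDATED = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA)
SAMPLE_SERVFAIL = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, ancount=0)
SAMPLE_WRONG_ID = build_header(0x9999, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)

if __name__ == "__main__":
    for name, msg in [("validated", SAMPLE_VALIDATED), ("unvalidated", SAMPLE_UNVALIDATED),
                      ("servfail", SAMPLE_SERVFAIL), ("wrong id", SAMPLE_WRONG_ID)]:
        print(name, accept_response(msg, expected_id=0x1234, require_validation=True))
```

The AD bit is an assertion by the resolver, not a signature the client can verify itself, which is why the paper pairs DNSSEC with IPsec between the client and its local DNS server: a validated answer is only as trustworthy as the path it travelled on.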

Figure 5 illustrates how IPsec and DNSSEC can provide an end-to-end DNSSEC solution
to validate a DNS request that must traverse multiple levels of DNS servers. For
example, the client computer could be located at a branch office and configured to use
IPsec to connect to a local, non-authoritative DNS server running Windows Server 2008
R2. The local DNS server can forward requests to the domain’s authoritative DNS server,
use DNSSEC to verify the integrity of internal DNS records (even if there are multiple
interim DNS servers), and inform the client that DNSSEC was used to validate the
records.

[Figure: the client talks to a caching DNS server over IPsec (authenticated/encrypted); the caching DNS server's exchange with the authoritative DNS server is validated with DNSSEC.]

Figure 5: DNSSEC can prevent man-in-the-middle attacks.

Support for Green IT
Windows 7 offers Wake on Wireless LAN (WOWL) and Smart Network Power features to
reduce power consumption.

Wake on Wireless LAN
Users can save energy by putting computers into sleep mode when they’re not in use.
With earlier versions of Windows, users and IT professionals could use Wake on LAN
(WOL) to wake the computer so that it could be managed across the network. However,
WOL only works when computers are connected to wired networks. Wireless computers
in sleep mode cannot be started or managed across the network, allowing them to fall
behind on configuration changes, software updates, and other management tasks.

Windows 7 adds support for Wake on Wireless LAN (WoWLAN). With WoWLAN,
Windows 7 can reduce electricity consumption by enabling users and IT professionals to
remotely wake computers connected to wireless networks from sleep mode. Because
users can wake computers to access them across the network, IT professionals can
configure them to enter the low-power sleep mode when not in use.

Smart Network Power
Wired network connections use power when they’re enabled, even if a network cable isn’t
connected. Windows 7 offers the ability to automatically turn off power to the network
adapter when the cable is disconnected. When the user connects a cable, power is
automatically restored. This feature offers the power-saving benefits of disabling a wired
network connection while still allowing users to connect easily to wired networks.

Summary
Windows 7 and Windows Server 2008 R2 offer the following features to help remote
users feel like they’re working in the office by keeping them connected and making the
most out of intermittent and low-bandwidth links:

• DirectAccess, VPN Reconnect, and Mobile Broadband make getting connected
and staying connected easy or completely automatic.

• BranchCache and file sharing enhancements make the most out of low-
bandwidth connections.

By providing a secure and flexible infrastructure, Windows 7 and Windows Server 2008
R2 provide IT professionals with the following benefits:

• DirectAccess and VPN Reconnect increase the time mobile users are connected
to the internal network, improving manageability.

• DNSSEC allows client computers to authenticate DNS servers, and DNS servers
to authenticate each other, reducing the risk of man-in-the-middle attacks.

• Mobile Broadband simplifies configuration of wireless broadband adapters.

Finally, these benefits reduce costs for IT professionals:

• BranchCache, URL-based QoS, and file sharing enhancements optimize
bandwidth utilization.

• Support for green IT allows users to save power while still enabling
administrators to manage computers across the network.

In summary, the networking improvements in Windows 7 and Windows Server 2008 R2
improve user productivity and decrease management costs, adding significant value to
Microsoft’s newest client and server operating systems.
[i] IDC Worldwide Quarterly PC Tracker, December 2008.
[ii] IDC, "Worldwide Mobile Worker Population 2007–2011 Forecast," Doc #209813, Dec 2007.
