WindowsNetworking.com Newsletter of April 2008

WindowsNetworking.com Monthly Newsletter of July 2010 Sponsored by: Softinventive Lab

Welcome to the WindowsNetworking.com newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: dshinder@windowsnetworking.com

Fully automated network computer inventory right at your working place in a couple minutes.

Total Network Inventory is a PC audit and network inventory software for office and large-scale enterprise networks. Total Network Inventory interrogates all computers and notebooks on a network and reports back with complete information about the OS, service packs, hotfixes, hardware, software, running processes, etc. on remote machines. This information is added to the centralized database and then network administrators can generate reports about each or all of the PCs on a network.

Download free trial.

1. The Invasion of the Bandwidth Hogs

I just completed an article about the consumerization of IT and its security implications for our sister website, WindowSecurity.com. Look for it to be published soon. But in the meantime, security isn't the only problem that the consumerization trend has created for network administrators. I read recently that during the recent World Cup, the "March Madness" NCAA basketball tournament and other popular sports events, employees watching web video of those games in the workplace brought some networks to their knees.

Workers' expectations that they will be allowed to use company computers - or their own devices, plugged into or wirelessly connected to the company network - for a certain amount of personal use have gradually crept into the corporate culture. The employee sees it from the perspective of "I'm not behind on my work and I'm on my fifteen minute break or my lunch hour, so what's the difference between me watching the game (or the YouTube videos of my grandkids) and the employee who spends his/her down time standing around the water cooler, gossiping about the boss, or in the lounge, watching the news on TV?"

In a nutshell, the difference (along with security) is bandwidth. Employees A, B and C might be on break, but if they spend that break streaming high-bandwidth videos, how does that impact employees D, E and F who are trying to get real work done and whose connections are slowed by the congestion? This might not be a problem when we're talking about three employees, but multiply that by several hundred or several thousand who are taking their lunch breaks at the same time and those who lunch early or late might find themselves sitting and waiting when they're trying to get a rush project done.

Many employees who wouldn't use the company's computers to do their personal business think nothing of using its network. They bring in their smart phones, laptops or iPads and then connect them via wi-fi to the company network. It's a lot cheaper than buying a high priced data plan from a cellular provider or, if you do have such a plan, using up some of your precious data allocation now that some carriers are eliminating their unlimited plans. Some of them may not have fast Internet connections at home, so they bring their laptops to the office to connect and download those big files or watch online video that doesn't work well over their slower connections. They figure they're using their own devices and "only" using the company network to get to the Internet, so no harm is done.

Streaming media is a bandwidth hog that some companies didn't take into consideration when they formulated their employee-friendly usage policies. After all, it all started with employees wanting to be able to check their personal email when on break, something that (unless large attachments were involved) didn't use much bandwidth. If your corporate network has bandwidth to spare, no problem - but some small and medium size businesses are already straining the limits. If you pay for Internet usage on a metered basis, the bandwidth hogs cost you money.

Other consumer oriented applications, such as peer-to-peer (P2P) file sharing and multi-player online games, are also big bandwidth users. It's not just consumer apps and devices that consume excessive amounts of bandwidth, though. Some legitimate business applications are being misused or overused, resulting in strains on the company bandwidth. For example, sometimes when a company implements a new technology such as video conferencing, they go overboard with it and start using it when it's not necessary or even desirable, just out of fascination with the "new toy." Firing up a video conference for every communication that could be just as efficiently handled by a phone call is a waste of bandwidth.

You can, of course, filter particular web sites or block certain protocols on the corporate network. You can do it with an edge device, in which case you want one that can tie traffic to users for every protocol by requiring authentication at the gateway; Microsoft Forefront TMG does this, and some (but not all) other edge firewalls do. You can also block applications or protocols on each computer, though host-based blocking only holds up if users aren't local administrators, and it doesn't touch the personal laptops and phones on your wireless network at all, which is one good argument for putting those on a separate guest network that can reach only the Internet. Whether you control this at the edge or on the host, you can either block protocols or applications completely or use bandwidth shaping (a.k.a. traffic shaping or packet shaping) to allocate bandwidth, giving priority to the protocols that are more mission critical. Windows 7/Vista and Windows Server 2008/R2 include support for bandwidth shaping via policy-based Quality of Service (QoS). There are also numerous third party solutions for traffic management.

Windows policy-based QoS is configured through Group Policy, and with it you can control network usage based on applications, users and computers. A QoS policy matches outbound traffic by application name, protocol, ports or addresses and can do two things with it: mark the matching packets with a DSCP value, carried in the Type of Service field of the IPv4 header and the Traffic Class field of the IPv6 header, so that routers and switches that honor DSCP can prioritize them, and cap the rate at which the computer sends that traffic. Keep in mind that this works on traffic leaving the Windows machine: it can keep a chatty application from flooding your uplink, but it cannot by itself limit a video stream arriving from the Internet, which has to be shaped or blocked at the edge. You can configure a user-based policy on the domain controller and propagate it to the user's computer, no matter where or how the user logs onto the network. To find out more about policy based QoS, follow this link.
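As an added example (this is not code from the newsletter, and in production you would create these policies in the Group Policy editor under Computer Configuration > Windows Settings > Policy-based QoS rather than script them per machine), the following PowerShell writes two QoS policies in the registry layout that Windows 7 / Server 2008 R2 store policy-based QoS in. The application names "conferencing.exe" and "p2pclient.exe", the DSCP value and the throttle figure are illustrative assumptions; so is the unit of the throttle value, which I take to be the KBps figure the GPO editor shows, so check the result in gpedit.msc after it applies.

```powershell
# Added example: local policy-based QoS entries for Windows 7 / Server 2008 R2.
# Run in an elevated PowerShell. Policy-based QoS acts on OUTBOUND traffic only.
$qosRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\QoS'

function New-LocalQosPolicy {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $ApplicationName = '*',               # exe name, or '*' for any process
        [ValidateSet('*','TCP','UDP')] [string] $Protocol = '*',
        [string] $LocalPort  = '*',                    # single port or 'low:high' range
        [string] $RemotePort = '*',
        [string] $RemoteIP   = '*',
        [int]    $DscpValue  = -1,                     # -1 = do not mark
        [int]    $ThrottleRate = -1                    # -1 = no cap; otherwise KBps (assumption, see lead-in)
    )
    $key = Join-Path $qosRoot $Name
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Value names and the '*' wildcard convention match what the GPO editor writes.
    $values = [ordered]@{
        'Version'                 = '1.0'
        'Application Name'        = $ApplicationName
        'Protocol'                = $Protocol
        'Local Port'              = $LocalPort
        'Local IP'                = '*'
        'Local IP Prefix Length'  = '*'
        'Remote Port'             = $RemotePort
        'Remote IP'               = $RemoteIP
        'Remote IP Prefix Length' = '*'
        'DSCP Value'              = [string]$DscpValue
        'Throttle Rate'           = [string]$ThrottleRate
    }
    foreach ($v in $values.GetEnumerator()) {
        New-ItemProperty -Path $key -Name $v.Key -Value $v.Value -PropertyType String -Force | Out-Null
    }
    Get-ItemProperty -Path $key | Select-Object 'Application Name','Protocol','DSCP Value','Throttle Rate'
}

# 1. Mark the conferencing application's UDP traffic Expedited Forwarding (DSCP 46)
#    so switches and routers that honor DSCP put it ahead of everything else.
New-LocalQosPolicy -Name 'Conferencing Audio' -ApplicationName 'conferencing.exe' -Protocol UDP -DscpValue 46

# 2. Cap what a P2P client may SEND to 200 KBps. Its downloads are inbound and
#    are not affected by this; those you block or shape at the edge.
New-LocalQosPolicy -Name 'P2P Upload Cap' -ApplicationName 'p2pclient.exe' -ThrottleRate 200

# Policies are picked up on the next Group Policy refresh.
gpupdate /target:computer /force
```

One caveat worth knowing before you test this on a laptop at home: on Windows 7 the QoS component only applies these policies on networks that Network Location Awareness identifies as the domain network, so a non-domain test machine will appear to ignore them unless the REG_DWORD value "Do not use NLA" = 1 is set under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\QoS.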

An edge device is most effective if you want to block everyone on the network from using the specified Internet protocols or applications. In some cases, however, there will be some legitimate business use (even for YouTube). Then you'll need to either block by user or use the traffic shaping method to prioritize bandwidth use.

Of course, technology is only part of the solution. You need an acceptable use policy that addresses the excessive bandwidth consumption problem as well. Heavy-handed policies that attempt to completely ban all personal use often backfire; the key is to set reasonable rules and to educate employees about the rationale behind the restrictions. People are much more willing to accept and support rules that they understand.

By Debra Littlejohn Shinder, MVP
See you next month - Deb.
dshinder@windowsnetworking.com

=======================
Quote of the Month - "1f u c4n r34d 7h15, u r34||y n33d 70 637 4 |1f3." - 4n0nym0u5
======================

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they share the Good, the Great, the Bad and the Ugly of ISA 2006 with their no holds barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.

Click here to order your copy today.


3. WindowsNetworking.com Articles of Interest

4. Administrator KB Tip of the Month

How to hide the Public shortcuts on the folder and favorites list
If you don't use the Public folders provided by Windows, you may want to remove the shortcuts. Most open/save file dialogs and Windows Explorer have a Favorite Links section that includes a shortcut to the Public folders. Plus it's listed on the main folder list, along with shortcuts to the user's folder and to the drives.

Removing the shortcut from the Favorite Links is easy. Just open your Links folder, C:\Users\username\Links, and delete Public.lnk.

Taking the shortcut off the Folders list, however, requires a registry change. Export the key first (File > Export in Regedit, or reg export from a command prompt) so you can put it back if you change your mind, then delete the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace\{4336a54d-038b-4685-ab02-99bb52d3fb8b}
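Here is the same tip as an added PowerShell script (not part of the original tip), which backs the key up to a .reg file before deleting it and removes the Favorite Links shortcut for the current user. It assumes Windows Vista or Windows 7 and an elevated prompt, since the key lives under HKLM; the backup file name is my choice.

```powershell
# Added example: hide the Public folder shortcuts, with a rollback file.
# Run elevated. The GUID is the NameSpace entry the tip above names.
$publicLink = Join-Path $env:USERPROFILE 'Links\Public.lnk'
$nsKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace\{4336a54d-038b-4685-ab02-99bb52d3fb8b}'
$backup = Join-Path $env:TEMP 'PublicNamespace-backup.reg'   # assumed location

# 1. Favorite Links: nothing more than a shortcut file in the user's Links folder
if (Test-Path $publicLink) {
    Remove-Item -Path $publicLink
    "Removed $publicLink"
}

# 2. Folder tree: export the key for rollback, then delete it
if (Test-Path $nsKey) {
    # reg.exe wants the HKLM\... form, not the PowerShell HKLM:\ drive form
    reg export ($nsKey -replace '^HKLM:', 'HKLM') $backup /y | Out-Null
    Remove-Item -Path $nsKey -Recurse
    "Removed namespace key. Restore with: reg import `"$backup`""
}

# Explorer reads the namespace when it starts, so restart the shell
Stop-Process -Name explorer -Force
Start-Process explorer
```

To undo, run reg import on the backup file and restart Explorer again; the Favorite Links shortcut can be recreated by dragging the Public folder into the Links section.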

For more administrator tips, go to WindowsNetworking.com/WindowsTips

5. Windows Networking Tip of the Month

Something I've learned from talking to a number of people who have rolled out DirectAccess in their organizations is that some of the wireless carriers are not allowing IP Protocol 41 over their networks. I have no idea why they aren't allowing this, but it's causing a problem with wireless DirectAccess clients that need to use 6to4 when assigned a public address when connected to the Internet. What's the solution? Well, the fact is that while 6to4 is the default used when connecting over the Internet, that doesn't mean you have to use 6to4. Instead, you can use Teredo or even IP-HTTPS. This month's tip is that you disable the 6to4 IPv6 transition technology throughout your network. You can do this via Group Policy. This also solves the problem with 6to4 when you use public IP addresses on your intranet, something you see sometimes in large corporate networks and in academic networks. It's safe to disable 6to4 and doing so will save you a ton of trouble.
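As an added example (not from the tip itself), the following PowerShell shows what the Group Policy setting actually does on a Windows 7 / Server 2008 R2 machine and how to check the result. The GPO is Computer Configuration > Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies > 6to4 State; it writes the policy value shown below. The script sets that value locally, also turns 6to4 off immediately with netsh so you don't have to wait for a policy refresh, and then reports which transition technology the client is actually using. In a domain you would set the GPO rather than run this on every client; run it elevated.

```powershell
# Added example: disable 6to4 the way the "6to4 State" policy does, then verify.
$v6Transition = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'

function Set-6to4PolicyState {
    # Same registry value the Group Policy setting writes (REG_SZ: Default/Enabled/Disabled)
    param([ValidateSet('Default','Enabled','Disabled')] [string] $State = 'Disabled')
    if (-not (Test-Path $v6Transition)) { New-Item -Path $v6Transition -Force | Out-Null }
    New-ItemProperty -Path $v6Transition -Name '6to4_State' -Value $State -PropertyType String -Force | Out-Null
}

function Get-TransitionState {
    # Ask the stack what it is doing rather than trusting the registry alone
    [ordered]@{
        '6to4'     = (netsh interface 6to4 show state) -join ' '
        'Teredo'   = (netsh interface teredo show state) -join ' '
        'IP-HTTPS' = (netsh interface httpstunnel show interfaces) -join ' '
    }
}

Set-6to4PolicyState -State 'Disabled'
# Immediate local effect; the policy value above keeps it that way after refresh
netsh interface 6to4 set state state=disabled | Out-Null
gpupdate /target:computer /force | Out-Null

Get-TransitionState
```

After running it, confirm that Teredo or IP-HTTPS actually comes up on a client that is out on the Internet; a DirectAccess client with no working transition technology has no tunnel at all, so test from a public-address connection (the very case that prompted the tip) and from behind a NAT before rolling the policy out.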


6. WindowsNetworking Links of the Month

7. Ask Sgt. Deb

QUESTION:

Hey Deb,

I know that you get a lot of DirectAccess questions and I will understand if you do not want to answer this one in the newsletter. But I went to TechEd in New Orleans this year and saw a lot of the talks on DirectAccess, including two of them that your husband did. DirectAccess really looks like the answer to a lot of problems we have had in our company regarding VPN and user productivity when they're out of the office. My boss thinks it's a great idea and his boss has a friend who is already using it and he thought it was fantastic! So now it's my job to figure out what I need. Right now my network is using Windows Server 2003 domain controllers and we have a mix of Windows 2000, Windows 2003 and Windows Server 2008 servers. We do not have any Windows Server 2008 R2 servers and we do not use IPv6 on our network. Our client machines are mostly Windows XP, but we're planning on moving to Windows 7 by the end of the year. Do you think that DirectAccess will work for us?

Thanks! - Donny K.

ANSWER:

Hi Donny!

Great question. Any chance you saw me at TechEd? I was at the Remote Desktop Server booth and I got to meet a lot of great people there. If not, I hope to be at TechEd in Atlanta next year, so maybe we'll cross paths there.

Regarding your DirectAccess questions, your network is a mix of IPv6 capable (the Windows Server 2008 servers) and IPv4 only servers. That means that you won't be able to use the Windows DirectAccess solution because you need an IPv6 capable network to make that work. However, you can use the Unified Access Gateway (UAG) 2010 DirectAccess solution with the network that you have. Here are some facts that will help you in your planning process:

  • UAG DirectAccess has NAT64/DNS64 technologies, so you can have Windows 2000 and Windows 2003 servers on your network without any problems
  • You can use Windows 2003 DNS servers on your network and it will work with UAG DirectAccess
  • You can use Windows 2003 Active Directory domain controllers and it will work with UAG DirectAccess
  • Your domain functional level isn't an issue - you can use any domain functional level and it'll work with UAG DirectAccess
  • Windows XP won't work as a DirectAccess client. When you upgrade to Windows 7, make sure you use Windows 7 Enterprise or Ultimate Edition.
  • While UAG will support your IPv4 only servers, you will need to test your client-side applications to make sure that they are IPv6 aware. The reason for that is the DirectAccess client only uses IPv6 to communicate with the UAG DirectAccess server.

Overall, I think you're in great shape for providing your users DirectAccess connectivity to your corporate network. Let me know if you have any problems getting things set up and I'll make sure to connect you to the right resources to make things go as smoothly as possible.
