WindowsNetworking.com Monthly Newsletter of June 2009 Sponsored by: GFI
Welcome to the WindowsNetworking.com newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: firstname.lastname@example.org
Windows 7 and Windows Server 2008 R2 have a lot of new features and capabilities that would excite the sensitive areas of any network administrator. But a lot of what is new is not related to networking. Group Policy, Windows Deployment, Backup, and clustering are just some examples. What is in it for us networking guys?
Quite a bit! It has been a long time since the networking guys had so much good stuff coming to them from the Windows client and server sides. Over the last few years we have had a bone thrown at us from time to time, such as Vista or Windows Server 2008. But these are nothing compared to the salvo of goodies we are seeing coming down the pike.
What is this good stuff I am talking about? Why nothing other than the Win7/Win2008R2 networking troika of DirectAccess, BranchCache and VPN Reconnect:
DirectAccess is a new VPN protocol that allows domain-joined machines to always be connected to the corpnet and the domain, no matter where the client computer is located. DirectAccess enables bidirectional communications so that network admins can also connect to these machines, no matter where they are located, so that they can be serviced, updated and checked for compliance on a regular basis, just like machines physically located behind the wall of the corpnet.
DirectAccess depends on IPv6, but is able to take advantage of IPv6 transition technologies so that you can get it up and running, even when working with an IPv4 Internet and IPv4 servers on the corpnet.
BranchCache is a new Wide Area File Services (WAFS) option that comes with the Windows 7 and Windows Server 2008 R2 operating systems. With BranchCache, you do not need to spend tens to hundreds of thousands of dollars on 3rd party WAFS solutions; just deploy Win7 clients and Win2008R2 servers and you get it right out of the box. BranchCache allows Win7 clients at the branch office to obtain content over a slow WAN link to the main office and cache that content locally at the branch office. The Win7 clients can cache the content themselves and make it available to other Win7 clients, or the clients can forward the content to a BranchCache server at the branch office and clients can then obtain the cached content from the server.
Either way, access to content is significantly faster and compression ratios of over 2000:1 are seen when using BranchCache.
VPN Reconnect is a new remote access VPN client/server technology that uses IKEv2 to establish a VPN connection to a Win2008R2 RRAS VPN server. This new VPN tech is designed to provide a smooth VPN experience for users who are likely to lose their VPN connections on a regular basis. Users who use wireless mobile broadband connections (sometimes referred to as WWAN) will benefit the most from this. For example, suppose you use your WWAN connection on a train and that train goes through a lot of tunnels. When going through the tunnel, the WWAN link is disconnected.
When the train comes out of the tunnel, the WWAN link is reestablished. With previous versions of Windows, the VPN connection is not automatically reconnected when the link disappears. However, with VPN Reconnect and IKEv2, both the WWAN and the VPN connection are automatically reestablished. Nice!
There are a few other cool improvements in the network space in Win7 and Win2008R2, such as file sharing and offline files enhancements, URL-based QoS, and DNS security extensions. We will go over those features next month. Nevertheless, the big three are DirectAccess, BranchCache and VPN Reconnect with IKEv2. Look forward to articles on these subjects on the WindowsNetworking.com web site in the near future.
Want to learn about network security from the experts? Want to get the inside information about Windows Network Security and the inner workings of the TMG firewall? Then join us at Black Hat Las Vegas for Microsoft Ninjitsu: Black Belt Edition, where Tim, Jim and I provide helpful and cogent insights into squeezing the highest level of security from your Microsoft infrastructure and let you in on the secret tweaks that we use to get an edge over the bad guys.
For ISA or TMG firewall consulting, as well as other Forefront Consulting Services and Microsoft virtualization technology consulting in the USA, call me at 206-443-1117 or visit the Prowess Consulting web site.
Got a networking question that you can't find the answer to? Send a note to Dr. Tom at email@example.com and he'll answer your question in next month's newsletter.
3. WindowsNetworking.com Articles of Interest
How to change the computer certificate on a Windows Server 2008-based computer that is running the "Routing and Remote Access" service and SSTP
This article describes how to change the computer certificate on a Windows Server 2008-based computer that is running the "Routing and Remote Access" service and Secure Socket Tunneling Protocol (SSTP). The computer certificate is also known as a machine certificate.
Secure Socket Tunneling Protocol (SSTP) is a new virtual private network (VPN) tunneling protocol that is available in the "Routing and Remote Access Services" role in Windows Server 2008. The protocol is also available for use in Windows Vista Service Pack 1 (SP1).
SSTP uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and through Web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol.
The "Routing and Remote Access" service in Windows Server 2008 configures a computer certificate from the certificate store (also known as the machine store) in HTTP.sys so that it can accept HTTPS connections. This computer certificate is also sent to the client during the Secure Sockets Layer (SSL) negotiation phase.
If you, as an administrator, have already installed a computer certificate and configured the "Routing and Remote Access" service, you can change the computer certificate without reconfiguring the "Routing and Remote Access" service. This article discusses how to change the computer certificate.
Head on over to this page and get the details on handling this certificate.
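One way to inspect and swap the certificate HTTP.sys presents on TCP 443 for SSTP, as an added example (not the KB article's own steps and not from the newsletter). It assumes you run elevated on the RRAS server, that the replacement certificate is already in the LocalMachine\My store, that SSTP is bound on 0.0.0.0:443 only, and that $NewThumbprint is the new certificate's SHA-1 thumbprint; the appid value is a placeholder you replace with the Application ID the first netsh command prints.

```powershell
# Added example: check and rebind the SSTP computer certificate in HTTP.sys.
# Assumptions: elevated session on the RRAS server; new cert already in
# LocalMachine\My; IPv4-only listener on 0.0.0.0:443; $NewThumbprint is the
# SHA-1 thumbprint (40 hex chars) of the replacement certificate.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]
    [string]$NewThumbprint
)

$ipport = '0.0.0.0:443'

# 1. Show what HTTP.sys currently serves on 443 (certificate hash + Application ID).
Write-Host "Current HTTP.sys binding for $ipport"
netsh http show sslcert ipport=$ipport

# 2. Validate the replacement certificate before touching the binding:
#    it must exist, be unexpired, carry a private key and allow Server Authentication.
$thumb = $NewThumbprint.ToUpper()
$cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert)                      { throw "No certificate $thumb in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date))   { throw "Certificate expired on $($cert.NotAfter)" }
if (-not $cert.HasPrivateKey)        { throw "Certificate has no private key; SSTP cannot use it" }
$eku = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Enhanced Key Usage' }
if ($eku -and ($eku.Format($false) -notmatch 'Server Authentication')) {
    throw "Certificate lacks the Server Authentication EKU"
}

# 3. Rebind: drop the old binding, add the new one with the same Application ID.
#    PLACEHOLDER appid: copy the "Application ID" value shown by step 1.
$appId = '{00000000-0000-0000-0000-000000000000}'
netsh http delete sslcert ipport=$ipport
netsh http add sslcert ipport=$ipport certhash=$thumb appid=$appId

# 4. Restart Routing and Remote Access so SSTP picks up the new certificate,
#    then confirm HTTP.sys now reports the new hash.
Restart-Service RemoteAccess -Force
netsh http show sslcert ipport=$ipport
```

If your server also listens on [::]:443, repeat steps 1 and 3 for that ipport as well.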
This is not a Windows tip, but it is a nice tip nonetheless because it is something that most people who are not working as full time network admins would not think about. A couple of weeks ago my wife was trying to connect a new computer to a guest DMZ segment I created so that visitors could bring their laptops to our office and plug in and access the Internet without us having to worry about them bringing malware into our production network.
This network has a switch that is plugged into the firewall. The WAP and a couple of network drops are also plugged into the switch. She first tried to join the network by connecting to the WAP. That did not seem to work, so she connected to one of the local drops. That did not work either.
She opened a command prompt on the client and tried to ping Google. That did not work. She then tried to ping the local interface on the firewall. That did not work either. She looked at the cable connecting to the switch and the port was lit, and checked the connection to the firewall and that port was lit too.
I finally got off the phone and took a look. Yep, the pings did not work. However, that might have been a name resolution issue. I pinged the IP address of a DNS server I know responds to pings and that did not work. I did not ping the firewall since, for security reasons, I do not allow pings to the firewall. I ran arp -g to find out if there was even layer 2 connectivity. Nope - no MAC addresses in my list.
So what was the problem? All the lights were on but no one was home! Then I remembered that the switch we are using is a Linksys. Ha! Linksys is a Cisco product and thus I figured it is probably buggy (I'm no Cisco fan) and it needed to be rebooted. BAM! That was it. I unplugged the power on the switch and then plugged it back in. Now the computers on the guest DMZ could connect to the network and the Internet again.
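The same bottom-up check, scripted, as an added example (not from the newsletter): it separates layer 2 (ARP table), layer 3 (ping by IP) and name resolution so a dead switch is not mistaken for a DNS problem. It assumes PowerShell 2.0 on a Windows 7 client that already has an address on the guest segment; $Gateway, $KnownHost and $TestName are constructed sample values.

```powershell
# Added example: layered connectivity check (ARP -> ping by IP -> DNS).
# Assumptions: Windows 7 / PowerShell 2.0; the client holds an address on the
# guest segment; sample IPs below are constructed placeholders.
param(
    [string]$Gateway   = '192.0.2.1',      # constructed: firewall's inside IP on the guest DMZ
    [string]$KnownHost = '198.51.100.53',  # constructed: a DNS server known to answer ping
    [string]$TestName  = 'www.google.com'
)

function Test-Layer2 {
    # A dynamic ARP entry proves frames crossed the switch and came back.
    # Lit link LEDs do not ("all the lights on but no one home").
    # Pinging the gateway still triggers an ARP exchange even if it drops ICMP.
    param([string]$Ip)
    $null = ping -n 1 -w 1000 $Ip
    $hit = arp -a | Where-Object {
        $_ -match "^\s*$([regex]::Escape($Ip))\s+([0-9a-f]{2}-){5}[0-9a-f]{2}\s+dynamic"
    }
    return [bool]$hit
}

function Test-Layer3 {
    # Ping by IP address, so name resolution cannot skew the result.
    param([string]$Ip)
    return [bool](Test-Connection -ComputerName $Ip -Count 2 -Quiet)
}

function Test-NameResolution {
    param([string]$Name)
    try { $null = [System.Net.Dns]::GetHostAddresses($Name); return $true }
    catch { return $false }
}

if (-not (Test-Layer2 $Gateway)) {
    "No ARP entry for $Gateway - no layer 2 path. Check or power-cycle the switch first."
    return
}
"Layer 2 OK: MAC address for $Gateway learned."
if (-not (Test-Layer3 $KnownHost)) {
    "Layer 2 works but $KnownHost does not answer ping - routing/firewall issue, not DNS."
    return
}
"Layer 3 OK: $KnownHost answers ping."
if (-not (Test-NameResolution $TestName)) {
    "IP connectivity works but $TestName does not resolve - DNS issue."
    return
}
"Name resolution OK; pinging $TestName by name:"; ping -n 2 $TestName
```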
I am thinking about putting together an SSTP VPN server and wondered if there was anything special I needed in order to make it work? I am using an ISA firewall right now as my front-end firewall and was wondering if it was possible to terminate the SSTP VPN connections at the firewall?
Thanks! - Nick E.
SSTP (Secure Socket Tunneling Protocol) is supported by Windows Vista and above clients and Windows Server 2008 and above VPN servers. In order to make it work you should consider the following:
Your users will enjoy using SSTP, as it should work from just about anywhere. We have some great articles on getting SSTP to work on Windows Server 2008 at WindowsNetworking.com so you should take a look at those before starting.
Till next time! - Tom
Got a question for Dr. Tom? Send it to firstname.lastname@example.org.