WindowsNetworking.com Newsletter of April 2008

WindowsNetworking.com Monthly Newsletter of June 2009 Sponsored by: GFI

Welcome to the WindowsNetworking.com newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@windowsnetworking.com

GFI LANguard v9 - FREEWARE!

That's right, the new GFI LANguard is now available in FREEWARE version! Use GFI LANguard's enterprise level vulnerability scanning, patch management and network auditing features for free!

Download the FREEWARE version today!

1. DirectAccess, BranchCache and VPN Reconnect - Windows Networking Extravaganza

Windows 7 and Windows Server 2008 R2 have a lot of new features and capabilities that would excite the sensitive areas of any network administrator. But a lot of what is new is not related to networking. Group Policy, Windows Deployment, Backup, and clustering are just some examples. What is in it for us networking guys?

Quite a bit! It has been a long time since the networking guys had so much good stuff coming to them from the Windows client and server sides. Over the last few years we have had a bone thrown at us from time to time, such as Vista or Windows Server 2008. But these are nothing compared to the salvo of goodies we are seeing coming down the pike.

What is this good stuff I am talking about? Why nothing other than the Win7/Win2008R2 networking troika of:

  • DirectAccess
  • BranchCache
  • VPN Reconnect with IKEv2

DirectAccess

DirectAccess is a new VPN protocol that allows domain-joined machines to always be connected to the corpnet and the domain, no matter where the client computer is located. DirectAccess enables bidirectional communications, so network admins can also connect to these machines wherever they are located, so that they can be serviced, updated and checked for compliance on a regular basis, just like machines physically located behind the wall of the corpnet.

DirectAccess depends on IPv6, but is able to take advantage of IPv6 transition technologies so that you can get it up and running, even when working with an IPv4 Internet and IPv4 servers on the corpnet.

BranchCache

BranchCache is a new Wide Area File Services (WAFS) option that comes with the Windows 7 and Windows Server 2008 R2 operating systems. With BranchCache, you do not need to spend tens to hundreds of thousands of dollars on third-party WAFS solutions: just deploy Win7 clients and Win2008R2 servers and you get it right out of the box. BranchCache allows Win7 clients at the branch office to obtain content over a slow WAN link to the main office and cache that content locally at the branch office. The Win7 clients can cache the content themselves and make it available to other Win7 clients, or the clients can forward the content to a BranchCache server at the branch office, and clients can then obtain the cached content from that server.

Either way, access to content is significantly faster and compression ratios of over 2000:1 are seen when using BranchCache.

VPN Reconnect with IKEv2

VPN Reconnect is a new remote access VPN client/server technology that uses IKEv2 to establish a VPN connection to a Win2008R2 RRAS VPN server. This new VPN tech is designed to provide a smooth VPN experience for users who are likely to lose their VPN connections on a regular basis. Users on wireless mobile broadband connections (sometimes referred to as WWAN) will benefit the most from this. For example, suppose you use your WWAN connection on a train and that train goes through a lot of tunnels. When going through a tunnel, the WWAN link is disconnected.

When the train comes out of the tunnel, the WWAN link is reestablished. With previous versions of Windows, the VPN connection is not automatically reconnected when the link disappears. However, with VPN Reconnect and IKEv2, both the WWAN and the VPN connection are automatically reestablished. Nice!

There are a few other cool improvements in the network space in Win7 and Win2008R2, such as file sharing and offline files enhancements, URL-based QoS, and DNS security extensions. We will go over those features next month. Nevertheless, the big three are DirectAccess, BranchCache and VPN Reconnect with IKEv2. Look forward to articles on these subjects on the WindowsNetworking.com web site in the near future.

Thanks!
Tom
tshinder@windowsnetworking.com

Want to learn about network security from the experts? Want to get the inside information about Windows Network Security and the inner workings of the TMG firewall? Then join us at Black Hat Las Vegas for Microsoft Ninjitsu: Black Belt Edition, where Tim, Jim and I provide helpful and cogent insights into squeezing the highest level of security from your Microsoft infrastructure and let you in on the secret tweaks that we use to get an edge over the bad guys.

For ISA or TMG firewall, as well as other Forefront Consulting Services and Microsoft virtualization technology consulting in the USA, call me at 206-443-1117 or visit the Prowess Consulting web site.

Got a networking question that you can't find the answer to? Send a note to Dr. Tom at tshinder@windowsnetworking.com and he'll answer your question in next month's newsletter.

=======================
Quote of the Month - "Price is what you pay. Value is what you get." - Warren Buffett (1930 - ) 
======================

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best-selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They have logged literally thousands of flight hours with ISA 2006, and they share the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.



3. WindowsNetworking.com Articles of Interest

4. KB Article of the Month

How to change the computer certificate on a Windows Server 2008-based computer that is running the "Routing and Remote Access" service and SSTP

This article describes how to change the computer certificate on a Windows Server 2008-based computer that is running the "Routing and Remote Access" service and Secure Socket Tunneling Protocol (SSTP). The computer certificate is also known as a machine certificate.

Secure Socket Tunneling Protocol (SSTP) is a new virtual private network (VPN) tunneling protocol that is available in the "Routing and Remote Access Services" role in Windows Server 2008. The protocol is also available for use in Windows Vista Service Pack 1 (SP1).

SSTP uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and through Web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol.

The "Routing and Remote Access" service in Windows Server 2008 configures a computer certificate from the certificate store (also known as the machine store) in the HTTP.sys file to accept an HTTPS connection. This computer certificate is also sent to the client during the Secure Sockets Layer (SSL) negotiation phase.

If you, as an administrator, have already installed a computer certificate and configured the "Routing and Remote Access" service, you can change the computer certificate without reconfiguring the "Routing and Remote Access" service. This article discusses how to change the computer certificate.

Head on over to this page and get the details on handling this certificate.
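Before touching the certificate the KB article describes, it helps to see which machine certificate HTTP.sys is actually serving on TCP 443 and whether that certificate is usable. The following PowerShell is an added example (not from the KB article or the newsletter) to be run on the RRAS/SSTP server itself; it only reads the `netsh http show sslcert` output and the machine store.

```powershell
# Added example: inspect the HTTP.sys SSL binding that SSTP relies on.
# Assumes it runs on the Windows Server 2008 (or later) RRAS box with SSTP enabled.

$bindings = netsh http show sslcert 2>&1 | Out-String

# Each binding prints an "IP:port" line followed later by its "Certificate Hash" line
$pattern = 'IP:port\s*:\s*(\S+)[\s\S]*?Certificate Hash\s*:\s*([0-9A-Fa-f]+)'
$sslBindings443 = [regex]::Matches($bindings, $pattern) |
    Where-Object { $_.Groups[1].Value -match ':443$' }

if (-not $sslBindings443) {
    throw 'No HTTP.sys SSL binding on port 443 - RRAS has not configured an SSTP certificate'
}

foreach ($m in $sslBindings443) {
    $endpoint = $m.Groups[1].Value
    $thumb    = $m.Groups[2].Value.ToUpper()
    "Binding $endpoint uses certificate thumbprint $thumb"

    # The bound thumbprint must exist in the machine store (Cert:\LocalMachine\My)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { "  PROBLEM: thumbprint not found in the machine store"; continue }

    "  Subject : $($cert.Subject)"
    "  Expires : $($cert.NotAfter)"
    if (-not $cert.HasPrivateKey)        { "  PROBLEM: no private key - the TLS handshake will fail" }
    if ($cert.NotAfter -lt (Get-Date))   { "  PROBLEM: certificate has expired" }

    # SSTP clients expect the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1)
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) {
        $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') {
            "  PROBLEM: certificate lacks the Server Authentication EKU"
        }
    }
}
```

If the thumbprint reported here differs from the certificate you expect to be serving, the HTTP.sys binding is what the KB procedure has to update, not just the store.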

5. Windows Networking Tip of the Month

This is not a Windows tip, but it is a nice tip nonetheless because it is something that most people who are not working as full-time network admins would think about. A couple of weeks ago my wife was trying to connect a new computer to a guest DMZ segment I created so that visitors could bring their laptops to our office, plug in and access the Internet without us having to worry about them bringing malware into our production network.

This network has a switch that is plugged into the firewall. The WAP and a couple of network drops are also plugged into the switch. She first tried to join the network by connecting to the WAP. That did not seem to work, so she connected to one of the local drops. That did not work either.

She opened a command prompt on the client and tried to ping Google. That did not work. She then tried to ping the local interface on the firewall. That did not work either. She looked at the cable connecting to the switch and the port was lit, and checked the connection to the firewall and that port was lit too.

I finally got off the phone and took a look. Yep, the pings did not work. However, that might have been a name resolution issue. I pinged the IP address of a DNS server I know responds to pings and that did not work. I did not ping the firewall since, for security reasons, I do not allow pings to the firewall. I did an arp -g to find out if there is even layer 2 connectivity. Nope - no MAC addresses in my list.

So what was the problem? All the lights were on but no one was home! Then I remembered that the switch we are using is a Linksys. Ha! Linksys is a Cisco product and thus I figured it is probably buggy (I’m no Cisco fan) and it needed to be rebooted. BAM! That was it. I unplugged the power on the switch and then plugged it back in. Now the computers on the guest DMZ could connect to the network and the Internet again.


6. WindowsNetworking Links of the Month

7. Ask Dr. Tom

QUESTION:

I am thinking about putting together an SSTP VPN server and wondered if there was anything special I needed in order to make it work? I am using an ISA firewall right now as my front-end firewall and was wondering if it was possible to terminate the SSTP VPN connections at the firewall?

Thanks! - Nick E.

ANSWER:

Hey Nick!

SSTP (Secure Socket Tunneling Protocol) is supported by Windows Vista and above clients and Windows Server 2008 and above VPN servers. In order to make it work you should consider the following:

  • You will need to deploy a Web site certificate on the SSTP server
  • You will need to configure SSTP to use that certificate - Windows Server 2008 R2 makes configuring the certificate much easier
  • The CRL must be available to the clients. If you are using a private CA, then you should publish your CA
  • The clients need outbound access to TCP port 443
  • The clients can be behind either a NAT firewall or proxy (or directly connected to the Internet). However, if the clients are behind a Web proxy, they must not be forced to authenticate to the proxy

Your users will enjoy using SSTP, as it should work from just about anywhere. We have some great articles on getting SSTP to work on Windows Server 2008 at WindowsNetworking.com so you should take a look at those before starting.

Till next time! - Tom
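The requirements in Tom's answer can be verified from a client before users are pointed at the server. The following PowerShell is an added example (not part of the newsletter or of any Microsoft tool); `$SstpServer` is a placeholder name, and the script checks outbound TCP 443, completes a TLS handshake to retrieve the server certificate, and forces an online CRL check so that an unreachable private-CA CRL shows up here rather than as a failed SSTP dial-in.

```powershell
# Added example: client-side check of the SSTP prerequisites listed above.
param(
    [string]$SstpServer = 'sstp.example.com',   # placeholder, not a real server
    [int]$Port = 443
)

# 1. Outbound TCP 443 must be open from the client (through NAT or a non-authenticating proxy)
$tcp = New-Object System.Net.Sockets.TcpClient
try { $tcp.Connect($SstpServer, $Port) }
catch { throw "TCP $Port to $SstpServer is blocked: $($_.Exception.Message)" }

# 2. Complete the TLS handshake and retrieve the server's machine certificate.
#    The callback accepts any certificate here; validation is done explicitly below.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        { param($sender, $certificate, $chain, $errors) $true })
$ssl.AuthenticateAsClient($SstpServer)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
"Subject  : $($cert.Subject)"
"DNS name : $dnsName (client dials $SstpServer - these must match)"
"Expires  : $($cert.NotAfter)"

# 3. The chain must build AND the CRL must be downloadable from this client.
#    RevocationMode Online performs the same CRL fetch the SSTP client will do.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chainOk = $chain.Build($cert)
foreach ($s in $chain.ChainStatus) { "Chain status: $($s.Status) - $($s.StatusInformation)" }

# 4. Show where the CRL lives so a private CA's publication point can be checked directly
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) { "CRL distribution points:`n" + $cdp.Format($true) }
else      { "WARNING: certificate carries no CRL distribution point" }

if ($chainOk) { "SSTP prerequisite checks passed from this client" }
else          { "Chain build or CRL check failed - see status lines above" }
```

A RevocationStatusUnknown or OfflineRevocation status in the output is the symptom of the CRL not being published where Internet clients can reach it.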

Got a question for Dr. Tom? Send it to tshinder@windowsnetworking.com.
