Wednesday, June 24, 2009

WindowsNetworking.com - June 2009 Newsletter

-----------------------------------------
WindowsNetworking.com Monthly Newsletter of June 2009
Sponsored by: GFI
-----------------------------------------

Welcome to the WindowsNetworking.com newsletter by Thomas W Shinder
<http://www.windowsnetworking.com/Thomas_Shinder/> MD, MVP. Each month we will
bring you interesting and helpful information on the world of Windows
Networking. We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to:
tshinder@windowsnetworking.com


1. DirectAccess, BranchCache and VPN Reconnect - Windows Networking Extravaganza
---------------------------------------------------------

Windows 7 and Windows Server 2008 R2 have a lot of new features and capabilities that would excite the sensitive areas of any network administrator. But a lot of what is new is not related to networking. Group Policy, Windows Deployment, Backup, and clustering are just some examples. What is in it for us networking guys?

Quite a bit! It has been a long time since the networking guys had so much good stuff coming to them from the Windows client and server sides. Over the last few years we have had a bone thrown at us from time to time, such as Vista or Windows Server 2008. But these are nothing compared to the salvo of goodies we are seeing coming down the pike.

What is this good stuff I am talking about? Why nothing other than the Win7/Win2008R2 networking troika of:

* DirectAccess
* BranchCache
* VPN Reconnect with IKEv2

*DirectAccess*

DirectAccess is a new remote access technology (it uses IPsec tunnels over IPv6 rather than a traditional dial-up style VPN connection) that allows domain-joined machines to always be connected to the corpnet and the domain, no matter where the client computer is located. The machine brings the tunnel up before the user even logs on, and the connection is bidirectional, so network admins can also connect to these machines, no matter where they are located, so that they can be serviced, updated and checked for compliance on a regular basis, just like machines physically located behind the wall of the corpnet.

DirectAccess depends on IPv6, but is able to take advantage of IPv6 transition technologies (6to4, Teredo and IP-HTTPS on the client side, ISATAP on the corpnet side) so that you can get it up and running, even when working with an IPv4 Internet. Reaching IPv4-only servers on the corpnet needs a NAT64/DNS64 gateway in front of them, such as the one in Forefront UAG; Windows Server 2008 R2 on its own expects the intranet resources to speak IPv6.

BranchCache is a new Wide Area File Services (WAFS) option that comes with the Windows 7 and Windows Server 2008 R2 operating systems. With BranchCache, you do not need to spend tens to hundreds of thousands of dollars on 3rd party WAFS solutions - just deploy Win7 clients and Win2008R2 servers and you get it right out of the box. BranchCache allows Win7 clients at the branch office to obtain content (SMB file shares and HTTP/HTTPS content served from Win2008R2 servers) over a slow WAN link to the main office and cache that content locally at the branch office. In distributed cache mode the Win7 clients cache the content themselves and make it available to other Win7 clients on the branch subnet; in hosted cache mode the clients hand the content to a BranchCache server in the branch office and other clients then obtain the cached content from that server.

Either way, access to content is significantly faster. Note that this is not compression: on a cache hit only the small content identifiers (hashes) cross the WAN, which is why WAN traffic reductions of over 2000:1 are reported for repeated requests. Those hashes come from the content server over the original authenticated channel, and every cached block is checked against them, so a peer in the branch cannot substitute modified content. What BranchCache does not change is access control: a client only gets a cached copy of content the server has already authorized it to read.
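The two client modes just described, as an added example (this script is not from the newsletter or from Microsoft): it puts a Windows 7 client into the requested mode and reads the mode back from netsh, so a deployment script can stop if the service did not land where it was told to. It assumes an elevated prompt, the Windows 7 / Windows Server 2008 R2 `netsh branchcache` syntax, a placeholder hosted cache server name, and that the "Service Mode" text it matches is what your build prints (the status parser is a heuristic over netsh's "Name = Value" lines).

```powershell
# Added example: not from the newsletter or from Microsoft. Puts a Windows 7 client into one of
# the two BranchCache client modes and reads the mode back from netsh.
# Assumptions: elevated prompt; Windows 7 / Windows Server 2008 R2 netsh branchcache syntax;
# $HostedCacheServer is a placeholder name; the "Service Mode" text matched below is a
# heuristic over netsh's "Name = Value" status lines and may need adjusting for your build.
param(
    [ValidateSet('Distributed', 'HostedClient')]
    [string]$Mode = 'Distributed',
    [string]$HostedCacheServer = 'bc-cache01.branch.example.com'
)

function Set-BranchCacheClientMode {
    param([string]$Mode, [string]$Server)
    switch ($Mode) {
        # Distributed: peers on the branch subnet find each other with WS-Discovery (UDP 3702)
        # and serve blocks to each other over HTTP (TCP 80). Only use it on a LAN you trust to
        # hold the cache; the content itself is still validated against server-supplied hashes.
        'Distributed'  { netsh branchcache set service mode=DISTRIBUTED | Out-Null }
        # Hosted: clients hand content to one Win2008R2 hosted cache server in the branch
        # and fetch it back from there, so nothing is served peer-to-peer.
        'HostedClient' { netsh branchcache set service mode=HOSTEDCLIENT location=$Server | Out-Null }
    }
}

function Get-BranchCacheStatus {
    # Flattens "netsh branchcache show status all" into a hashtable of its Name = Value lines
    $status = @{}
    foreach ($line in (netsh branchcache show status all)) {
        if ($line -match '^\s*([^=]+?)\s*=\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
    }
    return $status
}

function Confirm-BranchCacheMode {
    param([string]$Mode)
    # Expected fragments of the mode string netsh prints (assumed; adjust if your build differs)
    $expected = @{ Distributed = 'Distributed'; HostedClient = 'Hosted Cache Client' }[$Mode]
    $status  = Get-BranchCacheStatus
    $modeKey = $status.Keys | Where-Object { $_ -match 'Service Mode' } | Select-Object -First 1
    if (-not $modeKey) { return $false }
    return ($status[$modeKey] -match $expected)
}

Set-BranchCacheClientMode -Mode $Mode -Server $HostedCacheServer
if (Confirm-BranchCacheMode -Mode $Mode) {
    Write-Host "BranchCache client is in $Mode mode."
} else {
    Write-Error "BranchCache did not report $Mode mode; check 'netsh branchcache show status all'."
}
```

Setting the mode is the easy half; the server side still has to publish hashes for the share (the BranchCache for network files role service and the share's BranchCache setting), or clients will simply keep fetching everything across the WAN.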

VPN Reconnect is a new remote access VPN client/server technology that uses IKEv2 (with the IKEv2 mobility extension, MOBIKE) to establish an IPsec VPN connection to a Win2008R2 RRAS VPN server. This new VPN tech is designed to provide a smooth VPN experience for users who are likely to lose their VPN connections on a regular basis. Users who use wireless mobile broadband connections (sometimes referred to as WWAN) will benefit the most from this. For example, suppose you use your WWAN connection on a train and that train goes through a lot of tunnels. When going through the tunnel, the WWAN link is disconnected.

When the train comes out of the tunnel, the WWAN link is reestablished. With previous versions of Windows (PPTP, L2TP/IPsec or SSTP), the VPN connection is torn down when the link disappears and the user has to dial it again. With VPN Reconnect and IKEv2, the client keeps the IKEv2 security association alive across the outage (up to the configured network outage time, 30 minutes by default) and resumes the tunnel automatically once the WWAN link is back, even if the client came back with a different IP address. Nice!

There are a few other cool improvements in the network space in Win7 and Win2008R2, such as file sharing and offline files enhancements, URL-based QoS, and DNS security extensions. We will go over those features next month. Nevertheless, the big three are DirectAccess, BranchCache and VPN Reconnect with IKEv2. Look forward to articles on these subjects on the Windowsnetworking.com Web site in the near future.

Thanks and see you next month!
Tom
tshinder@windowsnetworking.com

Want to learn about network security from the experts? Want to get the inside information about Windows Network Security and the inner workings of the TMG firewall? Then join us at Black Hat Las Vegas for Microsoft Ninjitsu: Black Belt Edition <http://www.blackhat.com/html/bh-usa-09/train-bh-usa-09-tm-ms-bbe.html>. Tim, Jim and I provide helpful and cogent insights into squeezing the highest level of security from your Microsoft infrastructure and let you in on the secret tweaks that we use to get an edge over the bad guys.

For ISA or TMG firewall, as well as other Forefront Consulting Services in the USA, call me at 206-443-1117. Oh yes - we also do Microsoft virtualization technology consulting.
Or visit our Web site - Prowess Consulting (<http://www.prowessconsulting.com>)

Got a networking question that you can't find the answer to? Send a note to Dr. Tom at tshinder@windowsnetworking.com and he'll answer your question in next month's newsletter.

=======================
Quote of the Month - "Price is what you pay. Value is what you get." - Warren Buffett (1930 - )
=======================


2. ISA Server 2006 Migration Guide - Order Today!
---------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally thousands of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.

3. WindowsNetworking.com Articles of Interest
---------------------------------------------------------

* Group Policy Preferences: Get Them Running Today!
<http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Preferences-Get-Them-Running-Today.html>

* 10 Ways to Troubleshoot DNS Resolution Issues
<http://www.windowsnetworking.com/articles_tutorials/10-Ways-Troubleshoot-DNS-Resolution-Issues.html>

* Working with Read Only Domain Controllers (Part 1)
<http://www.windowsnetworking.com/articles_tutorials/Working-Read-Only-Domain-Controllers-Part1.html>

* Certification Review: Microsoft Network Infrastructure MCTS / MCITP Certification
<http://www.windowsnetworking.com/articles_tutorials/Certification-Review-Microsoft-Network-Infrastructure-MCTS-MCITP-Certification.html>

* A First Look at Windows 7 Backup (Part 2)
<http://www.windowsnetworking.com/articles_tutorials/First-Look-Windows-7-Backup-Part2.html>

* A First Look at Windows 7 Backup (Part 1)
<http://www.windowsnetworking.com/articles_tutorials/First-Look-Windows-7-Backup-Part1.html>

* Deploying Windows 7 - Part 2: Using DISM
<http://www.windowsnetworking.com/articles_tutorials/Deploying-Windows-7-Part2.html>


4. KB Article of the Month
---------------------------------------------------------

How to change the computer certificate on a Windows Server 2008-based computer that is running the "Routing and Remote Access" service and SSTP

This article describes how to change the computer certificate on a Windows Server 2008-based computer that is running the "Routing and Remote Access" service and Secure Socket Tunneling Protocol (SSTP). The computer certificate is also known as a machine certificate.

Secure Socket Tunneling Protocol (SSTP) is a new virtual private network (VPN) tunneling protocol that is available in the "Routing and Remote Access Services" role in Windows Server 2008. The protocol is also available for use in Windows Vista Service Pack 1 (SP1).

SSTP uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and through Web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol.

The "Routing and Remote Access" service in Windows Server 2008 takes a computer certificate from the local machine certificate store (also known as the machine store) and registers it with HTTP.sys as the SSL binding for TCP port 443, which is how HTTP.sys is able to accept the HTTPS connection. This computer certificate is also sent to the client during the Secure Sockets Layer (SSL) negotiation phase, and the client validates it the way a browser would: the name must match the name the client dials, and the chain and revocation status must check out.

If you, as an administrator, have already installed a computer certificate and configured the "Routing and Remote Access" service, you can change the computer certificate without reconfiguring the "Routing and Remote Access" service. This article discusses how to change the computer certificate.

Head on over to http://support.microsoft.com/kb/947027 and get the details on handling this certificate.
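Before and after swapping the certificate, it is worth confirming that the three places which must agree actually do: the HTTP.sys SSL binding on port 443, the hash RRAS recorded for the SSTP service, and the certificate itself in the machine store. The script below is an added example, not part of KB 947027 or of RRAS. It assumes it is run elevated on the RRAS server, that the `SHA1CertificateHash` value under `HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters` is where Windows Server 2008 keeps the SSTP certificate hash, and that `vpn.example.com` stands in for the name your clients dial.

```powershell
# Added example; not part of KB 947027 or the RRAS product. Audits which certificate the
# SSTP listener is really using by comparing three places that must agree:
#   1. the HTTP.sys SSL binding on port 443 (netsh http show sslcert),
#   2. the hash RRAS recorded under SstpSvc\Parameters (value name assumed: SHA1CertificateHash),
#   3. the certificate in the machine store: name, validity, private key, Server Authentication EKU.
# Run elevated on the RRAS server. $ExpectedDnsName is a placeholder for the name clients dial.
param([string]$ExpectedDnsName = 'vpn.example.com')

$SstpParams    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'

function Get-HttpSysSslBindings {
    # Parses netsh text output; each binding block has an "IP:port" and a "Certificate Hash" line
    $bindings = @(); $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            $current = New-Object PSObject -Property @{ Endpoint = $matches[1]; Thumbprint = $null }
            $bindings += $current
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.Thumbprint = $matches[1].ToUpper()
        }
    }
    return $bindings
}

function Get-SstpRegistryHash {
    # RRAS stores the SHA-1 hash as REG_BINARY; convert it to the hex form the cert store uses
    $p = Get-ItemProperty -Path $SstpParams -ErrorAction SilentlyContinue
    if ($p -and $p.SHA1CertificateHash) {
        return (($p.SHA1CertificateHash | ForEach-Object { $_.ToString('X2') }) -join '')
    }
    return $null
}

function Test-SstpCertificate {
    param([string]$Thumbprint, [string]$DnsName)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return New-Object PSObject -Property @{ Thumbprint = $Thumbprint; InStore = $false } }

    # Server Authentication EKU is what the SSTP client expects to see
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $false
    if ($eku) { $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthEku }) }

    # Collect CN plus any DNS entries in the Subject Alternative Name extension
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value } }

    New-Object PSObject -Property @{
        Thumbprint    = $Thumbprint
        InStore       = $true
        Subject       = $cert.Subject
        NameMatches   = [bool]($names | Where-Object { $_ -eq $DnsName })
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = $hasServerAuth
        Expired       = ($cert.NotAfter -lt (Get-Date))
        NotAfter      = $cert.NotAfter
    }
}

function Get-SstpCertificateReport {
    param([string]$DnsName)
    $regHash = Get-SstpRegistryHash
    foreach ($b in (Get-HttpSysSslBindings | Where-Object { $_.Endpoint -match ':443$' })) {
        $check = Test-SstpCertificate -Thumbprint $b.Thumbprint -DnsName $DnsName
        $check | Add-Member NoteProperty Endpoint $b.Endpoint
        $check | Add-Member NoteProperty MatchesSstpRegistry ($regHash -eq $b.Thumbprint)
        $check
    }
}

Get-SstpCertificateReport -DnsName $ExpectedDnsName | Format-List
```

You want one line for 0.0.0.0:443 and one for [::]:443, both with `MatchesSstpRegistry`, `NameMatches`, `HasPrivateKey` and `ServerAuthEku` true and `Expired` false. If the binding still shows the old thumbprint after you installed the new certificate, that is exactly the situation the KB article walks you through.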


5. Windows Networking Tip of the Month
---------------------------------------------------------

This is not a Windows tip, but it is a nice tip nonetheless because it is something that most people who are not working as full time network admins would not think about. A couple of weeks ago my wife was trying to connect a new computer to a guest DMZ segment I created so that visitors could bring their laptops to our office and plug in and access the Internet without us having to worry about them bringing malware into our production network.

This network has a switch that is plugged into the firewall. The WAP and a couple of network drops are also plugged into the switch. She first tried to join the network by connecting to the WAP. That did not seem to work, so she connected to one of the local drops. That did not work either.

She opened a command prompt on the client and tried to ping Google. That did not work. She then tried to ping the local interface on the firewall. That did not work either. She looked at the cable connecting to the switch and the port was lit, and checked the connection to the firewall and that port was lit too.

I finally got off the phone and took a look. Yep, the pings did not work. However, that might have been a name resolution issue. I pinged the IP address of a DNS server I know responds to pings and that did not work. I did not ping the firewall since, for security reasons, I do not allow pings to the firewall. I did an arp -g to find out if there is even layer 2 connectivity. Nope - no MAC addresses in my list.

So what was the problem? All the lights were on but no one was home! Then I remembered that the switch we are using is a Linksys. Ha! Linksys is a Cisco product and thus I figured it is probably buggy (I'm no Cisco fan) and it needed to be rebooted. BAM! That was it. I unplugged the power on the switch and then plugged it back in. Now the computers on the guest DMZ could connect to the network and the Internet again.


6. WindowsNetworking Links of the Month
---------------------------------------------------------

* mRemote
<http://www.mremote.org/wiki/Default.aspx?Page=Overview&AspxAutoDetectCookieSupport=1>

* Changing Screen Resolution in Windows 7
<http://www.elmajdal.net/Win7/Changing_Screen_Resolution_in_Windows_7.aspx>

* How to Perform an In Place Upgrade from Windows 7 Beta to Windows 7 Release Candidate
<http://www.elmajdal.net/Win7/In-Place_Upgrade_From_Windows_7_Beta_To_Windows_7_RC.aspx>

* Download Windows Server 2008 SP2
<http://www.microsoft.com/windowsserver2008/en/us/sp2.aspx>

* Download Release Candidate of Windows Server 2008 R2
<http://www.microsoft.com/windowsserver2008/en/us/R2-Download.aspx>

* DirectAccess Early Adopters Guide
<http://www.microsoft.com/downloads/details.aspx?FamilyID=2fdc531d-9138-454f-a820-78211755b52a&displaylang=en>


7. Ask Dr. Tom
---------------------------------------------------------

* QUESTION:

I am thinking about putting together an SSTP VPN server and wondered if there was anything special I needed in order to make it work? I am using an ISA firewall right now as my front-end firewall and was wondering if it was possible to terminate the SSTP VPN connections at the firewall?
Thanks! - Nick E.

* ANSWER:

Hey Nick!

SSTP (Secure Socket Tunneling Protocol) is supported by Windows Vista SP1 and later clients and Windows Server 2008 and later VPN servers. In order to make it work you should consider the following:

* You will need to deploy a Web site (server authentication) certificate on the SSTP server, and its subject name or subject alternative name must match the name the clients dial
* You will need to configure SSTP to use that certificate - Windows Server 2008 R2 makes configuring the certificate much easier
* The CRL must be available to the clients before the tunnel exists, so the certificate's CRL distribution point has to be an HTTP URL reachable from the Internet. If you are using a private CA, then you must publish that CA's CRL to such a location (and get the CA certificate onto the clients); by default the SSTP client fails the connection if it cannot check revocation
* The clients need outbound access to TCP port 443
* The clients can be behind either a NAT firewall or proxy (or directly connected to the Internet). However, if the clients are behind a Web proxy, they must not be forced to authenticate to the proxy

As for your ISA firewall: ISA Server 2006 cannot terminate SSTP itself, so the tunnel has to end on a Windows Server 2008 RRAS server behind it. Publish that server with a server publishing rule for TCP 443 rather than a Web publishing rule, because a Web publishing rule would terminate the SSL session on the firewall and the SSTP handshake would never reach RRAS.

Your users will enjoy using SSTP, as it should work from just about anywhere. We have some great articles on getting SSTP to work on Windows Server 2008 at <http://www.windowsnetworking.com> so you should take a look at those before starting.

Till next time! - Tom
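The client-side requirements in the answer above can be checked from a client's position before anyone tries to dial. The following is an added example, not from the newsletter or from Microsoft: it opens TCP 443 to the server, completes a TLS handshake, checks that the certificate carries the name being dialled, builds the chain with an online revocation check (which is the CRL reachability test), and reports whether the configured Web proxy demands authentication when the CRL is fetched through it. It assumes PowerShell 3 or later and uses `vpn.example.com` as a placeholder server name.

```powershell
# Added example, not from the newsletter or from Microsoft. Client-side preflight for SSTP:
# TCP 443 reachable, TLS handshake ok, certificate name matches, chain builds with an online
# revocation check, and whether the Web proxy demands authentication for the CRL download.
# Assumptions: PowerShell 3+; $Server is a placeholder for the name clients dial.
param([string]$Server = 'vpn.example.com')

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value } }
    return $names
}

function Test-NameMatch {
    param([string[]]$Names, [string]$Target)
    foreach ($n in $Names) {
        if ($n -eq $Target) { return $true }
        # single-label wildcard (*.example.com matches vpn.example.com, not a.b.example.com)
        if ($n.StartsWith('*.') -and $Target -like ('*' + $n.Substring(1)) -and
            ($Target.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

function Get-CrlUrls {
    param($Cert)
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { return @() }
    return @([regex]::Matches($cdp.Format($true), 'https?://[^\s\)\]]+') | ForEach-Object { $_.Value })
}

function Test-SstpPreflight {
    param([string]$Server, [int]$Port = 443)
    $r = @{ Server = $Server; TcpReachable = $false; TlsOk = $false; NameMatches = $false; ChainOk = $false
            ChainStatus = @(); CrlUrls = @(); CrlReachable = @{}; ProxyInUse = $false; ProxyRequiresAuth = $false }

    # .NET reads the WinINET proxy settings; report it, but still attempt the direct TCP test
    $proxy = [System.Net.WebRequest]::DefaultWebProxy
    $r.ProxyInUse = -not $proxy.IsBypassed([Uri]"https://$Server/")

    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($Server, $Port); $r.TcpReachable = $true } catch { return New-Object PSObject -Property $r }

    # Accept any certificate in the callback; the chain is evaluated explicitly below so the result is reportable
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try { $ssl.AuthenticateAsClient($Server); $r.TlsOk = $true } catch { $tcp.Close(); return New-Object PSObject -Property $r }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Close()

    $r.NameMatches = Test-NameMatch -Names (Get-CertDnsNames $cert) -Target $Server

    # Online revocation mode forces the CRL fetch the SSTP client will also perform
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $r.ChainOk     = $chain.Build($cert)
    $r.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # Fetch each CRL distribution point through the proxy to see whether it answers 407
    $r.CrlUrls = Get-CrlUrls $cert
    foreach ($url in $r.CrlUrls) {
        $wc = New-Object System.Net.WebClient; $wc.Proxy = $proxy
        try { [void]$wc.DownloadData($url); $r.CrlReachable[$url] = $true }
        catch {
            $ex = $_.Exception; if ($ex.InnerException) { $ex = $ex.InnerException }
            $r.CrlReachable[$url] = $false
            if ($ex.Response -and $ex.Response.StatusCode -eq [System.Net.HttpStatusCode]::ProxyAuthenticationRequired) {
                $r.ProxyRequiresAuth = $true
            }
        }
    }
    return New-Object PSObject -Property $r
}

Test-SstpPreflight -Server $Server | Format-List
```

If `ChainOk` is false and `ChainStatus` contains RevocationStatusUnknown or OfflineRevocation, the CRL distribution point is not reachable from where the client sits, which is the most common reason an otherwise correct SSTP setup refuses to connect. A `ProxyRequiresAuth` of true is the forced-proxy-authentication case from the list above.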

Got a question for Dr. Tom? Send it to tshinder@windowsnetworking.com


TechGenix Sites
---------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
ISAserver.org <http://www.isaserver.org/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
WindowsNetworking.com is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@windowsnetworking.com
Copyright c WindowsNetworking.com 2009. All rights reserved.
