WindowsNetworking.com Monthly Newsletter of July 2010
Sponsored by: Softinventive Lab <http://www.softinventive.com/products/total-network-inventory/>
-----------------------------------------
Welcome to the WindowsNetworking.com newsletter by Debra Littlejohn Shinder <http://www.windowsnetworking.com/Deb_Shinder/>, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: dshinder@windowsnetworking.com
1. The Invasion of the Bandwidth Hogs
---------------------------------------------------------
I just completed an article about the consumerization of IT and its security implications for our sister website, WindowSecurity.com. Look for it to be published soon. In the meantime, security isn't the only problem that the consumerization trend has created for network administrators. I've read that during the recent World Cup, the "March Madness" NCAA basketball tournament and other popular sports events, employees watching web video of those games in the workplace brought some networks to their knees.
Workers' expectations that they will be allowed to use company computers – or their own devices, plugged into or wirelessly connected to the company network – for a certain amount of personal use have gradually crept into the corporate culture. The employee sees it from the perspective of "I'm not behind on my work and I'm on my fifteen-minute break or my lunch hour, so what's the difference between me watching the game (or the YouTube videos of my grandkids) and the employee who spends his/her down time standing around the water cooler, gossiping about the boss, or in the lounge, watching the news on TV?"
In a nutshell, the difference (along with security) is bandwidth. Employees A, B and C might be on break, but if they spend that break streaming high-bandwidth videos, how does that impact employees D, E and F who are trying to get real work done and whose connections are slowed by the congestion? This might not be a problem when we're talking about three employees, but multiply that by several hundred or several thousand who are taking their lunch breaks at the same time and those who lunch early or late might find themselves sitting and waiting when they're trying to get a rush project done.
Many employees who wouldn't use the company's computers to do their personal business think nothing of using its network. They bring in their smart phones, laptops or iPads and then connect them via wi-fi to the company network. It's a lot cheaper than buying a high-priced data plan from a cellular provider or, if you do have such a plan, using up some of your precious data allocation now that some carriers are eliminating their unlimited plans. Some of them may not have fast Internet connections at home, so they bring their laptops to the office to connect and download those big files or watch online video that doesn't work well over their slower connections. They figure they're using their own devices and "only" using the company network to get to the Internet, so no harm is done.
Streaming media is a bandwidth hog that some companies didn't take into consideration when they formulated their employee-friendly usage policies. After all, it all started with employees wanting to be able to check their personal email when on break, something that (unless large attachments were involved) didn't use much bandwidth. If your corporate network has bandwidth to spare, no problem – but some small and medium size businesses are already straining the limits. If you pay for Internet usage on a metered basis, the bandwidth hogs cost you money.
Other consumer-oriented applications, such as peer-to-peer (P2P) file sharing and multi-player online games, are also big bandwidth users. It's not just consumer apps and devices that consume excessive amounts of bandwidth, though. Some legitimate business applications are being misused or overused, resulting in strains on the company bandwidth. For example, sometimes when a company implements a new technology such as video conferencing, they go overboard with it and start using it when it's not necessary or even desirable, just out of fascination with the "new toy". Firing up a video conference for every communication that could be just as efficiently handled by a phone call is a waste of bandwidth.
You can, of course, filter particular web sites or block certain protocols on the corporate network. You can use an edge device, in which case you should have one that can identify and report users for all protocols by requiring authentication at the gateway, such as Microsoft TMG and some (but not all) other edge firewalls. You can also block apps/protocols on each computer. You can either block protocols or applications completely, or you can use bandwidth shaping (a.k.a. traffic shaping or packet shaping) to allocate bandwidth by giving priority to protocols that are more mission critical. Windows 7/Vista and Windows Server 2008/R2 include support for bandwidth shaping via policy-based Quality of Service (QoS). There are also numerous third party solutions for traffic management.
Windows QoS is built into Group Policy, and with it you can control network usage based on applications, users and computers. You can set policies to prioritize traffic according to values within the Type of Service field in IPv4 packet headers and the Traffic Class field in IPv6. You can configure a user-based policy on the domain controller and propagate it to the user's computer, no matter where or how the user logs onto the network. To find out more about policy-based QoS, follow this link <http://technet.microsoft.com/en-us/library/dd919203(WS.10).aspx>.
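The Type of Service and Traffic Class fields that policy-based QoS marks are easy to inspect by hand, which is how you check on a capture that a policy is actually marking (or failing to mark) the traffic you meant to prioritize or deprioritize. The Python below is an added example, not code from the newsletter or from Microsoft's QoS tooling: it pulls the DSCP value out of constructed IPv4 and IPv6 headers and totals bytes per shaping class. The DSCP-to-queue mapping in traffic_class() is an assumption for illustration, not something the page specifies.

```python
import socket
import struct

def dscp_and_ecn(packet):
    """Return (DSCP, ECN) from the IPv4 ToS byte or the IPv6 Traffic Class."""
    version = packet[0] >> 4
    if version == 4:
        tos = packet[1]                          # ToS byte: 6 bits DSCP + 2 bits ECN
    elif version == 6:
        first_word = struct.unpack("!I", packet[:4])[0]
        tos = (first_word >> 20) & 0xFF          # Traffic Class: bits 4..11 of word 0
    else:
        raise ValueError("not an IPv4/IPv6 packet (version %d)" % version)
    return tos >> 2, tos & 0x3

def packet_length(packet):
    """Layer-3 bytes on the wire, so per-class totals reflect real bandwidth."""
    if packet[0] >> 4 == 4:
        return struct.unpack("!H", packet[2:4])[0]        # IPv4 Total Length
    return 40 + struct.unpack("!H", packet[4:6])[0]       # IPv6 header + Payload Length

def traffic_class(dscp):
    """Map DSCP (RFC 2474/2597/3246 code points) to a shaping queue; mapping is assumed."""
    if dscp == 46:
        return "voice"          # EF: real-time, strict priority
    if dscp in (34, 36, 38):
        return "video"          # AF41..AF43: conferencing, interactive video
    if dscp == 8:
        return "scavenger"      # CS1: background bulk, first to be squeezed
    return "best-effort"        # unmarked, e.g. web streaming from a browser

def summarize(packets):
    """Bytes per traffic class across a list of raw IP packets."""
    totals = {}
    for pkt in packets:
        cls = traffic_class(dscp_and_ecn(pkt)[0])
        totals[cls] = totals.get(cls, 0) + packet_length(pkt)
    return totals

# Constructed sample headers (not a real capture): EF IPv4 UDP, AF41 IPv6 TCP, unmarked IPv4 TCP.
V4_VOICE = struct.pack("!BBHHHBBH4s4s", 0x45, 0xB8, 84, 0x1C46, 0x4000, 64, 17, 0,
                       socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.9"))
V6_VIDEO = struct.pack("!IHBB16s16s", 0x68800000, 1400, 6, 64,
                       socket.inet_pton(socket.AF_INET6, "2001:db8::5"),
                       socket.inet_pton(socket.AF_INET6, "2001:db8::9"))
V4_BULK = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 1500, 0x1C47, 0x4000, 64, 6, 0,
                      socket.inet_aton("10.0.0.5"), socket.inet_aton("203.0.113.7"))

if __name__ == "__main__":
    print(summarize([V4_VOICE, V6_VIDEO, V4_BULK]))   # {'voice': 84, 'video': 1440, 'best-effort': 1500}
```

Feed it the IP headers from a real capture of a lunch-hour window and the best-effort bucket shows you how much of the link the unmarked streaming traffic is taking relative to the classes your QoS policy protects.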
An edge device is most effective if you want to block everyone on the network from using the specified Internet protocols or applications. In some cases, however, there will be some legitimate business use (even for YouTube). Then you'll need to either block by user or use the traffic shaping method to prioritize bandwidth use.
Of course, the technological solutions are only part of the solution. You need an acceptable use policy that addresses the excessive bandwidth consumption problem, as well. Heavy-handed policies that attempt to completely ban all personal use often backfire; the key is to set reasonable rules and to educate employees as to the rationale behind the restrictions. People are much more willing to accept and support rules that they understand.
By Debra Littlejohn Shinder, MVP
See you next month – Deb.
dshinder@windowsnetworking.com
=======================
Quote of the Month - "1f u c4n r34d 7h15, u r34||y n33d 70 637 4 |1f3." – 4n0nym0u5
=======================
2. ISA Server 2006 Migration Guide - Order Today!
---------------------------------------------------------
Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you, ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally 1000's of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no holds barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall.
Order your copy of ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be glad you did.
3. WindowsNetworking.com Articles of Interest
---------------------------------------------------------
* Acronis True Image Enterprise Server - Voted WindowsNetworking.com Readers' Choice Award Winner - Data Recovery Software
<http://www.windowsnetworking.com/news/WindowsNetworking-Readers-Choice-Award-Data-Recovery-Software-Acronis-True-Image-Enterprise-Server-May10.html>
* Using Group Policy: Policy or Preference?
<http://www.windowsnetworking.com/articles_tutorials/Using-Grouep-Policy-or-Preference.html>
* Troubleshooting Windows 7 Wireless Networking Problems (Part 2)
<http://www.windowsnetworking.com/articles_tutorials/Troubleshooting-Windows-7-Wireless-Networking-Problems-Part2.html>
* Why is FusionIO so awesome?
<http://www.windowsnetworking.com/articles_tutorials/Why-FusionIO-awesome.html>
* AuthIP – Enhancing IPsec Capabilities and Functionality
<http://www.windowsnetworking.com/articles_tutorials/AuthIP-Enhancing-IPsec-Capabilities-Functionality.html>
* Deploying Windows 7 - Part 28: Managing Software Updates
<http://www.windowsnetworking.com/articles_tutorials/Deploying-Windows-7-Part28.html>
* Windows 7 Compatibility Testing (Part 6)
<http://www.windowsnetworking.com/articles_tutorials/Windows-7-Compatibility-Testing-Part6.html>
4. Administrator KB Tip of the Month
---------------------------------------------------------
How to hide the Public shortcuts on the folder and favorites list
If you don't use the Public folders provided by Windows, you may want to remove the shortcuts. Most open/save file dialogs and Windows Explorer have a Favorite Links section that includes a shortcut to the Public folders. Plus it's listed on the main folder list, along with shortcuts to the user's folder and to the drives.
Removing the shortcut from the Favorite Links is easy. Just open your Links folder: C:\Users\username\Links. Then delete the Public.lnk.
Taking the shortcut off of the Folders List, however, requires a registry change. You need to delete the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace\{4336a54d-038b-4685-ab02-99bb52d3fb8b}
For more administrator tips, go to WindowsNetworking.com/WindowsTips
<http://www.windowsnetworking.com/kbase/WindowsTips/>
5. Windows Networking Tip of the Month
---------------------------------------------------------
Something I've learned from talking to a number of people who have rolled out DirectAccess in their organizations is that some of the wireless carriers are not allowing IP Protocol 41 over their networks. I have no idea why they aren't allowing this, but it's causing a problem for wireless DirectAccess clients that need to use 6to4 when they are assigned a public address while connected to the Internet. What's the solution? Well, the fact is that while 6to4 is the default used when connecting over the Internet, that doesn't mean you have to use 6to4. Instead, you can use Teredo or even IP-HTTPS. This month's tip is to disable the 6to4 IPv6 transition technology throughout your network. You can do this via Group Policy. This also solves the problem with 6to4 when you use public IP addresses on your intranet, something you see sometimes in large corporate networks and in academic networks. It's safe to disable 6to4, and doing so will save you a ton of trouble.
6. WindowsNetworking Links of the Month
---------------------------------------------------------
* Tips for NSLOOKUP
<http://blogs.technet.com/b/wsnetdoc/archive/2009/05/18/tips-for-nslookup.aspx>
* IT Pro at Home: Tips and Tricks
<http://technet.microsoft.com/en-us/windows/dd799317.aspx?ITPID=tnflash>
* Hyper-V Best Practices
<http://blogs.technet.com/b/vikasma/archive/2008/06/26/hyper-v-best-practices-quick-tips-1.aspx>
* Troubleshooting MS Network Client 3.0 and DHCP
<http://support.microsoft.com/kb/130875>
* Support for IPv6 in Windows Server 2008 R2 and Windows 7
<http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx>
* Troubleshooting NAP Enforcement
<http://technet.microsoft.com/en-us/magazine/2008.04.cableguy.aspx>
7. Ask Sgt. Deb
---------------------------------------------------------
* QUESTION:
Hey Deb,
I know that you get a lot of DirectAccess questions and I will understand if you do not want to answer this one in the newsletter. But I went to TechEd in New Orleans this year and saw a lot of the talks on DirectAccess, including two of them that your husband did. DirectAccess really looks like the answer to a lot of problems we have had in our company regarding VPN and user productivity when they're out of the office. My boss thinks it's a great idea and his boss has a friend who is already using it and he thought it was fantastic! So now it's my job to figure out what I need. Right now my network is using Windows Server 2003 domain controllers and we have a mix of Windows 2000, Windows 2003 and Windows Server 2008 servers. We do not have any Windows Server 2008 R2 servers and we do not use IPv6 on our network. Our client machines are mostly Windows XP, but we're planning on moving to Windows 7 by the end of the year. Do you think that DirectAccess will work for us?
Thanks! – Donny K.
* ANSWER:
Hi Donny!
Great question. Any chance you saw me at TechEd? I was at the Remote Desktop Server booth and I got to meet a lot of great people there. If not, I hope to be at TechEd in Atlanta next year so maybe we'll cross paths there.
Regarding your DirectAccess questions, your network is a mix of IPv6 capable (the Windows Server 2008 servers) and IPv4 only servers. That means that you won't be able to use the Windows DirectAccess solution because you need an IPv6 capable network to make that work. However, you can use the Unified Access Gateway (UAG) 2010 DirectAccess solution with the network that you have. Here are some facts that will help you in your planning process:
* UAG DirectAccess has NAT64/DNS64 technologies, so you can have Windows 2000 and Windows 2003 servers on your network without any problems
* You can use Windows 2003 DNS servers on your network and it will work with UAG DirectAccess
* You can use Windows 2003 Active Directory domain controllers and it will work with UAG DirectAccess
* Your domain functional level isn't an issue – you can use any domain functional level and it'll work with UAG DirectAccess
* Windows XP won't work as a DirectAccess client. When you upgrade to Windows 7, make sure you use Windows 7 Enterprise or Ultimate Edition.
* While UAG will support your IPv4 only servers, you will need to test your client-side applications to make sure that they are IPv6 aware. The reason for that is the DirectAccess client only uses IPv6 to communicate with the UAG DirectAccess server.
Overall, I think you're in great shape for providing your users DirectAccess connectivity to your corporate network. Let me know if you have any problems getting things set up and I'll make sure to connect you to the right resources to make things go as smoothly as possible.
TechGenix Sites
---------------------------------------------------------
MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
ISAserver.org <http://www.isaserver.org/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
WindowsNetworking.com is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@windowsnetworking.com
Copyright (c) WindowsNetworking.com 2010. All rights reserved.