A Guide to Windows 7 Networking
- 20 October, 2009 11:32
Whether at home or at the office, networking has gone mainstream. Once upon a time, a computer had value as a stand-alone machine running applications, but that time has passed. Without an ability to access the Internet, retrieve e-mail, chat via instant messaging, and connect with file shares and software, the computer is little more than an expensive paperweight.
Clearly, the trend is toward remote and mobile computing, and it's important for an operating system to provide the tools necessary to remain connected and productive from anywhere. Microsoft is incorporating a variety of new networking features in Windows 7 that simplify connectivity and help users access network resources no matter where they are connecting from. Here we'll take a closer look at some of the innovative networking features to be found in Windows 7 (we may get a little bit technical at times).
Let's start with an enhancement aimed primarily at home users and home businesses: With Windows 7, Microsoft introduces the concept of HomeGroup. The HomeGroup feature serves two primary purposes: (1) to make sharing files and resources between computers on a home network easier, and (2) to protect shared files and resources from guests or wireless-network intruders.
Many homes have multiple computers, and users want to be able to share music and pictures, or network all of the computers so as to print to a single printer. This type of local area networking has been possible in Windows for years, but it has often been easier said than done, leading to many hours of user frustration.
Open HomeGroup from the Control Panel. Click on Create a HomeGroup to begin the process. You can determine the types of files or content that you want to share with the HomeGroup by checking or unchecking the appropriate boxes.
After you click Next to create the HomeGroup, Windows 7 will automatically generate a password that other users will need in order to join the HomeGroup and share the resources. Windows 7 Starter and Windows 7 Home Basic versions cannot create a HomeGroup, but computers running any version of Windows 7 can join a HomeGroup. One significant drawback to the HomeGroup concept is that it works only with Windows 7, so any Windows XP or Windows Vista systems in the home will not be able to participate.
Using a HomeGroup simplifies the process of sharing files, folders, and other network resources with trusted computers on your home network. At the same time, it enables you to allow visiting guests to connect to your wireless network for Internet access without also granting them access to the shared content and resources. It also prevents any unauthorized rogue wireless connections from gaining access to shared resources.
Roaming users rely on VPNs (virtual private networks) to provide a secure connection between their computer and the internal company network. When a user is sitting in a hotel room, or in a conference room at a customer site, and establishes a VPN connection, the user's PC will generally remain connected unless there is some other network issue that interrupts the connection.
However, users who rely on wireless broadband connectivity to establish a VPN connection while on the move are faced with frequent dropped connections and a cumbersome process for reauthenticating and reestablishing the VPN connection each time.
The VPN Reconnect feature allows Windows 7 to automatically reestablish active VPN connections when Internet connectivity is interrupted. As soon as Windows 7 reconnects with the Internet, Windows 7 will also reconnect with the VPN. The VPN will still be unavailable as long as the Internet connection is down, and the process of reconnecting will take a few seconds after Internet access becomes available again, but VPN Reconnect will ensure that users stay connected with the network resources they need access to.
VPN Reconnect is basically an IPSec tunnel using the IKEv2 (Internet Key Exchange) protocol for key negotiation and for transmission of ESP (Encapsulating Security Payload) packets. ESP is part of the IPSec security architecture that provides confidentiality, authentication of data origin, and connectionless integrity.
In situations such as viewing streaming video over a VPN connection while riding on a commuter train, users typically lose all buffered data and have to start the video over every time connectivity is lost. The features of the IKEv2 IPSec tunnel and ESP help ensure a persistent connection even if the IP address changes during the reconnect and allows the streaming video to resume from the point it was at when VPN connectivity was lost.
What's better than a VPN that automatically reconnects and retains its connection state? How about not needing a VPN in the first place? DirectAccess is one of the most compelling and game-changing features of Windows 7, both for users and for administrators faced with a remote and roaming work force.
Aside from the issues mentioned above for users trying to stay connected on a VPN and access internal network resources, roaming users also pose a problem for administrators. Mobile computers that aren't connected to the network miss out on security updates, software patches, and Group Policy updates. They will get the updates when they eventually connect, but days or weeks might go by with those remote systems missing critical updates.
DirectAccess provides a persistent and seamless bidirectional connection between the internal network and the Windows 7 system, as long as that Windows 7 system can connect to the Internet. With DirectAccess, remote and roaming users experience the same access to corporate shares, intranet sites, and internal applications as they would if they were sitting in the office connected directly to the network.
DirectAccess works both ways. Not only can the computer access the network seamlessly across any Internet connection, but the IT administrator can also connect to DirectAccess client computers--even when the user is not logged on. With DirectAccess, IT Administrators can monitor, manage, and deploy updates to DirectAccess client computers as long as they are connected to the Internet.
DirectAccess uses IPsec for authentication and encryption. DirectAccess can also integrate with Network Access Protection (NAP) to require that DirectAccess clients be compliant with system health requirements before being allowed to connect to the network. IT administrators can restrict access through DirectAccess and configure the servers that users and individual applications can access.
Built on IPv6
IPv6 is required for DirectAccess. DirectAccess connectivity is built on the foundation of globally routable IP addresses that IPv6 provides. IPv6 has been around for a while, and most systems and network devices are IPv6-capable, but the actual adoption of IPv6 as a replacement for IPv4 networking has been slow.
Microsoft was aware that IPv6 is not available everywhere, so the company designed DirectAccess to take advantage of IPv6 transition tools such as 6to4, Teredo, and ISATAP. Within the network, DirectAccess relies on NAT-PT (Network Address Translation-Protocol Translation) to provide connectivity between DirectAccess and IPv4 resources.
DirectAccess uses split-tunnel routing to intelligently route network traffic based on the intended destination. Only traffic destined for the corporate network is routed through the DirectAccess server, while traffic intended for resources on the public Internet is routed directly to its destination. Split-tunneling ensures that the resources of the DirectAccess server are not consumed by unnecessary network traffic.
Windows Server 2008 R2 Required
DirectAccess cannot function in a vacuum on a Windows 7 system. It requires a DirectAccess server to connect to, and a DirectAccess server means Windows Server 2008 R2. The DirectAccess server must have two network interface cards: one connected to the public Internet and one to provide access to the internal intranet resources. DirectAccess also requires at least two consecutive IPv4 addresses on the network interface card connected to the Internet.
The IPv6 translation technologies mentioned above (6to4, Teredo, and ISATAP) must be implemented on the DirectAccess server. Only a PKI (Public Key Infrastructure) environment can issue the necessary certificate for authentication and security, and a DNS server running on Windows Server 2008 or Windows Server 2008 R2 is required as well.
Users who experience problems connecting to DirectAccess can use the appropriate troubleshooting wizard to identify and resolve problems. Open the Network and Sharing Center and click on Troubleshoot problems; then select the Connection to a Workplace Using DirectAccess wizard to begin troubleshooting.
No matter how much network bandwidth an organization has, it is safe to assume it is not unlimited. As more users access the network, or more users connect to bandwidth-intensive data like streaming audio and video, the network bandwidth is nibbled away until it is gone, forcing the router to queue data, which in turn slows down network communications.
Even without maxing out the internal network capacity, this type of queuing often takes place where the internal network meets the external network. The internal network may be operating at 1GBps speeds, but the connection to the public Internet might be 10MBps. Network packets from the internal network are queued by the router and transmitted on a first-come-first-serve basis as bandwidth becomes available on the external connection.
Not all network destinations are created equal, though, or treated equally. Requests to an application server used to process orders or data being sent to a mission-critical database should take precedence over traffic destined for Google or Facebook, say.
Administrators can configure Quality of Service (QoS) to prioritize the traffic and ensure that the high-priority traffic gets preferential treatment. Windows will assign outgoing packets a DSCP (Differentiated Services Code Point) number that the router can use to determine the priority of the packets. As the network gets bogged down and packets are queued up, the default first-in-first-out functionality is overridden, and high-priority packets are sent out first.
The QoS functionality has been a part of previous versions of Windows, but it required that priority be assigned based on specific IP addresses and port numbers. However, multiple Web sites may use the same IP address, and one Web site may have multiple IP addresses, making QoS difficult to utilize in some instances.
With Windows 7, Microsoft has added an ability to configure QoS based on URL. Administrators can ensure that traffic intended for intranet applications or important Web sites gets processed ahead of lower-priority traffic (see the last figure above) without having to configure the precise IP address and port of the destination sites.
URL-based QoS can also be used to intentionally downgrade the priority of nonbusiness-related sites such as ESPN or Facebook. Assigning these URLs a low priority will force those packets to be handled with even less urgency than normal traffic.
Tony Bradley is an information security and unified communications expert with more than a decade of enterprise IT experience. He tweets as @PCSecurityNews and provides tips, advice, and reviews on information security and unified communications technologies on his site at tonybradley.com.