One of the goals of Windows 7 is to let users reach the information they need whether they are in or out of the office. In the past few years Microsoft has made getting to email from outside the office easier: first Outlook Web Access gave access to email through the web, then RPC over HTTP let Outlook connect to the Exchange server with nothing more than an internet connection. Users still have a challenge when accessing resources that are inside the corporate network. For example, they cannot open links to an internal web site or a file share included in an email. The most common way to reach these resources is a VPN. A VPN can be hard on users because it takes time and multiple steps to initiate the connection and wait for the PC to be authenticated by the network. Hence most remote users avoid the VPN as much as possible and stay disconnected from the corporate network for as long as they can. This creates a chicken-and-egg problem: because remote users are disconnected, IT cannot manage them while they are away from work, so remote machines fall further out of date and it gets harder and harder for them to access corporate resources.

With the capabilities Windows 7 enables (DirectAccess, covered on the following slides), a user who has internet access is automatically connected to the corporate network. A user sitting in a coffee shop can open a laptop, connect to the internet over the coffee shop's wireless and start working as if in the office. That user can not only use Outlook but also work with intranet sites, open corporate shares, use LOB applications and, in short, have full access to corporate resources.

This solution is also very appealing to IT professionals. Managing mobile PCs has always been an issue because they can be disconnected from the corporate network for a long time. With this work-access solution, as long as they have internet connectivity, users are on the corporate network.
Servicing mobile users (distributing updates and Group Policy, for example) is easier because IT systems can reach them more frequently.

Deploying Windows 7 does not automatically enable this type of connection. You choose whether to enable it, and it requires changes to your back-end network infrastructure, including at least one server running Windows Server 2008 R2 at the edge of your network. The solution takes advantage of Microsoft's investments in IPsec and IPv6 to provide authenticated, encrypted connectivity even when the client is not on the physical corporate network.
BranchCache supports two modes. The first is a peer-to-peer model known as Distributed Cache mode. In this mode content is cached at the branch on the client computers running Windows 7: each client keeps a cache of the content it has retrieved and makes it available to other clients when they request it. Content is only provided to a requester that the server at the data center has already authorized, so authentication and access rights are preserved. This reduces WAN traffic, since cached data is served locally, with the side benefit of better application responsiveness. The disadvantage is that the content is cached on client computers, so if the computer holding the cached content is unavailable (shut down, asleep or away from the branch), the content must be retrieved over the WAN again.
In the server scenario, known as Hosted Cache mode, content is cached at the branch on a server running Windows Server 2008 R2. The advantage is that the server is always available, so the cached content is always available: the unavailability of any Windows 7 client does not affect the cache or require content to be retrieved over the WAN again.

How it works:
1. The Windows 7 client requests content that resides in another location across a WAN segment.
2. The client contacts the computer hosting the content in the other location.
3. The content server authorizes the request and returns a set of content hashes to the client (not the content itself).
4. The client uses those hashes to ask the hosted cache server on the local network for cached copies.
5. If the content is in the hosted cache, the hosted cache server responds and the client retrieves the content locally, verifying it against the hashes it received from the content server.
6. If the content is not in the hosted cache, the client retrieves it from the content server over the WAN and offers it to the hosted cache server, which retrieves a copy from the client and caches it.
7. Subsequent requests for the same content are served from the hosted cache.
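The exchange above, as an added PowerShell model that is not part of the original deck and not Microsoft's code. It is a simplification of the real BranchCache protocols (which hash content in segments and blocks and discover peers on the LAN); what it keeps is the security-relevant shape: the client gets the content hashes from the authoritative server only after that server has authorized the request, looks the hashes up in the branch cache, verifies whatever the cache returns against those hashes before trusting it, and falls back to the WAN when the cache has nothing. The file name, users and content are constructed sample data.

```powershell
# Added example: a small model of the Hosted Cache exchange. Not the real BranchCache protocol.
$sha = New-Object System.Security.Cryptography.SHA256Managed
function Get-ContentHash([byte[]]$bytes) {
    return [BitConverter]::ToString($sha.ComputeHash($bytes)).Replace('-', '')
}

# Constructed content on the data-center server: one file, two segments, an ACL (sample data).
$origin = @{
    'reports\q3.docx' = @{
        Acl      = @('alice', 'bob')
        Segments = @([Text.Encoding]::UTF8.GetBytes('Q3 revenue summary, segment one'),
                     [Text.Encoding]::UTF8.GetBytes('Q3 revenue summary, segment two'))
    }
}
$hostedCache = @{}   # the branch hosted cache server: hash -> bytes
$wanFetches  = 0     # trips to the data center, the number BranchCache exists to reduce

function Get-HashesFromOrigin([string]$user, [string]$path) {
    # Steps 2-3: the content server checks access rights before it releases any hashes.
    $item = $origin[$path]
    if (-not $item -or ($item.Acl -notcontains $user)) { throw "Access denied for $user to $path" }
    return @($item.Segments | ForEach-Object { Get-ContentHash $_ })
}

function Get-SegmentFromOrigin([string]$path, [int]$index) {
    # Step 6: the segment crosses the WAN.
    $script:wanFetches++
    return ,($origin[$path].Segments[$index])
}

function Get-BranchCacheContent([string]$user, [string]$path) {
    $hashes = Get-HashesFromOrigin $user $path
    $result = New-Object System.Collections.Generic.List[byte]
    for ($i = 0; $i -lt $hashes.Count; $i++) {
        $h = $hashes[$i]
        $bytes = $hostedCache[$h]                          # step 4: look up by hash
        if ($null -ne $bytes -and (Get-ContentHash $bytes) -ne $h) {
            # Step 5: a cache entry that does not match the server's hash is never used.
            Write-Warning "cached segment $h failed verification; discarding it"
            $hostedCache.Remove($h)
            $bytes = $null
        }
        if ($null -eq $bytes) {
            $bytes = Get-SegmentFromOrigin $path $i      # step 6: WAN, then offer to the cache
            $hostedCache[$h] = [byte[]]$bytes
        }
        $result.AddRange([byte[]]$bytes)
    }
    return [Text.Encoding]::UTF8.GetString($result.ToArray())
}

# alice's first request fills the cache; bob's second request is served entirely from it.
Get-BranchCacheContent 'alice' 'reports\q3.docx' | Out-Null
Get-BranchCacheContent 'bob'   'reports\q3.docx' | Out-Null
"WAN fetches after two requests: $wanFetches"

# A tampered cache entry is caught on the next lookup and refetched from the origin.
$hashes = Get-HashesFromOrigin 'alice' 'reports\q3.docx'
$hostedCache[$hashes[0]] = [Text.Encoding]::UTF8.GetBytes('not the real content')
Get-BranchCacheContent 'alice' 'reports\q3.docx'

# mallory is not on the ACL, so she never receives hashes and has nothing to look up in the cache.
try { Get-BranchCacheContent 'mallory' 'reports\q3.docx' } catch { $_.Exception.Message }
```

After the two requests the counter shows one WAN fetch per segment rather than one per request, which is the bandwidth saving; the tampering step shows why the hashes must come from the content server and not from the cache peer.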
Title: Network Access Protection

Talking Points: Let's look more in depth at how Network Access Protection works.

Enterprises are constantly challenged by malware that enters the network because of guests plugging in, employees connecting over VPN and everyday attacks on vulnerable computers already on the network. In response, IT administrators are always looking for tools to detect and manage threats, establish health policies, require baseline compliance, keep the network resilient, remediate vulnerabilities and manage the policy enforcement and remediation systems.

What is Network Access Protection: One of the most time-consuming challenges administrators face is ensuring that computers connecting to the private network meet health policy requirements. Network Access Protection (NAP) for Windows Server 2008 and Windows Vista helps administrators enforce compliance with health policies for network access or communication. Developers and administrators can create solutions that validate computers connecting to the network, provide needed updates or access to needed resources (called health update resources) and limit the access of noncompliant computers. NAP is about machine health, not user intent: it does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or performing some other inappropriate task. NAP verifies that communications are authenticated, authorized and healthy. Administrators can use NAP with DHCP, VPN, IPsec and 802.1X enforcement to set the security level that meets the needs of their organization, and can define policy-based access controls for their systems. Of these, DHCP enforcement is the weakest, since a client that assigns itself a static address bypasses it; IPsec and 802.1X enforcement hold up against a hostile client.

Cisco and Microsoft integration story: Cisco and Microsoft worked on a joint architecture for NAC-NAP interoperability.
The architecture enables customers and partners to deploy interoperable Cisco Network Admission Control (NAC) and Microsoft Network Access Protection. The two companies also revealed a general road map for bringing Cisco NAC and Microsoft NAP interoperability to market, including a limited beta program set to start later in calendar year 2007; customers will be able to deploy the interoperable solution once Windows Server 2008 is available. Cisco and Microsoft cross-licensed the Cisco NAC and Microsoft NAP protocols to help ensure interoperability and to let both companies respond to future market and customer requirements.

NAP works with agents in the Windows XP SP3 and Windows Vista client operating systems. The client side consists of System Health Agents (SHAs), the NAP Agent (called the Quarantine Agent, QA, in early documentation) and one or more Enforcement Clients (ECs). A System Health Agent (SHA here, not the Secure Hash Algorithm) checks one aspect of the client's state and declares its health. Each SHA covers a system health requirement or a set of requirements; for example, there might be an SHA for antivirus signatures and an SHA for operating system updates.

[BUILD1] Try to connect to a network: When a Windows client connects through DHCP, a VPN or a switch/router, the computer's health state is validated against the health policies defined by the administrator.

[BUILD2] System Health Agent: The access device forwards the network access request to the Network Policy Server (NPS). The NPS hosts the System Health Validators (SHVs) and the Quarantine Server (QS, the NAP Administration Server in the released product). The QS coordinates the SHVs, which verify the declarations made by the health agents. Active Directory stores user and computer accounts and their network access properties for authenticated network access.
The NPS does not validate credentials itself; it forwards them to Active Directory for authentication and then evaluates the connection against its network and health policies.

[BUILD3] Remediation server: If a computer is not compliant, it is placed on a restricted network where remediation servers can apply security updates or whatever else is needed to bring it into compliance. Remediation servers are servers, services or other resources that a noncompliant computer on the restricted network can reach. They might hold the most recent software updates or the components needed to make the computer comply with health requirements; for example, a secondary DNS server, an antivirus signature server and a software update server could all be remediation servers. Administrators can help ensure compliance by automatically updating noncompliant computers with the missing requirements through management software such as Microsoft Systems Management Server. Computers that do not comply with health policies have limited access until the software and configuration updates are complete. NAP-capable computers can become compliant automatically, and the administrator can define policy exceptions.

[BUILD4] Computer that meets health policy: If a client is compliant, it is given access to the corporate network.

Additional information:
- Changes in Functionality to Windows Server Longhorn (January 2007).doc (also called the Book of Longhorn)
- www.microsoft.com/technet/ Add-301.ppt, Add-302.ppt
- www.microsoft.com/presspass/events/ssc/docs/CiscoMSNACWP.pdf
- http://www.microsoft.com/presspass/press/2006/sep06/09-06SecStandardNACNAPPR.mspx
If you would like to host your demo on the Virtual Server, please use the myVPC demo slide, not this slide.
[Build 1] – This slide gives a high-level overview of the components in RDS. We will look at the new RDSH and RDVH technologies in depth later on.
- Remote Desktop Session Host (RDSH) provides a similar set of functionality to Terminal Server.
- Remote Desktop Virtualization Host (RDVH) is a Hyper-V based server that provides the VDI functions.
- RemoteApp and Desktop Web Access (RD Web Access) provides a web-based interface for RemoteApp-enabled applications as well as one-click access to virtual desktops. Highlight that you need Windows 7 on the client to take full advantage of RemoteApp and Desktop Connections.
- RD Gateway offers secure remote access to RDS servers and infrastructure.
- All components require an RD Licensing server.
- Permissions and policy are stored in Active Directory.

[Build 2] The Remote Desktop client gets connection information from the RD Web Access server. If the client is outside the network it connects through the RD Gateway server; if it is internal it can connect directly to an RDSH or RDVH server. In both cases the server the client ends up on is negotiated by the RD Connection Broker. The connection broker plays a central role in RDS: it makes sure clients get connected to the appropriate resources, helps clients reconnect to disconnected or interrupted sessions, and makes sure clients connect to the correct servers for VDI resources. At a high level:
- The remote client uses the RD Gateway to reach the RD Session Host (RDSH) and RD Virtualization Host (RDVH) servers.
- The RD Connection Broker connects clients to sessions and VMs on the RDSH and RDVH servers.
- All Remote Desktop servers require validation with an RD Licensing server.
Publishing server:
- Implemented in the RD Connection Broker role service
- Communicates with RemoteApp servers, as well as its own configuration, to create a list of available objects: personal desktops, pooled desktops, applications
- Publishes this information via RD Web Access to:
  - a traditional web site (or SharePoint site)
  - RemoteApp & Desktop Connections (web feeds)

Connection Broker configuration:
- Remote Desktop Users: users who will enumerate objects
- Session Broker Computers: computers which have resources
- Web Access Administrators: users who can configure the web part
- Web Access Computers: computers which run Web Access (local computer)
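The client path described in the two notes above (RD Web Access hands out the connection, external clients go through the RD Gateway, internal clients connect directly) is expressed in the .rdp file the client receives. The following is an added PowerShell example, not code from the deck or from Microsoft: it writes such a file for a RemoteApp and then audits an .rdp file for the settings that decide whether the gateway is actually used and whether the client will refuse an unauthenticated server. Host names, the application alias and the output path are placeholders (assumptions).

```powershell
# Added example: generate and audit a RemoteApp .rdp file that uses the RD Gateway.
function New-RemoteAppRdpFile {
    param(
        [string]$SessionHost = 'rdsh01.corp.example',   # placeholder RD Session Host
        [string]$Gateway     = 'rdgw.corp.example',     # placeholder RD Gateway
        [string]$AppAlias    = 'wordpad',               # placeholder RemoteApp alias
        [string]$OutFile     = (Join-Path $env:TEMP 'wordpad.rdp')
    )
    $settings = @(
        "full address:s:$SessionHost",
        "remoteapplicationmode:i:1",              # launch a RemoteApp, not a full desktop
        "remoteapplicationprogram:s:||$AppAlias", # alias as published on the session host
        "gatewayhostname:s:$Gateway",
        "gatewayusagemethod:i:2",                 # 2 = use the gateway except for local (intranet) addresses
        "gatewayprofileusagemethod:i:1",          # 1 = use the explicit gateway settings in this file
        "authentication level:i:1",               # 1 = do not connect if the server cannot be authenticated
        "prompt for credentials:i:1",
        "promptcredentialonce:i:1"                # one prompt covers both the gateway and the session host
    )
    # mstsc reads Unicode (UTF-16) .rdp files, which is the format the RD tools write.
    Set-Content -Path $OutFile -Value $settings -Encoding Unicode
    return $OutFile
}

function Test-RdpFileSecurity {
    param([string]$Path)
    # Parse 'name:type:value' lines into a hashtable.
    $rdp = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^([^:]+):[is]:(.*)$') { $rdp[$matches[1]] = $matches[2] }
    }
    $findings = @()
    if ($rdp['authentication level'] -ne '1') {
        $findings += 'authentication level is not 1: an impersonated server only produces a warning, or none'
    }
    if (-not $rdp['gatewayhostname']) {
        $findings += 'no gatewayhostname: the client expects to reach the session host directly'
    } elseif ($rdp['gatewayusagemethod'] -eq '0') {
        $findings += 'gatewayusagemethod is 0: the gateway is named but never used'
    }
    if ($rdp['remoteapplicationmode'] -eq '1' -and -not $rdp['remoteapplicationprogram']) {
        $findings += 'RemoteApp mode without remoteapplicationprogram: the session host decides what runs'
    }
    return $findings
}

$file = New-RemoteAppRdpFile
"Findings for ${file}:"
Test-RdpFileSecurity -Path $file
```

Run the audit function against the .rdp files RD Web Access or RemoteApp & Desktop Connections delivers to your users; a file with authentication level 0 or with the gateway disabled is the one to look at first.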
The RDS client has been enhanced to support rich multimedia and provide a more seamless end-user experience. In the next section we will take a look at how these enhancements improve the user experience and provide a full-fidelity desktop. Users can also easily and seamlessly control language settings (for example right-to-left input) for RemoteApp programs using the local language bar.
Windows Server 2008 R2 has many features designed specifically to work with client computers running Windows 7. The features that are only available when Windows 7 clients are combined with Windows Server 2008 R2 servers include:
- Simplified remote connectivity for corporate computers with DirectAccess (next slides).
- Improved performance for branch offices with BranchCache (a little further down).
- More efficient power management with the new power management Group Policy settings for Windows 7 clients.
- Improved virtualized presentation integration with the new desktop and application feeds. This lets TS/VDI administrators construct centrally managed virtualized desktop and application resources and assign them to users, who subscribe to them in a "feed" paradigm: subscribing to a feed means you are updated whenever IT updates or changes the resource. For most users this is invisible, as Windows 7 integrates virtual applications the same way it does locally installed ones.
- New Group Policy settings also enhance security with BitLocker To Go, which not only lets Windows 7 users extend BitLocker encryption to portable drives (such as USB flash drives or CompactFlash cards) but also lets administrators set policy on the feature, for example requiring encryption before data can be written to a removable drive.
- The Offline Files feature lets administrators designate files stored on network shared folders for use even when those folders are unavailable (offline); for example, a mobile user disconnects a laptop from your intranet and works from a remote location. In Windows Server 2008 RTM and Windows Vista this feature is configured in online mode by default; in Windows Server 2008 R2 and Windows 7 it is configured in offline mode by default.
Windows 7 And Windows Server 2008 R2 Combined Value
Amit Gatenyo
Infrastructure & Security Manager, Dario
Microsoft Regional Director – Windows Server & Security
054-2492499
Amit.firstname.lastname@example.org

Udi Leutashi
Solutions Architect
Dario IT Solutions
054-9700781
Udi.email@example.com
Information Workers' World Has Been Changing
- Central office
- Branch offices
- Remote work
- Mobile & distributed workforce
The Evolving Needs of Organizations
IT professional needs:
- Secure and flexible infrastructure for "work anywhere"
- Reduce costs
Mobile & remote workforce needs:
- Work anywhere
- Fast access
Remote Access for Mobile Workers: Make Users Productive Anywhere
Situation today:
- Difficult for users to access corporate resources from outside the office
- Challenging for IT to manage, update and patch mobile PCs while they are disconnected from the company network
Windows Server 2008 R2 and Windows 7 solution, DirectAccess™:
- New network paradigm enables the same experience inside & outside the office
- Seamless access to network resources increases the productivity of mobile users
- Infrastructure investments also make it easy to service mobile PCs and distribute updates and policies
[Diagram: home and office, before and after]
DirectAccess™
[Diagram: Windows 7 client, Internet, DirectAccess server, IPv4 and IPv6 devices on the intranet]
- DirectAccess provides transparent, secured access to intranet resources without a VPN
- Native IPv6 with IPsec: supports direct connectivity to IPv6-based intranet resources
- IPv6 transition services: IPv4 support via transition technologies (6to4 across the IPv4 internet) or NAT-PT for IPv4-only intranet devices
- Supports a variety of remote network protocols; allows IPsec encryption and authentication
- IT desktop management: allows desktop management of DirectAccess clients (AD Group Policy, NAP, software updates)
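A read-only check of the client side of this picture and of the notes on the earlier slide (the IPv6 transition path to the DirectAccess server, the name resolution policy that comes down through Group Policy, and the IPsec tunnels). This is an added PowerShell example, not part of the original deck and not Microsoft's tooling; the text markers it matches in the netsh output ('DirectAccess', 'Local IP Address', 'qualified', 'active') are assumptions about the Windows 7 output format, so run the underlying netsh commands by hand if the summary looks wrong.

```powershell
# Added example: summarise the state of a Windows 7 DirectAccess client. Run from an elevated prompt.
function Get-TransitionInterfaceState {
    # Each transition technology has its own netsh context; return the raw text of each.
    $state = @{}
    $state['Teredo']   = (netsh interface teredo show state) -join "`n"
    $state['6to4']     = (netsh interface 6to4 show state) -join "`n"
    $state['IP-HTTPS'] = (netsh interface httpstunnel show interfaces) -join "`n"
    return $state
}

function Test-NrptApplied {
    # DirectAccess sends intranet names to the intranet DNS servers through the tunnel via the
    # Name Resolution Policy Table; an empty effective table usually means the DirectAccess
    # Group Policy has not been applied yet. (Assumption: DirectAccess rules are labelled as such.)
    $policy = netsh namespace show effectivepolicy
    return (@($policy | Where-Object { $_ -match 'DirectAccess' }).Count -gt 0)
}

function Get-IPsecMainModeSaCount {
    # Main-mode SAs exist only after the infrastructure and intranet tunnels have authenticated.
    # (Assumption: each SA block in the output carries a 'Local IP Address' line.)
    $sa = netsh advfirewall monitor show mmsa
    return @($sa | Where-Object { $_ -match 'Local IP Address' }).Count
}

function Test-DirectAccessClient {
    $transition = Get-TransitionInterfaceState
    # Report the first tunnel interface that reports itself up; 'none' may also mean native IPv6.
    $active = 'none'
    foreach ($name in 'Teredo', '6to4', 'IP-HTTPS') {
        if ($transition[$name] -match 'qualified|active') { $active = $name; break }
    }
    return New-Object PSObject -Property @{
        TransitionTechnology = $active
        NrptApplied          = Test-NrptApplied
        MainModeSAs          = Get-IPsecMainModeSaCount
    }
}

Test-DirectAccessClient | Format-List
```

A client with no transition interface up, no NRPT and zero main-mode SAs is simply not a DirectAccess client yet (policy not applied); one with a tunnel up but zero SAs is the case to take to the server-side IPsec and certificate configuration.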
DirectAccess Benefits
IT pro benefits:
- Improved manageability of remote users
- IT simplification and cost reduction
- Consistent security for all access scenarios
End user benefits:
- Seamless & secure access to corporate resources
- Consistent connectivity experience in and out of the office
- Combined with other Windows 7 features, enhances the end-to-end information worker experience
BranchCache™
Windows 7 solution:
- Caches content downloaded from file and web servers
- Users in the branch can quickly open files stored in the cache
- Frees up network bandwidth for other uses
Technical details:
- Authenticates the current state of the data and the access rights of the user against the server
- Supports commonly used protocols: HTTP(S), SMB
- Supports network security protocols (SSL, IPsec)
- Requires Windows Server 2008 R2 in the data center and for the hosted cache
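The mode choice from this slide and the notes, as typed on a Windows 7 client. This is an added PowerShell example, not part of the original deck; Group Policy is the normal way to set the mode at scale, while netsh is what you use in a lab or for a one-off check. The hosted cache host name is a placeholder (assumption).

```powershell
# Added example: set and read back the BranchCache client mode with netsh. Run elevated.
function Set-BranchCacheMode {
    param(
        [ValidateSet('Distributed', 'HostedClient', 'Disabled')] [string]$Mode,
        [string]$HostedCacheServer = 'cache01.branch.corp.example'   # placeholder
    )
    switch ($Mode) {
        # Distributed Cache: peers on the branch LAN serve each other; nothing else to deploy.
        'Distributed'  { netsh branchcache set service mode=distributed }
        # Hosted Cache: clients need the server's name, and the Windows Server 2008 R2 hosted
        # cache server must present a certificate the clients trust (bound to its port 443
        # with 'netsh http add sslcert' on the server side).
        'HostedClient' { netsh branchcache set service mode=hostedclient "location=$HostedCacheServer" }
        'Disabled'     { netsh branchcache set service mode=disabled }
    }
    # Cap the local cache at 5% of the disk so a busy branch client does not fill its drive.
    netsh branchcache set cachesize size=5 percent=TRUE
}

function Get-BranchCacheStatus {
    # Return the mode and cache lines; 'show status all' prints the full picture.
    $status = netsh branchcache show status all
    return @($status | Where-Object { $_ -match 'Mode|Status|Cache|Active' })
}

Set-BranchCacheMode -Mode HostedClient
Get-BranchCacheStatus
# To drop everything cached locally, for example before a laptop moves to another branch:
# netsh branchcache flush
```

The choice in the slide's terms: Distributed mode costs nothing beyond the clients but content disappears with the client that holds it; Hosted Cache mode needs the R2 server and its certificate but keeps the cache available regardless of which laptops are switched on.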
Network Access Protection
Today's challenges:
- Unprotected network taps within an organization's buildings
- Administrators have limited control over the health of systems joining the network
- Result: hardware/network upgrades and increased operational costs, reduced productivity
Solution: end-to-end, authenticated, tamper-resistant communication
- Improved isolation using IPsec
- Network Access Protection across IPsec, 802.1X, DHCP, VPN
- Increased manageability
Network Access Protection
[Diagram: Windows client; DHCP, VPN or switch/router; NPS; policy servers (such as patch, AV); remediation servers (example: patch); corporate network; restricted network]
1. Client requests access to the network and presents its current health state
2. DHCP, VPN or switch/router relays the health status to the Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates it against the IT-defined health policy
4. If not policy compliant, the client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations and signatures (repeat 1-4)
5. If policy compliant, the client is granted full access to the corporate network
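The client half of this flow (and of the [BUILD1]-[BUILD4] walk-through in the earlier notes) depends on the NAP Agent service running and an enforcement client being enabled. The following is an added PowerShell example, not part of the original deck: it enables the DHCP enforcement client on a Windows 7 or Vista machine and reads the local NAP configuration and restriction state back. The enforcement client ID 79617 is the one the netsh nap context lists for the DHCP Quarantine Enforcement Client on Windows 7 and the 'Name = / ID = / Admin = / Restriction state' markers are assumptions about the netsh output text; confirm both with 'netsh nap client show config' before relying on them. When the NAP client settings come from Group Policy the local netsh settings are ignored, and 'netsh nap client show grouppolicy' is the one to read.

```powershell
# Added example: enable and inspect the NAP client. Run from an elevated prompt.
function Enable-NapDhcpEnforcement {
    # Nothing reports health until the NAP Agent service is running.
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent
    # 79617 = DHCP Quarantine Enforcement Client (verify with 'netsh nap client show config').
    netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE" | Out-Null
}

function Get-NapEnforcementClients {
    # Group the Name / ID / Admin lines of each enforcement client into one object.
    $clients = @()
    $current = @{}
    foreach ($line in (netsh nap client show config)) {
        if ($line -match '^\s*(Name|ID|Admin)\s*=\s*(.+?)\s*$') {
            $current[$matches[1]] = $matches[2]
            if ($current.Count -eq 3) {
                $clients += New-Object PSObject -Property $current
                $current = @{}
            }
        }
    }
    return $clients
}

function Test-NapClientRestricted {
    # The state output reports whether the last health evaluation left this client restricted.
    $state = (netsh nap client show state) -join "`n"
    return ($state -match 'Restriction state\s*=\s*Restricted')
}

Enable-NapDhcpEnforcement
Get-NapEnforcementClients | Format-Table Name, ID, Admin -AutoSize
if (Test-NapClientRestricted) {
    'Client is on the restricted network: check the remediation servers and the SHV that failed'
} else {
    'Client is not restricted'
}
```

Pair this with the slide's caveat: a DHCP-enforced client that is "not restricted" only tells you the DHCP path evaluated it; on a network where IPsec or 802.1X enforcement is the real control, enable and check that enforcement client instead.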
Business and Technical Benefits
Reduce the risk of network security threats:
- An additional layer of defense in depth
- Reduced attack surface
- Increased manageability and healthier clients
Safeguard sensitive data and intellectual property:
- Authenticated, end-to-end network communications
- Scalable, tiered access to trusted networked resources
- Protect the confidentiality and integrity of data
Extend the value of existing investments:
- No additional hardware or software required
- Get more value from Active Directory and Group Policy
- Complements existing third-party network security solutions
Software Control via AppLocker
Situation today:
- Users can install and run unapproved applications
- Even standard users can install some types of software
- Unauthorized applications may introduce malware, increase helpdesk calls, reduce user productivity and undermine compliance efforts
Windows Server 2008 R2 and Windows 7 solution, AppLocker™:
- Eliminate unwanted/unknown applications in your network
- Enforce application standardization within your organization
- Easily create and manage flexible rules using Group Policy
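The "create and manage rules" bullet, done the way it should be done in practice: inventory a known-good reference machine, generate publisher rules (with hash rules as the fallback for unsigned files), start in audit mode, test the policy against a file before deploying it, and read the audit log to see what enforcement would have blocked. This is an added PowerShell example using the AppLocker module that ships with Windows 7, not code from the deck or from Microsoft; the directories, output path, LDAP target and test executable are placeholders (assumptions).

```powershell
# Added example: build, test and audit an AppLocker policy. Run from an elevated prompt.
Import-Module AppLocker

function New-ReferenceAppLockerPolicy {
    param(
        [string]$ReferenceDir = 'C:\Program Files',                          # placeholder
        [string]$OutFile      = (Join-Path $env:TEMP 'applocker-audit.xml')  # placeholder
    )
    # Inventory the executables on a known-good machine.
    $files = Get-AppLockerFileInformation -Directory $ReferenceDir -Recurse -FileType Exe
    # Publisher rules for signed files (they survive updates); hash rules for unsigned ones.
    [xml]$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
        -User Everyone -RuleNamePrefix 'Reference' -Optimize -Xml
    # Audit first: rules are logged, not enforced, so a gap in the rule set cannot lock users out.
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        $collection.EnforcementMode = 'AuditOnly'
    }
    $policy.Save($OutFile)
    return $OutFile
}

function Test-ExecutableAgainstPolicy {
    param([string]$PolicyFile, [string]$Path)
    # PolicyDecision is Allowed, Denied, or DeniedByDefault when no rule matches the file.
    return (Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Path -User Everyone).PolicyDecision
}

function Enable-AppLockerAuditPolicy {
    param([string]$PolicyFile)
    # AppLocker rules are only evaluated while the Application Identity service is running.
    Set-Service -Name AppIDSvc -StartupType Automatic
    Start-Service -Name AppIDSvc
    # -Merge keeps existing local rules; use -Ldap 'LDAP://...' (placeholder) to target a domain GPO instead.
    Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
}

function Get-AppLockerAuditHits {
    # Event 8003 = the file would have been blocked if the policy were enforced; 8004 = it was blocked.
    Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 |
        Where-Object { $_.Id -eq 8003 -or $_.Id -eq 8004 } |
        Select-Object TimeCreated, Id, Message
}

$policyFile = New-ReferenceAppLockerPolicy
Test-ExecutableAgainstPolicy -PolicyFile $policyFile -Path 'C:\Users\Public\Downloads\unknown-tool.exe'
Enable-AppLockerAuditPolicy -PolicyFile $policyFile
Get-AppLockerAuditHits
```

Before switching a collection from AuditOnly to Enabled, add the default rules (Windows folder, Program Files and an allow-all for Administrators) or their equivalent: the policy generated above only covers what was under the reference directory, and with enforcement on, anything without a matching rule, including the operating system's own executables, is denied by default.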
Encryption: Enhance Security & Control
Situation today: [chart: worldwide shipments (000s)]
Windows Server 2008 R2 and Windows 7 solution, BitLocker To Go™:
- Protect data on internal and removable drives
- Mandate the use of encryption with Group Policy
- Store recovery information in Active Directory for manageability
- Simplified BitLocker setup and configuration of the primary hard drive
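The three solution bullets as typed on a Windows 7 client: protect a removable drive, back its recovery password up to Active Directory, and read the local policy values that the removable-drive Group Policy settings leave behind. This is an added PowerShell example around manage-bde, not code from the deck or from Microsoft. The drive letter is an assumption, the parsing of the manage-bde protector listing assumes its usual 'Numerical Password' / 'ID:' layout, and the registry value names (RDVDenyWriteAccess, RDVActiveDirectoryBackup, RDVRequireActiveDirectoryBackup) are assumed from the FVE policy template and should be verified against your own GPO.

```powershell
# Added example: BitLocker To Go on a removable drive, with AD backup of the recovery password. Run elevated.
function Protect-RemovableDrive {
    param([string]$Drive = 'E:')   # placeholder drive letter
    # -Password prompts for the passphrase; -RecoveryPassword adds the 48-digit recovery key.
    manage-bde -on $Drive -Password -RecoveryPassword
}

function Get-RecoveryPasswordId {
    param([string]$Drive = 'E:')
    # Find the ID of the numerical password protector in the 'manage-bde -protectors -get' listing.
    $inNumerical = $false
    foreach ($line in (manage-bde -protectors -get $Drive)) {
        if ($line -match 'Numerical Password') { $inNumerical = $true; continue }
        if ($inNumerical -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') { return $matches[1] }
    }
    return $null
}

function Backup-RecoveryPasswordToAd {
    param([string]$Drive = 'E:')
    $id = Get-RecoveryPasswordId -Drive $Drive
    if (-not $id) { throw "No numerical password protector found on $Drive" }
    # Needs the same AD schema and permissions as recovery backup for operating system drives.
    manage-bde -protectors -adbackup $Drive -id $id
}

function Get-RemovableDrivePolicy {
    # RDVDenyWriteAccess = 1 mounts unprotected removable drives read-only on Windows 7;
    # RDVActiveDirectoryBackup = 1 turns on AD backup of recovery information for removable drives.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return 'No BitLocker policy applied to this machine' }
    return Get-ItemProperty -Path $key |
        Select-Object RDVDenyWriteAccess, RDVActiveDirectoryBackup, RDVRequireActiveDirectoryBackup
}

Protect-RemovableDrive -Drive 'E:'
Backup-RecoveryPasswordToAd -Drive 'E:'
manage-bde -status 'E:'
Get-RemovableDrivePolicy
```

The policy read at the end is the check that matters for the "mandate the use of encryption" bullet: without RDVDenyWriteAccess users can still copy data onto an unencrypted stick, and without the AD backup settings a lost passphrase means lost data rather than a helpdesk call.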
Remote Desktop Services Architecture
[Diagram]
- RD Client: MSTSC; Windows 7: RemoteApp & Desktop Connections; XP / Vista: IE
- RD Client to RD Web Access over HTTPS: retrieve the list of RemoteApps / sessions
- RD Client to RD Gateway: RDP over HTTPS
- RD Connection Broker: user-to-personal VM assignment and pooled VM assignment, with AD
- RDVH (Hyper-V) with RDV Agent, hosting the VHDs of personal and pooled VMs
- RDSH: RemoteApp and session desktop
RDP over HTTPS
Udi Leutashi
Solutions Architect
Dario IT Solutions
054-9700781
Udi.firstname.lastname@example.org
RemoteApp Overview
- Make programs available via RD Web Access or RemoteApp & Desktop Connection (Windows 7)
- Create MSI or RDP files
- Applications launched from a web page, RDP files or MSI shortcuts
- Programs look like they are running locally
- New in R2: per-user RemoteApp filtering
[Diagram: RD Client, RD Session Host / RD Virtualization Host]