Thursday, February 24, 2011

Better Together with Windows 7

Making the Experience Better Together with Windows 7

Windows Server 2008 R2 has many features that are designed specifically to work with client computers running Windows 7. Windows 7 is the most current version of the Windows operating system from Microsoft.
Features that are only available when running Windows 7 client computers with server computers running Windows Server 2008 R2 include:
  • Simplified remote connectivity for corporate computers by using the DirectAccess feature
    One common problem facing most organizations is remote connectivity for their mobile users. One of the most widely used solutions for connecting remote users is a virtual private network (VPN) connection. Depending on the type of VPN, users may need to install VPN client software on their mobile computer and then establish the VPN connection over the Internet. The DirectAccess feature in Windows 7 and Windows Server 2008 R2 allows Windows 7 client computers to directly connect to intranet-based resources without the complexity of establishing a VPN connection. The user has the same connectivity experience both in and outside of the office. The following figure contrasts the current VPN-based solutions with the DirectAccess solution.
Figure: VPN and DirectAccess Scenarios
DirectAccess was designed as a seamless, always-on remote access solution that removes user complexity, gives you easy and efficient management and configuration tools, and does not compromise the secure aspects of remote connectivity. To do this, DirectAccess incorporates the following important features:
  • Authentication. DirectAccess authenticates the computer, enabling the computer to connect to the intranet before the user logs on. DirectAccess can also authenticate the user and supports two-factor authentication using a smart card.
  • Encryption. DirectAccess uses Internet Protocol security (IPsec) for encrypted communications across the Internet.
  • Access control. IT can configure which intranet resources different users can access using DirectAccess. IT can grant DirectAccess users unlimited access to the intranet, or only allow them to access specific servers or subnets. Additionally, you can apply custom security policies to specific applications. For example, you can require an application sending and receiving sensitive data to use IPsec encryption, while requiring that other applications use IPsec authentication or no IPsec protection.
  • Integration with Network Access Protection (NAP). NAP, built into Windows Server 2008 R2 and Windows 7, can be used with DirectAccess to verify that client computers meet your system health requirements, such as having security updates and anti-malware definitions installed, before allowing them to make a DirectAccess connection.
  • Separation of intranet and Internet traffic. By default, only traffic destined for your intranet is sent through the DirectAccess server. With a traditional VPN, Internet traffic is typically also sent through your intranet, slowing Internet access for users. You can also change this default behavior to match that of a typical VPN.
Another difference between DirectAccess and VPNs is that DirectAccess connections are established before the user is logged on. This means that you can manage a remote computer connected by DirectAccess even if the user is not logged on; for example, to apply Group Policy settings. However, for the user to access any intranet resources, they must be logged on.
DirectAccess provides the following benefits:
  • Seamless connectivity. DirectAccess is on whenever the user has an Internet connection, giving users access to internal network resources whether they are traveling, at the local coffee shop, or at home.
  • Remote management. IT administrators can connect directly to DirectAccess client computers to monitor them, manage them, and deploy updates, even when the user is not logged on. This can reduce the cost of managing remote computers by keeping them up-to-date with critical updates and configuration changes.
  • Improved security. DirectAccess uses IPsec for authentication and encryption. Optionally, you can require smart cards for user authentication. DirectAccess integrates with NAP to perform compliance checking on client computers before allowing them to connect to internal resources. IT administrators can configure the DirectAccess server to restrict the servers that users and individual applications can access.
For more information, see http://www.microsoft.com/directaccess.
 
  • Secured remote connectivity for private and public computers
    Another common problem for remote users is the ability to access intranet-based resources from computers that are not owned by the user’s organization, such as public computers or Internet kiosks. Without a mobile computer provided by their organization, most users are unable to access intranet-based resources. A combination of the Remote Workspace, Presentation Virtualization, and Remote Desktop Gateway features allows users on Windows 7 clients to remotely access their intranet-based resources without requiring any additional software to be installed on the Windows 7 client. This allows your users to remotely access their desktop as though they were working from their computer on the intranet. From the user’s perspective, the desktop on the remote Windows 7 client transforms to look like the user’s desktop on the intranet, including icons, Start menu items, and installed applications that are identical to the user’s experience on his or her own computer. When the remote user closes the remote session, the remote Windows 7 client desktop environment reverts to the previous configuration.
  • Improved remote desktop integration and user experience
    Windows Server 2008 R2 Service Pack 1 introduces Microsoft RemoteFX, a new set of platform technologies that enable a media-rich user environment for virtual and session-based desktops. Windows Server 2008 R2 also introduces the RemoteApp & Desktop Connection feature, which helps integrate desktops and applications virtualized by using Remote Desktop Services with the Windows 7 user interface. This integration makes the user experience for accessing remote desktops or applications the same as running the applications locally.
  • Improved security for branch offices
    Windows Server 2008 introduced the read-only domain controller feature, which allows a read-only copy of Active Directory to be placed in less secure environments such as branch offices. Windows Server 2008 R2 introduces support for read-only copies of information stored in Distributed File System (DFS) replicas. Read-only DFS replicas help protect your digital assets by allowing branch offices read-only access to information that you replicate to the offices by using DFS. Because the information is read-only, users are unable to modify the replicated content, which protects data in DFS replicas from accidental deletion at branch office locations.
  • Improved performance for branch offices
    Driven by the challenges of reducing the cost and complexity of branch IT, organizations are seeking to centralize applications. However, as organizations centralize applications, the dependency on the availability and quality of the WAN link increases. A direct result of centralization is increased utilization of the WAN link and degradation of application performance. Recent studies have shown that despite the reduction of costs associated with WAN links, WAN costs are still a major component of enterprises’ operational expenses.
The BranchCache feature in Windows Server 2008 R2 and Windows 7 Client reduces the network utilization on WAN links that connect branch offices and improves the end user experience at branch locations by locally caching frequently used content on the branch office network. As remote branch clients attempt to retrieve data from servers located in the corporate data center, they store a copy of the retrieved content on the local branch office network. Subsequent requests for the same content are served from this local cache in the branch office, thereby improving access times locally and reducing WAN bandwidth utilization between the branch and corpnet. BranchCache caches both HTTP and SMB content and ensures that only authorized users can access it, because the authorization process is carried out at the servers located in the data center. BranchCache works alongside SSL or IPsec encrypted content and accelerates delivery of such content as well.
BranchCache can be implemented in two ways:
  • The first involves storing the cached content on a dedicated BranchCache server located in the branch office which improves cache availability. This scenario will likely be the most popular and is intended for larger branch offices where numerous users might be looking to access the BranchCache feature simultaneously. A BranchCache server at the remote site ensures that content is always available as well as maintaining end-to-end security for all content requests.
  • The second deployment scenario centers around peer content requests and is intended solely for very small remote offices, with roughly 5-10 users, that don’t warrant a dedicated local server resource. In this scenario, the BranchCache server at corpnet receives a client content request and, if the content has been previously requested at the remote site, returns a set of hash directions to the content’s location on the remote network, usually another worker’s computer. Content is then served from this location. If the content was never requested, or if the user who previously requested the content is off-site, then the request is fulfilled normally across the WAN.
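The caching mechanism described above, modelled in Python as an added example (this is not Microsoft's code and not the BranchCache wire protocol): an origin server in the data center authorizes every request and returns a content hash; branch clients search a dedicated hosted cache server or their peers for that hash, verify any copy they find against the origin's hash, and otherwise fetch across the WAN. The user names, paths, ACL and payload are constructed, and the real protocol additionally encrypts cached data with a key derived from a server-side secret, which this model omits.

```python
"""Simplified model of BranchCache-style caching (constructed example, not the
BranchCache wire protocol): the origin authorizes and hashes, the branch caches."""
import hashlib

def content_id(data: bytes) -> str:
    """SHA-256 of the bytes; stands in for the server-computed content hashes."""
    return hashlib.sha256(data).hexdigest()

class OriginServer:
    """Data-center content server; every request is authorized here first."""
    def __init__(self, content: dict, acl: dict):
        self.content, self.acl = content, acl   # path -> bytes, path -> {users}
        self.wan_bytes = 0                      # bytes sent across the WAN
    def _authorize(self, user, path):
        if user not in self.acl.get(path, set()):
            raise PermissionError(f"{user} is not authorized for {path}")
    def get_content_info(self, user, path) -> str:
        """Hash-only reply: 64 bytes across the WAN instead of the whole file."""
        self._authorize(user, path)
        digest = content_id(self.content[path])
        self.wan_bytes += len(digest)
        return digest
    def get_content(self, user, path) -> bytes:
        """Full transfer across the WAN (cache miss)."""
        self._authorize(user, path)
        self.wan_bytes += len(self.content[path])
        return self.content[path]

class CacheStore:
    """Content-addressed store on the branch LAN: hosted cache server or one PC."""
    def __init__(self):
        self.entries, self.online = {}, True    # an offline PC answers no lookups
    def put(self, data: bytes):
        self.entries[content_id(data)] = data
    def get(self, digest: str):
        return self.entries.get(digest) if self.online else None

class BranchClient:
    def __init__(self, user, origin, hosted=None):
        self.user, self.origin = user, origin
        self.local = CacheStore()   # this computer's own cache
        self.hosted = hosted        # dedicated cache server (hosted mode) or None
        self.peers = []             # other computers' caches (distributed mode)
    def fetch(self, path) -> tuple:
        """Returns (data, source) with source 'cache' or 'wan'."""
        # 1. Authorization and the hash come from the origin; a rejected user gets no hash.
        digest = self.origin.get_content_info(self.user, path)
        # 2. Look for that hash on the branch LAN, nearest store first.
        for store in [self.local, self.hosted, *self.peers]:
            data = store.get(digest) if store else None
            # 3. Verify before trusting: a copy not matching the origin's hash is skipped.
            if data is not None and content_id(data) == digest:
                return data, "cache"
        # 4. Miss: fetch across the WAN and publish for the rest of the branch.
        data = self.origin.get_content(self.user, path)
        self.local.put(data)
        if self.hosted:
            self.hosted.put(data)
        return data, "wan"

def build_branch(mode, users, origin) -> list:
    """'hosted': one shared cache server; 'distributed': peers query each other."""
    hosted = CacheStore() if mode == "hosted" else None
    clients = [BranchClient(u, origin, hosted) for u in users]
    if mode == "distributed":
        for c in clients:
            c.peers = [o.local for o in clients if o is not c]
    return clients

def simulate(mode, first_user_leaves=False) -> tuple:
    """Three users read one 102,000-byte file in turn: (WAN bytes, sources)."""
    path, doc = "/reports/q1.docx", b"Q1 sales figures " * 6000   # constructed
    origin = OriginServer({path: doc}, {path: {"alice", "bob", "carol"}})
    alice, bob, carol = build_branch(mode, ["alice", "bob", "carol"], origin)
    sources = [alice.fetch(path)[1]]
    if first_user_leaves:
        alice.local.online = False   # alice takes her laptop off-site
    sources += [bob.fetch(path)[1], carol.fetch(path)[1]]
    return origin.wan_bytes, sources

def tampered_peer_copy_is_rejected() -> str:
    """A peer that rewrites its cached bytes cannot feed them to a colleague."""
    path, doc = "/payroll.txt", b"payroll data"
    origin = OriginServer({path: doc}, {path: {"alice", "bob"}})
    alice, bob = build_branch("distributed", ["alice", "bob"], origin)
    bob.fetch(path)                                          # genuine copy cached
    bob.local.entries[content_id(doc)] = b"altered payroll"  # then altered in place
    return alice.fetch(path)[1]                              # 'wan': bad copy skipped

def unauthorized_user_is_refused() -> bool:
    """The hosted cache holds the file, but a user the origin rejects never gets it."""
    path, doc = "/payroll.txt", b"payroll data"
    alice, dave = build_branch("hosted", ["alice", "dave"],
                               OriginServer({path: doc}, {path: {"alice"}}))
    alice.fetch(path)                # file is now in the hosted cache
    try:
        return dave.fetch(path) is None   # not reached: the origin refuses dave
    except PermissionError:
        return True
```

Calling `simulate("hosted", first_user_leaves=True)` and `simulate("distributed", first_user_leaves=True)` shows the availability difference the two deployment scenarios describe: with a hosted cache server the second and third readers are served locally even after the first reader's laptop leaves the site, whereas in distributed mode the second reader has to go back across the WAN. The two check functions show why authorization and hashing stay at the origin: the cache never answers a user the origin rejected, and a peer's altered copy is discarded rather than served.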
     
  • Higher fault tolerance for connectivity between sites
    One of the most common scenarios facing organizations today is connectivity between sites and locations. Many organizations connect their sites and locations by using VPN tunnels over public networks, such as the Internet. One problem with existing VPN solutions is that they are not resilient to connection failures or device outages. When any outage occurs, the VPN tunnel is terminated and the VPN tunnel must be reestablished, resulting in momentary connectivity outages. The Agile VPN feature in Windows Server 2008 R2 allows a VPN to have multiple network paths between points in the VPN tunnel. In the event of a failure, Agile VPN automatically uses another network path to maintain the existing VPN tunnel, with no interruption of connectivity.
