As organizations find their workforce becoming more and more mobile, Microsoft has made significant improvements to mobility in Windows Server 2008 R2. New technologies provide a more seamless experience for users with laptops who move from office, to home, to Internet Wi-Fi hot spots while maintaining connectivity to network resources. These improvements do require mobile users to run the latest Windows 7 client operating system on their laptops to gain access to these new services; however, once implemented, users find that the functionality greatly eases access to network resources no matter where the user resides.
Windows Server 2008 R2 DirectAccess
One of the significant remote access enhancements in Windows Server 2008 R2 is the DirectAccess technology. DirectAccess provides a remote user the ability to access network resources such as file shares, SharePoint shares, and the like without having to launch a virtual private network (VPN) to gain access into the network.
DirectAccess is an amazing technology that combines sophisticated security technology and policy-based access technology to provide remote access to a network; however, organizations do find it challenging to get up to speed with all the technology components necessary to make DirectAccess work. So, although many organizations will seek to achieve DirectAccess capabilities, it might be months or a couple of years before all the technologies are in place for the organization to easily enable DirectAccess in their enterprise environment.
Some of the technologies required to make DirectAccess work include the following:
PKI certificates— DirectAccess leverages PKI certificates as a method of identification of the remote device as well as the basis for encrypted communications between the remote device and the network. Thus, an organization needs to have a good certificate infrastructure in place for server and client certificate-based encrypted communications.
Windows 7 clients— DirectAccess only works with clients that are running Windows 7. The client components for encryption, encapsulation, and policy control depend on Windows 7 to make all the pieces work together.
IPSec— The policy control used in DirectAccess leverages IPSec to identify the destination resources that a remote user should have access to. IPSec can be endpoint to endpoint (that is, from the client system all the way to the application server), or IPSec can be simplified to run from the client system to a DirectAccess proxy server, in which case the actual endpoint application servers do not need to be IPSec enabled. In either case, IPSec is a part of the security and policy structure that ensures the remote client system is only accessing server resources that, by policy, the remote client should have access to as part of the DirectAccess session connection.
IPv6— Lastly, DirectAccess uses IPv6 as the IP session identifier. Although most organizations have not implemented IPv6 yet and most on-ramps to the Internet are still IPv4, tunneling of IPv6 is fully supported in Windows 7 and Windows Server 2008 R2 and can be used in the interim until IPv6 is fully adopted. For now, IPv6 is a requirement of DirectAccess and is used as part of the remote access solution.
Windows 7 VPN Reconnect
VPN Reconnect is not a Windows Server 2008 R2–specific feature but rather a Windows 7 client feature; however, with the simultaneous release of the Windows 7 client and Windows Server 2008 R2, it is worth noting this feature because Microsoft will be touting the technology and network administrators will want to know what they need to do to implement it. VPN Reconnect is simply an update to the VPN client in Windows 7 that reestablishes a VPN session on a client system in the event that the client system’s VPN session is disconnected.
VPN Reconnect effectively acknowledges that a client VPN session has been disconnected and reestablishes the session. Many longtime administrators might wonder why this is new, because client systems in the past (Windows XP, Vista, and so forth) have always had the ability to retry a VPN session upon disconnect. However, the difference is that instead of simply retrying the VPN session and establishing a new VPN session, the VPN Reconnect feature of Windows 7 reestablishes a VPN session with the exact same session identification, effectively allowing a session to pick up exactly where it left off.
For example, a Windows 7 client user can be transferring a file on a wired VPN-connected session and then switch midstream to a Wi-Fi VPN-connected session, and the file transfer will continue uninterrupted.
VPN Reconnect utilizes the IKEv2 protocol on the client and on the Windows Server 2008 R2 side with an established session identification so that upon reconnect, the session ID remains the same.
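The session-identity behaviour described above, as an added model that is not part of the original text and not Microsoft's code: the server keys the IKEv2 SA by its SPI pair rather than by the client's IP address, so a client that roams from a wired to a Wi-Fi address keeps the same session and the transfer riding on it, while an address update that is not authenticated with the SA's own integrity key is ignored. The message framing, key derivation and addresses are constructed for illustration (loosely modelled on the IKEv2 address-update mechanism of RFC 4555, not its real wire format).

```python
import hashlib, hmac, os

TAG = b"UPDATE_SA_ADDRESSES"   # constructed label for the "my address changed" request

class IkeSa:
    """Server-side state of one IKEv2 SA, keyed by SPI pair, never by the peer's IP."""
    def __init__(self, spi, sk_a, peer_ip):
        self.spi, self.sk_a, self.peer_ip = spi, sk_a, peer_ip
        self.bytes_received = 0          # progress of the file transfer riding on this SA

class VpnServer:
    def __init__(self):
        self.sas = {}                    # (spi_i, spi_r) -> IkeSa
    def establish(self, client_ip):
        # IKE_SA_INIT + IKE_AUTH abstracted away: SPIs and integrity key are random here
        sa = IkeSa((os.urandom(8), os.urandom(8)), os.urandom(32), client_ip)
        self.sas[sa.spi] = sa
        return sa.spi, sa.sk_a
    def update_address(self, spi, new_ip, mac):
        """Move the SA to a new peer address only if the request carries the SA's own MAC."""
        sa = self.sas.get(spi)
        if sa is None:
            return False
        expected = hmac.new(sa.sk_a, TAG + new_ip.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False                 # unauthenticated address change: ignore it
        sa.peer_ip = new_ip
        return True
    def receive(self, spi, src_ip, nbytes):
        """Data on an SA is accepted only from the address the SA currently maps to."""
        sa = self.sas.get(spi)
        if sa is None or sa.peer_ip != src_ip:
            return None
        sa.bytes_received += nbytes
        return sa.bytes_received

class VpnClient:
    def __init__(self, server, ip):
        self.server, self.ip = server, ip
        self.spi, self.sk_a = server.establish(ip)
    def roam(self, new_ip):
        """Network changed (wired -> Wi-Fi): keep the SPI, authenticate the new address."""
        self.ip = new_ip
        mac = hmac.new(self.sk_a, TAG + new_ip.encode(), hashlib.sha256).digest()
        return self.server.update_address(self.spi, new_ip, mac)
    def send(self, nbytes):
        return self.server.receive(self.spi, self.ip, nbytes)

def demo():
    """Constructed scenario from the text: a transfer continues across an address change."""
    server = VpnServer()
    client = VpnClient(server, "192.0.2.10")            # wired address (constructed)
    first = client.send(4096)
    moved = client.roam("198.51.100.7")                 # switched to Wi-Fi (constructed)
    second = client.send(4096)                          # same SA, counter keeps going
    forged = server.update_address(client.spi, "203.0.113.9", b"\x00" * 32)
    return first, moved, second, forged
```

A legacy client that simply redialled would get a fresh SA with a counter starting at zero; here the second send lands on the original SA.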
Windows 7 Mobile Broadband
Another Windows 7–specific technology for mobile users is Windows 7 Mobile Broadband. Again, something that has nothing to do specifically with Windows Server 2008 R2, Windows 7 Mobile Broadband is an update to the carrier-based (for example, AT&T, Sprint, Verizon) mobile connection devices and services in Windows 7.
In the past, a user plugged a Mobile Broadband card into their Windows XP or Vista system and then had to launch an application such as the AT&T Connection Manager. With Windows 7 and the latest Mobile Broadband drivers for the device and for Windows 7, inserting the Mobile Broadband card into a mobile system automatically connects the user to the Internet. Just as turning on a Wi-Fi adapter in a system automatically establishes a connection to a Wi-Fi access point, Mobile Broadband automatically connects the user to the Internet.
When the Windows 7 Mobile Broadband adapter is disconnected from the user’s system, the Mobile Broadband session disconnects, and if the system has a Wi-Fi or wired Ethernet connection available, the user’s system automatically connects to an alternate connection point. Combine Mobile Broadband with VPN Reconnect or with DirectAccess and a mobile user has seamless connection access back into their organization’s network.