Ian Hameroff : Windows Networking

Article Alert: Policy-Driven Network Access with Windows Server 2008

ianhamer — Sun, 16 Mar 2008 04:41:35 GMT

While it has been nearly three months since I moved from the role as product manager for Windows Server networking to the Exchange Server team, I still get the occasional opportunity to strut my old networking stuff.

One such example is a recent article I co-authored with Amith Krishnan (product manager for Network Access Protection) on creating a policy-driven network access solution using a bunch of the new features of Windows Server 2008. The article -- entitled Policy-Driven Network Access with Windows Server 2008 -- appears in the March edition of Microsoft's TechNet Magazine.

Here's the article synopsis:

How do you allow network access to those who need it without sacrificing security? See how new technologies in Windows Server 2008, such as Windows Firewall with Advanced Security and Network Access Protection, let you implement a policy-based approach to help you achieve this goal.

Unfortunately, the online version of article doesn't offer you the opportunity to make comments on the article. So, please feel free to post your thoughts or feedback to this blog posting.

Okay, back to Exchange for me. I'm currently completely week 2 of 3 on the road doing focus groups around our future plans for Exchange Server. Good stuff; albeit exhausting to be traveling across the US, Asia (currently in Tokyo) and then Europe. Yahoo!

-- hama

Now You Can Receive Me In Stereo!

ianhamer — Fri, 26 Oct 2007 23:20:59 GMT

As an FYI, I'm now also blogging on the recently launched Forefront Team Blog on another part of the TechNet blog-o-sphere-o-rama. I posted one that's very relevant to the networking and network security themes of this blog, and thought it would be worth a quasi-cost post plug here:

Happy Birthday Windows Networking!

Enjoy!

- hama

Tech·Ed 2007 - Day 4.5: Tolly Group White Paper Published!

ianhamer — Thu, 07 Jun 2007 19:56:29 GMT

So, I've talked a lot about this white paper that the Tolly Group published in my Networking Session on Tuesday. Well, it is now up and ready for download from our TechNet Networking site!

Here's the direct link:

Enhanced Network Performance with Microsoft Windows Vista and Windows Server 2008

Here's a little excerpt to tantalize your interest:

"Just upgrading client PCs to Microsoft's Windows Vista can yield throughput and time-to-completion improvements of up to 2.5X over Windows XP. Complete migration of servers to Windows Server 2008 can yield throughput and time-to-completion improvements of up to 3.5X over Windows XP/Windows Server 2003."

Don't forget to check out the recent article that John Fontana published that talks about this report:

Microsoft-sponsored study says Vista improves TCP/IP performance

Okay, time to prep for my afternoon session on the IPsec Simple Policy Update for Windows XP and Windows Server 2003.

-- hama

Tech·Ed 2007 - Day 4: TLC Fun! (Recap)

ianhamer — Thu, 07 Jun 2007 17:42:45 GMT

Once more, I'm plagued by horrifically poor bandwidth on the hotel network.

After having dinner with Sean (aka Seanv6) at the Bahama Breeze, and dodging some hardcore downpours with lots of loud thunder and nearby lightening to boot, I returned to my humble temporary abode to check email, surf for interesting tidbits to kick-off my Thursday afternoon IPsec session with, and -- YIKES! -- discover 89 kbps download rates.

I normally travel with one of them Linksys Wireless-G Travel Routers, which provides a bit of wireless freedom even if the hotel doesn't offer such. Turns out that the hotel has both wired (including a "bank pen like attached CAT-5 cable -- see picture below) and wireless.

I went through every possible iteration of connectivity options, and actually discovered that my private WLAN yielded better transfer rates than being plugged in directly on the hotel's copper, or using their WLAN.

Amazing!

Sean shared similar frustration, and we both wondered why a conference town like Orlando doesn't have more than "two-cans with string" type network access to the "Internets".

This morning was a little bit better:

Anyhow.

Yesterday afternoon I delivered my "Enabling Policy-Driven Network Access" TLC Interactive Theater session (formerly known as Chalk Talks), to a great audience. The session was (more or less) a mini-breakout, and it appeared to be well received. We talked about a long list of built-in Windows Server 2008 and Windows Vista network security functionality that can help you embrace more policy-driven network access.

The topics included:

Windows Firewall with Advanced Security (aka the new Windows Firewall)
IPsec enhancements
Server and Domain Isolation
Secure Wireless LAN
Network Access Protection

If you attended the session, but would like a copy of the presentation deck (which is not up on CommNet) please contact me.

We also had a little fun yesterday with the Virtual TechEd Security Track folks. Brian Seitz shot a video of (approx. 10 minutes) me and Rodrigo (our MVP) talking about Server and Domain Isolation on the show floor, and Rodrigo's experience deploying the solution at his university in Brazil.

Check it out:

Video: Ian Hameroff at TechEd

You can see more cool stuff like this up on Brian's blog at: http://brianseitz.spaces.live.com.

For fans of my session from the Tuesday (SRV310 - Deploying High Performance and Scalable Networking with Windows Server 2008), here's an article that talks about the Tolly Group performance report that will be posted to MSCOM very shortly (I promise!) that John Fontana from Network World posted yesterday afternoon:

Microsoft-sponsored study says Vista improves TCP/IP performance

Okay, time to get sorted and over to The O.C.C.C.! I have one more session this afternoon SEC309 - Implementing the IPsec Simple Policy Update for Microsoft Windows Server 2003 and Windows XP. Here's the abstract:

Common IPsec-based scenarios, like Server and Domain Isolation, require the configuration of an IPsec policy that contains rules for protected and permitted traffic. For some enterprise deployments, the IPsec policy rules can require hundreds of IP filter definitions that must be maintained over time. The Simple Policy Update for Microsoft Windows XP and Windows Server 2003 changes the behavior of IPsec negotiation so that the IPsec policy rules can be simplified, in some cases drastically reducing the number of required IP filters and their ongoing maintenance. This session dives into what these changes are and how they can be applied to both existing and new deployments of Server and Domain Isolation.

Don't forget to stop by the show floor (aka the Yellow TLC) and say hello!

-- hama

Tech·Ed 2007 - Day 3: My First Session (Recap)

ianhamer — Wed, 06 Jun 2007 22:37:48 GMT

Technically it is day 4 for me, but I had a little trouble posting yesterday evening since just about all the bandwidth in my hotel was consumed. I ran the handy Speakeasy Speed Test a bunch of times and it was barely making it over 300 Kbps on the download side.

Wow!

It's slightly ironic since I presented on the topic of "Deploying High Performance and Scalable Networking with Windows Server 2008" earlier in the day. BTW, thanks to everyone who attended (nearly 460 people) and for the great evaluation feedback. Before I get to the feedback, here are a few tidbits on what I presented:

I started off with a little quiz for the audience. I flashed on the screen a photo that my wife recently took of a sandwich board sign that sits in front of the local downtown Ramada hotel in Seattle. See if you can workout what's the weird bit about this sign, I'll give you 30 seconds:

Well?

Nice job!

As you can see Max's restaurant may boast both the best breakfast in Seattle and that it is available all day long, but only between the hours of their operation (which happens to be 7a until 130p).

After that little bit of fun, I dove into my session which discussed our new TCP/IP stack in Windows Server 2008 (and Windows Vista), with a specific focus on the features that help improve performance and scalability. This included:

TCP Receive Windows Auto-Scaling
Compound TCP (CTCP)
Wireless improvements
Hardware offload and acceleration
Policy-based Quality of Service (QoS)
IPv6 (yup)

We had a good bunch of questions both during and after the session. And, if you didn't attend TechEd 2007, I'm happy to send you copy of the deck.

I did run a little over time, but the majority of the attendees were good sports and stayed as I rapidly finished up that last few slides.

Here are some the comments from attendees (thanks!):

"Excellent Presentation: I really benifited [sic] technically by attending this session! Great information, I can tell that the presenter put alot [sic] of time into preparing this session!"

"Ian ROCKED! It is difficult to get people excited about a network stack but he did it. I was hoping for more demos but the data/tests he discussed did include real-world info and that was good."

"Ian's session was enjoyable. He made it interesting and kept the presentation going at a fast pace. He had a way of taking highly technical designs and statistics and simplifying them so we could understand the benefits. He went over by 10 minutes and almost everyone stayed in the room waiting for him to finish. Thanks Ian."

"A lot of information to go over in a short amount of time."

There was also some good constructive feedback on the need for some more demos, a different description for the session, and improving the room layout. Thanks for that feedback! It really helps me do a better job with my future presentations (which one of mine is about to start!).

Windows Server 2008 Network Security Webcast

ianhamer — Sat, 26 May 2007 01:07:37 GMT

The next few days in the US is Memorial Day weekend, also known as the unofficial start to summer. The means there will be plenty of barbeques, parties, and a Monday off.

Well, if you find yourself without something to done during this extended weekend, why not checkout this 90 minute TechNet webcast Amith Krishnan (NAP product manager) and I recorded back on May 17th:

TechNet Webcast: Windows Server 2008: Advancing Network Security (Level 300)

Here's the abstract of what was covered:

Among the long list of enhancements and innovations coming in Windows Server 2008 are a number of networking advancements and policy-driven network security features. In this webcast, we discuss the next generation of networking features in Windows Server 2008 and the network security solution scenarios these features enable. We examine the new Windows Firewall with Advanced Security, Server and Domain Isolation, and Network Access Protection (NAP). Discover how you can use these new networking innovations to provide your users with a more secure, reliable, and cost-effective connection experience.

We answered a bunch of questions on the call, but happy to answer any more you might have after watching the replay.

Enjoy, and have a great extended weekend!

-- hama

The 2007 Tour: From SecMan to WinHEC to Interop and on to TechEd

ianhamer — Wed, 23 May 2007 21:36:07 GMT

May.

What a crazy month!

What is it that they say?

"May comes in with a joint launch for Forefront and System Center, and goes out with a Windows Server 2008 demo for a BillG keynote at WinHEC in LA"

Maybe I'm confusing the old adage about the month of March.

Anyhow, here's a quick recap.

On May 15th, I had the distinct honor of delivering a Windows Server 2008 Security and Policy-Enforcement demo in Bill Gates' final WinHEC keynote. I already blogged about the experience, et al on the Windows Server Division's blog, but here's a real neat one:

That guy in the red circle (which I added) is me! This was the WinHEC 2007 home page on Tuesday, May 15th. I didn't even know about it until a colleague over in the Windows Server launch team sent an email blast out to the whole world.

This was followed by lots of jibs and jibes and photo doctoring.

Anyhow...it was really cool to meet the big man and show off the sweet security stuff (like NAP) in Windows Server 2008.

Well, right after WinHEC comes Interop.

Yeah, that Las Vegas conference has managed to survive.

At this year's shindig, Microsoft and TCG (Trusted Computing Group) announced that TNC (Trusted Network Connect) -- the third of the three main NAC solutions on the market -- will standardize on NAP's Statement of Health (SoH) protocol, extending NAP interop with Juniper Networks and the rest of the TCG-TNC ecosystem.

You can learn more about this in this new white paper:
Standardizing Network Access Control: TNC and Microsoft NAP to Interoperate

Next: I'm making an appearance on an upcoming Scalable Networking webcast that's being sponsored by Alacritech. We'll be chatting about TCP Chimney Offload with Alacritech's Scalable Network Accelerator line of TOE NICs.

You can learn more about this Wednesday, May 30th webcast and how to register at the following link: Enhancing Your Data Center Performance with Microsoft TCP Chimney Offload

Okay.

After all this is TechEd 2007 in sunny (and humid) Orlando, Florida.

Among the normal stuff we do at this annual company confab, I'm delivering three sessions:

SVR310 - Deploying High Performance and Scalable Networking with Windows Server 2008
Tuesday, June 5th at 2:45PM-4:00PM (Eastern) in room S220 D

SEC08-TLC - Enabling Policy-Driven Network Access
Wednesday, June 6th at 2:00PM-3:15PM (Eastern) in the Theater #2 in the Yellow TLC

SEC309 - Implementing the IPsec Simple Policy Update for Microsoft Windows Server 2003 and Windows XP
Thursday, June 7th at 2:45PM-4:00PM (Eastern) in room N220 E

Following TechEd, who knows?

At least I (mostly) know what's going on between now and then!

Joint IPv6 White Paper Scales to 256-Bit Length Addresses

ianhamer — Tue, 01 May 2007 07:46:06 GMT

Okay, that was a little bit sensational, if not an outright fib.

What's no joke is a newly published joint white paper Juniper Networks and Microsoft have co-developed to talk about deploying end-to-end IPv6 scenarios.

Heck, we felt that whole end-to-end bit was such a good thing we named the white paper after it (which you can find here):

Enabling the Next Generation of Networking with End-to-End IPv6

In addition to us lackeys from the product groups, we had folks from the US Federal/public sector teams at both Juniper and Microsoft collaborate on this paper to ensure it spoke to the requirements that you folks in the federal agencies and related industries are facing as you seek to deploy IPv6.

Hey, how are those deployments going, by the way?

Here's a sampling of the white paper brought to you by way of the infamous executive summary:

As connectivity converges and develops ubiquity many devices are added to the Internet. This trend has created projections of address shortages. Internet Protocol version 6 (IPv6) has promised a solution to this issue. In this paper, Microsoft and Juniper combine their leading networking knowledge to show customers how to adopt IPv6 technology. The paper first looks at the changing expectations of IPv6 with the growth of IPv6-enabled applications like Microsoft Windows Meeting Space in Windows Vista. Next the paper discusses the relationship of each component in an IPv6 implementation. The paper closes with some suggestions on functionality, equipment and deployment scenarios that highlight key aspects of a robust end-to-end IPv6 transition.

As the summary mentions, the white paper covers off a bunch of flexible deployment strategies that leverage transitional technologies baked into Windows Vista and Windows Server "Longhorn" to full blown dual-stacking Juniper gear working in concert with the native IPv6 support in the aforementioned Windows releases (like the graphic below illustrates).

STOP THE PRESSES! DID YOU ACTUALLY THINK YOU'D GET AWAY WITHOUT GETTING AN IPsec PITCH? SUCKER!

I'll admit the above was a bit silly, if not juvenile, but this is the little fun I get to have blogging offline while drinking horrific coffee cruising at 35,000 ft en route to Los Angeles to support the big joint Forefront/System Center launch on Wednesday.

Well, back to the IPsec pitch. As you all know, my day job is minding the Internet protocols suite in Windows Server. Since there are way too many to count on the knurled fingers of the guy siting next to me (yeah, this dude was chewing and picking at his nails for a good 30 minutes until we took off and the engine noise lulled him to sleep), we primarily focus on a few key ones that enable our major networking scenarios (like Server and Domain Isolation and NAP which uses IPsec).

I happen to think IPv6 migration is a pretty significant scenario that can also benefit from the cost-effective end-point authentication features of IPsec (as it was originally intended and realized with IPv6). I also happen to know that IPsec can potentially introduce a full list of interoperability challenges that you may not wish to tackle. We're trying to work out how to strike the right balance between true end-to-end host authentication (not just at the network on ramps) while still preserving the network management and optimization features you've deployed are will consider deploying (say, WAN optimization).

Well, it's important to look to the larger challenges (and risks) you are looking to address and we could certainly use your feedback to make sure we drive the right set of features into the platform and through our partner eco-system. I'm not going to reiterate the IPsec makes IPv6 better pitch, since I already blogged on this many times. Instead, I ask you to share your thoughts about how you think IPsec can help make your future IPv6 work more secure and scalable.

Well, time to close up since we're about to land at LAX. Hope to see you at the launch event on Wednesday!

Get Your NAP (Step-by-Step) On!

ianhamer — Fri, 27 Apr 2007 20:11:45 GMT

A great thing about reaching the B3 milestone for Windows Server "Longhorn" is all the new (and improved) documentation that we get to publish. One such example is a set of new Network Access Protection (aka NAP) "step-by-step" guides to help you setup and test your favorite NAP scenario.

For your perusal, we have four new guides to match the four flavors of NAP enforcement:

DHCP
VPN
802.1X
IPsec (my personal fav)

This is quite timely -- not only because we just release Beta 3 of Windows Server "Longhorn" -- because just yesterday afternoon I spoke on a panel about securing data in a highly mobile environment as part of the CSO Summit going on here on campus. After the panel chatted about such new and updated data security features like BitLocker and RMS, we switched gears to talk about data in motion.

I was not surprised to see that most people (including CSOs in the communications sector) were mostly concerned about the impact of "guest workers" on their network leading to information compromise and leakage. About 3/4 of the folks in attendance indicated that was their primary motivator for evaling such things as end-point auth and network access control solutions.

When I started to talk about what were doing with NAP and other type solutions (read: Server and Domain Isolation) many wanted to know both what they could do now (like with Server and Domain Isolation -- which is available from Windows 2000 through Windows Server "Longhorn") and how they could "kick the tires"

Well.

These step-by-step guides are a great way to get things rolling. Simply download Beta 3, install our kick arse Virtual PC 2007 (available at no cost) and pick your favorite step-by-step. Clearly the 802.1X scenario will present some challenges since you really can't virtualize a switch (easily).

Check this stuff out and I'd enjoy hearing what you're feedback!

WinServer "Longhorn" B3: This time it's "Ready, Set, (Download), and Evaluate!"

ianhamer — Thu, 26 Apr 2007 04:01:00 GMT

That's right Windows Server "Longhorn" fans, Beta 3 is ready for your evaluation!

Simply visit http://www.microsoft.com/getbeta3, and you're halfway there to trying out the first major public preview of our next generation of Windows Server.

As our press release touts:

"[With] Beta 3, customers will see new features and enhancements that include stronger security, better performance, new server roles and features, and additional server management and remote administration tools."

What that translates to is, well, a lot of new features and functionality that are ready for "tire kicking."

Heck, we even provided a little cheat sheet to help you zero in on some of the key new features:

New and improved features in Beta 3 include the following:

Windows PowerShell is now included in the product.

Active Directory Federation Services improvements allow customers to implement new policies and make it easier to set up a relationship between trusted partners.

The Server Core installation option now comes with additional roles and enhanced functionality, such as print services and Active Directory Lightweight Directory Services.

The Server Manager console includes additional remote administration tools to provide a more integrated management environment.

Windows Firewall with Advanced Security, now on by default, provides a persistent and more secure environment beginning at installation.

NAP is integrated with Microsoft Update and Windows Update to enable administrators to decide which updates are critical and set policies accordingly. It also has a new administrative interface for simplified setup, scalability and better performance.

Hey, there are two key features of mine on that list! NAP and the Windows Firewall with Advanced Security.

Now, there's been enough written about that NAP thingy, so I'll concentrate on the Windows Firewall instead. You didn't misread the bullet above -- we have switched it on by default to help further the defense-in-depth security controls for Windows Server as well as help reduce attack surface area right out of the gate.

We started down this road with the "Post -Setup Security Update" feature in Windows Server 2003 Service Pack 1 that switched on the newly added Windows Firewall right after install so you could safely venture on to the Internet to retrieve latest updates without increasing the risk of an unpatched vuln being exploited over the network. As you might recall, this feature was described as follows:

"Windows Firewall provides network protection after install while users update their system with the latest patches using the new Post-Setup Security Updates feature.

[Post-Setup Security Updates was] designed to protect the server from the risk of infection between the time the server is first started and the application of the most recent security updates are applied from Windows Update. If Windows Firewall is enabled and the administrator did not explicitly enable Windows Firewall using an unattended-setup script or Group Policy, Post-Setup Security Updates opens the first time an administrator logs on."

The team has been working diligently to test all the major Windows Server scenarios/workloads/roles/etc under this new "on by default" model to ensure we were able to map out the key IP service ports and related communication parameters. We've also done some neat stuff with Server Manager feature (cool stuff!) to help apply the appropriate firewall policies per the role(s)/workload(s) you enable.

I strongly encourage you to check this feature out, and learn about how this default to on works with the applications you run on top of Windows Server!

Well, my battery is just about to die (I'm at SFO getting ready to head back to SEA from the Gartner Symposium/ITxpo event here this week -- more on that later), so I better stop here so I can get this thing posted!

Networkin' Forums-o-Plenty!

ianhamer — Thu, 19 Apr 2007 01:30:10 GMT

Great news networking fans, we've doubled the number of of Windows Server "Longhorn" focused TechNet forums focused on networking related workloads and features. In addition to the Platform Networking forum launched a number of months back, we really kicked off a new Network Infrastructure Servers forum to focus on our four main networking server roles:

DHCP
DNS
RRAS
NPS (formerly known as IAS Server, and more commonly called RADIUS by the masses)

The beauty of these forums is they are a great way to connect with folks like me (if you think that's a great deal and all) and members of the Windows networking engineering team. Oh yeah, we've got a lot of non-Softies logging hours on the forums help address question you may have while checking out all the new networking features in Windows Server "Longhorn" and Windows Vista.

Oh.

Yeah.

Don't forget the Network Access Protection and Terminal Services forums either.

Come to think of it, just check'em all out at:
http://forums.microsoft.com/TechNet/default.aspx?ForumGroupID=161&SiteID=17

WinServer Longhorn and WinVista: Like to Two Peas in a Pod...er...On a Network

ianhamer — Wed, 07 Mar 2007 03:16:35 GMT

Your humble blogger returns after surviving a cross-country trip to ol' New York on "vacation". Vacation is in quotes because, well, I need one now that I'm back.

On to business!

While I was out, J. Nicholas Hoover of InformationWeek published a "Top Seven" (Letterman fans unite) on Windows Vista features that need a little help from Windows Server "Longhorn" to light up:

Seven Windows Vista Features That Depend On Longhorn Server

This is pretty cool because it highlights things like:

Network Access Protection:
"Microsoft's access control method--network access protection--is built into Vista and Longhorn. NAP lets administrators define policies that, for example, require that anyone who wants to connect to a network run Vista with the latest patches plus valid anti-spyware and anti-spam applications, or be denied access."
Policy-based Quality of Service:
"Microsoft mostly left quality of service--controlling bandwidth priority for certain apps and users--to networking vendors. Now it's making that better with Vista and Longhorn via an upgraded network protocol stack."
IPv6:
"IPv6 is an Internet Protocol upgrade that promises to dramatically increase the number of viable addresses, and it's native in Vista and Longhorn."

The article (in the short space of 985 words) does generalize a bit. Like the comment that NAP for XP doesn't necessarily "interoperate with some popular enforcement mechanisms and won't work without Longhorn." So, it's important to check out the links I provided above for some additional, deeper details on these technologies and features.

Going back to my example, NAP "technically" only requires a single WinServer "Longhorn" server running the Network Policy Server (NPS) role. You'd likely have a few more of these around for fault tolerance and to scale out across large networks. Secondly, we're doing a lot to ensure the XP NAP add-on client will provide a good deal of parity to the built-in client for Windows Vista.

One other reference that is worth a deeper review is related to the work we've done with Policy-based Quality of Service (QoS). Hoover generalizes about how "Longhorn will assign priority and bandwidth limits to applications on a network" and that it only works "if there's a Vista client on the other end."

Well, that's mostly true.

Here's the scoop. Yes, we now have mechanisms within Windows Vista and Windows Server "Longhorn" to provide centralized management of QoS policies. We call that bit Policy-based QoS. As the link above details, this provides a means to "stamp" outgoing packets with a DiffServ (DSCP) value (one of them Internet standards) so your routing fabric knows how to manage the priority of this traffic using it's existing QoS queues. For this "stamping" to occur, the host needs to be either a Windows Vista client or a Windows Server "Longhorn" server (no current plans for down-level support). If the host on the other end is not one of these (or even Windows) this will have no impact on the QoS policy. The routers just need to support DSCP (which is quite common since this was outlined in RFC 2474 in 1998).

As for the bandwidth throttling, this do not require a specific host or router/switch on the other end either. The client (or server) will simply slow the pace based on the policy created (see below for an example) for the application or network address/port/service you define.

There are a bunch of other things we do to improve network performance and scalability that improve even further when you have Windows Vista on the client and Windows Server "Longhorn" on the back end. Check out the webcast I did back in October 2006 that covers off these "better together" networking scenarios.

Overall, it is super cool to have these numerous networking features highlighted in this top seven list. Thanks Nick! I just wanted to make sure you had all the details at your disposal.

WinVista VPN Client-o-Rama

ianhamer — Tue, 27 Feb 2007 19:24:09 GMT

One of the most common questions we are getting from customers who are preparing to upgrade their environment to Windows Vista is: "Will my VPN client from <insert vendor> work with Vista?"

Good question. Nah, that's a great question. Why? Well, considering the sear number of laptops and all the mobile computing enhancements in Windows Vista, it's no surprise that users would be "on the road" and wanting to gain access back to the mothership.

To help you find out the release schedules of VPN clients that will be 100% compatible with our latest client OS, we've setup a living KB article entitled:

Windows Vista-compatible third-party virtual private network (VPN) client schedules

For fans of the Article IDs, it's 929490. The article has already been updated a bunch of times as we get the latest info in from vendors like Checkpoint, Cisco, and Aventail. As you can imagine, we've been working with these vendors (IPsec and SSL-VPNs alike) for several years during the ramp up to release of WinVista. Many of them are now just putting the final touches on their client software and hammering through the last set of test plans before releasing to customers.

It's important to note that the information provided on this KB article is provided by the third-parties, not Microsoft. So, my recommendation is you check out this article, zero in on the details for your particular VPN solution, and follow the links provided to the vendor's site for more details.

On another note, there are lots of alternatives if you're feeling the VPN compatibility blues. For example, you should do a good inventory of what you actually need to make available remotely and see if alternative (yet still secure) solutions could be a better route (including potential cost savings).

For example, most of the remote access requirements here at Microsoft are related to Exchange. It's likely no surprise that 'softies are email junkies. We can't get enough. Seriously, we need help. Anyhow, instead of opening up a fat VPN tunnel for just email access, we use the Outlook Anywhere (formerly known as RPC over HTTP) to, effectively, provide an application specific SSL based solution for remote email access. Neat stuff and it doesn't change the end-user experience. I just pop open Outlook (even though it's likely already open) and once I have a routable IP address...BAM...I'm getting my email fix.

A second option is to look at using the reverse proxy/application publishing features of ISA Server 2006 and IAG 2007. We've used some of this for securely exposing applications, like our expense report tool, without needing to fully VPN in. We can still employ strong, multi-factor user authN, but it's still not a full VPN tunnel being setup.

Lastly, there are our Secure Remote Access solutions that are already ready for Windows Vista:

Check this stuff out, as well as the Windows Vista app compat kits recently release.

Hey TCP! What Have You Done for Me Lately?

ianhamer — Thu, 25 Jan 2007 04:46:26 GMT

Let's face it, the Internet is running on some old protocols. TCP, for example, was originally proposed in an RFC that dates back to 1981. That's not to say these protocols and communication services aren't up to the task at the ripe old age of 25 or so years old. Instead, it begs the question: how can this heavily embedded, well accepted method for connecting two hosts evolve to meet the changing networking landscape?

That was a question posed in a recent series of of Network World "Network Optimization Newsletters" under the topic of "Time for new TCP"?

In the latest round of reader responses, entitled "More thoughts on alternates to today's TCP", Joe Skorupa of Gartner spoke very positively of the work we did on the new TCP/IP stack in Windows Vista and Windows Server "Longhorn" (affectionately called "NetIO" and pictured below)

Here's what Joe had to say:

"If you want to improve TCP, just implement the fixes detailed in a series of IETF standards (including RFCs 3390, 2582, 2883 3517 and 4138). They include fast ramp, selective acknowledgement, large transmit and receive windows and explicit congestion notification. These are now standards, are well understood and have been tested by a large community and have been shown to work well," Skorupa explains. "Additionally, many [WAN optimization controller] vendors incorporate most of these features and Microsoft’s new TCP stack for Vista/Longhorn has excellent support for this approach."

Joe's referring to the long list of performance improvements already available to users of Windows Vista (like me...okay, that's not fair to rub that in, but the consumer launch is coming up real fast) and will be a standard experience in Windows Server "Longhorn".

Sound good to you? Start your testing today!

Missed TechEd '06? Fret Not...IT's Showtime!

ianhamer — Fri, 15 Sep 2006 03:03:00 GMT

Beyond the shock and awe you are currently experiencing from the fact I have now completed two posts with less than three weeks between, you should checkout the recently published videos from a bunch of great TechEd 2006 Boston sessions.

Thanks to Microsoft EMEA's TechNet "IT's Showtime", you now have the ability to watch the dynamic-duo of Chris Mitchell (GPM for Internet Protocols) and your humble blogger (um, that's me) delivering our patented Longhorn networking session at anytime and on-demand!

Here's the link:

Next-Generation Networking Features with Chris Mitchell and Ian Hameroff

Now, I just read the email sent by the team in EMEA that announced the availability of these videos. Man, was I surprised to discover the IT's Showtime content owners decided to put Chris' picture next my name. Not sure if that was on purpose, but I have asked them to see if they switch it to me (or at least someone else <g>).

Enjoy the show, which includes a bunch of demos and a bunch of bad jokes. You can find the full list of TechEd '06 sessions now available on-demand here:

http://www.microsoft.com/emea/itsshowtime/result_search.aspx?event=28&x=27&y=5