Ian Hameroff : Windows Server 2003

Test Drive Server and Domain Isolation!

ianhamer — Mon, 03 Dec 2007 22:26:50 GMT

Yes.

I agree that it took us long enough to get this thing posted since I first mentioned it back in February.

Nevertheless, you can now download the kick ass Server and Domain Isolation demo/lab that Microsoft MVP and Virtualization and Security Guru Ronald Beekelaar built for us:

Server and Domain Isolation Demo

This kit includes everything you need to test drive a Server and Domain Isolation deployment on Windows Server 2003 and Windows XP.

Wait!

Did I say WS03 and XP?

Yes. But, don't fret.

We're working with Ron to get an updated version of the demo that highlights all the great stuff we've done in Windows Vista and Windows Server 2008. This version (no pressure Ron!) should hit the streets around the RTM/Launch of WS08. Stay tuned!

Okay, back to describing the one you now have at your disposal: You'll find 5 pre-configured VHDs and some great documentation that will step you through both basic and advanced S&DI scenarios. Ron's done a great job with visualizations that help tell the story and explain the data flows, etc. when trying out the different scenarios (like the "Start Page" shown below).

All you'll need to do to run the demo is download Virtual PC 2007 (or use an existing Virtual Server or Virtual PC installation) which you can get for free from http://www.microsoft.com/virtualpc.

After you've been wowed by the great stuff you can do with S&DI (which is an out of the box security solution with WS03, XP and Win2K, and WS08 and WinVista), visit our TechNet Server and Domain Isolation site at http://www.microsoft.com/sdisolation to learn more, review customer case studies, and download deployment guidance.

Have fun!

-- hama

Windows File Serving: Now with More Scalability

ianhamer — Wed, 05 Sep 2007 18:56:45 GMT

Okay, okay.

It's been a long while.

I have no excuses. Well, at least good excuses.

I was on vacation last week.

Then there was the ramp-up to the vacation the weeks before.

Before that there was this really good TV show on.

My dog ate my Internet?

No?

Moving on: It's T-minus one day before I embark to South East Asia and my grand tour of Kuala Lumpur and Singapore. I'll be heading over to speak at TechEd SEA 2007, and chillin' with some customers, partners and local SE Asia 'softies.

In preparation for my long sojourn, I was going through my Inbox (post-holiday mind you) and found that I didn't tell you about the recent (well from mid-August) joint white paper Alacritech and Microsoft did about how the Scalable Networking technologies, specifically TCP Chimney, working in concert with Alacritech's TOE NICs help improve Windows Server file server performance and scalability.

Here's a link to the white paper:

Enabling Greater Scalability and Improved File Server Performance with the Scalable Networking Pack and Alacritech Dynamic TCP Offload

Overall our joint testing showed double digit improvements in throughput and scalability over traditional NICs:

Testing showed in every case that the combination of Microsoft’s TCP Chimney Offload and the Alacritech Scalable Network Accelerators provided improvement over standard legacy NICs…as the performance demands on the server increased, the benefit of Microsoft TCP Chimney Offload and Alacritech Scalable Network Accelerators over the legacy NIC became more apparent. In every case the Alacritech Accelerators provided superior throughput over legacy NICs, while at the same time they were able to support more clients and maintain service levels longer. On average the offload solution was able to support 19% more clients and 18% more throughput while maintaining linear scalability. At their highest point, the Alacritech/TCP Chimney Offload solution provided an average of 22% greater throughput then the legacy NIC

Give the paper a read through and let us know what you think.

Meanwhile, stay tune for some updates from SE Asia over the next few weeks.

-- hama

Brand Spanking New Server and Domain Isolation Case Study

ianhamer — Tue, 19 Jun 2007 00:03:51 GMT

Hot off the presses, we've just published a brand spanking new customer case study about how the City of Sapporo (Japan) implemented a Server and Domain Isolation solution.

Here's a link to the case study (which you can also find with several case studies on our our Server and Domain Isolation TechNet site):

Major Japanese Municipal Principal Government Achieves Security Compliance at Nil Cost

Here's a little bit about what you'll learn:

In 2004, the local government of the City of Sapporo, Japan, established a security policy to define and control how the city maintained its information assets. With 12,000 users working in almost 870 departments and limited enforcement resources available in the form of staff and operational procedures, policy compliance proved difficult to achieve. By implementing a Server and Domain Isolation solution based on Microsoft Windows Internet Protocol Security (IPsec) and Active Directory, the City of Sapporo was able to implement cost-effective end-point authentication to dynamically segment its Windows environment into more secure and isolated logical networks, without requiring costly changes to its network infrastructure or applications. The solution has improved information security and reduced the risk of unauthorized access to confidential data on the organization’s Intranet.

What's neat?

They did all this on Windows Server 2003, Windows XP and Windows 2000.

Does that mean there's nothing in Windows Vista or Windows Server 2008 that you should be interested?

Not true.

With Windows Vista and Windows Server 2008, we make deploying a solution like the one outlined in the above case study easier to configure, deploy and maintain. Neat stuff!

And, they've also laid a foundation that can be used to help enforce network access once Windows Server 2008 ships and introduces Network Access Protection.

Enjoy!

-- hama

New White Paper on Intel's I/OAT with the Scalable Networking Pack

ianhamer — Thu, 14 Jun 2007 06:54:14 GMT

I'm back, healthy and attempting to catch up from TechEd 2007. While it was a killer time down in Orlando, there was plenty of good stuff piled up on my desk (and in my inbox) on my return to Redmond.

One of those items on the "good stuff" pile, was a newly published white paper my marketing peers at Intel and I put together to describe how Intel's I/OAT technology works with the Scalable Networking Pack for Windows Server 2003 (and as part of Windows Server 2003 SP2).

And now, without further ado, here's a link to the paper:

Introduction to Intel I/O Acceleration Technology and the Microsoft Windows Server 2003 Scalable Networking Pack

To help whet your appetite to download, here's the abstract:

This white paper examines the need for IT organizations to eliminate the I/O bottlenecks that can occur in the face of ever larger volumes of network traffic. The paper describes how Intel I/O Acceleration Technology (Intel I/OAT), which uses features of the Microsoft Windows Server 2003 Scalable Networking Pack, moves network data more efficiently through Intel Xeon processor-based servers for fast, scalable, and reliable networking. Intel I/OAT provides network acceleration that scales seamlessly across multiple Ethernet ports and is a safe and flexible choice because it is tightly integrated into Microsoft Windows Server 2003 and other popular operating systems.

Hey, don't forget to check out the other resources up on our Scalable Networking TechNet site, and also look for even more exciting networking offload support coming in Windows Server 2008.

Tech·Ed 2007 - Day 4: TLC Fun! (Recap)

ianhamer — Thu, 07 Jun 2007 17:42:45 GMT

Once more, I'm plagued by horrifically poor bandwidth on the hotel network.

After having dinner with Sean (aka Seanv6) at the Bahama Breeze, and dodging some hardcore downpours with lots of loud thunder and nearby lightening to boot, I returned to my humble temporary abode to check email, surf for interesting tidbits to kick-off my Thursday afternoon IPsec session with, and -- YIKES! -- discover 89 kbps download rates.

I normally travel with one of them Linksys Wireless-G Travel Routers, which provides a bit of wireless freedom even if the hotel doesn't offer such. Turns out that the hotel has both wired (including a "bank pen like attached CAT-5 cable -- see picture below) and wireless.

I went through every possible iteration of connectivity options, and actually discovered that my private WLAN yielded better transfer rates than being plugged in directly on the hotel's copper, or using their WLAN.

Amazing!

Sean shared similar frustration, and we both wondered why a conference town like Orlando doesn't have more than "two-cans with string" type network access to the "Internets".

This morning was a little bit better:

Anyhow.

Yesterday afternoon I delivered my "Enabling Policy-Driven Network Access" TLC Interactive Theater session (formerly known as Chalk Talks), to a great audience. The session was (more or less) a mini-breakout, and it appeared to be well received. We talked about a long list of built-in Windows Server 2008 and Windows Vista network security functionality that can help you embrace more policy-driven network access.

The topics included:

Windows Firewall with Advanced Security (aka the new Windows Firewall)
IPsec enhancements
Server and Domain Isolation
Secure Wireless LAN
Network Access Protection

If you attended the session, but would like a copy of the presentation deck (which is not up on CommNet) please contact me.

We also had a little fun yesterday with the Virtual TechEd Security Track folks. Brian Seitz shot a video of (approx. 10 minutes) me and Rodrigo (our MVP) talking about Server and Domain Isolation on the show floor, and Rodrigo's experience deploying the solution at his university in Brazil.

Check it out:

Video: Ian Hameroff at TechEd

You can see more cool stuff like this up on Brian's blog at: http://brianseitz.spaces.live.com.

For fans of my session from the Tuesday (SRV310 - Deploying High Performance and Scalable Networking with Windows Server 2008), here's an article that talks about the Tolly Group performance report that will be posted to MSCOM very shortly (I promise!) that John Fontana from Network World posted yesterday afternoon:

Microsoft-sponsored study says Vista improves TCP/IP performance

Okay, time to get sorted and over to The O.C.C.C.! I have one more session this afternoon SEC309 - Implementing the IPsec Simple Policy Update for Microsoft Windows Server 2003 and Windows XP. Here's the abstract:

Common IPsec-based scenarios, like Server and Domain Isolation, require the configuration of an IPsec policy that contains rules for protected and permitted traffic. For some enterprise deployments, the IPsec policy rules can require hundreds of IP filter definitions that must be maintained over time. The Simple Policy Update for Microsoft Windows XP and Windows Server 2003 changes the behavior of IPsec negotiation so that the IPsec policy rules can be simplified, in some cases drastically reducing the number of required IP filters and their ongoing maintenance. This session dives into what these changes are and how they can be applied to both existing and new deployments of Server and Domain Isolation.

Don't forget to stop by the show floor (aka the Yellow TLC) and say hello!

-- hama

WinServer 2003 SP2 Comes Alive!

ianhamer — Wed, 14 Mar 2007 02:35:19 GMT

So. Yes. Okay. I'm a Peter Frampton fan. And, when I learned that our planned release of Windows Server 2003 Service Pack 2 (SP2) had, well, released today, it made me think of Frampton's "Frampton Comes Alive!" album from 1976.

Why?

I don't know.

Seriously.

I did happen to go to Plattsburgh State University (of New York) where several of the tracks were recorded (well before my tenure there). Maybe that's it.

Moving on to the business at hand.

WS03SP2 includes a bunch of stuff related to networking, including the following features:

Scalable Networking Pack (TCP Chimney Offload, Receive-side Scaling and NetDMA)
IPsec Simple Policy Update (aka Improved IPsec filter management) for making Server and Domain Isolation deployments easier with WS03 and XP
Wi-Fi Protected Access 2 (WPA2) support for XP x64 and WS03
Enabling ‘Firewall Per Port’ Authentication which means "Firewall per port authentication secures traffic between the Extranet environment and internal assets that are protected via IPsec Domain Isolation."

And, there's a whole lot more that makes Server Pack 2 worth a good look and eventual deployment.

"So, how do I get it?"

It's already available off of Windows Update/Microsoft Update. At first (as pictured below) it was placed under the High-priority updates, but it is now a "Software, Optional".

Nevertheless, we'll be making this an automatic update in the a few months, much like we did with Windows Server 2003 SP1 and XP SP2.

You can also visit the official SP2 site on TechNet and find all different versions of the SP for WS03 and XP x64 Edition:

http://www.microsoft.com/technet/windowsserver/sp2.mspx

The above link includes links the downloads (regular and ISO flavors), overview docs, like the overview and what's new in SP2, and deployment guidance. There's also a great "Top 10 Reasons to Install" which happens to feature two of my favorites as #3 and #4:

Download SP2 and start evaluating. Especially since the WDS features will help you get Windows Vista deployed and, well, heck, it's got a lot of networking goodness to keep you happy while we finish up Windows Server "Longhorn".