How to use Windows 7’s advanced networking system to work from any location
Connect at home, on the move, or in the office
By PC Advisor staff | PC Advisor | Published: 17:44, 06 April 2011
No matter if you're at home, on the move or in the office, Windows 7 lets you connect and get things done. The trend these days is towards remote and mobile computing, and it's important for an operating system to provide the tools necessary to keep you connected and productive wherever you may be. So Microsoft has incorporated a variety of new networking features in Windows 7 that simplify connectivity and help users access resources.
Here we'll take a closer look at some of the innovations. Bear with us if we get a bit technical: this stuff can make all the difference to your work/life balance.
Roaming users generally rely on a virtual private network (VPN) to provide a secure, authenticated tunnel between their computer and the internal company network. You don't have to know how it works, but it's the technology that convinces IT managers to say yes to working from outside the office.
When you're sitting in a hotel room, at a customer's office or in your own study and you establish a VPN connection, your PC will generally stay logged on without any problems. However, when you're relying on a Wi-Fi hotspot or mobile broadband dongle to establish a VPN connection while on the move, you may suffer frequent dropped connections and a cumbersome process for re-authenticating and re-establishing the VPN connection each time.
The VPN Reconnect feature allows Windows 7 to automatically re-establish active VPN connections after Internet connectivity is interrupted. As soon as Windows 7 reconnects to the Internet, it will also reconnect to the VPN.
Inevitably, the VPN will still be unavailable as long as the internet connection is down, and the process of reconnecting will take a few seconds after access becomes available again. However, VPN Reconnect at least ensures that your network resources will pop back up as soon as possible without you having to fiddle around with anything.
We promised you some technical details, so: VPN Reconnect is an IPsec tunnel in which IKEv2 (Internet Key Exchange version 2) authenticates both ends and negotiates the keys, and ESP (Encapsulating Security Payload) carries the data. ESP is part of the industry-standard IPsec security architecture and provides confidentiality, authentication of data origin, connectionless integrity and anti-replay protection.
In plain English: the system knows where the data came from and that it hasn't been read, modified or replayed on the way.
Why all this fuss just to maintain your connection? Well, it's a trickier job than it might seem. For example, when viewing streaming video over a VPN connection while you're on a train, you would typically lose all buffered data and have to start the video again every time the connection went down.
The IKEv2 feature that makes this work is the MOBIKE extension (IKEv2 Mobility and Multihoming, RFC 4555). It lets the client's outer IP address change, as it will whenever you move from one hotspot or mobile network to another, without tearing down the IPsec security association. Windows keeps that association alive for a configurable 'network outage time' (30 minutes by default), so a reconnection inside that window needs no fresh authentication, the address inside the tunnel stays the same, and the TCP connections inside it, the video stream included, carry on from where they were rather than starting again. One practical caveat: IKEv2 runs over UDP ports 500 and 4500, so a hotspot that blocks those ports will stop VPN Reconnect from connecting at all; the SSTP VPN type, which uses TCP port 443, is the fallback in that situation.
What would be even better than a VPN that automatically reconnects and retains its connection state? How about not needing a VPN in the first place?
DirectAccess is a new feature of Windows 7 that's designed to achieve exactly that. It's potentially one of the most important features of the operating system, both for business users and for system administrators faced - as they increasingly are - with a remote and roaming workforce.
Aside from the issues mentioned above for users trying to stay connected on a VPN and access internal network resources, roaming users pose all kinds of problems for IT people. Mobile computers that aren't connected to the network at a given time will miss out on security updates, software patches and group policy updates. They will get the updates when they eventually connect, but as time goes by, missing critical updates can bring unwanted consequences.
The solution is to allow systems to stay connected as much of the time as possible, without users having to think twice about it. DirectAccess provides a persistent and seamless bi-directional connection between the internal network and the user's Windows 7 system, as long as Windows 7 can connect to the internet. With DirectAccess, remote and roaming users experience the same access to corporate shared resources, intranet sites and internal applications as they would if they were sitting in the office connected directly to the network.
DirectAccess works both ways. Not only can the user's computer access the network seamlessly and securely across any internet connection, but the IT administrator can also reach DirectAccess client computers even when nobody is logged on, because the first of the two IPsec tunnels (the 'infrastructure' tunnel, authenticated with the computer's certificate) is established as soon as the machine boots and has internet access. That means they can monitor, manage and deploy updates to the computer as easily as if it were in the building.
By default, DirectAccess uses split-tunnel routing: only traffic destined for the corporate network is sent through the DirectAccess server, while traffic for the public internet goes straight to its destination. The decision is made on the client by the Name Resolution Policy Table (NRPT), which sends DNS queries for the company's suffixes to the intranet DNS servers over the tunnel and everything else to the local DNS server, and by the corporate IPv6 prefix, which is routed over the tunnel. Split tunnelling keeps the DirectAccess server from carrying traffic it doesn't need to, but it also means the client's internet traffic bypasses the corporate proxy and content filters while the user is outside; organisations that want everything inspected can enable force tunnelling through Group Policy, at the cost of pushing all of the client's traffic through the server.
IPsec is used for authentication and encryption. DirectAccess can also integrate with Network Access Protection (NAP) to require that DirectAccess clients be compliant with system health requirements before being allowed to connect to the network. IT administrators can restrict access through DirectAccess and configure the servers that users and individual applications can access.
Put simply, DirectAccess makes it matter less whether your PC is in the office, on the road or at another location. And the way we're all working these days, that's extremely significant.
Computing innovations are often interdependent, and Microsoft's intended replacement for VPNs is no exception. For DirectAccess to work, it requires a number of supporting technologies.
First of all, it has to be able to address your particular computer directly. That means you need a 'globally routable' IP address, and that in turn depends on IPv6 - the relatively new system that's set to replace IPv4, the basis of most existing Internet connectivity. IPv6 has been around for a while, and most systems and network devices are IPv6-capable by now, but it's proved to be a slow process getting people to actually adopt IPv6 and leave IPv4 behind.
When creating DirectAccess, Microsoft was well aware that IPv6 wasn't yet available to everyone, so it designed DirectAccess to use IPv6 transition technologies. Between the client and the DirectAccess server, across the IPv4 internet, the client picks whichever of 6to4, Teredo and IP-HTTPS works from where it is: 6to4 when it has a public IPv4 address, Teredo when it's behind a NAT, and IP-HTTPS (IPv6 inside an HTTPS session on TCP port 443) when the hotel or customer firewall blocks everything else. Inside the company network, ISATAP carries IPv6 over the existing IPv4 infrastructure. Internal servers that are IPv4-only need something more: Windows Server 2008 R2 does not include a NAT-PT (Network Address Translation-Protocol Translation) translator, so reaching those servers requires a separate NAT-PT device or the NAT64/DNS64 functionality in Forefront Unified Access Gateway.
You also need to be aware that DirectAccess can't function in a vacuum on a Windows 7 system. It requires a DirectAccess server to connect to, and running a DirectAccess server means running Windows Server 2008 R2.
The DirectAccess server must have two network interface cards: one connected to the public internet and one to provide access to the internal intranet resources. DirectAccess also requires two consecutive public IPv4 addresses on the internet-facing card; the Teredo server uses the pair to work out what kind of NAT a client is behind.
The transition technologies (6to4, Teredo and ISATAP, plus IP-HTTPS, which tunnels IPv6 over HTTPS on TCP port 443 for clients behind restrictive firewalls) must be configured on the DirectAccess server; the DirectAccess Management console does this. A PKI (Public Key Infrastructure) is required, because clients and server authenticate the IPsec tunnels with computer certificates and the IP-HTTPS listener needs a server certificate that clients can validate. A DNS server running on Windows Server 2008 or Windows Server 2008 R2 is required as well.
Setting up DirectAccess sounds complex, but Microsoft's intention is that as the user of a Windows 7 client PC you won't find it any more complicated to connect via DirectAccess than to other kinds of network. If you experience problems connecting, you can use the appropriate troubleshooting wizard to identify and resolve problems. Open the Network and Sharing Center and click on Troubleshoot problems, then select the Connection to a Workplace Using DirectAccess wizard to begin troubleshooting.
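For administrators who'd rather check the client's state from a prompt than from the wizard, here is an added example (it is not from the original article and not Microsoft's own tooling) that wraps the `netsh` commands and registry keys a Windows 7 DirectAccess client already has. It reports the machine location, the NRPT rules that drive the split-tunnel versus force-tunnel behaviour described above, the IPsec security associations, and which transition technology is in use. It assumes English-language `netsh` output (the 'Machine Location', 'Direct Access Settings' and 'Local IP Address' labels) and the Group Policy NRPT location under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig`; run it from an elevated PowerShell prompt on the client.

```powershell
# Added example, not from the original article: a DirectAccess client health
# check for Windows 7. Assumes English netsh output and the GPO-delivered NRPT
# registry location. PowerShell 2.0 compatible; run elevated on the client.

function Get-NetshValue {
    # Pull "Label : value" out of a netsh text dump; $null if the label is absent.
    param([string[]]$Text, [string]$Label)
    foreach ($line in $Text) {
        if ($line -match ('^\s*' + [regex]::Escape($Label) + '\s*:\s*(.+)$')) {
            return $Matches[1].Trim()
        }
    }
    return $null
}

function Get-DirectAccessClientState {
    # 1. Where does Windows think it is? "Inside corporate network" means the
    #    Network Location Server answered and the tunnels are deliberately idle.
    $dnsState = netsh dnsclient show state
    $state = New-Object PSObject -Property @{
        MachineLocation = Get-NetshValue $dnsState 'Machine Location'
        DASettings      = Get-NetshValue $dnsState 'Direct Access Settings'
        NrptRules       = @()
        TunnelMode      = 'unknown (no NRPT rules found)'
        IPsecMainModeSA = 0
    }

    # 2. Name Resolution Policy Table: names under these suffixes are resolved
    #    by the intranet DNS servers over the tunnel, everything else by the
    #    local DNS server (split tunnelling). Force tunnelling arrives as a
    #    rule for the "." namespace, which catches every name.
    $nrpt = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'
    if (Test-Path $nrpt) {
        $state.NrptRules = @(Get-ChildItem $nrpt | ForEach-Object {
            (Get-ItemProperty $_.PSPath).Name      # REG_MULTI_SZ, unrolled by the pipeline
        })
        if ($state.NrptRules -contains '.') { $state.TunnelMode = 'force tunnelling' }
        else                                { $state.TunnelMode = 'split tunnelling' }
    }

    # 3. Count main-mode IPsec security associations. Zero SAs while the
    #    machine is "Outside corporate network" means neither DirectAccess
    #    tunnel is up, whatever the transition interfaces report.
    $mmsa = netsh advfirewall monitor show mmsa
    $state.IPsecMainModeSA = @($mmsa | Where-Object { $_ -match '^\s*Local IP Address' }).Count
    return $state
}

$s = Get-DirectAccessClientState
$s | Format-List MachineLocation, DASettings, TunnelMode, NrptRules, IPsecMainModeSA

# 4. Which IPv6 transition technology is carrying the tunnel right now.
#    6to4 needs IP protocol 41 and Teredo needs UDP out through the local
#    network; IP-HTTPS is the fallback that only needs outbound TCP 443.
'--- Teredo ---';   netsh interface teredo show state
'--- 6to4 ---';     netsh interface 6to4 show state
'--- IP-HTTPS ---'; netsh interface httpstunnel show interfaces
```

Read the output top to bottom: a machine that reports 'Outside corporate network' with 'Configured and Enabled' settings, a sensible NRPT list and at least one main-mode SA is working; one with no SA should be checked at the transition-technology stage, where the IP-HTTPS interface status usually explains a hotel or customer firewall problem.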
No matter how much network bandwidth an organisation has, it's safe to assume it is not unlimited. As more users access the network, or more users connect to bandwidth-intensive data such as streaming audio and video, the network's capacity is nibbled away until it's gone. It's then up to the router to queue data, which in turn slows down network communications.
Even when the internal network capacity isn't maxed out, this type of queueing often takes place where the internal network meets the external network. The internal network may be operating at 1Gbps speeds, but the connection to the public internet might be 10Mbps, for example. So network packets from the internal network are queued by the router and transmitted on a first-come, first-served basis as bandwidth becomes available on the external connection.
The trick here is to be smart about letting the most important data jump the queue. Not all network destinations are created equal and they shouldn't be treated equally. Requests to an application server used to process orders, or data being sent to a mission-critical database, should take precedence over traffic destined for Google or Facebook, for example. The technology that makes these decisions is known as Quality of Service (QoS).
Administrators can configure Policy-based QoS to prioritise traffic and ensure that vital communications get preferential treatment. Windows writes a DSCP (Differentiated Services Code Point) value into the IP header of outgoing packets (the six high-order bits of the IPv4 ToS byte, or of the IPv6 Traffic Class), and DSCP-aware routers use it to decide which queue a packet goes into. As the network gets bogged down and packets queue up, the default first-in, first-out behaviour is overridden and high-priority packets are sent first. One caveat: the mark is only a request. A router honours it only if it has been configured to, and ISPs routinely reset DSCP to zero at their boundary, so the benefit is on the links the organisation controls, which is exactly where the congested uplink in the example above sits.
Policy-based QoS first appeared in Windows Vista, but there it could only match traffic on specific IP addresses and port numbers. The problem is that several websites may share one IP address and one website may use many IP addresses, so it was hard to be sure the right traffic was being prioritised.
With Windows 7, Microsoft has added an ability to configure QoS based on URLs (Internet addresses). Administrators can ensure that traffic intended for intranet applications or important websites gets processed ahead of lower-priority traffic without having to configure the specific IP addresses and ports of the destination sites.
URL-based QoS can also be used to intentionally downgrade the priority of typically non-business-related sites, such as Facebook or BBC iPlayer. Assigning these URLs a low priority forces those packets to be handled with even less urgency than normal traffic; the 'lower than best effort' class selector CS1 (DSCP 8) exists for exactly this purpose.
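To see what the QoS policies above actually do to packets, here is an added example (not from the original article) that decodes DSCP codepoints into the per-hop behaviour name and the byte a packet capture will show, and then lists the Policy-based QoS policies Group Policy has delivered to a Windows 7 machine with their marks decoded. It assumes the documented Policy-based QoS registry location `HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS`, one subkey per policy, with 'DSCP Value' and 'Throttle Rate' values (-1 meaning not set); any URL, application or address criteria a policy carries are shown as its match column.

```powershell
# Added example, not from the original article: decode DSCP marks and list the
# Policy-based QoS policies on a Windows 7 machine. Assumes the documented
# registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS.
# PowerShell 2.0 compatible.

function Get-DscpInfo {
    # Map a 6-bit DSCP codepoint to its per-hop-behaviour name and to the 8-bit
    # DS field (DSCP shifted left two bits, ECN bits zero) that a capture shows
    # in the IPv4 ToS / IPv6 Traffic Class byte.
    param([int]$Dscp)
    if ($Dscp -lt 0 -or $Dscp -gt 63) { throw "DSCP must be 0..63, got $Dscp" }
    $class = [math]::Floor($Dscp / 8)
    $drop  = $Dscp % 8
    $phb = 'unassigned / local use'
    if ($Dscp -eq 0)      { $phb = 'BE (best effort, default)' }
    elseif ($Dscp -eq 46) { $phb = 'EF (expedited forwarding, e.g. voice)' }
    elseif ($drop -eq 0)  {
        $phb = "CS$class (class selector" + $(if ($class -eq 1) { ', lower than best effort' } else { '' }) + ')'
    }
    elseif ($class -ge 1 -and $class -le 4 -and (2,4,6) -contains $drop) {
        $phb = 'AF{0}{1} (assured forwarding)' -f $class, ($drop / 2)
    }
    New-Object PSObject -Property @{
        Dscp    = $Dscp
        Phb     = $phb
        DsField = '0x{0:x2}' -f ($Dscp * 4)
    }
}

function Get-PolicyBasedQos {
    # Enumerate the delivered policies and decode each DSCP mark. Everything
    # else in a policy (application, remote IP/port, URL) becomes the Match column.
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\QoS'
    if (-not (Test-Path $root)) {
        Write-Warning "No Policy-based QoS policies under $root (no QoS GPO applied here)"
        return
    }
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty $key.PSPath
        $dscp = -1
        if ($p.'DSCP Value' -ne $null) { $dscp = [int]$p.'DSCP Value' }
        $phb = 'not marked'; $ds = ''
        if ($dscp -ge 0) { $info = Get-DscpInfo $dscp; $phb = $info.Phb; $ds = $info.DsField }
        $match = @($p.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^(PS|Version$|DSCP Value$|Throttle Rate$)' } |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '
        New-Object PSObject -Property @{
            Policy       = $key.PSChildName
            Dscp         = $dscp
            Phb          = $phb
            DsField      = $ds
            ThrottleKBps = $p.'Throttle Rate'
            Match        = $match
        }
    }
}

# The marks network teams ask about most, with the on-the-wire byte to look for
# in a capture (EF shows as 0xb8, the "scavenger" class CS1 as 0x20).
@(0, 8, 26, 34, 46) | ForEach-Object { Get-DscpInfo $_ } | Format-Table Dscp, DsField, Phb -AutoSize

# Highest-priority policies first: the order a DSCP-aware router drains them
# when the uplink is congested.
Get-PolicyBasedQos | Sort-Object Dscp -Descending |
    Format-Table Policy, Dscp, Phb, DsField, ThrottleKBps, Match -AutoSize
```

The DsField column is the value to compare against the 'Differentiated Services Field' in a packet capture taken on the client's uplink: if a policy says 0xb8 but the capture shows 0x00, the mark is being applied by Windows and then stripped, or the policy never matched the traffic in the first place.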