Features for Roaming & Branch Office Users

DirectAccess and BranchCache are two new features of Windows 7 that enhance the productivity of enterprise roaming users as well as branch office users

Tuesday, October 06, 2009

Print

Comment

Email

Digg

Del.icio.us

Reddit

Twitter

Windows 7 has come up with quite a few new enhancements for enterprise users but most of them are dependent upon Windows Server 2008 R2 to work, except AppLocker and BitLocker.
These two don't need any configuration at the server end thus you can easily deploy them. You can also refer to the hand-on stories we have done around them in this issue. However, for both Branch Caching and DirectAccess, you need to do most of the configuration at the server end. Here, we will discuss about the features from a technology point of view and will cover the in-depth implementation of Branch Caching and DirectAccess in the coming issues.

DirectAccess for roaming users
This feature is meant for corporate users who would like to access their corporate intranet while on the move over the Internet. Well, this might sound like yet another VPN solution, but is actually different. In DirectAccess, you don't need a VPN client to be configured or installed to access your corporate network. Rather, it uses the IPv6 and its native features to tunnel and secures data over the public network. The support for native IPv6 protocol was there in Microsoft OSes for quite some time, but this possibly is the first application by Microsoft which fully and natively works on IPv6 and its features.

By now you must be wondering if DirectAccess natively works on Ipv6, you will require IPv6 aware devices at both end points -enterprise gateway level and at the router or ISP level. No, you can even use DirectAccess over the old IPv4 aware NAT and routing devices. The only requirement is that both the corporate network and the roaming client machine should have IPv6 support.

This wizard takes care of the DirectAccess service installation in Windows Server 2008 R2..

The ISP link with IPv4 is managed by a native technique of IPv6 called Teredo Tunneling, which uses a protocol called 6 to4 to tunnel IPv6 packets through IPv4. It can grant connectivity of two endpoints using IPv6 located behind native devices which are unaware of IPv6. This technology is developed to make sure people can start adopting IPv6 in corporate networks and remote connectivity without even requiring supported end point devices.

Configuring DirectAccess is not that simple. The whole deployment needs meeting a lot of pre-requisites and some of them are unique. For example, for deploying DirectAccess service on top of a Windows Server 2008 R2 box, you need two consecutive public IPs. Why exactly is this kind of a resource required is still a mystery to us. The DirectAccess setup wizard refused to proceed till the time we actually gave them two consecutive public IPs. Plus, a lot of configuration is required which you have to do before DirectAccess setup takes charge and configures the whole thing. From the client end i.e, from the Windows 7 end, all you need to do is to enable the Teredo feature by running the following command from an elevated command prompt:

C:\netsh interface teredo set state enterpriseclient

This command will create a virtual network adapter for which it will get the IPv6 IP and will support Teredo functionality.

This is how distributed caching is different from hosted cache. In the first case, we only have the client machines accessing the cache from all the peers, but in the hosted caching, you can see the data is accessed from a single source.

BranchCache for branch offices
This feature helps enterprises optimize their WAN usage. Though, it can't be compared to a full fledged WAN optimization solution, it does some sort of WAN optimization. Essentially, it's a mechanism by which one can configure a centralized data caching server at the branch office level which connects to the head office. This part is common and there are many solutions which can do the same. The unique part is that, you can even have a setup without central data caching server and can do the caching on individual machines. Also, if all the machines are a part of the same domain, then they can share cached data with each other.

The only disadvantage of this where you don't have a centralized caching solution and have laptops in place instead is that, once laptop goes out of the network you lose the caching data sitting on that particular node. This feature only supports HTTP and SMB protocols which is enough for connecting and accessing file servers and online business applications.The configuration is again very simple. Either it can be done through the Group Policy if you want to do the setting across a large number of machines, else a simple command can enable the Branch Caching on individual machines. The command is as follows:

C:\netsh branchcache set service distributed

Next - BitLocker Enhancements

Page(s)   1