Shaun Cassells at MyITForum.com

SMS 2003 and ConfigMgr 2007, PowerShell, Scripting, Finance, Fitness and Fun


Understanding Windows Server 2008 Networking and Network Access Protection - Chat Log

Understanding Windows Server 2008 Networking and Network Access Protection
Join our experts and ask your pressing questions about key networking features and roles, like Network Access Protection, in Windows Server 2008. Take this opportunity to learn more about how you can implement new network features like auto-tuning and the support for the latest in network acceleration and hardware offload technologies, as well as how to centrally manage network utilization with the new Quality of Service (QoS) Group Policies. This chat also covers the concept of policy-driven network access and illustrates how you can use the solutions Microsoft provides in Windows Server 2008 (like Network Access Protection), and share your ideas and provide feedback.

Monday, July 16, 2007
10:00 - 11:00 A.M. Pacific Time
1:00 - 2:00 P.M. Eastern Time
17:00 - 18:00 GMT

Don_MSFT (Moderator): Welcome to today’s chat. Our topic today is Understanding Windows Server 2008 Networking and Network Access Protection. So if you have questions in this area, please hang around and we'll chat with you soon....

Don_MSFT (Moderator): We are pleased to welcome our experts for today. I will have them introduce themselves now.

Ian Hameroff [MSFT] (Expert): Hello everyone, I'm Ian Hameroff from Microsoft Corp. I'm the senior product manager for the networking features in Windows Server 2008.

Kevin Rhodes (Expert): Hi, welcome to this chat. I am Kevin Rhodes, Program Manager for Network Access Protection.

Jill Beck (Expert): Good morning, my name is Jill Beck and I am a Business Development Manager at Microsoft. I focus on features such as IPsec, IPv6 and the networking stack.

Amith Krishnan (Expert): Hello, I'm Amith Krishnan, Sr. Product Manager for Network Access Protection.

Sarah Wahlert [MSFT] (Expert): Hello. I'm Sarah Wahlert and I'm a program manager for firewall and IPsec technologies.

Jason Popp [MSFT] (Expert): Good Morning! I'm Jason Popp and I am the Program Manager for IPsec and Windows Firewall deployments here at Microsoft.

Don_MSFT (Moderator): I'm your moderator, Don Spencer. I’m an editor in the Connected Systems Division.

Greg Lindsay [MSFT] (Expert): Hi everyone, my name is Greg Lindsay, and I'm a technical writer for Network Access Protection.

Ian Hameroff [MSFT] (Expert): Hey folks, feel free to send up your questions relating to NAP and networking features!

Ian Hameroff [MSFT] (Expert):
Q: [4] Is 802.1x and Cisco routers more intuitively integrated with WinServer 2008?

A: Shaun, we have expanded the support for 802.1X in WS08 through new Group Policies, and a new feature called EAPHost to enable different vendor EAP Methods to be added to the platform. Take a look at this article for more details on EAPHost: http://www.microsoft.com/technet/technetmag/issues/2007/05/CableGuy/default.aspx

Amith Krishnan (Expert):
Q: [3] Hello experts, my question is how well will NAP integrate with Cisco technologies such as CNAC and Cisco VPN, and what will the benefits be of such integration?

A: Hi .. Cisco and Microsoft announced interoperability solution in September 2006. Here are some of the salient features of the integration.

Kevin Rhodes (Expert):
Q: [1] SCCM went RC1 today. Does it work with Longhorn beta to provide NAP? Translation: I want to run this in my test lab.. will it work today with beta/RC software?

A: The upcoming release of SCCM is integrated with Network Access Protection (NAP). Together with NAP SCCM can be used to verify patch level on the NAP and check/monitor client compliance to the defined health policies. You can set this up in your lab today with the SCCM RC, Windows Server 2008 Beta and Vista.

Amith Krishnan (Expert):
A: - Single agent on Windows Vista. The integrated solution converges on a single agent included in Windows Vista.
- Cross platform. Microsoft will license elements of the NAP client agent technology to 3rd parties to develop client agents for other, non-Windows operating systems.
- One API on Windows Vista for partners to support. There will be one API on Windows Vista for partners to write to.
- Support for heterogeneous Microsoft NAP Agent/Cisco CTA environments.
- Windows Vista will support multiple EAP methods. This includes Cisco’s EAP-FAST and EAP over UDP.
- Technology cross-licensing and commitment to plug compatibility on the back end. Cisco and Microsoft can offer a combined Network and Posture AAA product based on market and customer demands, utilizing the protocols and technologies they have cross-licensed to each other.
In addition, NAP also works across any Cisco switch that supports 802.1x.

Ian Hameroff [MSFT] (Expert):
Q: [7] iSCSI performance over ten gigabit Ethernet: Windows 2003 could tune up the TcpWindowSize, but Longhorn no longer has that parameter. Instead there is an "automatic" window sizing, which guesses the bandwidth*delay but delay~=0 so uses default!

A: You are correct that we implement TCP Receive-window auto-scaling in Windows Vista and WS08. Are you asking how to override these automatic parameters since you have very low latency but high bandwidth?

Amith Krishnan (Expert):
Q: [3] hello experts, my question is how well will nap integrates with cisco technologies such as CNAC and cisco VPN and what will the benefits be of such integration

A: in addition, NAP integrates with any Cisco switch (or any vendor) that supports 802.1x

Kevin Rhodes (Expert):
Q: What does NAP bring together with ConfigMgr 2007?

A: When used together, NAP and SCCM provide the ability to define the patches that a client is supposed to have installed before connecting to your network. SCCM will check to see whether those patches/updates are installed and report that to the NAP infrastructure. The NAP infrastructure will then report and log the client's compliance. Also, if the administrator so chooses, NAP will restrict the access of the client until the appropriate patches and updates are installed. SCCM will automatically install the required updates and patches and then notify NAP when the client's compliance level has changed.

Ian Hameroff [MSFT] (Expert):
Q: [2] MAC Address Filtering with DHCP: Did it ever exist in any Windows DHCP server? Is it an option in WinServer2008? Can it be easily set up with 2008 and NAP? I'm currently using Lucent QIP just for this purpose as my DHCP server.

A: In Server 2008, you can configure your DHCP servers to call out to a Network Policy Server (NPS) to authorize the DHCP leases. In NPS, you can set policy to deny leases based on mac address. One limitation is that this doesn’t scale well to a large number of MAC filters.


Jason Popp [MSFT] (Expert):
Q: [9] Does it change the way IPsec works on Windows Server 2008?

A: Hi Danny. NAP does not change the way IPsec works in Windows Server 2008. However we have made a number of improvements to IPsec in Windows Vista and Windows Server 2008, including full integration with the Windows Firewall and the addition of a new protocol called Authenticated IP which supports new authentication methods such as NAP Health Certificates and User Authentication. I would suggest taking a look at the new feature overviews in the following links for more information:

Jason Popp [MSFT] (Expert):
A: http://www.microsoft.com/technet/community/columns/cableguy/cg0106.mspx

Kevin Rhodes (Expert):
Q: "You can set this up in your lab today with the SCCM RC, Windows Server 2008 Beta and Vista." Why does this require Vista? Most enterprises are still on XP SP2.. without much motivation to migrate.

A: Network Access Protection client support is not included in XPSP2. It will be included in the next service pack for XP. For the dates regarding XPSP3 please refer to the Windows lifecycle web page (http://www.microsoft.com/windows/lifecycle/servicepacks.mspx).

Ian Hameroff [MSFT] (Expert):
Q: [10] iSCSI over ten gig E: Even better would be for the automatic window sizing to "just work" over high bandwidth/low latency connections, e.g. use a minimum delay in its calculation, so nothing needed to be futzed for ten gigabit. Thanks.

A: Thanks Intransa, there are a few options that can help fully leverage the 10 gig pipe. One of these is our TCP Chimney Offload support that allows you to offload TCP processing to the NIC so you can saturate the link better.

Greg Lindsay [MSFT] (Expert):
Q: [11] Hello, at the risk of sounding ignorant, how will NAP work with internet capable applications such as outlook doing RPC over HTTP without a VPN? My goal would be to limit the access to exchange unless the proper outlook and MS patches are applied.

A: Hi Jim, in order to check for specific patches, you'll need to use the SMS SHA or some other SHA/SHV that specifies the Outlook patch level. For the MS patches you can use the built-in Windows SHA. You can restrict access to the Outlook server using IPsec policies if you set up NAP IPsec enforcement. There are also other enforcement methods that could work, but these depend on your network infrastructure. You would also want to set up

Greg Lindsay [MSFT] (Expert):
A: Sorry - hit return too soon. I meant to say you will also want to set up a remote access NAP solution such as VPN.

Amith Krishnan (Expert):
Q: [12] Good point from Shaun, will there ever be a patch or SP for NAP on XP?

A: The NAP client for XP is currently in beta and will be released publicly as part of XP SP3.

Amith Krishnan (Expert):
Q: [14] Will NAP for XP be released out of SP3? I mean as a standalone?

A: It's currently not planned as a standalone. Upgrade to SP3 is required.

Kevin Rhodes (Expert):
Q: [11] Hello, at the risk of sounding ignorant, how will NAP work with internet capable applications such as outlook doing RPC over HTTP without a VPN? My goal would be to limit the access to exchange unless the proper outlook and MS patches are applied.

A: As it is released in Windows Vista and Windows 2008 NAP does not have the feature of restricting access to internet facing applications that are not fronted by some service that can restrict the access while a health check is made. In this case for example, if the Exchange server was fronted by the TS gateway then you could control access through the Windows Server 2008 TS Gateway, which is integrated with NAP. Looking forward there are possibilities of integrating NAP with internet proxies, and even applications to do health checks before allowing access.

Amith Krishnan (Expert):
Q: [16] Will there be ever a NAP Client for W2k?

A: No plans to release a NAP agent for W2K from Microsoft because of limited demand. But some of our partners in the NAP partner ecosystem are building NAP clients for older OSs like W2K. We also have partners building NAP agents for non-MS OSs like Linux, Mac etc. At Interop 2007, Las Vegas, we demonstrated NAP on Linux.

Greg Lindsay [MSFT] (Expert): Hi Jim, I think I missed the fact that you said no VPN. You cannot use NAP to regulate access to Internet clients as you describe.

Amith Krishnan (Expert):
Q: [18] Are these NAP client agents developed by partners chargeable?

A: Yes they are right now. However, we are working with other OS vendors so that the NAP agent can be provided for non-MS OSs without a charge. As for the NAP agent in Vista and XP, there is no additional charge as they are built into the OS.

Kevin Rhodes (Expert):
Q: [15] Also, how would NAP be useful for older OS.. i mean it is supposed to provide network access protection.. but if I can defeat it by using Older OS.. what's the point?

A: It all depends on the risk analysis and ultimate decisions of the administrator. If the administrator wants to only allow NAP capable clients to access their network, or portions of their network, then NAP allows for that to be enforced and older non-NAP capable clients will not be allowed through. However, if the administrator feels that they must have older OS's that are not capable of doing NAP but must still have complete access to the network, then they can configure the policies to allow that. They can also configure NAP to require OS's that are capable of doing NAP to be checked for health, while allowing OS's that are not capable to get access. There are going to be considerations like these that administrators will have to make as they plan NAP deployments and their longer term OS migration strategy.

Ian Hameroff [MSFT] (Expert):
Q: [19] So it sounds like there is no interest in making the native Windows TCP perform well over low latency networks like ten gigabit Ethernet? With modern Quad cores Chimney should no longer be necessary.

A: Not necessarily. You should have the same experience with the TCP/IP functionality on WS08 as with WS03 with low latency, if not better. While this report doesn't speak to 10GigE, take a look at this recent third party review of the improvements in throughput, etc. for both low latency and high latency scenarios: http://download.microsoft.com/download/4/b/4/4b455e48-72c4-4a04-b9a5-892fd497087a/TollyResults.pdf

Ian Hameroff [MSFT] (Expert):
Q: [20] Will the WinServer 2008 stack be modified from the current 2003 version? Has the IPv6 resolution speed been increased?

A: Additionally, TCP Chimney Offload does have a place in quad core+ systems. Especially when you consider that 1 GHz of CPU power is required for 1 Gig of networking, you do not want to have the whole of the processing power of the server spent on driving networking traffic. Perhaps I'm not fully understanding your question, and is it that you wish to override the settings for the TCP Receive-window Auto-Scaling like you could set the setting for window size?

Kevin Rhodes (Expert):
Q: [17] Has anyone else had a problem with Vista BSOD after connecting to NAP? I have a few machines we are testing with and only one exhibits this behavior, looking for others to help solve this problem.

A: On the NAP team we have not had any reports of anything like this from any of our internal deployments (10's of thousands of machines) or from any of our early adoption partners.

Ian Hameroff [MSFT] (Expert):
Q: [20] Will the WinServer 2008 stack be modified from the current 2003 version? Has the IPv6 resolution speed been increased?

A: Windows Server 2008 (and Windows Vista) includes a new implementation of the TCP/IP stack (called the "Next Generation TCP/IP Stack"). You can learn more about this and all the enhancements we've delivered at this TechNet site: http://www.microsoft.com/technet/network/tcpip/default.mspx

Ian Hameroff [MSFT] (Expert):
Q: [20] Will the WinServer 2008 stack be modified from the current 2003 version? Has the IPv6 resolution speed been increased?

A: Also, IPv6 support is much more robust versus WS03. Are you asking if DNS quad A record resolution speed has been increased?

Greg Lindsay [MSFT] (Expert):
Q: [22] I can duplicate this at will, would someone like to work with me on this issue? (BSOD post connection to NAP?)

A: Sure Brett I will try to help. I am working on some troubleshooting documentation right now.

Ian Hameroff [MSFT] (Expert):
Q: [23] How do you differentiate the Linux server OS from Windows 2008? How do the security features on this prove to be more secure than Linux?

A: We believe that there is a significant number of new and enhanced features in Windows Server 2008 that will really set it apart from Linux. My recommendation is to take a look at the reports and white papers we have up on http://www.getthefacts.com to understand how Windows Server delivers the security and reliability that you can drive your business with. As for security, there is a long list of improvements and new features that help make WS08 our most secure server OS to date. This includes many networking features, like Services Hardening which utilizes the Windows Firewall to further lock down services and reduce risks. Take a look at this article (albeit on Windows Vista) that talks more about this one of many security features: http://www.microsoft.com/technet/technetmag/issues/2007/01/SecurityWatch/?topics=/technet/technetmag/issues/2007/01/SecurityWatch

Kevin Rhodes (Expert):
Q: [21] Also, can you post links that detail Server 2008 networking and NAP with SCCM? Be great for future reference (when I read this later).

A: You can go to www.microsoft.com/NAP to learn more about NAP in Windows Server 2008 and Vista. You can also go to http://www.microsoft.com/technet/prodtechnol/sms/smsv4/smsv4_help/48d73b36-d547-4724-94a7-c7aa2a428295.mspx?mfr=true to learn more about SCCM and NAP. There is a good bit of documentation about NAP and SCCM that is still in the pipeline that will be becoming available as Windows Server 2008 is released.

Ian Hameroff [MSFT] (Expert):
Q: [28] Thanks, I just read the Tolly paper, but it does not mention *ten* Gigabit Ethernet. We use *ten* Gigabit Ethernet, not *one* Gigabit. So sounds like we are out of luck for now - stick with Windows 2003 I suppose?

A: Great that you had a chance to read, and as I mentioned before, this was more of an example of how we see improvements over WS03 with the network stack auto-tuning features. Again, it would be good to understand what in particular you are looking to do to further boost perf on 10 GigE. For example, if you look at Compound TCP, you can see improvements in throughput thanks to its improvements in dealing with send-side congestion control.

Don_MSFT (Moderator):
Q: [30] I missed the beginning part of this chat. Is there archive for this chat session so we can read?

A: Hi BC. The chat transcript will be posted at http://www.microsoft.com/technet/community/chats/trans/default.mspx, probably in the next week or so.

Ian Hameroff [MSFT] (Expert):
Q: [25] Has QoS been made aware of network connection speeds for the different hop segments?

A: We have a new set of features around QoS in WS08, called Policy-based QoS (http://www.microsoft.com/technet/community/columns/cableguy/cg0306.mspx). While this does not incorporate "dedication" of different connection speeds across hops, you can more easily (and centrally using AD GPOs) set DSCP values on packets sent from the host as well as throttle traffic leaving the host. These DSCP values (which are an Internet standard/RFC) will then be used by the routing fabric to determine the priority queue when forwarding.

Kevin Rhodes (Expert):
Q: [27] Could you explain the pros/cons of using WSUS vs. SCCM as a SHV for security updates?

A: I am not an expert on the differences between these two technologies. From a NAP perspective, the SHA sends data to its corresponding SHV and the SHV then tells NAP whether the client passed or failed the health check. So beyond that it comes down to the level of features and functionality between the two solutions. I think that SCCM is going to provide more flexibility in how patches and software updates are managed in the network and the level of granularity to which policies can be defined. For more information you should take a look at the comparison between the two products at product information sites.

Sarah Wahlert [MSFT] (Expert):
Q: [32] How does the firewall concept of Windows Server 2008 differ from 2003? According to information given on the Microsoft website, it says that Microsoft has designed Windows 2008 to protect from all kinds of security hacks. How does it go?

A: Windows Firewall has been extended in Windows Vista and Windows Server 2008 to include more granular filtering options and tighter integration with IPsec. You can find more information at www.microsoft.com/windowsfirewall. Additionally, Windows Firewall now enforces a set of service hardening rules that prevents Windows services from communicating on the network in unexpected ways.

Amith Krishnan (Expert):
Q: [37] Initialism Q: What do SHA and SHV stand for?

A: SHA - System Health Validator:

Amith Krishnan (Expert):
A: SHV- System Health Validator

Kevin Rhodes (Expert):
Q: [37] Initialism Q: What do SHA and SHV stand for?

A: SHA (System Health Agent); SHV (System Health Validator). For more information on all the terms NAP you can go to www.microsoft.com/NAP.

Ian Hameroff [MSFT] (Expert):
Q: [34] Cool feature on QoS.. can this be set up to reflect SCCM package distribution priority settings?

A: Great to hear you're interested in the new QoS features! Not sure how this would work with SCCM programmatically, but you could certainly set a higher priority for your delivery servers.

Amith Krishnan (Expert):
Q: [38] Follow up question to #27 - Question #21 mentioned the best documentation out there about using SCCM as a SHV. What is the best documentation to see how WSUS v3.0 works as a SHV with NAP?

A: We are in the process of putting the document together. Please check www.microsoft.com/nap in a month for the post. Also, feel free to mail asknap@microsoft.com for the document.

Ian Hameroff [MSFT] (Expert):
Q: [25] Has QoS been made aware of network connection speeds for the different hop segments?

A: There is a fairly easy way to do this via the management console. Take a look at these links for more details: http://technet2.microsoft.com/windowsserver2008/en/library/ce82863f-9303-444f-9bb3-ecaf649bd3dd1033.mspx?mfr=true

Don_MSFT (Moderator): Here are links to some Web sites that might be of use to you:
<http://www.microsoft.com/networking>
<http://www.microsoft.com/nap>
<http://blogs.technet.com/nap>
<http://blogs.technet.com/ianhamer>
<http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=576&SiteID=17>
<http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=577&SiteID=17>
<http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=1510&SiteID=17>

Ian Hameroff [MSFT] (Expert):
Q: [29] how to remove a Read-Only Domain Controller (RODC) if one is stolen or otherwise removed from your network.

A: And, here's another link: http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx?mfr=true

Kevin Rhodes (Expert):
Q: [39] Does SHV check client health of the SMS client? Seeing as how WMI and SMS 2003 have severe limiting issues with that in today's deployments.

A: The SCCM SHA is part of the SCCM client. It may do some internal health checks, but I don't think there are any policies that they provide specifically to check the health of the SCCM client itself. More information may be available at the website http://www.microsoft.com/technet/prodtechnol/sms/smsv4/smsv4_help/48d73b36-d547-4724-94a7-c7aa2a428295.mspx?mfr=true

Ian Hameroff [MSFT] (Expert):
Q: [33] In Windows 2003, if a website is blocked from the client, using proxy software we can still view the websites. Is it possible to block usage of proxy software from the server, apart from Software Restriction Policy?

A: Are you attempting to bypass your network's proxy server?

Amith Krishnan (Expert):
Q: [44] Also, how is the centralized reporting for NAP? Does it have a SQL backend for data collected displayed via SQL reporting services or some other method?

A: There is a SQL backend for data collection via SQL. The same is being used for reporting by Microsoft IT.

Jill Beck (Expert):
Q: [26] Are you asking if DNS quad A record resolution speed has been increased? I am now

A: For home, even though Teredo gets provisioned by default, no AAAA query is issued. For enterprise, if there is not an IPv6 deployment, no AAAA will be issued. If however, one deploys ISATAP or 6to4, AAAA will be issued.

Ian Hameroff [MSFT] (Expert):
Q: [45] For some networks that still prefer to use a peer-to-peer network instead of deploying a domain, is there a way they can use Server 2008?

A: You can still deploy WS08 in a workgroup fashion, although you do gain a greater level of manageability when using Active Directory. If this is a small-scale network, consider evaluating Windows Server Small Business Server when it becomes available for WS08.

Kevin Rhodes (Expert):
Q: [43] Does SHA have extensibility? I mean can I have it start fixing other common core OS issues that happen in large Enterprise environments? Something NAP could fix?

A: The NAP infrastructure is open for integration by ISVs and third parties so they can write their own SHAs to integrate with NAP. So NAP is extensible this way. The SHAs that are included in Vista or SCCM are not extensible themselves. Whether you would look to an SHA to address the OS issues you are referring to will depend on what those specific issues are and how appropriate it would be to do it that way.

Greg Lindsay [MSFT] (Expert):
Q: [41] Will 2008 have native VLAN support for NICs, and will that still be a matter of having a software package from the producer of the NIC?

A: Hi Tom, VLAN support is in the NIC driver. Most NICs that I've seen support VLANs natively, but not all support multiple VLANs. As I understand it, the NIC driver must recognize the VLAN information contained in an Ethernet frame.

Amith Krishnan (Expert):
Q: [48] How well does NAP and SHV / SHA work with Virtual Machines?

A: Very well. We use it for our demos all the time.

Ian Hameroff [MSFT] (Expert):
Q: [47] Regarding question no. 33. Yes, like the usage of software such as Ultrasurf will bypass the proxy of the server and allow access to all the websites. We can block the usage of this software, but are there any options to stop bypassing the Windows 2008 proxy?

A: I don't believe Windows Server has a built-in proxy server service. Instead, this would be functionality provided by something like ISA Server 2006. You could utilize many of the scripts and enhancements to ISA Server 2006 to help add to the plan related to SRP. Check out isaserver.org for hints.

Amith Krishnan (Expert):
Q: [49] What are the network bandwidth requirements for NAP? I mean, how much info is sent on a recurring basis? Looking to see what network flood might occur (if any).

A: Very very little. Less than 4K per transaction.

Comments

Steve Schofield Weblog said:

Here are some good articles on networking. Network Latency and Throughput http://msdn2.microsoft.com

# December 2, 2007 4:26 PM