Understanding Windows Server 2008 Networking and Network Access Protection (July 16, 2007)

Chat Topic: Understanding Windows Server 2008 Networking and Network Access Protection
Date: Monday, July 16, 2007

**Please note:** Portions of this transcript have been edited for clarity.

Experts: Ian Hameroff, Kevin Rhodes, Jill Beck, Amith Krishnan, Sarah Wahlert, Jason Popp, Greg Lindsay
Moderator: Don Spencer
Newsgroups:
https://www.microsoft.com/networking
https://www.microsoft.com/nap
https://blogs.technet.com/nap
https://blogs.technet.com/ianhamer
https://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=576&SiteID=17
https://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=577&SiteID=17
https://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=1510&SiteID=17

Don_MSFT (Moderator):
Welcome to today’s chat. Our topic today is Understanding Windows Server 2008 Networking and Network Access Protection.

Don_MSFT (Moderator):
We are pleased to welcome our experts for today. I will have them introduce themselves now.

Introductions

Ian Hameroff [MSFT] (Expert):
Hello everyone, I'm Ian Hameroff from Microsoft Corp. I'm the senior product manager for the networking features in Windows Server 2008.

Kevin Rhodes (Expert):
Hi, welcome to this chat. I am Kevin Rhodes, Program Manager for Network Access Protection.

Jill Beck (Expert):
Good morning, my name is Jill Beck and I am a Business Development Manager at Microsoft. I focus on features such as IPsec, IPv6 and the networking stack.

Amith Krishnan (Expert):
Hello, I'm Amith Krishnan, Sr. Product Manager for Network Access Protection.

Sarah Wahlert [MSFT] (Expert):
Hello. I'm Sarah Wahlert and I'm a program manager for firewall and IPsec technologies.

Jason Popp [MSFT] (Expert):
Good Morning! I'm Jason Popp and I am the Program Manager for IPsec and Windows Firewall deployments here at Microsoft.

Greg Lindsay [MSFT] (Expert):
Hi everyone, my name is Greg Lindsay, and I'm a technical writer for Network Access Protection.

Don_MSFT (Moderator):
I'm your moderator, Don Spencer. I’m an editor in the Connected Systems Division.

Ian Hameroff [MSFT] (Expert):
Hey folks, feel free to send up your questions relating to NAP and networking features!

Start of Chat

Ian Hameroff [MSFT] (Expert):
Q:
Are 802.1x and Cisco routers more intuitively integrated with Windows Server 2008?
A: Shaun, we have expanded the support for 802.1x in Windows Server 2008 through new Group Policies, and a new feature called EAPHost to enable different vendor EAP Methods to be added to the platform. Take a look at this article for more details on EAPHost: https://www.microsoft.com/technet/technetmag/issues/2007/05/CableGuy/default.aspx.

Amith Krishnan (Expert):
Q:
Hello experts, my question is how well will NAP integrate with Cisco technologies such as CNAC and Cisco VPN, and what will the benefits be of such integration?
A: Hi. Cisco and Microsoft announced an interoperability solution in September 2006. Here are some of the salient features of the integration:
- Single agent on Windows Vista. The integrated solution converges on a single agent included in Windows Vista.
- Cross-platform. Microsoft will license elements of the NAP client agent technology to third parties to develop client agents for other, non-Windows operating systems.
- One API on Windows Vista for partners to support. There will be one API on Windows Vista for partners to write to.
- Support for heterogeneous Microsoft NAP Agent/Cisco CTA environments.
- Windows Vista will support multiple EAP methods. This includes Cisco’s EAP-FAST and EAP over UDP.
- Technology cross-licensing and commitment to plug compatibility on the back end. Cisco and Microsoft can offer a combined Network and Posture AAA product based on market and customer demands, utilizing the protocols and technologies they have cross-licensed to each other. In addition, NAP also works across any Cisco switch that supports 802.1x.

Kevin Rhodes (Expert):
Q:
SCCM went RC1 today. Does it work with Longhorn Beta to provide NAP? Translation, I want to run this in my test lab. Will it work today with beta/RC software?
A: The upcoming release of SCCM is integrated with Network Access Protection (NAP). Together with NAP, SCCM can be used to verify patch level on the NAP and check/monitor client compliance to the defined health policies. You can set this up in your lab today with the SCCM RC, Windows Server 2008 Beta, and Windows Vista.

Ian Hameroff [MSFT] (Expert):
Q:
iSCSI performance over 10-gigabit Ethernet: Windows Server 2003 could tune up the TcpWindowSize, but Longhorn no longer has that parameter. Instead there is an "automatic" window sizing, which guesses the bandwidth*delay but delay~=0 so it uses the default!
A: You are correct that we implement TCP Receive-window auto-scaling in Windows Vista and Windows Server 2008. Are you asking how to override these automatic parameters since you have very low latency but high bandwidth?

Kevin Rhodes (Expert):
Q:
What does NAP bring together with Configuration Manager 2007?
A: When used together, NAP and SCCM provide the ability to define the patches that a client is supposed to have installed before connecting to your network. SCCM will check to see whether those patches/updates are installed and report that to the NAP infrastructure. The NAP infrastructure will then report and log the client’s compliance. Also, if the administrator so chooses, NAP will restrict the access of the client until the appropriate patches and updates are installed. SCCM will automatically install the required updates and patches and then notify NAP when the client’s compliance level has changed.

Ian Hameroff [MSFT] (Expert):
Q:
Mac Address Filtering with DHCP: Did it ever exist in any Windows DHCP server? Is it an option in Windows Server 2008? Can it be easily set up with Windows Server 2008 and NAP? I'm currently using Lucent QIP just for this purpose as my DHCP server.
A: In Windows Server 2008, you can configure your DHCP servers to call out to a Network Policy Server (NPS) to authorize the DHCP leases. In NPS, you can set policy to deny leases based on MAC address. One limitation is that this doesn’t scale well to a large number of MAC filters.

Jason Popp [MSFT] (Expert):
Q:
Does it change the way that IPsec works on Windows Server 2008?
A: Hi Danny. NAP does not change the way IPsec works in Windows Server 2008. However, we have made a number of improvements to IPsec in Windows Vista and Windows Server 2008, including full integration with the Windows Firewall and the addition of a new protocol called Authenticated IP, which supports new authentication methods such as NAP Health Certificates and User Authentication. I would suggest taking a look at the new feature overviews in the following links for more information: https://www.microsoft.com/technet/community/columns/cableguy/cg0106.mspx.

Kevin Rhodes (Expert):
Q:
You can set this up in your lab today with the SCCM RC, Windows Server 2008 Beta, and Windows Vista. Why does this require Windows Vista? Most enterprises are still on Windows XP SP2…without much motivation to migrate.
A: Network Access Protection client support is not included in Windows XP SP2. It will be included in the next service pack for Windows XP. For the dates regarding Windows XP SP3, please refer to the Windows lifecycle Web page (https://www.microsoft.com/windows/lifecycle/servicepacks.mspx).

Ian Hameroff [MSFT] (Expert):
Q:
iSCSI ver 10 gig Ethernet: Even better would be for the automatic window sizing to "just work" over high-bandwidth/low-latency connections, e.g., use a minimum delay in its calculation, so nothing needed to be futzed for 10 gigabit. Thanks.
A: Thanks Intransa, there are a few options that can help fully leverage the 10-gig pipe. One of these is our TCP Chimney Offload support that allows you to offload TCP processing to the NIC so you can saturate the link better.

Greg Lindsay [MSFT] (Expert):
Q:
Hello, at the risk of sounding ignorant, how will NAP work with Internet-capable applications such as Outlook doing RPC over HTTP without a VPN? My goal would be to limit the access to Exchange unless the proper Outlook and MS patches are applied.
A: Hi Jim, in order to check for specific patches, you'll need to use the SMS SHA or some other SHA/SHV that specifies the Outlook patch level. For the MS patches, you can use the built-in Windows SHA. You can restrict access to the Outlook server using IPsec policies if you set up NAP IPsec enforcement. There are also other enforcement methods that could work, but these depend on your network infrastructure. You would also want to set up a remote access NAP solution such as VPN.

Greg Lindsay [MSFT] (Expert):
Hi Jim, I think I missed the fact that you said no VPN. You cannot use NAP to regulate access to Internet clients as you describe.

Amith Krishnan (Expert):
Q:
Good point from Shaun, will there ever be a patch or SP for NAP on Windows XP?
A: The NAP client for Windows XP is currently in beta and will be released publicly as part of Windows XP SP3.

Amith Krishnan (Expert):
Q:
Will NAP for Windows XP be released out of Windows XP SP3? I mean as a stand-alone?
A: It's currently not planned as a stand-alone. An upgrade to Windows XP SP3 is required.

Kevin Rhodes (Expert):
Q:
Hello, at the risk of sounding ignorant, how will NAP work with Internet-capable applications such as Outlook doing RPC over HTTP without a VPN? My goal would be to limit the access to Exchange unless the proper Outlook and MS patches are applied.
A: As it is released in Windows Vista and Windows Server 2008, NAP does not have the feature of restricting access to Internet-facing applications that are not fronted by some service that can restrict the access while a health check is made. In this case, for example, if the Exchange server was fronted by the TS gateway, then you could control access through the Windows Server 2008 TS Gateway, which is integrated with NAP. Looking forward, there are possibilities of integrating NAP with Internet proxies, and even applications to do health checks before allowing access.

Amith Krishnan (Expert):
Q:
Will there ever be a NAP client for Windows 2000?
A: No plans to release a NAP agent for Windows 2000 from Microsoft because of limited demand. But some of our partners in the NAP partner ecosystem are building NAP clients for older OSs like Windows 2000. We also have partners building NAP agents for non-MS OSs like Linux, Mac, etc. At Interop 2007, Las Vegas, we demonstrated NAP on Linux.

Amith Krishnan (Expert):
Q:
Are these NAP client agents developed by partners chargeable?
A: Yes, they are right now. However, we are working with other OS vendors too so the NAP agent can be provided for a non-MS OS without a charge. As for the NAP agent in Windows Vista and Windows XP, there is no additional charge as they are built into the OS.

Kevin Rhodes (Expert):
Q:
Also, how would NAP be useful for an older OS…I mean, it is supposed to provide network access protection…but if I can defeat it by using an older OS…what's the point?
A: It all depends on the risk analysis and ultimate decisions of the administrator. If the administrator wants to only allow NAP-capable clients to access their network, or portions of their network, then NAP allows for that to be enforced and older non-NAP capable clients will not be allowed through. However, if the administrator feels that they must have older OSs that are not capable of doing NAP but must still have complete access to the network, then they can configure the policies to allow that. They can also configure NAP to require OSs that are capable of doing NAP to be checked for health, while allowing OSs that are not capable to get access. There are going to be considerations like these that administrators will have to make as they plan NAP deployments and their longer-term OS migration strategy.

Ian Hameroff [MSFT] (Expert):
Q:
So it sounds like there is no interest in making the native Windows TCP perform well over low-latency networks like 10-gigabit Ethernet? With modern Quad cores, Chimney should no longer be necessary.
A: Not necessarily. You should have the same experience with the TCP/IP functionality on Windows Server 2008 as with Windows Server 2003 with low latency, if not better. While this report doesn't speak to 10GigE, take a look at this recent third-party review of the improvements in throughput, etc. for both low-latency and high-latency scenarios: https://download.microsoft.com/download/4/b/4/4b455e48-72c4-4a04-b9a5-892fd497087a/TollyResults.pdf.

Ian Hameroff [MSFT] (Expert):
Q:
Will the Windows Server 2008 stack be modified from the current Windows Server 2003 version? Has the IPv6 resolution speed been increased?
A: Additionally, TCP Chimney Offload does have a place in quad core+ systems, especially when you consider that 1 GHz of CPU power is required for 1 Gig of networking; you do not want to have the whole of the processing power of the server spent on driving networking traffic. Perhaps I'm not fully understanding your question. Is it that you wish to override the settings for the TCP Receive-window Auto-Scaling like you could set the setting for window size?

Kevin Rhodes (Expert):
Q:
Has anyone else had a problem with Windows Vista BSOD after connecting to NAP? I have a few machines we are testing with and only one exhibits this behavior, looking for others to help solve this problem.
A: On the NAP team, we have not had any reports of anything like this from any of our internal deployments (10s of thousands of machines) or from any of our early adoption partners.

Greg Lindsay [MSFT] (Expert):
Q:
I can duplicate this at will, would someone like to work with me on this issue? (BSOD post connection to NAP?)
A: Sure, Brett, I will try to help. I am working on some troubleshooting documentation right now.

Ian Hameroff [MSFT] (Expert):
Q:
Will the Windows Server 2008 stack be modified from the current Windows Server 2003 version? Has the IPv6 resolution speed been increased?
A: Windows Server 2008 (and Windows Vista) includes a new implementation of the TCP/IP stack (called the "Next Generation TCP/IP Stack"). You can learn more about this and all the enhancements we've delivered at this TechNet site: https://www.microsoft.com/technet/network/tcpip/default.mspx.

Ian Hameroff [MSFT] (Expert):
Q:
Will the Windows Server 2008 stack be modified from the current Windows Server 2003 version? Has the IPv6 resolution speed been increased?
A: Also, IPv6 support is much more robust versus Windows Server 2003. Are you asking if DNS quad A record resolution speed has been increased?

Ian Hameroff [MSFT] (Expert):
Q:
How do you differentiate the Linux Server OS from Windows Server 2008? How do the security features on this prove to be more secure than Linux?
A: We believe that there is a significant number of new and enhanced features in Windows Server 2008 that will really set it apart from Linux. My recommendation is to take a look at the reports and white papers we have up on https://www.getthefacts.com to understand how Windows Server delivers the security and reliability that you can drive your business with. As for security, there is a long list of improvements and new features that help make Windows Server 2008 our most secure server OS to date. This includes many networking features, like Services Hardening, which utilizes the Windows Firewall to further lock down services and reduce risks. Take a look at this article (albeit on Windows Vista) that talks more about this one of many security features: https://www.microsoft.com/technet/technetmag/issues/2007/01/SecurityWatch/?topics=/technet/technetmag/issues/2007/01/SecurityWatch.

Kevin Rhodes (Expert):
Q:
Also, can you post links that detail Windows Server 2008 networking and NAP with SCCM? This will be great for future reference (when I read this later).
A: You can go to https://www.microsoft.com/NAP to learn more about NAP in Windows Server 2008 and Windows Vista. You can also go to https://www.microsoft.com/technet/prodtechnol/sms/smsv4/smsv4_help/48d73b36-d547-4724-94a7-c7aa2a428295.mspx?mfr=true to learn more about SCCM and NAP. There is a good bit of documentation about NAP and SCCM that is still in the pipeline that will be coming available as Windows Server 2008 is released.

Ian Hameroff [MSFT] (Expert):
Q:
Thanks, I just read the Tolly paper, but it does not mention *10* Gigabit Ethernet. We use *10* Gigabit Ethernet, not *1* Gigabit. So sounds like we are out of luck for now--stick with Windows Server 2003, I suppose?
A: Great that you had a chance to read, and as I mentioned before, this was more of an example of how we see improvements over Windows Server 2003 with the network stack auto-tuning features. Again, it would be good to understand what in particular you are looking to do to further boost performance on 10 GigE. For example, if you look at Compound TCP, you can see improvements in throughput thanks to this improvement in dealing with send-side congestion control.

Don_MSFT (Moderator):
Q:
I missed the beginning part of this chat. Is there an archive for this chat session so we can read?
A: Hi BC. The chat transcript will be posted at https://www.microsoft.com/technet/community/chats/trans/default.mspx, probably in the next week or so.

Ian Hameroff [MSFT] (Expert):
Q:
Has QoS been made aware of network connection speeds for the different hop segments?
A: We have a new set of features around QoS in Windows Server 2008, called Policy-based QoS (https://www.microsoft.com/technet/community/columns/cableguy/cg0306.mspx). While this does not incorporate "dedication" of different connection speeds across hops, you can more easily (and centrally using AD GPOs) set DSCP values on packets sent from the host as well as throttle traffic leaving the host. These DSCP values (which are an Internet standard/RFC) will then be used by the routing fabric to determine the priority queue when forwarding.

Kevin Rhodes (Expert):
Q:
Could you explain the pros/cons of using WSUS vs. SCCM as an SHV for security updates?
A: I am not an expert on the differences between these two technologies. From a NAP perspective, the SHA sends data to its corresponding SHV, and the SHV then tells NAP whether the client passed or failed the health check. So beyond that it comes down to the level of features and functionality between the two solutions. I think that SCCM is going to provide more flexibility in how patches and software updates are managed in the network and the level of granularity to which policies can be defined. For more information, you should take a look at the comparison between the two products at product information sites.

Sarah Wahlert [MSFT] (Expert):
Q:
How is the firewall concept of Windows Server 2008 different from that in Windows Server 2003? According to information given on the Microsoft Web site, Microsoft has designed Windows Server 2008 to protect from all kinds of security hacks.
A: Windows Firewall has been extended in Windows Vista and Windows Server 2008 to include more granular filtering options and tighter integration with IPsec. You can find more information at https://www.microsoft.com/windowsfirewall. Additionally, Windows Firewall now enforces a set of service hardening rules that prevents Windows services from communicating on the network in unexpected ways.

Kevin Rhodes (Expert):
Q:
What do SHA and SHV stand for?
A: SHA (System Health Agent); SHV (System Health Validator). For more information on all the terms in NAP, you can go to https://www.microsoft.com/NAP.

Ian Hameroff [MSFT] (Expert):
Q:
Cool feature on QoS…can this be set up to reflect SCCM package distribution priority settings?
A: Great to hear you're interested in the new QoS features! Not sure how this would work with SCCM programmatically, but you could certainly set a higher priority for your delivery servers.

Amith Krishnan (Expert):
Q:
Follow up question to #27--Question #21 mentioned the best documentation out there about using SCCM as an SHV. What is the best documentation to see how WSUS v3.0 works as an SHV with NAP?
A: We are in the process of putting the document together. Please check https://www.microsoft.com/nap in a month for the post. Also, feel free to mail asknap@microsoft.com for the document.

Ian Hameroff [MSFT] (Expert):
Q:
Has QoS been made aware of network connection speeds for the different hop segments?
A: There is a fairly easy way to do this via the management console. Take a look at this link for more details: https://technet2.microsoft.com/windowsserver2008/en/library/ce82863f-9303-444f-9bb3-ecaf649bd3dd1033.mspx?mfr=true.

Ian Hameroff [MSFT] (Expert):
Q:
How do you remove a Read-Only Domain Controller (RODC) if one is stolen or otherwise removed from your network?
A: And, here's another link: https://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx?mfr=true.

Don_MSFT (Moderator):
Here are links to some Web sites that might be of use to you:
https://www.microsoft.com/networking
https://www.microsoft.com/nap
https://blogs.technet.com/nap
https://blogs.technet.com/ianhamer
https://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=576&SiteID=17
https://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=577&SiteID=17
https://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=1510&SiteID=17

Kevin Rhodes (Expert):
Q:
Does SHV check the client health of the SMS client? Seeing as how WMI and SMS 2003 have severe limiting issues with that in today's deployments.
A: The SCCM SHA is part of the SCCM client. It may do some internal health checks, but I don't think there are any policies that they provide specifically to check the health of the SCCM client itself. More information may be available at the Web site https://www.microsoft.com/technet/prodtechnol/sms/smsv4/smsv4_help/48d73b36-d547-4724-94a7-c7aa2a428295.mspx?mfr=true.

Ian Hameroff [MSFT] (Expert):
Q:
In Windows Server 2003, if a Web site is blocked from a client using proxy software, we can view the Web sites. Is it possible to block usage of proxy software from Server, apart from Software Policy Restriction?
A: Are you attempting to bypass your network's proxy server?

Ian Hameroff [MSFT] (Expert):
Q:
Regarding Question No. 33: Yes, for example, use of software like UltraSurf will bypass the proxy of the Server and allow access to all the Web sites. We can block the usage of this software, but are there any options to stop bypassing the Windows Server 2008 proxy?
A: I don't believe Windows Server 2008 has a built-in proxy server service. Instead, this would be functionality provided by something like ISA Server 2006. You could utilize many of the scripts and enhancements to ISA Server 2006 to help add to the plan related to SRP. Check out https://www.isaserver.org for hints.

Amith Krishnan (Expert):
Q:
Also, how is the centralized reporting for NAP? Does it have a SQL backend for data collected displayed via SQL reporting services or some other method?
A: There is a SQL backend for data collection via SQL. The same is being used for reporting by Microsoft IT.

Jill Beck (Expert):
Q:
Are you asking if DNS quad A record resolution speed has been increased? I am now (H).
A: For home, even though Teredo gets provisioned by default, no AAAA query is issued. For enterprise, if there is not an IPv6 deployment, no AAAA will be issued. If, however, one deploys ISATAP or 6to4, AAAA will be issued.

Ian Hameroff [MSFT] (Expert):
Q:
For some networks that still prefer to use a peer-to-peer network instead of deploying a domain, is there a way they can use Windows Server 2008?
A: You can still deploy Windows Server 2008 in a workgroup fashion, although you do gain a greater level of manageability when using Active Directory. If this is a small-scale network, consider evaluating Windows Server Small Business Server when it becomes available for Windows Server 2008.

Kevin Rhodes (Expert):
Q:
Does SHA have extensibility? I mean, can I have it start fixing other common core OS issues that happen in large Enterprise environments? Something NAP could fix?
A: The NAP infrastructure is open for integration by ISVs and third parties so they can write their own SHAs to integrate with NAP. So NAP is extensible this way. The SHA that is included in Windows Vista or SCCM is not extensible itself. Whether you would look to an SHA to address the OS issues you are referring to will depend on what those specific issues are and how appropriate it would be to do it that way.

Greg Lindsay [MSFT] (Expert):
Q:
Will Windows Server 2008 have native VLAN support for NICs, and will that still be a matter of having a software package from the producer of the NIC?
A: Hi Tom, VLAN support is in the NIC driver. Most NICs that I've seen support VLANs natively, but not all support multiple VLANs. As I understand it, the NIC driver must recognize the VLAN information contained in an Ethernet frame.

Amith Krishnan (Expert):
Q:
How well do NAP and SHV/SHA work with Virtual Machines?
A: Very well. We use it for our demos all the time.

Amith Krishnan (Expert):
Q:
What are the network bandwidth requirements for NAP? I mean, how much info is sent on a recurring basis? Looking to see what network flood might occur (if any).
A: Very, very little. Less than 4K per transaction.