Enterprise Networking with Windows Vista
Microsoft Windows Vista includes significantly improved networking technology to enhance end-user productivity, simplify administration, and increase security. This document provides a high-level overview of Windows Vista enterprise networking technologies. This article does not discuss consumer networking scenarios.
Next-Generation Networking Innovations in Windows Vista
Connecting users to resources and content in a secure, simple, and manageable way is critical to the success and health of any organization. Users expect their data to be accessible wherever they are, whether they are in their office, at home, at a wireless hotspot, or traveling abroad. Administrators are challenged with providing more advanced networking services, including Voice over IP (VoIP) and multimedia streaming at a high quality of service. Additionally, corporate or government regulations may require stronger security measures to be instituted to protect data from unauthorized access.
Windows Vista represents the largest set of networking innovations since Windows 95, and provides enhancements in many areas to help make access to network resources seamless and more secure while keeping configuration and management efforts to a minimum. Windows Vista provides an enhanced networking experience for both the IT administrator, who is responsible for the security, maintenance, and deployment of networked resources, and the end-user, who expects a rich, seamless, and dependable networking experience.
Next-Generation TCP/IP Stack
Windows Vista includes an updated implementation of the TCP/IP stack known as the Next-Generation TCP/IP stack. The Next-Generation TCP/IP stack has innovative improvements to TCP/IP functionality, which address several of today's top networking issues:
- Greater performance and throughput
- Receive Window Auto-Tuning
- Compound TCP
- ECN support
- Rich APIs for network packet inspection
Greater Performance and Throughput
Maximizing network utilization requires complex tuning of TCP/IP configuration settings. Windows Vista eliminates the need to manually tune TCP/IP settings by detecting network conditions and automatically optimizing performance. On high-loss networks, such as wireless networks, Windows Vista can better recover from single and multiple packet losses. Windows Vista can dynamically increase or decrease the TCP Receive Window to fully utilize the capacity of a connection; users transferring files across a high-speed/high-latency WAN or downloading files from the Internet should notice faster transfer times. With Windows Vista, all users can have the best possible network performance, without needing to understand advanced TCP/IP settings.
Receive Window Auto-Tuning
The TCP Receive Window size is the number of bytes that a receiving host allows a sending host to send at one time on a TCP connection. To determine the optimum TCP Receive Window size for a connection based on the current conditions of the network, the Next-Generation TCP/IP stack supports TCP Receive Window Auto-Tuning. TCP Receive Window Auto-Tuning continually determines the optimal TCP Receive Window size on a per-connection basis by measuring the bandwidth-delay product (the bandwidth multiplied by the latency of the connection) and the application retrieve rate, and automatically adjusts the maximum TCP Receive Window size on an ongoing basis. With better throughput between TCP peers, the utilization of network bandwidth increases during data transfer. The overall utilization of the network will be better optimized, making the use of Quality of Service (QoS) more important for networks that are operating at or near capacity. For more information, see the "Policy-based Quality of Service" section of this document.
Compound TCP
For TCP connections with a large TCP Receive Window size and a large bandwidth-delay product (the bandwidth multiplied by the latency of the connection), Compound TCP (CTCP) in the Next-Generation TCP/IP stack aggressively increases the amount of data sent at one time by monitoring the bandwidth-delay product, delay variations, and packet losses. CTCP also ensures that its behavior does not negatively impact other TCP connections. In testing performed internally at Microsoft, large file backup times were reduced by almost half for a 1 Gigabit-per-second connection with a 50-millisecond round-trip time. Connections with a larger bandwidth-delay product can have even better performance. TCP Receive Window Auto-Tuning optimizes receiver-side throughput and CTCP optimizes sender-side throughput. By working together, they can increase link utilization and produce substantial performance gains for large bandwidth-delay connections. For more information, see Performance Enhancements in the Next-Generation TCP/IP Stack.
ECN Support
When a TCP segment is lost, TCP assumes that the segment was lost due to congestion at a router and performs congestion control, which dramatically lowers the TCP sender's transmission rate. With Explicit Congestion Notification (ECN) support on both TCP peers and in the routing infrastructure, routers experiencing congestion mark the packets as they forward them. TCP peers receiving marked packets lower their transmission rate to ease congestion and prevent segment losses. Detecting congestion before packet losses are incurred increases the overall throughput between TCP peers. Release Candidate 1 of Windows Vista supports ECN but it is disabled by default. For more information, see Performance Enhancements in the Next-Generation TCP/IP Stack.
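As an added example (not part of this Microsoft document), the PowerShell function below computes the bandwidth-delay product for the 1 Gbps, 50 ms case cited above and the throughput ceiling that a fixed receive window imposes on such a link; the netsh commands that follow inspect and set the Vista stack's Receive Window Auto-Tuning, CTCP and ECN switches from the Netsh interface tcp context. The function name and its parameters are my own; the netsh keywords are those of the Windows Vista Netsh tool.

```powershell
# Added example: why a fixed TCP Receive Window caps throughput on high
# bandwidth-delay links, and the Windows Vista switches for the features that fix it.

function Get-TcpWindowAnalysis {
    param(
        [double]$LinkBitsPerSecond,        # raw link speed, e.g. 1e9 for 1 Gbps
        [double]$RttMilliseconds,          # round-trip time of the path
        [int]$ReceiveWindowBytes = 65535   # 64 KB: the largest window without TCP window scaling
    )
    $rttSeconds = $RttMilliseconds / 1000
    # Bandwidth-delay product: the number of bytes that can be in flight on the path at once.
    $bdpBytes = $LinkBitsPerSecond * $rttSeconds / 8
    # A sender can have at most one receive window outstanding per round trip.
    $cappedBps = ($ReceiveWindowBytes * 8) / $rttSeconds
    New-Object PSObject -Property @{
        BdpBytes               = [math]::Round($bdpBytes)
        WindowNeededKB         = [math]::Round($bdpBytes / 1024)
        FixedWindowCapMbps     = [math]::Round($cappedBps / 1e6, 2)
        LinkUtilisationPercent = [math]::Round(100 * [math]::Min(1.0, $cappedBps / $LinkBitsPerSecond), 2)
    }
}

# The document's CTCP test case: a 1 Gbps link with a 50 ms round-trip time.
Get-TcpWindowAnalysis -LinkBitsPerSecond 1e9 -RttMilliseconds 50 | Format-List

# Show the global TCP parameters (auto-tuning level, congestion provider, ECN capability).
netsh interface tcp show global

# Enable the features described above. These commands require an elevated prompt.
netsh interface tcp set global autotuninglevel=normal    # let the stack grow the window past 64 KB
netsh interface tcp set global congestionprovider=ctcp   # Compound TCP on the sending side
netsh interface tcp set global ecncapability=enabled     # ECN is off by default in Vista RC1
```

On the 1 Gbps, 50 ms path the bandwidth-delay product is 6,250,000 bytes (about 6,104 KB), while a fixed 64 KB window allows roughly 10.5 Mbps, about 1% of the link; that gap is what Receive Window Auto-Tuning on the receiver and CTCP on the sender close together. ECN only helps when the routers on the path mark packets, so enable it after confirming the network supports it.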
Rich APIs for Network Packet Inspection
The Windows Filtering Platform (WFP) is a new architecture in the Next-Generation TCP/IP Stack that provides APIs so that third-party software developers can participate in the filtering decisions that take place at several layers in the TCP/IP protocol stack. The platform also provides support for next-generation firewall features such as authenticated communication and dynamic firewall configuration based on an application's use of the Windows Sockets API (application-based policy). Independent software vendors (ISVs) can more easily create firewalls, anti-virus software, and other types of network applications and services. The Windows Firewall and Internet Protocol security (IPsec) in Windows Vista and Windows Server Code Name "Longhorn" use the WFP API.
For more information, see Windows Filtering Platform.
Additional Networking Innovations
Windows Vista also includes the following additional innovations to address today's top networking issues:
- Effortless Connectivity
- Advanced End-to-End Security
- Greater Manageability
- World-Ready Scalability
Effortless Connectivity
It can be challenging to access network resources and connections (often with different firewall settings), and users may have difficulty resolving connectivity problems. As a result, users place more calls to support centers, increasing support costs and user frustration. The new user interface in Windows Vista improves the user experience by graphically displaying the connectivity status of the computer, helping users diagnose and resolve connectivity issues, and making network resources easy to explore.
Advanced End-to-End Security
Administrators can use the updated Windows Firewall with Advanced Security to create network filtering rules or require computer authentication or encryption of network data and help protect the internal network from clients deemed unhealthy using the Network Access Protection (NAP) capability in Windows Server "Longhorn." Security enhancements in Windows Vista also improve the security of virtual private networks (VPNs) and take advantage of the latest improvements to wireless security.
Greater Manageability
Business needs require more network services and end-user expectations of quality and reliability grow each day. IT departments within organizations are required to provide additional network functionality, such as wireless networking and multimedia streaming, while maintaining a high standard of security, reliability, and service levels to the organization. Windows Vista helps reduce the administrative burden by providing greater manageability for networking services, including the ability to manage the configuration of firewall policies and wireless networking via Group Policy or command-line scripting, as well as bandwidth prioritization and throttling through policy-based Quality of Service.
World-Ready Scalability
Many organizations are running out of public IPv4 addresses because each computer, network device, and mobile device that is directly connected to the Internet requires a unique public IPv4 address. This situation has forced network administrators to implement inconvenient workarounds, such as Network Address Translation (NAT) devices, which require administration effort and can cause application incompatibilities. Windows Vista natively supports IPv6 to help alleviate these issues. Likewise, as additional network services including higher-throughput applications and encryption are used, there can be a bottleneck at the CPU for processing network packets. Windows Vista supports hardware offload capabilities of network adapters to provide better performance and scalability.
The sections that follow discuss Windows Vista's focus on creating a reliable network and seamless user experience based on simplified user-centric networking, advanced security, and improved manageability and scalability.
Effortless Connectivity
Today's user is more mobile than ever before, switching from the corporate network to the home network and even connecting to hotspots at coffee shops and airports. Users want their network experience to be as seamless and reliable as possible, and Windows Vista provides such an experience. Windows Vista has many features to keep the user connected and productive:
- Network Center, an easy-to-use interface graphically showing the connection status of the computer
- A simple wizard to create or join networks
- Windows Peer-to-Peer Networking platform support for collaboration
- Network diagnostics to easily troubleshoot and resolve connectivity issues
- Network Location Awareness APIs to provide applications with information on changes to network connectivity
Network Center
Windows Vista's Network Center, shown in Figure 1, provides a clear view of the current connection status, available wireless networks, a network map to show surrounding network resources on a home or unmanaged network, and easy methods to create or join ad-hoc wireless networks. Diagnostic tools built into Network Center simplify troubleshooting connectivity problems and users can browse network resources by starting the new Network Explorer.
Figure 1: Network Center
Simple Network Creation
With Windows Vista, setting up a network among multiple PCs and devices such as printers and wireless access points is simpler and more intuitive. The Network Setup Wizard easily and automatically identifies supported network devices and creates connections to the network. With devices that support Windows Connect Now, users can save network settings to a portable USB flash drive to make adding additional supported computers and devices quick and easy. Simply insert a USB flash drive into a computer or device, and it readies itself to join the network.
Windows Peer-to-Peer Networking Platform
Peer-to-Peer (P2P) communication and collaboration is becoming more essential than ever to organizational productivity and success. P2P networking enables direct client-to-client communication, providing faster data transmission and offering greater flexibility such as deployment on disconnected or ad-hoc networks. Some of the key target applications include inter-personal communication, content distribution, and home/office productivity. Yet, there are many obstacles to overcome in this area. For instance, a network is not always available: you cannot share a file with your team members in meeting rooms or a café without a network. Projecting information is another challenge. A projector is not always available, or even if you have a projector, some documents may not project well.
Windows Vista offers a comprehensive set of facilities supporting P2P application development with the Windows Peer-to-Peer Networking platform. It enables the discovery of endpoints for communication and collaboration over the Internet using the Peer Name Resolution Protocol (PNRP), and over the local subnet using People Near Me (PNM) technology. Windows Vista also supports inviting users to activities and establishing end-to-end application sessions.
Windows Meeting Space
Windows Meeting Space, the new collaboration feature in Windows Vista, is a simple, yet powerful tool that enables face-to-face collaboration among small groups of Windows Vista users at anytime and anywhere. It is built entirely on the Windows Peer-to-Peer Networking platform within Windows Vista. Whether the user is making a presentation or revising a spreadsheet, Windows Meeting Space can help by enabling peer collaboration for as few as two or as many as 10 people. Connections are established quickly, easily, and more securely. One person simply initiates a session in Windows Meeting Space, which then allows designated users to share the same view of an application and to collaborate with each other in real time.
Windows Meeting Space can connect users either through an already existing network or by automatically creating an ad hoc wireless network. An ad hoc wireless network is perfect for collaboration when participants do not have access to a network infrastructure, for example in a coffee shop or airport which does not have a wireless network. Using Windows Meeting Space on an ad hoc wireless network opens up a range of new and more flexible collaboration possibilities and does not require any networking expertise on the part of the end user.
Network Diagnostics Framework
The Network Diagnostics Framework can help users troubleshoot many common connectivity problems without requiring a call to the support center. For example, if a network cable becomes unplugged, Windows Vista can fully diagnose the problem and instruct the user to reconnect the cable. If the computer cannot connect to the wireless network, Windows Vista in most situations can identify the reason and lead the user in resolving the issue. When unable to connect to a network resource, the user is presented with clear diagnosis and repair options rather than error messages which can be difficult to understand. If Windows Vista can repair the issue automatically, it will; if not, the user is directed to perform simple steps to correct the problem without having to call for support.
Richer diagnostic information is also recorded in the Event Viewer. For example, the wireless LAN diagnostics describe information about the wireless environment, including networks in range, the number of wireless access points in range per wireless Service Set Identifier (SSID), information about the connection process and which phase of the connection attempt failed, and the diagnostics results including suggested repairs. Support professionals within organizations can use these event records for further troubleshooting when network diagnostics was unable to resolve the problem or when the required steps were beyond what the user's rights allow.
The event logs can significantly shorten the time needed to resolve wireless connection problems, resulting in the reduced cost of support calls and greater user satisfaction and productivity. For example, Figure 2 tells the user exactly why access to a network resource is unavailable. While the user may not be able to correct the problem, the help desk now has enough information to correct the problem quickly. Additionally, these event log entries can be automatically collected by network administrators using Microsoft Operations Manager or other central management tools and analyzed for trends and infrastructure design changes. The wireless diagnostics in Windows Vista is extensible for vendors to add diagnostics capabilities for wireless protocols that are not natively supported.
Figure 2: Network Diagnostics
Network Awareness
Many applications connect to the Internet to look for updates, download real-time information, and facilitate collaboration between users. However, creating applications that can automatically adapt to changing network conditions has been difficult for developers. Network Awareness APIs enable applications to sense changes to the network to which the computer is connected, such as placing a laptop into standby mode at work and then opening it at a wireless hotspot. This enables Windows Vista to alert applications of network changes, and these applications can then behave differently to provide a seamless experience.
Windows Vista identifies and remembers each of the networks to which it connects. Network Awareness APIs then allow applications to query for characteristics of each of these networks, including:
- Connectivity. A network may be disconnected, it may provide access to only the local network, or it may provide access to the local network and the Internet.
- Connections. Windows Vista may be connected to a network by one or more connections (such as network adapters). Network Awareness APIs enable applications to determine the connections that Windows Vista is currently using to connect to a given network.
- Category. Each network is assigned a category in Windows Vista that identifies the type of network it is. Some Windows Vista settings change based upon the category of the network to which it is connected. For example, Windows Firewall with Advanced Security enforces different policies based upon the category of the network to which Windows Vista is currently connected.
There are three categories of networks in Windows Vista:
- Domain. For this category, Windows Vista will automatically identify networks on which Windows Vista can access an Active Directory® directory service domain controller for the domain to which the computer is joined. No other networks can be placed in this category.
- Public. Other than domain networks, all networks are categorized as public. Networks that have direct connections to the Internet or are in public places, such as airports and coffee shops, should be left public.
- Private. A network will only be categorized as private if a user or application identifies the network as private. Only networks located behind a private gateway device that is acting as a firewall should be identified as private networks. Users will likely want to identify their home or small business networks as private.
When a user connects to a network that is not part of the domain category, Windows Vista asks the user to identify the network as either public or private. The user must be a local administrator of the computer to identify the network as private. When the type of network to which the computer is connected is identified, Windows Vista is able to modify its configuration, such as firewall and file sharing settings, for the specified network category.
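As an added example (not part of this Microsoft document), the PowerShell script below reads the three characteristics just described, connectivity, connections and category, for every network the computer is currently connected to, through the Network List Manager COM object that backs the Network Awareness APIs. It assumes that the CLSID shown is the Network List Manager class and that the category and connectivity codes follow the NLM_NETWORK_CATEGORY and NLM_CONNECTIVITY enumerations; the helper names and the flag table are my own.

```powershell
# Added example: enumerate the networks Windows Vista has identified and decode their
# category (Domain/Private/Public) and connectivity flags via the Network List Manager.
# Assumption: the CLSID below is CLSID_NetworkListManager.

$nlmClsid = [Guid]'DCB00C01-570F-4A9B-8D69-199FDBA5723B'
$nlm = [Activator]::CreateInstance([Type]::GetTypeFromCLSID($nlmClsid))

# NLM_NETWORK_CATEGORY: 0 = public, 1 = private, 2 = domain-authenticated.
$categoryNames = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }

# NLM_CONNECTIVITY is a bit field; each bit is decoded into a readable name.
$connectivityBits = @(
    @{ Mask = 0x0001; Name = 'IPv4NoTraffic' },
    @{ Mask = 0x0002; Name = 'IPv6NoTraffic' },
    @{ Mask = 0x0010; Name = 'IPv4Subnet' },
    @{ Mask = 0x0020; Name = 'IPv4LocalNetwork' },
    @{ Mask = 0x0040; Name = 'IPv4Internet' },
    @{ Mask = 0x0100; Name = 'IPv6Subnet' },
    @{ Mask = 0x0200; Name = 'IPv6LocalNetwork' },
    @{ Mask = 0x0400; Name = 'IPv6Internet' }
)

function ConvertTo-ConnectivityNames([int]$value) {
    # 0 means NLM_CONNECTIVITY_DISCONNECTED.
    if ($value -eq 0) { return 'Disconnected' }
    $names = @()
    foreach ($bit in $connectivityBits) {
        if (($value -band $bit.Mask) -ne 0) { $names += $bit.Name }
    }
    return ($names -join ',')
}

# NLM_ENUM_NETWORK_CONNECTED = 1: only networks with at least one active connection.
foreach ($network in $nlm.GetNetworks(1)) {
    $connections = @($network.GetNetworkConnections())   # adapters joined to this network
    New-Object PSObject -Property @{
        Name         = $network.GetName()
        Category     = $categoryNames[[int]$network.GetCategory()]
        Connectivity = ConvertTo-ConnectivityNames ([int]$network.GetConnectivity())
        Connections  = $connections.Count
        Internet     = $network.IsConnectedToInternet
    }
}
```

Because the firewall profile is chosen from the category, this is the first thing to check when a rule that works on the corporate LAN seems to fail elsewhere: a laptop that reports Public for a network the user assumed was Private is behaving correctly, and changing the category requires local administrator rights as stated above.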
Advanced End-to-End Security
As the need for enterprises to share data within and outside their organizations increases, so does the requirement for greater security. Windows Vista provides enhanced network security features that are comprehensive yet easy to configure. Network security in Windows Vista is enabled in a layered approach, including:
- Protecting the network from unhealthy computers with Network Access Protection
- Blocking specific traffic from accessing or leaving computers, as well as isolating computers from unauthenticated access with the Windows Firewall with Advanced Security
- Using stronger wireless authentication and encryption protocols
Network Access Protection
Many organizations have been impacted by viruses or worms that entered their private networks from a mobile laptop and quickly infected other computers. Windows Vista supports Network Access Protection (NAP) to reduce the risks of connecting unhealthy computers to organization networks directly or across a VPN connection. With a Windows Server "Longhorn"-based NAP infrastructure, if a computer running Windows Vista lacks current security updates, virus signatures, or otherwise fails to meet the requirements for a healthy computer, NAP blocks the computer from having full access to the organization network. If a computer fails to meet the health requirements, it will be connected to a restricted network to download and install the updates or antivirus signatures or make configuration changes that are required to comply with the health requirements. Within minutes, a potentially vulnerable computer can be updated and then granted limited access to the organization network. For more information about NAP, see http://www.microsoft.com/nap.
Windows Firewall with Advanced Security
The Windows Firewall with Advanced Security helps your business face the challenges of modern networking by providing a scalable solution that is tightly integrated with existing security technologies such as IPsec and Network Access Protection.
To help address these challenges, Windows Firewall with Advanced Security offers the following benefits:
- Reduces the risk of network security threats. Windows Firewall with Advanced Security reduces the attack surface of a computer, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a computer increases manageability and decreases the likelihood of a successful attack. Integration with NAP also helps ensure that client computers remain compliant with system health requirements.
- Safeguards sensitive data and intellectual property. With its integration with IPsec, Windows Firewall with Advanced Security provides a simple way to enforce authenticated, end-to-end network communications, providing scalable, tiered access to trusted network resources and/or protecting the confidentiality and integrity of data.
- Extends the value of existing investments. Windows Firewall with Advanced Security is a host-based firewall that is included with Windows Vista and Windows Server "Longhorn." Because it tightly integrates with Active Directory and Group Policy, Windows Firewall with Advanced Security is also designed to complement existing third-party network security solutions through a scriptable API.
This powerful layer of security can be managed via Group Policy or command line scripting to provide a simple way to deploy inbound or outbound filtering and traffic protection rules that limit access by specific users, computers, or applications while providing the administrator with an extremely granular level of control. IPsec can request or require authentication by user, computer, and/or health certificate (integrating with NAP) to provide a richer, scenario-based security policy. This enables Windows Vista to fit perfectly into Server and Domain Isolation policies set within an organization.
Server and Domain Isolation
In an Active Directory-based network, you can logically isolate domain and server resources to limit access to authenticated and authorized computers, as shown in Figure 3. For example, you can create a logical network inside the existing physical network where computers share a common set of requirements for secure communications. Each computer in this logically isolated network must provide authentication credentials to other computers in the isolated network in order to establish connectivity.
Figure 3: Logical Isolation of Domain and Server Resources
This isolation prevents unauthorized computers and programs from gaining access to resources inappropriately. Requests from computers that are not part of the isolated network are ignored. Server and Domain Isolation can help protect specific high-value servers and data as well as protect managed computers from unmanaged or rogue computers and users.
You can use two types of isolation to protect a network:
- Domain Isolation. To isolate a domain, you use Active Directory domain membership to ensure that domain-member computers accept only authenticated and secured communications from other domain-member computers. The isolated network consists of only computers that are part of the domain. Domain Isolation uses IPsec policy to provide protection for traffic sent between domain members, including all client and server computers.
- Server Isolation. Server Isolation works like Domain Isolation. In Server Isolation, only specific domain-joined servers or applications are configured to require IPsec policy to accept authenticated communications from other domain-member computers, whereas Domain Isolation requires authenticated communications for all domain-member computers. For example, you might configure Domain Isolation to protect a database server from unauthorized connections from computers outside the domain, then use Server Isolation to further restrict these high-value servers to users within a specific group.
You can enforce Server and Domain Isolation through Group Policy by configuring IPsec settings on local computers that are enforced by Windows Firewall with Advanced Security. For more information about Server and Domain Isolation, see http://www.microsoft.com/sdisolation.
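As an added example (not part of this Microsoft document), the commands below are the local-policy equivalents of the Domain Isolation and Server Isolation rules described above, expressed as connection security rules in the Netsh advfirewall context that Windows Firewall with Advanced Security enforces. In a deployment these rules are authored once in Group Policy rather than typed on each host; the domain controller address and the group SID are placeholders, and the rule names are my own.

```powershell
# Added example: IPsec connection security ("consec") rules for Domain Isolation and
# Server Isolation on Windows Vista. Run from an elevated prompt.
# Placeholders: the domain controller address and the Finance group SID.

$dcAddress  = '10.0.0.10'              # placeholder: a domain controller
$financeSid = 'S-1-5-21-0-0-0-1234'    # placeholder: SID of the "Finance" domain group

# 1. Domain Isolation (every domain member): authentication is requested for outbound
#    traffic and required for inbound traffic, using the computer's Kerberos identity.
#    Unmanaged machines cannot authenticate, so their inbound requests are ignored.
netsh advfirewall consec add rule name="Domain Isolation" `
    endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb

# 2. Exemption: a computer must reach a domain controller before it can obtain a
#    Kerberos ticket, so traffic to the domain controllers is exempted from IPsec.
netsh advfirewall consec add rule name="Exempt domain controllers" `
    endpoint1=any "endpoint2=$dcAddress" action=noauthentication

# 3. Server Isolation (only on the high-value server): require authentication in
#    both directions, so even domain members must prove their identity to connect...
netsh advfirewall consec add rule name="Server Isolation" `
    endpoint1=any endpoint2=any action=requireinrequireout auth1=computerkerb

# 4. ...and restrict the inbound firewall rule for the database port to computers in one
#    authenticated group. The SDDL string allows only members of the placeholder group.
netsh advfirewall firewall add rule name="Finance to database" dir=in action=allow `
    protocol=TCP localport=1433 security=authenticate `
    "rmtcomputergrp=D:(A;;CC;;;$financeSid)"

# Review what is now in force.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

The ordering matters for troubleshooting: if step 2 is missing, domain members lose the ability to reach the domain controllers once step 1 is applied and appear to fall out of the isolated network. The `security=authenticate` requirement in step 4 only has effect where a connection security rule (step 3) has already established the IPsec association that carries the peer's identity.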
Network-Aware Firewall Policies
The Windows Firewall with Advanced Security is an example of a network-aware application. The administrator can create a profile for each network category, with each profile containing different firewall policies. For example, the Windows Firewall can automatically allow incoming traffic for a specific desktop management tool when the computer is on a domain network but block that traffic when the computer is connected to a public or private network. In this way, Network Awareness can provide flexibility on your organization network without sacrificing security when mobile users travel. The Network Awareness APIs complement the robust and flexible filtering built into Windows Firewall with Advanced Security, which lets you filter programs, services, or ports for specific IP address scopes, interface types, users, groups, computers, and levels of protection, all based on the network category for the network the computer is connected to. A public network profile should have stricter firewall policies to protect against unauthorized access. A private network profile, on the other hand, may have less restrictive firewall policies to allow file and print sharing, peer-to-peer discovery, and connectivity with Windows Connect Now devices. Figure 4 shows the Windows Firewall with Advanced Security interface and the profiles for the three different network categories.
Figure 4: Windows Firewall with Advanced Security
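As an added example (not part of this Microsoft document), the script below applies the per-profile policy that the section above describes using the Netsh advfirewall context: inbound blocked by default everywhere, an even stricter public profile, file and printer sharing only on the private profile, and a management agent reachable only while the computer is on the domain network. The agent path and port are placeholders; the rule name is my own.

```powershell
# Added example: network-aware firewall policy per profile on Windows Vista.
# Run from an elevated prompt; in a domain these settings belong in Group Policy.
# Placeholders: the management agent executable and its listening port.

$agentExe  = 'C:\Program Files\Contoso\MgmtAgent.exe'   # placeholder management tool
$agentPort = 5985                                        # placeholder listening port

# Firewall on for every profile; block inbound by default, allow outbound.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Public profile: block inbound traffic even where a rule would allow it.
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound

# Private profile only: enable the built-in sharing and discovery rule groups.
# The profile= selector before "new" limits the change to the private-profile rules.
netsh advfirewall firewall set rule group="File and Printer Sharing" profile=private new enable=yes
netsh advfirewall firewall set rule group="Network Discovery" profile=private new enable=yes

# Domain profile only: let the management agent receive connections.
netsh advfirewall firewall add rule name="Management agent (domain only)" dir=in action=allow `
    "program=$agentExe" protocol=TCP "localport=$agentPort" profile=domain

# Verify which profile is active now and how the rule was stored.
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name="Management agent (domain only)"
```

The last two commands are the check to run on a roaming laptop: `show currentprofile` reports which category Windows Vista assigned to the current network, and the rule listing confirms that the agent rule carries `Profiles: Domain` only, so it is inert at a hotspot.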
Wireless Single Sign On
The deployment of wireless networks has promoted the use of Layer 2 network authentication, such as IEEE 802.1X, to ensure that only an authenticated user or device is allowed on the protected network and that their data is secure at the radio transmission level. The wireless Single Sign On feature executes Layer 2 network authentication at the appropriate time for a given network security configuration, while at the same time seamlessly integrating with the user's Windows logon experience.
Administrators can use Group Policy or command-line scripting to deploy wireless Single Sign On profiles to client machines. Once a Single Sign On profile is configured, wireless network authentication will precede the Windows logon. This feature enables scenarios such as Group Policy updates, logon scripts, and wireless domain joins, which require network connectivity prior to user logon.
Windows Vista has wide support for the latest wireless security protocols and standards, including:
- Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
- Protected Extensible Authentication Protocol-TLS (PEAP-TLS)
- PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2)
- Wi-Fi Protected Access 2 (WPA2) (Enterprise and Personal)
- Wi-Fi Protected Access (WPA) (Enterprise and Personal)
- Wired Equivalent Privacy (WEP)
This broad support ensures interoperability between Windows Vista and almost any wireless infrastructure. Personal networks at home or in small businesses can also be more secure through WPA2-Personal and WPA-Personal using a pre-shared key. The capabilities of the wireless network adapter are examined by Windows Vista and the most secure protocol is chosen by default when connecting to or creating wireless networks. Wireless security in Windows Vista is also extensible. Using the EAPHost framework, Windows Vista is able to support custom authentication mechanisms defined by a hardware vendor or by an organization.
Windows Vista's wireless networking includes many improvements to the behavior of the wireless client to mitigate common wireless attacks. The client automatically connects only to networks that the user or network administrator has explicitly requested or identified as preferred networks. The client also warns the user before initiating a connection to an unsecured network. Additionally, the client actively probes for fewer preferred networks, and only when instructed to do so by the user.
Greater Manageability
Manageability is a critical factor in providing appropriate levels of service and ensuring security measures are enforced while reducing operations costs. Windows Vista has been designed to support high levels of manageability to help reduce the cost of deploying wireless networks and providing quality of service for applications or end-users.
The importance of networking and mobility has encouraged many organizations to deploy wireless networks so that employees can maintain connectivity during meetings throughout their office building, campus, or public hotspots. Wireless networks offer significant benefits, including increased productivity, but they can introduce security risks and administration complications.
Windows Vista includes a native wireless networking architecture (Native Wi-Fi) as part of its core networking support. This provides many benefits, including flexible deployment across many hardware brands and models, similar user experiences regardless of the hardware, and more reliable third-party wireless adapter drivers.
Although wireless networks can be protected with authentication and encryption, implementing that security can be so difficult that administrators often leave such critical layers of security out of their networks. Windows Vista's wireless features can be managed via Group Policy or command-line scripting to easily deploy configuration settings and security requirements across the entire organization. In addition, as there are more requirements to extend networking services to include Voice over IP (VoIP) and multimedia streaming, it is important to be able to provide a method to control and prioritize outgoing and incoming traffic to computers on the network. Policy-based Quality of Service enables the administrator to manage the amount of bandwidth that applications use.
Configuring and Deploying Wireless Network Settings with Group Policy
Windows Vista includes new Group Policy settings that enable administrators to configure policies for wireless client behavior. In addition, Windows Vista includes a command-line interface that enables full management of wireless networks from the command prompt or through scripting.
Using the Group Policy snap-in for the Microsoft Management Console (MMC), administrators can define how wireless clients connect to, and operate on, wireless networks. For example, a company may define a policy that requires all wireless connections to use a certain security configuration, that all connections must be limited to a certain wireless network, or that the connection can only be made to secured networks. Because these settings are made via Group Policy, the end-user can be prevented from changing these settings.
Windows Vista includes an enhanced network command-line interface (the Netsh tool) that enables automation and scripting to assist in configuring wireless network connections. Using the command-line interface, administrators can verify, change, or remove the client's wireless network configuration profiles. These profiles can also be exported to and imported from other computers to expedite provisioning of multiple computers. Figure 5 shows a Wireless Network Group Policy being created for a wireless network configuration.
Figure 5: Creating a New Wireless Network Policy
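The profiles that Netsh exports are XML files, which makes it straightforward to check on a client whether the security configuration mandated by Group Policy has actually taken effect. The following audit script is an added example written for this page, not a Microsoft tool: it parses the XML that `netsh wlan export profile name="<profile>" folder="<dir>"` writes and flags any profile whose authentication or encryption falls below a baseline. The baseline (WPA2 with AES and 802.1X) and both sample profiles are assumptions constructed for the example.

```python
"""Audit exported Windows WLAN profiles against a wireless security baseline.

Added example, not part of the original article or any Microsoft tool. It
parses the XML that `netsh wlan export profile` writes for each profile
(namespace http://www.microsoft.com/networking/WLAN/profile/v1) and reports
profiles whose authentication or encryption fall below the baseline. The
baseline and both sample profiles below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Baseline required by this example (assumption): WPA2 + AES + 802.1X.
REQUIRED_AUTH = {"WPA2"}
REQUIRED_ENC = {"AES"}

# Constructed sample profiles: one enterprise profile, one open legacy profile.
SAMPLE_PROFILES: Dict[str, str] = {
    "CorpWLAN.xml": """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWLAN</name>
  <SSIDConfig><SSID><name>CorpWLAN</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>WPA2</authentication>
    <encryption>AES</encryption>
    <useOneX>true</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>""",
    "FreeCafe.xml": """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>FreeCafe</name>
  <SSIDConfig><SSID><name>FreeCafe</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>open</authentication>
    <encryption>none</encryption>
    <useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>""",
}


@dataclass
class ProfileAudit:
    name: str
    ssid: str
    authentication: str
    encryption: str
    one_x: bool
    findings: List[str]

    @property
    def compliant(self) -> bool:
        return not self.findings


def audit_profile(xml_text: str) -> ProfileAudit:
    """Parse one exported profile and compare it with the baseline."""
    root = ET.fromstring(xml_text)
    name = root.findtext("w:name", default="", namespaces=NS)
    ssid = root.findtext("w:SSIDConfig/w:SSID/w:name", default="", namespaces=NS)
    ae = root.find("w:MSM/w:security/w:authEncryption", NS)
    if ae is None:
        # No security element at all: treat the profile as open and unencrypted.
        auth, enc, one_x = "open", "none", False
    else:
        auth = ae.findtext("w:authentication", default="", namespaces=NS)
        enc = ae.findtext("w:encryption", default="", namespaces=NS)
        one_x = ae.findtext("w:useOneX", default="false", namespaces=NS).strip().lower() == "true"
    findings: List[str] = []
    if auth not in REQUIRED_AUTH:
        findings.append(f"authentication '{auth}' is not one of {sorted(REQUIRED_AUTH)}")
    if enc not in REQUIRED_ENC:
        findings.append(f"encryption '{enc}' is not one of {sorted(REQUIRED_ENC)}")
    if not one_x:
        findings.append("802.1X (useOneX) is not enabled")
    return ProfileAudit(name, ssid, auth, enc, one_x, findings)


def audit_all(profiles: Dict[str, str]) -> Dict[str, ProfileAudit]:
    """Audit a mapping of file name -> profile XML, as read from the export folder."""
    return {fname: audit_profile(text) for fname, text in profiles.items()}


if __name__ == "__main__":
    for fname, result in audit_all(SAMPLE_PROFILES).items():
        status = "OK  " if result.compliant else "FAIL"
        print(f"{status} {fname}: SSID={result.ssid} {result.authentication}/{result.encryption}")
        for finding in result.findings:
            print(f"      - {finding}")
```

On a real client you would export every profile with Netsh into a folder, read each file into the mapping, and run the audit; a failing profile indicates either a Group Policy that did not apply or a profile the user was able to add locally.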
Policy-based Quality of Service
Policy-based Quality of Service in Windows Vista enables domain-wide management of how computers utilize network bandwidth. This technology can solve network problems and enable scenarios such as:
- Ensuring business critical applications and traffic get needed priority. For example, a custom line-of-business application requires priority over normal network traffic.
- Customizing bandwidth requirements for groups of users and machines. For example, sales and marketing require prioritized use of a line-of-business application.
- Enabling real-time traffic, such as VoIP, by giving its applications higher priority.
- Minimizing the impact of latency-insensitive traffic through prioritization and throttling. For example, backup data transfers can cause congestion.
Network quality can diminish because high-bandwidth applications tend to consume all available bandwidth, and applications are not written to give central bandwidth control to IT administrators. Adding more bandwidth does not usually solve these problems. Instead, adding more bandwidth only leads to applications consuming the newly available capacity. IT administrators need a central means to control and allocate bandwidth resources based on the needs of their business.
Policy-based Quality of Service enables the administrator to use current bandwidth more efficiently through flexible, centrally configurable bandwidth management: Quality of Service policies are defined and deployed via Group Policy. With Policy-based Quality of Service, the administrator can prioritize and/or throttle outbound network traffic without requiring applications to be modified for Policy-based Quality of Service support. Policies can either mark outbound traffic with a Differentiated Services Code Point (DSCP) value for routers to prioritize, or have Windows Vista throttle the amount of outbound traffic sent, regardless of the router configuration. A combination of both techniques provides the administrator with even greater flexibility. The policies can be based on any mix of these conditions:
- Groups of users or machines (Active Directory container, such as a domain, site, or OU)
- Sending application
- Source or destination IP address (including network prefix length notation, such as 192.168.1.0/24)
- Source or destination TCP or UDP port number
Figure 6 shows how a policy can be easily created.
Figure 6: Creating a Quality of Service Policy
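To make the matching described above concrete, here is an added model of how a set of Quality of Service policies is evaluated against an outbound flow. It is illustrative code written for this page, not Microsoft's implementation: a policy carries the per-flow conditions the list above names (sending application, source or destination address or prefix, source or destination TCP/UDP port; the user and computer scoping is done by Group Policy before a policy reaches the client, so it is not modelled) and an action, a DSCP value to mark packets with and/or an outbound throttle rate. How Windows breaks ties between overlapping policies is not described on this page; the model picks the policy with the most conditions, which is an assumption. The policy set and flows are constructed.

```python
"""Model of Policy-based QoS evaluation (added example, not Microsoft's code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class QosPolicy:
    name: str
    dscp: Optional[int] = None           # 0..63, or None to leave packets unmarked
    throttle_kbps: Optional[int] = None  # outbound rate cap in kbit/s, or None
    application: Optional[str] = None    # sending executable, e.g. "lob.exe"
    protocol: Optional[str] = None       # "TCP", "UDP", or None for either
    src_net: Optional[str] = None        # host address or prefix, e.g. "192.168.1.0/24"
    dst_net: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def __post_init__(self) -> None:
        if self.dscp is not None and not 0 <= self.dscp <= 63:
            raise ValueError("DSCP must be in 0..63")


@dataclass(frozen=True)
class Flow:
    application: str
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _in_net(net: Optional[str], ip: str) -> bool:
    """An unset address condition matches anything; otherwise test prefix membership."""
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def policy_matches(p: QosPolicy, f: Flow) -> bool:
    """Every condition set on the policy must hold; unset conditions match anything."""
    return (
        (p.application is None or p.application.lower() == f.application.lower())
        and (p.protocol is None or p.protocol.upper() == f.protocol.upper())
        and _in_net(p.src_net, f.src_ip)
        and _in_net(p.dst_net, f.dst_ip)
        and (p.src_port is None or p.src_port == f.src_port)
        and (p.dst_port is None or p.dst_port == f.dst_port)
    )


def specificity(p: QosPolicy) -> int:
    """Number of conditions the policy sets; used as the tie-breaker (assumption)."""
    conds = (p.application, p.protocol, p.src_net, p.dst_net, p.src_port, p.dst_port)
    return sum(c is not None for c in conds)


def select_policy(policies: List[QosPolicy], f: Flow) -> Optional[QosPolicy]:
    matching = [p for p in policies if policy_matches(p, f)]
    return max(matching, key=specificity) if matching else None


def classify(policies: List[QosPolicy], f: Flow) -> Tuple[Optional[int], Optional[int]]:
    """Return (dscp, throttle_kbps) to apply to the flow, or (None, None) if no policy matches."""
    p = select_policy(policies, f)
    return (None, None) if p is None else (p.dscp, p.throttle_kbps)


def dscp_to_tos(dscp: int) -> int:
    """DSCP occupies the top six bits of the IPv4 TOS / IPv6 Traffic Class byte."""
    return dscp << 2


# Constructed sample policy set mirroring the scenarios listed in the article.
POLICIES: List[QosPolicy] = [
    QosPolicy("VoIP (EF)", dscp=46, application="softphone.exe", protocol="UDP"),
    QosPolicy("LOB app to datacenter (AF31)", dscp=26, application="lob.exe",
              dst_net="10.0.0.0/8", dst_port=8443),
    QosPolicy("Backup throttle", throttle_kbps=2048, application="backupagent.exe", dst_port=445),
    QosPolicy("Voice gateway (EF)", dscp=46, dst_net="10.20.30.40"),
]

if __name__ == "__main__":
    sample_flows = [
        Flow("softphone.exe", "UDP", "192.168.1.10", "10.1.2.3", 50000, 5060),
        Flow("lob.exe", "TCP", "192.168.1.10", "10.5.6.7", 51000, 8443),
        Flow("backupagent.exe", "TCP", "192.168.1.10", "10.9.9.9", 52000, 445),
        Flow("browser.exe", "TCP", "192.168.1.10", "203.0.113.5", 53000, 443),
    ]
    for flow in sample_flows:
        chosen = select_policy(POLICIES, flow)
        print(f"{flow.application:16} -> {chosen.name if chosen else 'no policy'}: "
              f"dscp/throttle={classify(POLICIES, flow)}")
```

The DSCP value is what a downstream router acts on, so the marking half of a policy only helps where the network honours DSCP; the throttle half works regardless, as the text notes, because the client itself paces the traffic.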
For more information about Windows Vista and Policy-based Quality of Service, see Quality of Service in Windows Server "Longhorn" and Windows Vista at http://www.microsoft.com/downloads/details.aspx?familyid=0230e025-9549-400b-807e-97e8a0cb9703.
As organizations grow, they may become concerned about potential scalability issues when supporting their network. For example, they may begin running out of available IP addresses. Many organizations use Network Address Translation (NAT) to provide a larger set of private IPv4 addresses to their internal network, but NATs require additional management and introduce their own connectivity issues with applications that do not support them. While organizations may be interested in providing additional network services such as IPsec, they may also be concerned about the impact on CPU load. Windows Vista addresses network scalability concerns by supporting IPv6 and hardware offload capabilities.
Comprehensive IPv6 Support
To solve problems with limited public IPv4 addresses, many governments, Internet Service Providers (ISPs), and other organizations are transitioning to IPv6, the next version of the network protocol that drives the Internet. Windows Vista supports both IPv4 and IPv6 together through a dual IP layer architecture. IPv6 is enabled by default, with no additional steps necessary by the administrator, and the dual IP layer support enables you to migrate gradually using IPv6 transition technologies that tunnel IPv6 traffic across a private IPv4 network or the IPv4 Internet. Windows Vista natively supports Point-to-Point Protocol for IPv6 (PPPv6) and Layer Two Tunneling Protocol (L2TP)/IPsec VPNs, enabling remote access users to take advantage of the benefits of IPv6 networks. IPv6 provides the following benefits for TCP/IP-based networking connectivity:
Large address space: The 128-bit address space for IPv6 provides ample room to provide every device on the present and foreseeable future Internet with a globally reachable address.
Efficient routing: With a streamlined IPv6 header and IPv6 addressing that supports hierarchical routing infrastructures, IPv6 routers on the Internet can forward IPv6 traffic faster than their IPv4 counterparts.
Ease of configuration: IPv6 hosts can configure themselves either by interacting with a Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server or by interacting with their local router and using stateless address autoconfiguration.
Enhanced security: The IPv6 standards solve some of the security issues of IPv4 by providing better protection against address and port scanning attacks and by requiring that all IPv6 implementations support IPsec for cryptographic protection of IPv6 traffic.
IPv4 and IPv6 are supported natively within the single Next Generation TCP/IP stack. Applications that are written solely for IPv4 will still function as expected. Applications provided with Windows Vista have been updated to support the newer Windows Sockets functions that are independent of IPv4 or IPv6. In Windows Vista, applications and services that support both IPv4 and IPv6 will by default prefer the use of IPv6 over IPv4. This behavior can be configured by the administrator.
To ease the transition to IPv6, Windows Vista supports the Teredo IPv6 transition technology, which performs NAT traversal for IPv6 traffic. Teredo provides connectivity for server or peer-based applications running on computers that are located behind NATs, without having to modify applications or configure NATs. In Release Candidate 1 of Windows Vista, Teredo is enabled by default but inactive. In order to become active, a user must either install an application that needs to use Teredo, or choose to change firewall settings to allow an application to use Teredo. For more information about Teredo, see Using IPv6 and Teredo at http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/ipv6_teredo.mspx.
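Because Teredo carries IPv6 inside IPv4 UDP, Teredo-addressed peers can show up in firewall or server logs on a network whose IPv4 perimeter rules never mention them. The decoder below is an added example written for this page, not Microsoft's code: it recognises Teredo addresses (the 2001:0000::/32 prefix defined in RFC 4380) and unpacks the fields they embed, the Teredo server's IPv4 address, a flags field, and the client's NAT external UDP port and IPv4 address (the last two are stored XORed with all ones). The address in the sample is the well-known RFC 4380 illustration; the log lines are constructed.

```python
"""Decode Teredo IPv6 addresses and find them in log lines (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # RFC 4380 Teredo prefix 2001:0000::/32
CONE_FLAG = 0x8000  # flags bit set when the client believes it is behind a cone NAT


@dataclass(frozen=True)
class TeredoAddress:
    address: str
    server_ipv4: str    # Teredo server the client qualified through
    flags: int
    external_port: int  # client's UDP port as seen outside its NAT
    external_ipv4: str  # client's public IPv4 address as seen outside its NAT

    @property
    def cone_nat(self) -> bool:
        return bool(self.flags & CONE_FLAG)


def parse_teredo(addr: str) -> Optional[TeredoAddress]:
    """Return the decoded Teredo fields, or None if addr is not a Teredo address."""
    try:
        ip = ipaddress.IPv6Address(addr)
    except ValueError:
        return None
    if ip not in TEREDO_PREFIX:
        return None
    raw = int(ip)
    # Layout from the high bits down: 32-bit prefix, 32-bit server IPv4,
    # 16-bit flags, 16-bit obscured port, 32-bit obscured client IPv4.
    server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
    flags = (raw >> 48) & 0xFFFF
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
    client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return TeredoAddress(str(ip), str(server), flags, port, str(client))


# Constructed firewall log excerpt: date time action proto src dst sport dport.
SAMPLE_LOG: List[str] = [
    "2006-09-01 10:15:02 ALLOW TCP 2001:0:4136:e378:8000:63bf:3fff:fdd2 2001:db8::10 49152 445",
    "2006-09-01 10:15:05 ALLOW TCP 2001:db8::22 2001:db8::10 49153 80",
    "2006-09-01 10:15:09 DROP UDP 192.0.2.77 198.51.100.4 3544 3544",
]


def teredo_peers_in_log(lines: List[str]) -> List[TeredoAddress]:
    """Collect every Teredo address appearing as a token in the given log lines."""
    found: List[TeredoAddress] = []
    for line in lines:
        for token in line.split():
            decoded = parse_teredo(token)
            if decoded is not None:
                found.append(decoded)
    return found


if __name__ == "__main__":
    for peer in teredo_peers_in_log(SAMPLE_LOG):
        print(f"{peer.address}: server={peer.server_ipv4} cone={peer.cone_nat} "
              f"client={peer.external_ipv4}:{peer.external_port}")
```

Knowing which public IPv4 address and port a Teredo peer maps to lets an administrator correlate an IPv6-side log entry with the IPv4 UDP flow that carried it, which is otherwise invisible to rules written only in IPv6 terms.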
Hardware Offload and Receive-side Scaling
Windows Vista provides support for offloading network traffic processing to specialized network adapters. New offload capabilities introduced with Windows Vista include IPv6 and TCP Chimney offload. These architectural innovations provided in Windows Vista optimize performance and network throughput to achieve the performance and operational gains made possible by today's high-speed networks. Utilizing compatible network adapter hardware can remove bottlenecks related to network packet processing such as CPU overhead and available memory bandwidth without requiring changes to existing applications or network management tools. The network stack within Windows Vista also supports Receive-side Scaling, which dynamically balances inbound network connections so the load can be shared across multiple processors or cores, reducing potential bottlenecks in processing network traffic.
Windows Vista represents the most significant update to Windows networking since Windows 95, and users will find it easier to take advantage of wired and wireless networks as they travel. With the new auto-tuning TCP/IP stack, file transfers will be faster than before. Enterprises will appreciate the reduced security risks, including improved protection from threats introduced by mobile and wireless users. Systems administrators will find it easier to manage bandwidth in Windows Vista, with the ability to create granular security policies for network traffic as well as Quality of Service policies for mission-critical applications. These new features in Windows Vista let you do more with your network infrastructure while minimizing administration time and maximizing end-user productivity. For more information on what's new in Windows Vista networking, please see http://www.microsoft.com/technet/itsolutions/network/evaluate/new_network.mspx.