Nov 10, 2009

Computers and Internet access are universally available, but your corporate network resources are probably available only on your office PC and your laptop. If you wanted to use your office resources securely from another computer, say your husband’s laptop or your local library’s PC, you were out of luck. Until now.

By using the combination of Windows 7 and Windows Server 2008 R2 services, your IT department can set up what Microsoft calls Secure Remote Connection. With this feature, a user on any Windows 7 system can gain access to the corporate intranet’s resources. In short, with the right back-end setup you can run office-only programs and get to server-based files from any Windows 7 PC. If desired, you could even set up a complete thin-client desktop solution, where the entire business desktop is hosted on the servers and staff run the desktop on any Windows 7 PC with a high-speed Internet connection.

What makes this different from, say, Microsoft’s Windows Server 2008 Terminal Services Gateway or Citrix XenApp? Secure Remote Connection tries to provide a more integrated package on the server side that also doesn’t require any additional software on the Windows 7 desktop.

Microsoft hasn’t yet provided a recipe for how to do this, but we do know the ingredients of this virtual desktop dish. On the server side, it starts with Server 2008 R2's Remote Desktop Services (still referred to in some early R2 material as Remote Workspace) and Remote Desktop Gateway.

Remote Desktop Services (RDS), which some early R2 material calls Remote Workspace, is the new name for Terminal Services in Windows Server 2008 R2. The package has more than a new brand name: it covers both presentation virtualization (session-based desktops and RemoteApp programs running on the server) and VDI (Virtual Desktop Infrastructure), in which each user gets a Windows 7 virtual machine running on Hyper-V.

This in turn is managed by the Remote Desktop Connection Broker. Under this new virtualization-based approach there are two kinds of thin-client Windows 7 desktops for remote users: persistent (that is, permanent) VMs and pooled VMs.

The Remote Desktop Connection Broker is the hub both for internal and external server-based applications and virtual desktops.


In the case of a persistent VM, there is a one-to-one mapping of the thin-client Windows 7 desktop to users. Just as with an ordinary desktop, each user is assigned his own unique desktop. Except, in this case, it’s a virtualized desktop. The user can customize the desktop to his taste, and he can use it on any Windows 7 PC with an Internet connection.

With a pooled VM, a single image is replicated as needed. You can still maintain a unique user state by using profiles and folder redirection, but any changes made during a session disappear when the user logs off.

To use any of this functionality, though, you need more than the technology. You need to license Microsoft Windows Virtual Enterprise Centralized Desktop (VECD). VECD licensing, which is device-based, is mandatory for any Windows VDI deployment that runs virtual copies of Windows. Once licensed, Windows Server 2008 R2 manages these Hyper-V based virtual desktops through the same Remote Desktop Services front-end it uses for session-based desktops.

To make sure these remote virtualized desktops (persistent or pooled) reach the right resources, Server 2008 R2 uses the updated Terminal Services Gateway, now called Remote Desktop Gateway. Its security job is unchanged: the client connects to the gateway over HTTPS (TCP 443), the gateway authenticates the user, checks its connection authorization policy (who may connect, and optionally from which computers) and its resource authorization policy (which internal hosts and ports that user may reach), and only then relays RDP to the chosen host, so no RDP listener has to be exposed to the Internet. The major change from an enterprise point of view is that Remote Desktop Gateway is more efficient at handling and managing idle sessions. This saves system resources on the server side and, in the long run, cash.
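The gateway's two-policy check described above, modelled as an added example (this is not Microsoft's code; the group names, policies and host names are constructed). A connection authorization policy (RD CAP) decides whether the user, and optionally the device, may connect through the gateway at all; a resource authorization policy (RD RAP) decides which internal computers and ports that user may then be relayed to. Both must match, which is why a user who passes the CAP still cannot reach a host no RAP names:

```python
"""RD Gateway-style authorization, modelled in Python.

A connection authorization policy (RD CAP) decides whether a user, and
optionally the device, may connect through the gateway at all. A resource
authorization policy (RD RAP) decides which internal computers and ports that
user may then be relayed to. Both must match, as on the real gateway. The
groups, policies and host names here are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAP:
    name: str
    user_groups: frozenset                   # any one membership satisfies it
    device_groups: frozenset = frozenset()   # empty: no device-group check


@dataclass(frozen=True)
class RAP:
    name: str
    user_groups: frozenset
    computers: frozenset = frozenset()       # empty: any computer
    ports: frozenset = frozenset({3389})     # empty: any port


def _norm(names):
    """Case-fold group and host names so comparisons behave like AD's."""
    return frozenset(n.lower() for n in names)


class Gateway:
    def __init__(self, caps, raps):
        self.caps = list(caps)
        self.raps = list(raps)

    def authorize(self, user_groups, device_groups, target, port):
        """Return (allowed, reason) for a request to be relayed to target:port."""
        ug, dg, tgt = _norm(user_groups), _norm(device_groups), target.lower()
        cap = next((c for c in self.caps
                    if c.user_groups & ug
                    and (not c.device_groups or c.device_groups & dg)), None)
        if cap is None:
            # Refused at the gateway before any RDP traffic is relayed inward.
            return False, "no RD CAP matched"
        for rap in self.raps:
            if not rap.user_groups & ug:
                continue
            if rap.computers and tgt not in rap.computers:
                continue
            if rap.ports and port not in rap.ports:
                continue
            return True, f"{cap.name} + {rap.name}"
        return False, f"{cap.name} passed but no RD RAP allows {target}:{port}"


# Constructed policy set: remote staff may reach the VDI pool and one file
# server on 3389 only; nothing lets anyone at a domain controller.
GATEWAY = Gateway(
    caps=[CAP("Remote staff", _norm({"CORP\\Remote-Users"}))],
    raps=[RAP("VDI and files", _norm({"CORP\\Remote-Users"}),
              computers=_norm({"vdi-pool01", "fs01"}))],
)
```

The point worth noticing is the order: the CAP is evaluated first and a failure there never reaches the RAP, so an unauthorized user learns nothing about which internal hosts exist.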

Connecting all this to the Windows 7 desktop is an updated version of the Remote Desktop Protocol (RDP). Microsoft claims this new version of RDP is faster than ever. It also supports the Aero Glass interface, improved multimedia performance, and DirectX redirection, so in theory you could run games over RDP on a virtual Windows 7 desktop. That’s not a good idea at work, but it does underline how much faster RDP has become.

Rounding things out on the Windows 7 side is DirectAccess. Microsoft calls DirectAccess a virtual private network (VPN) replacement, and in practice that is roughly right: it does the job a VPN does, but without the user ever starting a VPN client. A domain-joined Windows 7 machine that finds itself away from the corporate network automatically builds IPsec tunnels to the DirectAccess server, before the user even logs on. IPsec itself is not a Microsoft protocol; it is the IETF’s standard suite for authenticating and encrypting IP traffic, and Windows has shipped an implementation since Windows 2000.

What makes DirectAccess more than just a VPN is that it uses Internet Protocol version 6 (IPv6) end to end between the Windows 7 client and the Windows Server 2008 R2 host. There’s nothing new about IPv6; it’s the next generation of IP networking, and so far it has found little deployment in North America or Europe. Microsoft uses it here because IPv6 gives every client a globally unique address: no NAT sits in the way, so the client can reach individual intranet servers directly, and management systems on the intranet can reach the client. The result is the rare feat of improving both security and speed.

The security does not come from IPv6 being uncommon; obscurity is not a control. It comes from IPsec. DirectAccess builds two tunnels: an infrastructure tunnel, authenticated with the machine’s computer certificate and domain account, that comes up before anyone logs on so the machine can reach domain controllers and management servers; and an intranet tunnel that additionally authenticates the user, normally with Kerberos or a smart card, and carries the user’s traffic to intranet resources. Which intranet resources specific users can reach is controlled with the usual group membership and IPsec policy, and with end-to-end IPsec the application servers themselves can require authentication. Last, but far from least, you can integrate DirectAccess with Network Access Protection (NAP): the client then needs a health certificate to build its tunnels, so a Windows 7 system without up-to-date patches or an anti-virus program is kept out.

The performance boost comes from separating corporate traffic from Internet traffic. With DirectAccess, only corporate network traffic goes to or from the business servers. With a traditional VPN configured the usual corporate way, without split tunneling, all traffic, even a Google search, is routed through the corporate network. DirectAccess decides what counts as corporate traffic by name: the Name Resolution Policy Table (NRPT) on the client sends DNS queries for the corporate suffix to intranet DNS servers over the tunnel and everything else to the local ISP resolver. Reducing the tunneled traffic relieves both the corporate gateway and the LAN, and the client’s effective network speed rises because ordinary Internet requests no longer take a detour through the business network. The caveat is that this is split tunneling: the client is on the Internet and on the corporate network at the same time. Organizations that don’t want that can configure DirectAccess to force all traffic through the tunnel, and give up the speed benefit.

By not wasting time with sending Internet traffic through the business network, DirectAccess gives Windows 7 a real speed boost over traditional VPN approaches.
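The split described above hinges on the client's name resolution policy, so here is an added example of how an NRPT-style lookup decides which names go over the tunnel. This is illustrative Python, not Microsoft's implementation; the corporate suffix, DNS server address and host names are constructed. It also shows the two exemptions a real DirectAccess client carries: the server's own public name (which must resolve on the Internet, or the tunnel could never be built) and the network location server (which must not resolve over the tunnel, or the client would mistake itself for being inside):

```python
"""Split name resolution the way the DirectAccess client does it (NRPT).

The Name Resolution Policy Table maps DNS namespaces to the servers that
answer for them. A name that matches a rule with intranet DNS servers is
resolved over the IPsec tunnel; a name that matches no rule, or matches an
exemption rule, goes to the interface's ordinary (ISP) resolver and the
traffic never touches the corporate network. Longest match wins. The rule
set, server address and names below are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    namespace: str        # ".corp.example" = suffix rule, "host.corp.example" = exact
    dns_servers: tuple    # empty tuple = exemption (resolve locally)


class NRPT:
    def __init__(self, rules):
        self.rules = [Rule(r.namespace.lower(), r.dns_servers) for r in rules]

    def match(self, name):
        """Most specific rule for a name, or None if no rule applies."""
        name = name.rstrip(".").lower()
        best = None
        for rule in self.rules:
            ns = rule.namespace
            hit = name.endswith(ns) if ns.startswith(".") else name == ns
            if hit and (best is None or len(ns) > len(best.namespace)):
                best = rule
        return best

    def route(self, name):
        """('intranet', servers) over the tunnel, or ('internet', ()) locally."""
        rule = self.match(name)
        if rule is None or not rule.dns_servers:
            return ("internet", ())
        return ("intranet", rule.dns_servers)


CORP_DNS = ("2001:db8:10::53",)   # documentation prefix; constructed
TABLE = NRPT([
    Rule(".corp.example", CORP_DNS),
    # The DirectAccess server's public name must resolve on the Internet,
    # or the client could never reach it to build the tunnel.
    Rule("da.corp.example", ()),
    # The network location server is exempted so it is never resolved over
    # the tunnel; reaching it is how the client decides it is on the intranet.
    Rule("nls.corp.example", ()),
])
```

Because the exact-name rules are longer than the suffix rule, longest match makes them win even though they sit inside the corporate namespace; get that ordering wrong and either the tunnel never comes up or the client stops noticing it has left the office.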


You’re not using IPv6 on the Internet? Not a problem. DirectAccess carries IPv6 over IPv4 with transition technologies, and the new one in Windows 7 and Windows Server 2008 R2 is IP-HTTPS. The client first tries 6to4 (when it has a public IPv4 address) and Teredo (from behind a NAT, over UDP port 3544); when both are blocked, IP-HTTPS tunnels the IPv6 packets inside an IPv4 HTTPS session on TCP port 443. That provides the necessary IPv6 path while letting your company’s PCs connect through a Web proxy server or a firewall that would block an ordinary VPN connection. The trade-off is performance: the traffic inside is already IPsec-encrypted and the TLS wrapper encrypts it again, so IP-HTTPS is the slowest of the three and the costliest for the server.
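The fallback order just described, as an added example (illustrative Python, not Microsoft's client code). It goes slightly beyond the text by covering all three transition technologies rather than IP-HTTPS alone, models the client's view of its network with a constructed probe instead of real sockets, and derives the 6to4 prefix from the IPv4 address the way RFC 3056 specifies; the addresses are constructed:

```python
"""Which IPv6 transport a DirectAccess client ends up with.

The client tries native IPv6, then 6to4 (needs a public IPv4 address and IP
protocol 41 outbound), then Teredo (needs UDP 3544 outbound), and falls back
to IP-HTTPS (IPv6 inside TLS on TCP 443), the only option behind most web
proxies. The probe below is a constructed stand-in for real connectivity
checks; nothing here is Microsoft's code.
"""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Probe:
    """Constructed view of what the client can see from its current network."""
    ipv4: str
    native_ipv6: bool = False
    proto41_out: bool = False   # 6in4 encapsulation allowed outbound
    udp_3544_out: bool = False  # Teredo
    tcp_443_out: bool = True    # HTTPS; almost always open, so IP-HTTPS rides it


def is_private_v4(ipv4):
    """True for RFC 1918 space, i.e. the client is behind a NAT."""
    addr = ipaddress.IPv4Address(ipv4)
    return any(addr in net for net in RFC1918)


def six_to_four_prefix(ipv4):
    """2002:WWXX:YYZZ::/48 for IPv4 W.X.Y.Z (RFC 3056); needs a public address."""
    if is_private_v4(ipv4):
        raise ValueError(f"{ipv4} is RFC 1918 private; 6to4 needs a public address")
    hexa = f"{int(ipaddress.IPv4Address(ipv4)):08x}"
    return f"2002:{hexa[:4]}:{hexa[4:]}::/48"


def choose_transport(p):
    """Return the transport name in the order the DirectAccess client prefers."""
    if p.native_ipv6:
        return "native"
    if not is_private_v4(p.ipv4) and p.proto41_out:
        return "6to4"
    if p.udp_3544_out:
        return "teredo"
    if p.tcp_443_out:
        # Slowest option: the IPsec-protected IPv6 traffic is wrapped in TLS
        # again, which on 2008 R2 means double encryption on the server.
        return "ip-https"
    raise RuntimeError("no path to the DirectAccess server")
```

For capacity planning the useful observation is the last branch: hotel, airport and corporate-guest networks almost always land on it, so size the DirectAccess server for IP-HTTPS rather than for the cheaper transports.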

Here’s the broad outline of how it works. First, you set up your Windows Server 2008 R2 hosts so they can handle DirectAccess, Remote Desktop Services and Remote Desktop Gateway. If you elect to use virtual machines for off-site Windows 7 users, you also need to jump through the VECD hoops. That done, you’ll be ready to let your Windows 7 users, with the proper authentication, start using your corporate resources. One scope note: DirectAccess only works on domain-joined Windows 7 Enterprise or Ultimate machines, so it serves your own managed laptops; the library PC or your husband’s laptop gets in through Remote Desktop Gateway and the RDP client instead.

Once set up properly, this powerful combination of Windows 7 and Server 2008 R2 should enable your workers to do their work from almost any location. While this is likely to require upgrading your servers, by improving both remote security and network speed, it should result in a bottom line IT win when all is said and done.


COMMENTS

  • Is this not what a VPN does already? I do this from Linux already and can access corporate resources natively as if I were sitting in the office. And without requiring IT to configure a special Windows Server 2008 backend.

    Change the name, it still does exactly what a VPN already does. I guess Microsoft is still intent on reinventing the wheel.

  • Nov 10, 2009 | sjvn says:

    No, this really is a lot more than just a VPN. A VPN just gives you a connection. This combines a thin-desktop (well thinish), a VPN, virtual desktops, and it pulls it off without the need for any special set-up on the client side if you do it right. You could pull something like this together on Linux with say a VPN and VNC with Red Hat Virtual Manager on the server side, but you would have to piece it together. If this takes off, others will follow.

    Steven

  • Nov 10, 2009 | _xxx says:

    no, this is not a VPN service, this is a tightly integrated remote desktop that feels like you’re actually running the apps on your wife’s PC.

  • I don’t get it Steve, there’s nothing special going on here that can’t be done with Linux.

  • Nov 10, 2009 | Sean Connolly says:

    RE: Using Secure Remote Connection to Access Office Resources

    Steve: Use Linux:
    1. Set up sshd on the server.
    2. The client must support X-Windows.
    3. At the client:
       $ ssh -C -X -l yourloginname serverIP
       Now you can run X-Windows apps on the server, but with the window on the client.
    4. At the client:
       $ thunderbird &
       ...and Thunderbird runs on the server, but displays on the client.

    All of this functionality comes on any Linux distribution. I use Fedora.

    Sean

  • Nov 10, 2009 | Martin says:

    It sounds like VPN with RDP on top. Nothing new or special. More work for sysadmins setting up this service.
    And since when is IPsec Microsoft protocol? AFAIK IPsec was developed by Internet Engineering Task Force.

  • Nov 11, 2009 | sjvn says:

    Microsoft’s implementation of IPSec isn’t quite the same as the IETF spec.

    And, yes, you can certainly build similar solutions with existing software on other platforms including Windows, Citrix, Solaris, or Linux. What’s new is the packaging of security, VPN, IPv6, virtual desktops and that you don’t need any prep. on the client side. Sure, you could piece this together, and for those with the expertise, that might be the best way to go. But, if you’re in a Microsoft shop and you’re going to be using Win7 and Server 2008 R2 anyway, this do-it-all combo is a good choice.

  • Nov 11, 2009 | Confused says:

    Are you the same sjvn that I see writing pro-Linux articles? It was really strange for me to see you write a promotion of the monopolistic behaviors Microsoft has been accused of.

    Quoting:
    “Secure Remote Connection tries to provide a more integrated package on the server side that also doesn’t require any additional software on the Windows 7 desktop.”

  • Nov 12, 2009 | sjvn says:

    I write about operating systems from MVS and CP/M-80 to Windows 7 and Ubuntu 9.10 and everything in-between. Always have, always will.

    Steven

  • Nov 15, 2009 | Esther Schindler says:

    Actually, I first met sjvn when he and I were both writing about IBM OS/2. I know just how long a history he has in explaining networking operating systems and making them understandable to mere mortals!

  • based on what I have read, the infrastructure setup to get all of this working isn’t trivial, and I would think you would have to have a boatload of users to justify this. A lot of the new Win7 features depend on having multiple 2008 R2 servers behind them, and that might take a while for corporate IT folks to test all of that gear out

  • Nov 18, 2009 | sjvn says:

    You’re quite right David. This is an ‘enterprise’ sized package.

  • Nov 19, 2009 | Pam Baker says:

    The updated version of Remote Desktop Protocol (RDP) is quite impressive. I think large enterprises will be most happy to see this (providing it isn’t used for gaming on company time).

  • Nov 20, 2009 | sjvn says:

    You’re right Pam. RDP has gotten _much_ faster. I–or someone–should write about it at some point. This is not the same old slow protocol it once was. I expect to see RDP getting used more often in the future. Heck, maybe even as an answer to Google’s SPDY.

    Steven

  • Hmm. Forgive my ignorance, but for a corporation like a bank that uses RSA SecurID for authentication and security for, say, OWA and corporate RDC, using corporate or non-corporate laptops/desktops: does this Win2k8_R2 & Win7 setup using IP-HTTPS replace the need for RSA SecurID tokens (soft/hard tokens)??

    Also, is this DirectAccess/DirectConnect a very similar substitute for Bomgar, where corporate staff can utilize the RDP service into a corporate asset over the internet to remotely administer the client PC??!!

    (Bomgar works using an https site connection & password & servers behind corp. firewall)


  • Mar 16, 2010 | VHMP01 says:

    I think it is great, we have been using Remote Desktop for some years now, and in order to block traffic we blocked Internet navigation locally from Remote Connections, users could only access Server applications. Now, we can set it up so that Remote Users could access Server Applications and surf (considering this bandwidth is not going to be Corporate bandwidth).

    Great article, thanks a lot Steven.


IT Expert Voice is a partnership between Dell and Federated Media.