28 Mar 2011

New Features of Windows 7 Networking

Windows 7 offers end user and IT Admins a number of new networking features. Let us look at the top 10 Windows 7 Networking features…

1. Libraries

Libraries are a new Windows 7 networking feature that aggregates data from multiple sources into a single folder view. This could also be called a virtual folder; more precisely, it is an indexed view of multiple data sources.

Because of the new library functionality, many of the common user folders in Windows 7 have been renamed. In Windows Vista you had Documents, Downloads, Photos, Videos, and Music. In Windows 7, these folders have been renamed and now you have Personal Documents, Personal Downloads, Personal Photos, Personal Videos, and Personal Music.

Yes, in other words, all the folders in a user's home directory have been renamed with the word Personal in front of them. As I said, there is a reason for this and that reason is to allow us to use libraries and to distinguish between public and personal (private) documents.

Besides these personal document folders, each Windows 7 computer is going to have public folders such as Public Documents.

To reiterate, the purpose of Libraries is to join together these personal and public documents into a single documents directory (as well as any other libraries that you create).

Thus, the default Libraries in Windows 7 are:

  • Documents: made up of Personal Documents and Public Documents
  • Downloads: made up of Personal Downloads and Public Downloads
  • Music: made up of Personal Music and Public Music
  • Photos: made up of Personal Photos and Public Photos
  • Videos: made up of Personal Videos and Public Videos

To me, the best thing about Windows 7 Libraries is that you can create your own libraries. How do you do it? Easy. In explorer view, just go to your Libraries, right-click, then click on New - Library.


Figure 1: Creating a Windows 7 Library

From here, your new Library will be included in the list of Libraries in the Navigation Pane of all Explorer views (assuming you checked the show in navigation pane).


Figure 2: Results of creating a Windows 7 Library

Once you create it, you need to decide what you want included in the library. To do this, right-click on the folder and click Properties. On the Library tab, click Add, select a folder, then click Include in Library. You can include as many folders in your library as you want.


Figure 3: Including Folders in a Windows 7 Library

Of course, the inclusion of folders in your library view is critical to make the library of any use.

2. Network and Sharing Revisions

In Windows Vista the Network and Sharing Center was, what I would call, pretty "busy". There were lots of options and things that could be done, which made using it fairly confusing.

In Windows 7 the Network and Sharing center has been simplified. Here is what it looks like:


Figure 4: Windows 7 Network and Sharing Center

The Network and Sharing options have been moved to the Choose homegroup and sharing options window (which we will look at in a minute) and the left navigation options have been moved to other menu windows. I also think that the view your active networks section now looks much nicer and easier to understand.

Personally, I wish that there were more technical networking details shown on the Network and Sharing window. However, I am a technical networking guy and that is likely why I feel that way. I can see where perhaps Microsoft would want to shield less experienced users from technical network details.

3. View Available Networks (VAN)

While the "View Available Networks" or VAN feature sounds like it could be complex and a whole new kind of virtual network, it isn't. However, it is pretty helpful. Essentially, the VAN feature allows you to view all available networks and connect to them, directly from the system tray. Here is what it looks like:


Figure 5: View Available Networks (VAN) - Graphic courtesy of Microsoft.com

With users being more mobile and connecting to various networks, this is a much needed feature.

4. Super Fast Wake up and Boot, Smart Network Power, and Wake on LAN for Wireless

Some of the new features of Windows 7 are there to speed up Windows 7 or save power. Here are 3 examples:

  • Fast Wake Up & Fast Boot – enables your Windows 7 machine to wake up faster when it has been put in hibernate or standby mode. The fast boot feature allows Windows 7 to boot up faster when it is powered on from a cold boot.
  • Smart Network Power – turns off the power to your Ethernet jack when there is no cable connected.
  • Wake on LAN for Wireless – brings the well-known wired Ethernet feature to wireless networks. Think about it – an Admin can wake up thousands of sleeping computers, not even wired to the network, using Wake on LAN for wireless.

5. BranchCache

BranchCache is a big win for branch office users and IT Admins. With BranchCache, when remote Windows 7 users access files or intranet content on a Windows 2008 R2 server at the headquarters, that data is downloaded to the remote branch. The second time that the same Windows 7 PC, or a different Windows 7 PC, needs that data or intranet content, access to it is much faster because it has already been cached.

BranchCache can operate in two modes – Hosted Cache or Distributed Mode. With Hosted Cache, a Windows 2008 R2 server at the branch office is the central caching server for that branch. With Distributed Mode, no Windows 2008 R2 server is needed and the cache data is stored on the distributed Windows 7 PCs at the branch.

Before you can raise your security red flag, you should know that BranchCache complies with all Windows security settings and always checks to ensure that it is delivering the latest version of the file to the Windows 7 PC that requested it.

6. Virtualization Enhancements

With the Windows 7 Virtualization Enhancements, when you run Windows 7 in a VDI (virtual desktop interface) mode, the end user will enjoy a higher quality experience. To help you visualize how this works, let us say that you have a Hyper-V server and you are running Windows 7 as a Guest virtual machine on the server. End users running thin client devices connect to the Windows 7 Guest VMs on that server. Previously, with Windows XP or Vista, there would have been limitations to the users' experience, as compared to a traditional desktop. With Windows 7 many of these limitations are removed. Here is what Windows 7 provides when used in a VDI mode:

  • The Windows Aero Interface
  • Viewing of videos in Windows Media Player 11
  • Multiple monitors
  • Microphone for VoIP uses
  • "Easy Print", which allows you to use a printer on the local computer without installing a printer driver
  • Common tools for IT Admins to manipulate virtual desktop images

Something else that is new about Windows 7 and VDI is the new Windows Vista Enterprise Centralized Desktop (VECD) license.

7. Fix a Network Problem

One of my favorite changes to Windows 7 networking is the update to Vista's diagnose and repair. In Windows 7, if you want to get assistance fixing a network issue, you just click Fix a network problem. Sounds simple and clear, right? That's what I like about it.

From Windows 7 Network and Sharing, if you click Fix a Network Problem, you get this window, asking you what you want to fix:


Figure 6: Fixing a Network Problem

Windows 7 will go through and attempt to fix any network issues that you select. It will even ask you if you want to fix it as a Windows Administrator. Here is what fixing a homegroup looks like:


Figure 7: Fixing a network problem

8. QoS Enhancements

While Quality of Service (QoS) is not something that end users think about they do see the results if QoS is not working. Windows 7 offers a number of QoS enhancements.

URL based QoS is one of the new Windows 7 QoS Enhancements. Since many mission critical enterprise applications have been moved into hosted web environments, URL based QoS is the answer to giving those IT Admins the ability to prioritize those mission critical web applications over, say, other general web surfing.

Is it slick and exciting? Maybe not but it is a very valuable feature resulting in a better experience for the end users.

9. DirectAccess

I like how Microsoft characterizes the new Windows 7 feature, DirectAccess -

  1. Help mobile users get more done
  2. Help IT Admins manage remote machines more effectively

The combination of both of these things makes DirectAccess worth learning more about (and likely implementing).

So what exactly is DirectAccess? Today, mobile users can connect to the enterprise network with VPN but it is not always easy and can be difficult to configure. DirectAccess wants to be the answer that allows end users to connect to the enterprise quickly and easily, without VPN.

For the IT Admins, DirectAccess will allow them to manage laptops even if the laptops are not connected to the VPN. The IT Admin can schedule software to be updated or configuration changes to be made the next time that device connects using DirectAccess.

10. HomeGroup

Absolutely, the best new Windows 7 networking feature for home and small office users is the HomeGroup feature. Essentially, a homegroup is a simple way to link computers on your home network together so that they can share pictures, music, videos, documents, and printers. There is just a single password that is used to access the homegroup, making creating it and connecting to it easy.

To configure a Windows 7 Homegroup, you can click on Choose Homegroup and Sharing Options from the Network and Sharing Center in Windows 7, then Create now (assuming your network location is set to Home).


Figure 8: Creating your HomeGroup

You will be asked what types of personal content you want to share with the HomeGroup.


Figure 9: Creating a Windows 7 Homegroup

You will be able to select what you want to share in the homegroup.


Figure 10: Viewing the Windows 7 Password to connect to the homegroup

And you will be given a single password, used on other computers, to connect to the homegroup.

When you are done, the Homegroup and Sharing center will look something like this:


Figure 11: Windows 7 Homegroup configured


27 Mar 2011

New Wi-Fi Features in Windows 7

Among enhancements to the Network and Sharing Center, there have been a couple of new Wi-Fi features added in Windows 7 and Windows Server 2008 R2. Native support of Wi-Fi Protected Setup (WPS) lets admins and users more easily set up wireless routers or access points and wireless clients. Wireless Hosted Networks let you create virtual Wi-Fi networks. Advanced 802.1X settings give you more control over authentication settings when using the Enterprise mode of WPA or WPA2 security. In this article, we'll discuss each of these features.

Native Support for Wi-Fi Protected Setup (WPS) and Wireless Router Configuration

Wi-Fi Protected Setup (WPS), developed by the Wi-Fi Alliance, helps users quickly and easily configure WPA/WPA2-Personal (PSK) security on wireless routers and clients. Vendors use one or both of two different WPS configuration methods: Personal Information Number (PIN) and Push Button Configuration (PBC).

The PIN method usually consists of entering a wireless adapter's PIN into the web-based control panel of the router. This PIN can be preset and printed on the adapter or displayed and/or customized via the client software.

The Push Button Configuration (PBC) method consists of pressing a button on the wireless router and then pressing a button on the wireless adapter or computer (that supports WPS) within a minute or so. Most wireless adapters don't have physical buttons, but they may have a button on the client software if you've installed it. Similarly, wireless routers will have WPS settings available on the web-based control panel.

The exact workings of WPS can vary among hardware and software vendors. However, generally WPS works like this: It creates a WPA/WPA2 passphrase on the first WPS attempt when the wireless router is still set with the factory default settings. Any clients that participate in the first or future WPS attempts will automatically be configured with the same WPA/WPA2 passphrase. However, if some settings on the wireless router (such as the SSID) are changed from defaults before the first WPS attempt, security may not be enabled by WPS. If WPA/WPA2 security is already set via other methods, WPS will still help configure client devices with the existing WPA/WPA2 passphrase.

Microsoft started introducing its implementation of WPS in Windows Vista under the Windows Connect Now feature. The use of WPS PINs was supported but required you to initially connect via Ethernet. Windows Vista SP2 then added support for Push Button Configuration (PBC). Here we'll discuss the WPS functionality in Windows 7.

Windows 7 supports the PBC method. The first time you try to connect to a wireless router with WPS, Windows 7 prompts you to enter the security key or press the button, such as Figure 1 shows.


Figure 1:
Prompt to enter the PSK key or reminder to push the WPS button on the router.

If you press the WPS button on the router, the security setting will automatically be transferred to Windows 7, it will connect, and a profile will be created and stored for future connections to the router.

Windows 7 also supports the PIN method, but not in the normal sense: only when setting up the router for the first time. If Windows 7 detects that the router is using factory default settings when you try to connect, it will prompt you to set up the router, such as Figure 2 shows.


Figure 2:
Prompt to set up a new wireless router.

You can proceed connecting to the unsecured signal or you can set up the router right in Windows 7. If you choose to set up the router, you'll be prompted for the router's PIN (see Figure 3).


Figure 3:
Entering the WPS PIN to set up a new wireless router.

Then you'll be prompted to enter a Network Name (SSID) and optionally customize the security settings, as Figure 4 shows.


Figure 4:
Entering wireless settings.

Once configured, it will display the encryption key to use on older Wi-Fi devices that don't support WPS. If you have Windows XP machines, you can even insert a USB flash drive to copy the configuration onto it.

New Wireless Hosted Networks Feature

Part of an old Microsoft project called Virtual Wi-Fi, the Wireless Hosted Network feature lets you create a virtual wireless router with a supported wireless adapter in Windows 7 or Windows Server 2008 R2. You can even host the virtual wireless network while being connected to a regular wireless network using the same wireless adapter.

You can use a Wireless Hosted Network to set up a temporary Wi-Fi network to securely share files when away from your home or office network. You could also use it to extend or share a wireless or wired network connection. It's basically an enhanced version of ad-hoc networking.

If a supported wireless adapter is detected by Windows 7 or Windows Server 2008 R2, you'll see the Microsoft Virtual Wi-Fi Miniport Adapter on the Network Connections window, such as Figure 5 shows.


Figure 5:
Virtual adapter for Wireless Hosted Networks.

To get started, you'll probably first want to enable Internet Connection Sharing (ICS) to provide an Internet connection on the host network. On the Network Connections window, right-click the network adapter that's connected to the Internet via a regular network and select Properties. Select the Sharing tab, check the Allow other network users to connect through this computer's Internet connection, choose the Hosted Network Connection from the drop-down listbox, and click OK.

Next, configure the hosted network via the Command Prompt:

netsh wlan set hostednetwork mode=allow ssid=YourVirtualNetworkName key=YourNetworkPassword

Now start the hosted network:

netsh wlan start hostednetwork

To stop the hosted network:

netsh wlan stop hostednetwork

See Figure 6 for an example of these commands.


Figure 6:
Configuring, starting, and stopping a Wireless Hosted Network.

Wireless Hosted Networks can be useful and interesting for techies, but they also can serve as another security hole on corporate networks that admins should plug. Employees may knowingly or unknowingly create a Wireless Hosted Network, opening uncontrolled wireless access to the corporate network. Though it's secured with WPA2/AES encryption, it's not controlled by the admins. If you're using a Windows Server, you might be able to prevent users from creating Wireless Hosted Networks via the Wireless Network (IEEE 802.11) Policies.
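As an added example (not part of the original article), here is a PowerShell script an admin can run on a Windows 7 or Server 2008 R2 host to find out whether a Wireless Hosted Network has been allowed or started, and optionally stop and disallow it with the same netsh wlan commands shown above. The output labels it parses (Mode, Status, SSID name) are assumed from the English netsh output, and the -Disable switch is this script's own.

```powershell
# Added example, not from the original article: audit (and optionally disable) the
# Wireless Hosted Network on this host. Assumes netsh.exe is on the PATH and that the
# script runs from an elevated prompt; the -Disable switch is specific to this script.
param([switch]$Disable)

function Get-HostedNetworkState {
    # Turn the "Key : Value" lines of 'netsh wlan show hostednetwork' into a hashtable.
    # Key names (Mode, Status, SSID name, ...) are assumed from the English output.
    $state = @{}
    foreach ($line in (netsh wlan show hostednetwork)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2].Trim('"')
        }
    }
    return $state
}

$hn = Get-HostedNetworkState

# "Status" is only reported when the mode is Allowed, so default it for display.
$mode   = if ($hn.ContainsKey('Mode'))      { $hn['Mode'] }      else { 'unknown' }
$status = if ($hn.ContainsKey('Status'))    { $hn['Status'] }    else { 'n/a' }
$ssid   = if ($hn.ContainsKey('SSID name')) { $hn['SSID name'] } else { 'n/a' }

Write-Host ("Hosted network mode:   {0}" -f $mode)
Write-Host ("Hosted network status: {0}" -f $status)
Write-Host ("Hosted network SSID:   {0}" -f $ssid)

if ($status -eq 'Started') {
    # A virtual AP is up: anything associated to it may reach the LAN this host is on,
    # and if ICS is enabled on the uplink, the host is routing for those clients.
    Write-Warning "A Wireless Hosted Network is running on this host."
    netsh wlan show interfaces | Where-Object { $_ -match 'Name|SSID|State' }
}

if ($Disable) {
    # Stop the virtual AP and forbid starting it again until mode=allow is set.
    netsh wlan stop hostednetwork | Out-Null
    netsh wlan set hostednetwork mode=disallow | Out-Null
    Write-Host "Hosted network stopped and set to mode=disallow."
}
```

Run it without switches from a logon or scheduled task to inventory hosts; `mode=disallow` is the CLI counterpart of the Group Policy setting the article mentions.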

Addition of Advanced 802.1X Settings

Microsoft introduced advanced settings for 802.1X authentication in the Group Policy settings of Windows Vista. Now most of those settings are available in the GUI of Windows 7. They're accessible by clicking the Advanced Settings button on the Security tab of the Wireless Network Properties dialog (see Figure 7) and on the Authentication tab of the Local Area Connection Properties dialog (see Figure 8).


Figure 7:
Security tab on the Wireless Network Properties dialog.


Figure 8:
Authentication tab on the Local Area Connection Properties dialog.

Figure 9 shows the Advanced Settings dialog.


Figure 9:
Advanced 802.1X Settings dialog.

The first section is where you can specify the authentication mode: User, Computer, or Guest. If you aren't sure, there's also the User or Computer option. When using User authentication, you can click the Save Credentials button to input the username and password. Additionally, you can remove saved credentials by marking the checkbox below.

The second section of the dialog lets you enable and configure single sign-on functionality. If supported by the system and network, configuring these settings eliminates the need to provide separate login credentials. Windows would use the Windows account credentials during the 802.1X authentication.

For wireless connections, you'll also find an 802.11 Settings tab, as Figure 10 shows.


Figure 10:
Advanced Wireless 802.1X Settings dialog.

Here you can enable and configure Pairwise Master Key (PMK) caching. This facilitates fast roaming between multiple wireless access points (APs). When enabled and supported by the APs, the APs will share the PMKs among themselves so clients don't have to perform pre- or full 802.1X authentication when roaming to another AP, speeding up the roaming process.

When PMK caching is enabled, you can also enable and configure pre-authentication, in case PMK caching isn't supported by an AP. Pre-authentication eliminates the need for clients to perform full 802.1X authentication when roaming to another AP, also speeding up the roaming process.

On this tab you can also enable the Federal Information Processing Standards (FIPS) mode, used by non-military US government agencies and contractors.

16 Mar 2011

Internet Information Services 7.0

Internet Information Services 7.0 (IIS 7.0) is Microsoft's latest version of their web server. IIS has been included with Windows Server since Windows 2000 Server as a Windows Component and since Windows NT as an option. IIS 7.0 is available with Windows Vista and Windows Server 2008, which is scheduled for release in Q1 2008. IIS 7.0 has gone through a major overhaul and has been completely redesigned from scratch. This has been done to make the most flexible and secure platform for web and application hosting.

IIS 7.0 has been designed to be the most secure and flexible web and application platform from Microsoft. Microsoft has redesigned IIS from the ground up, and during this process the IIS team has focused on 5 major areas:

  • Security
  • Extensibility
  • Configuration and Deployment
  • Administration and Diagnostics
  • Performance

What's New

Almost everything is new in IIS 7.0. Microsoft has focused on modularity when building IIS 7.0, which means that only the binaries needed are installed; this minimizes the attack surface of the web server.

An example of this: if you need the FTP Server or the Caching feature in IIS, you install the FTP Server or Cache modules to manage and enable either the caching activity or the FTP Server.

Windows Server 2008 will include all the IIS features needed to support hosting of web content in production environments. Windows Vista only has some IIS features and the features depend on your Vista version. IIS 7.0 in Windows Vista is ideal for building and testing web applications. Additional modules and features will be available from Microsoft or you can code your own, maybe even buy some from 3rd party vendors.

Architecture

Besides the changes to the core components of IIS 7.0, the focus has been with modular design in mind. The modular design gives more flexibility and security to IIS 7.0, compared to previous versions of IIS.


Figure A: Overview of the main modules and components of IIS 7.0

The main advantage of the new modular design is that it helps to reduce the footprint, which results in a more secure web server platform, since the attack surface has been minimized.

IIS 7.0 provides a new native core API, which replaces the ISAPI filter from previous versions of IIS. With the new API it's now possible to extend IIS with extra modules or even replace any of the built-in modules with custom written modules.

New modules can be downloaded from Microsoft's IIS.net website, where Microsoft maintains a download repository for IIS: http://www.iis.net/downloads

Administration

There are several ways of administrating IIS 7.0.

  • The GUI way using IIS Manager
  • APPCMD command tool
  • Remote administration using IIS Manager
  • Scripting using Windows PowerShell
  • Microsoft.Web.Administration API interface

The GUI management interface has also been redesigned. The new IIS Manager is now more task-oriented and action based, as we know from ISA Server and the new Exchange Server 2007.


Figure B: Screenshot of the IIS Manager

IIS Manager can be used to configure IIS and ASP.NET settings; the configuration settings will be written to the xml configuration files. As something new, health and diagnostics information can now be seen and run as integrated tools directly from within IIS Manager and is already a part of IIS 7.0.

APPCMD is the new main general purpose command prompt tool for IIS 7.0, which can be used for administration and configuration of IIS. APPCMD is the new enhanced version of the old adsutil.vbs, for those of you who are familiar with that tool from IIS 6.0.

Remote Administration has been enhanced and is now possible using the IIS Manager, communicating securely over https to the web server.

There's also the option of scripting all IIS management. This is now done using Windows PowerShell, which is Microsoft's new scripting language. It's an easy and effective way of handling administration of IIS on your web server and this is especially useful if you manage several web servers or large web farms. Windows PowerShell can be used directly against the WMI interface of IIS or used to read and write in the IIS 7.0 XML configuration files.

IIS 7.0 has backward compatibility with the IIS 6.0 metabase and the ADSI and WMI scripting interface known from IIS 6.0, which means that all your old scripts for IIS 6.0 will still work on IIS 7.0.

Microsoft.Web.Administration API is the interface targeted to developers, who want to code their own programs or scripts to manage IIS 7.0.

In IIS 7.0 it's now possible to delegate the management of IIS and the web sites. You can now delegate full administrative access to the site owners of a website. The site owners can then control and manage all the website settings using IIS Manager, without compromising server security. All the settings the site owners manage are written to the web.config xml file of their own website.

Configuration

The configuration has been made simple and is based on distributed XML files that hold the configuration settings for the entire IIS and ASP.NET.

Configuration settings can be done globally for the entire web server or for specific websites using either the XML files or through the GUI Management interface. The GUI just writes the configuration settings to the same XML files. The main xml configuration files in IIS 7.0 are:

  • Applicationhost.config
  • Global web.config
  • Machine.config
  • Site web.config
  • App web.config

By using xml based configuration files, deployment and scale-out in large web hosting environments has been optimized. It's fairly easy to copy the IIS configuration to a new server and be up and running relatively quickly.

Handling replication of web server configuration is also relatively easy with IIS 7.0 compared to IIS 6.0, because of the xml based configuration files. This makes it very easy to replicate and deploy configurations in larger web farm environments. With IIS 6.0 this was best handled by using Microsoft Application Center 2000 or other 3rd party products.

Shared Configuration is a new feature of IIS 7.0, which is designed for web farm scenarios. With Shared Configuration it's now possible for multiple web servers to share a single configuration file (applicationhost.config). A master copy of the applicationhost.config file will be placed on a common UNC path. The Shared Configuration feature is a great alternative to replicating IIS settings.

The Applicationhost.config xml file is the main configuration file of IIS 7.0. This configuration file contains all the information about sites, virtual directories, applications, application pools and global settings for the web server.

Content replication can be managed relatively easily by simple xcopy or robocopy commands, as can specific website configurations, which are saved in web.config xml files within each website.
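As an added example that is not from the original article, the following PowerShell script uses the Microsoft.Web.Administration API mentioned above to list the sites recorded in applicationhost.config and to report which security-relevant sections a delegated site owner could override from their own web.config. The section watch-list is a hypothetical choice for this example; the script assumes IIS 7.0 installed locally and an elevated prompt.

```powershell
# Added example, not from the original article: inventory IIS 7.0 sites and check which
# sections are delegated (unlocked) to site-level web.config files. Assumes IIS 7.0 is
# installed on this machine and the script runs elevated.
[System.Reflection.Assembly]::LoadFrom(
    "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll") | Out-Null

$mgr = New-Object Microsoft.Web.Administration.ServerManager

# 1. Sites, state, root application pool and bindings, as stored in applicationhost.config.
Write-Host ("{0,-25} {1,-10} {2,-20} {3}" -f 'Site', 'State', 'Root app pool', 'Bindings')
foreach ($site in $mgr.Sites) {
    $bindings = ($site.Bindings | ForEach-Object { $_.BindingInformation }) -join ', '
    $rootApp  = $site.Applications['/']
    $pool     = if ($rootApp) { $rootApp.ApplicationPoolName } else { '(no root app)' }
    Write-Host ("{0,-25} {1,-10} {2,-20} {3}" -f $site.Name, $site.State, $pool, $bindings)
}

# 2. Sections a delegated site owner could change from their web.config if unlocked.
#    Hypothetical watch-list for this example; adjust to your own policy.
$watch = @(
    'system.webServer/security/authentication/anonymousAuthentication',
    'system.webServer/security/authentication/windowsAuthentication',
    'system.webServer/security/requestFiltering',
    'system.webServer/handlers',
    'system.webServer/modules'
)

$appHost = $mgr.GetApplicationHostConfiguration()
Write-Host ""
Write-Host ("{0,-70} {1,-10} {2}" -f 'Section', 'Setting', 'Effective')
foreach ($path in $watch) {
    $section = $appHost.GetSection($path)
    # OverrideMode is the explicit lock on this section (Inherit/Allow/Deny);
    # OverrideModeEffective is what the server enforces after inheritance.
    $effective = $section.OverrideModeEffective
    $flag = if ($effective -eq 'Allow') { 'DELEGATED' } else { 'locked' }
    Write-Host ("{0,-70} {1,-10} {2}" -f $path, $section.OverrideMode, $flag)
}
```

Sections reported as DELEGATED are the ones a site owner's web.config can redefine; anything you want enforced server-wide should show as locked in applicationhost.config.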

How to configure the new Windows Server 2008 advanced firewall MMC snap-in

Why should you use the Windows host-based firewall?

Many companies today secure their network using the "hard outer shell / gooey center" approach. What this means is that they create a strong perimeter around their network with firewalls and IPS systems, protecting themselves from malicious attackers on the Internet. However, if an attacker could penetrate the outer perimeter and gain access to the internal network, there would only be Windows authentication security to stop them from gaining access to the company's most valuable assets - their data.

This is because most IT Pros don't secure their servers with host-based firewalls. Why is that? We see host-based firewalls as being "more trouble than they are worth".

After reading this article, I hope that many of you will take a second look at the Windows host-based firewall. With Windows Server 2008, the host-based firewall is built in to Windows, is already installed, now has more features, and is now easier to configure. Plus, it is really one of the best ways to secure a crucial infrastructure server. So, what can the Windows Server Advanced firewall do for you and how do you configure it? Let's find out.

What does the new advanced firewall offer & how can it help you?

New with Windows Server 2008, the built-in firewall is now "advanced". And it isn't just me saying that, Microsoft now calls it the "Windows Firewall with Advanced Security" (let's abbreviate that as WFAS).

Here are the new features that help justify that new name:

  • New GUI interface – an MMC snap-in is now available to configure the advanced firewall.
  • Bi-directional – filters outbound traffic as well as inbound traffic.
  • Works better with IPSEC – now the firewall rules and IPSec encryption configurations are integrated into one interface.
  • Advanced Rules configuration – you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts & groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server.

With the addition of being a bi-directional firewall, a better GUI, and advanced rules configuration, the Windows Advanced firewall is bordering on being as good as traditional host-based firewalls (like ZoneAlarm Pro, for example).

I know that the first concern of any server admin in using a host-based firewall is: what if it prevents critical server infrastructure apps from functioning? While that is always a possibility with any security measure, WFAS will automatically configure new rules for any new server roles that are added to the server. However, if you run any non-Microsoft applications on your server that need inbound network connectivity, you will have to create a new rule for that type of traffic.

By using the advanced Windows firewall, you can better secure your servers from attack, stop your servers from attacking others, and really nail down what traffic is going in and out of your servers. Let's see how it is done.

What are the options for configuring Windows Firewall with Advanced Security?

Previously, with Windows Server, you could configure the Windows firewall when you went to configure your network adaptor or from the control panel. The configuration was very basic.

With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or the MMC with only the WFAS snap-in. Here is what they both look like:


Figure 1: Windows 2008 Server Manager


Figure 2: Windows 2008 Firewall with Advanced Security MMC only

What I have found is that the quickest & easiest way to start the WFAS MMC is to just type firewall in the Start menu Search box, like this:


Figure 3: Windows 2008 Firewall with Advanced Security MMC only

There is also a new netsh advfirewall CLI option for configuring WFAS.

What can I configure using the new WFAS MMC Snap-in?

Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used.

When you first go into the WFAS MMC snap in, by default, you will see that WFAS is ON and blocking inbound connections that don't have a matching outbound rule. In addition, the new outbound firewall is turned off.

Something else you will notice is that there are also different profiles for WFAS (see Figure 4 below).


Figure 4: Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, private profile, and public profile for WFAS. What these different profiles allow you to do is take the many inbound & outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say the corporate LAN vs. the local coffee shop).

Out of all the improvements we have talked about with WFAS, in my opinion, the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule), in Figure 5.


Figure 5: Windows 2003 Server Firewall Exception window

Now, let's compare that to Windows 2008 Server:


Figure 6: Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users & Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's IAS server.

The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server, there were the 3 default exceptions (rules). Not so in Windows Server. WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules – WOW!


Figure 7: Windows 2008 Server Advanced Firewall Default Inbound Rules

How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it.

Say that you have installed the Apache web server for Windows on your Windows 2008 Server. If you had used IIS, which is built into Windows, the port would have been automatically opened for you. However, as you are using a third-party web server and you have the inbound firewall enabled, you must manually open the port.

Here are the steps to follow:

  • Identify the protocol you want to filter – in our case, it is going to be TCP/IP (as opposed to UDP/IP or ICMP)
  • Identify the source IP address, source port number, destination IP address, and destination port number – our web traffic will be coming from ANY IP address and any port number, going to this server, on port 80. (Note that you could also create a rule for a specific program, such as the Apache HTTP Server.)
  • Open the Windows Firewall with Advanced Security MMC
  • Add the Rule - Click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard


Figure 8: Windows 2008 Server Advanced Firewall MMC – new rule button

  • Select that you want to create a rule for a port
  • Configure protocol & port number – take the default of TCP and enter the port number as 80 and click Next.
  • Take the default of "allow this connection" & click Next.
  • Take the default of applying this rule to all profiles & click Next.
  • Give the rule a name and click Finish.

At this point, you should have a rule that looks like this:


Figure 9: Windows 2008 Server Advanced Firewall MMC – after rule was created
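The same inbound rule can be created from the command line with netsh advfirewall, which is handy when you have to repeat this on several servers or keep it in a build script. The following is an added example, not code from the original article or from Apache; the rule name and the httpd.exe install path are assumptions for the example. It also scopes the rule to the Apache binary, which is tighter than the bare port rule the wizard produces: with program= set, only httpd.exe is allowed to accept connections on TCP 80.

```powershell
# Added example (not from the original article): build the inbound rule from an
# elevated PowerShell prompt on Windows Server 2008 instead of the wizard.
# $RuleName and $HttpdPath are assumptions; change them to match your server.
$RuleName  = "Apache HTTP Server inbound 80"
$HttpdPath = "C:\Apache2\bin\httpd.exe"   # assumed install path

# Show the firewall state of the domain, private and public profiles first,
# so you know under which profile the new rule will actually be evaluated.
netsh advfirewall show allprofiles state

# Same rule as the wizard: inbound, allow, TCP, local port 80, any remote
# address, enabled, applied to all profiles. program= restricts the rule to
# the Apache executable rather than opening port 80 for any process.
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
    protocol=TCP localport=80 remoteip=any profile=any enable=yes `
    program="$HttpdPath" description="Allow inbound HTTP to Apache"

# Verify: the rule should show Protocol TCP, LocalPort 80, Profiles Domain,Private,Public
netsh advfirewall firewall show rule name="$RuleName" verbose
```

If the web server only needs to be reachable from the corporate LAN, replace profile=any with profile=domain, and narrow remoteip= to the subnets that should be able to reach it; the wizard's default of "all profiles" means the same port is also open when the server is on a public network.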

Using Windows Server 2008 R2 to Publish Internal Resources

Something that I don't hear a lot about these days is the Windows Routing and Remote Access Service (RRAS). I remember back in the "olden days" when we used to use RRAS for all sorts of things – LAN router, outbound NAT server and reverse NAT server. I don't do that so much anymore because I've been using ISA or TMG firewalls for the last decade, and the ISA or TMG firewall is much more flexible than RRAS.

However, depending on your situation, there might still be times when you'd want to use RRAS. Maybe you need a quick and easy way to publish a service on your intranet and you don't have time to figure out how to do it on the firewall. OK, that's a pretty unlikely scenario. A more realistic situation in today's economy: Maybe you're on a tight budget and can't afford to spend more money for the TMG product. Or how about when you want to test things in a virtual environment? It's a lot easier to use Windows RRAS in a virtual environment than many other options, so why not take advantage of it?

Also, if you're new to Windows, you might not even know about the RRAS service and some of the things it can do. If this is your first time hearing about RRAS, then I think you'll be pleasantly surprised at all you can do with it. And it's built into Windows Server 2008 R2, so you don't have to spring for another program.

In this article, we'll check out the reverse NAT feature in Windows Server 2008 R2 RRAS. Reverse NAT allows you to publish services on the intranet to the Internet. The reason we call it reverse NAT is because the client side of the connection is on the non-NATed side of the RRAS server. What we do with reverse NAT is map an IP address on the external interface of the RRAS server to an IP address on the intranet, for the protocol that you want to allow to communicate.

For example, suppose you have a web server on your intranet that you want to make available to users outside the intranet. A quick and dirty way to do this is to set up a NAT server and use reverse NAT. You configure the NAT server to accept connections on a specific IP address and port number (TCP or UDP; in the case of the generic web server, it would normally be TCP port 80) and then forward those connections to the web server on the same port (TCP port 80). You could even do something called "port redirection" and forward the connection to a different port other than the port on which the connection was received. For example, you publish your web server so that external users use TCP port 80 to connect to the NAT server, but then the web server accepts the forwarded connections on another port, such as TCP port 81. This is one method that can be used to enable you to host multiple web sites on the same web server.

In this example of how to configure the Windows Server 2008 R2 RRAS reverse NAT, I'm going to take advantage of a project that my husband, Tom Shinder, is spearheading along with Joseph Davies at Microsoft. This project is the "Test Lab Series" and you can learn more about the Test Lab concept on Tom's blog. Something that all the Test Labs have in common is the "Base Configuration". We will use the Base Configuration in this article since it creates a nice, standard Test Lab environment on which we can build other articles and demonstrations.

The first thing you should do to complete the exercises described in this article is build out the Base Configuration, which you can find here.

After you build out that Base Configuration, you can snapshot the virtual machines that participate in the Base Configuration. That enables you to return to the Base Configuration to start a new Test Lab. It's a very nice concept and I wish I'd had something like this years ago because it really saves a lot of time if you do frequent testing.

After you build the base configuration, log on to EDGE1 as CORP\User1. In the Initial Configuration Tasks window, click the Add roles link as seen in Figure 1 below.


Figure 1

On the Before You Begin page, shown in Figure 2, click Next.


Figure 2

On the Select Server Roles page, shown in Figure 3, put a checkmark in the Network Policy and Access Services checkbox and click Next.


Figure 3

On the Network Policy and Access Services page, shown in Figure 4, click Next.


Figure 4

On the Select Role Services page, shown in Figure 5, put a checkmark in the Routing and Remote Access Services checkbox. Note that this will also automatically put checkmarks in the Remote Access Service and Routing checkboxes. Click Next.


Figure 5

On the Confirm Installation Selections page, shown in Figure 6, click Install.


Figure 6

On the Installation Results page, shown in Figure 7, click Close.


Figure 7

Now that the RRAS service is installed, you can turn it on. By default, RRAS is not enabled after installation. During the enabling process, you tell the RRAS wizard which roles you want RRAS to perform. To get this started, click Start and point to Administrative Tools and click Routing and Remote Access, as shown in Figure 8.


Figure 8

In the Routing and Remote Access console, shown in Figure 9, right click the EDGE1 (local) entry in the left pane of the console. Click Configure and Enable Routing and Remote Access.


Figure 9

Click Next on the Welcome to the Routing and Remote Access Server Setup Wizard page, shown in Figure 10.


Figure 10

On the Configuration page, shown in Figure 11, you have a number of options. Some of them allow you to configure the server as a remote access VPN server or site to site VPN server. In this example, we want to configure EDGE1 as a reverse NAT server. To do that, select the Network address translation (NAT) option and then click Next.


Figure 11

On the NAT Internet Connection page, shown in Figure 12, select the Use this public interface to connect to the Internet option and then select the Internet Network Interface. Click Next.


Figure 12

On the Completing the Routing and Remote Access Server Setup Wizard page, shown in Figure 13, click Finish.


Figure 13

In the left pane of the console, expand the EDGE1 (local)\IPv4 node and then click on the NAT node. In the right pane of the console, right click on the Internet interface and click Properties, as shown in Figure 14.


Figure 14

In the Internet Properties dialog box, click on the NAT tab, as shown in Figure 15. On the NAT tab, confirm that the Public interface connected to the Internet is selected and that there is a checkmark in the Enable NAT on this interface checkbox.


Figure 15

On the Address Pool tab, shown in Figure 16, you can add all the addresses that are bound to the external interface. Since there are two addresses bound to the external interface of EDGE1, we can add both of those addresses here. Click the Add button. In the Add Address Pool dialog box, enter the first address in the pool in the Start address and the last address in the pool in the End address. Enter the subnet mask in the Mask text box. In this example, the Start address is 131.107.0.2 and the End address is 131.107.0.3. The subnet mask is 255.255.255.0. Click OK in the Add Address Pool dialog box.


Figure 16

You can see the addresses you added now on the Address Pool tab, as shown in Figure 17. Notice the Reservations button. You can use this button to reserve an address on the external interface of the NAT server and forward all traffic from that address to a server on the intranet. You would do this if you wanted to allow all traffic to the server, and not limit the traffic to a specific protocol.


Figure 17

Click on the Services and Ports tab, shown in Figure 18, and you can see a list of the protocols that you can publish through the NAT server. Most of these protocols are "simple" protocols, in that they require a single primary connection. If you want to use a protocol that has multiple primary connections, or requires secondary connections back to the client on the Internet, then you will need a NAT editor. The RRAS NAT server includes several NAT editors to support complex protocols. One example is the FTP NAT editor.

Select the Web Server (HTTP) service and then put a checkmark in its checkbox.


Figure 18

This brings up the Edit Service dialog box that's shown in Figure 19. In the Public address frame, select the On this address pool entry and enter 131.107.0.2 in the text box. In the Private address text box, enter the IP address of APP1, which is 10.0.0.3. Click OK.


Figure 19

Click OK in the Internet Properties dialog box, shown in Figure 20. At this point, the Windows Server 2008 R2 RRAS server is ready to accept connections from Internet hosts at IP address 131.107.0.2 on TCP port 80 and forward those connections to APP1 on the intranet, which is listening for incoming web connections on IP address 10.0.0.3 on TCP port 80.


Figure 20

Now let's test it out! Move CLIENT1 to the Internet subnet (one of the three subnets in the Base Configuration). Open Internet Explorer and in the address bar enter http://edge1.contoso.com. This is the address you configured on the DNS server on INET1 in the base configuration which maps to the IP address 131.107.0.2 on EDGE1. Press ENTER and bang! There's the default Web site on APP1, as shown in Figure 21. Now that was pretty easy, wasn't it?


Figure 21
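Besides loading the page in Internet Explorer, it is worth confirming that the NAT server exposes only what you intended: TCP 80 on 131.107.0.2 and nothing else. The script below is an added example, not part of the original article or of the Test Lab Series; it is meant to be run from CLIENT1 after it has been moved to the Internet subnet, and it uses only .NET classes that are available to PowerShell 2.0 on the Test Lab machines. The addresses and the DNS name come from the walkthrough; the list of ports checked and the two-second timeout are assumptions for the example.

```powershell
# Added example (not from the original article): verify the published reverse
# NAT mapping from a host on the Internet subnet (e.g. CLIENT1).
# Addresses are the Test Lab's; the probe list and timeout are assumptions.
function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, $Port, $null, $null)
        # No answer within the timeout counts as closed (filtered by the NAT)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)      # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# Intended exposure after the walkthrough: only TCP 80 on 131.107.0.2 is mapped
# to APP1. 131.107.0.3 is in the address pool but has no service mapping, and
# other services on APP1 (RDP 3389, SMB 445) must not be reachable from outside.
$expected = @(
    @{ Address = "131.107.0.2"; Port = 80;   ShouldBeOpen = $true  },
    @{ Address = "131.107.0.2"; Port = 3389; ShouldBeOpen = $false },
    @{ Address = "131.107.0.2"; Port = 445;  ShouldBeOpen = $false },
    @{ Address = "131.107.0.3"; Port = 80;   ShouldBeOpen = $false }
)

$failures = 0
foreach ($e in $expected) {
    $open = Test-TcpPort -Address $e.Address -Port $e.Port
    $status = if ($open -eq $e.ShouldBeOpen) { "OK  " } else { $failures++; "FAIL" }
    "{0} {1}:{2} open={3} expected={4}" -f $status, $e.Address, $e.Port, $open, $e.ShouldBeOpen
}

# Confirm the mapped connection is really answered by APP1's default site, using
# the name INET1 resolves to 131.107.0.2 in the Base Configuration.
$html = (New-Object System.Net.WebClient).DownloadString("http://edge1.contoso.com/")
"HTTP response from edge1.contoso.com: {0} bytes" -f $html.Length

if ($failures -gt 0) {
    Write-Warning "$failures port check(s) did not match the intended NAT mapping"
}
```

Each probe that succeeds also creates an entry you can see in the Show Mappings view on the Internet interface, which makes it easy to tie a connection seen from the outside to the internal address it was translated to. If any of the "should be closed" probes reports open, look for an extra entry on the Services and Ports tab or a reservation on the Address Pool tab, since a reservation forwards all traffic for that address rather than a single port.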

Click on the NAT node in the left pane of the console. In the right pane of the console, right click Internet and click Show Mappings. Here you will find some interesting and helpful information about mappings used on the Internet interface for forward and reverse NAT connections. You can also see in the right pane of the console a number of statistics, such as Total mappings, Inbound packets translated, and others, as shown in Figure 22.


Figure 22