Building The Optimized Desktop Infrastructure with Windows 7 and Windows Server 2008 R2
Vito Konopelec, Microsoft Slovakia
Dec 22, 2015
Changing World for Information Workers
Diagram: central office, branch offices, remote work, and a mobile and distributed workforce.
IT professional needs:
• Secure and flexible infrastructure for working anywhere
• Reduce costs
Mobile and remote workforce needs:
• Work anywhere
• Fast access
The Evolving Needs of Organizations
Client Computing Trends and Choices
Optimized Desktop drivers: Compliance, Costs, Contingency, Carbon-Neutral (“Green”), Consumerization
Infrastructure for the Optimized Desktop
Enhance User Productivity
• Increase user productivity by enabling access to applications and data quickly, from anywhere
• Enable faster, more scalable, and efficient access to network resources
Protect Sensitive Data
• Implement policy-based network access and security
Reduce Costs with Enhanced Manageability
• Update and manage mobile PCs even when not on the corporate network
• Publish server-based applications directly to users’ desktops
• Centrally aggregate important client and server events
Fundamentals
Security | Reliability | Application Compatibility | Device Compatibility | Performance | Power Management
Combined value to deliver the optimized desktop: Windows 7 and Windows Server 2008 R2
Key Scenario: Enhance User Productivity
Benefits:
• Provide faster, more scalable, and efficient access to network resources
• Provide users with seamless access to applications and data from anywhere, helping to increase their productivity
• Provide users with a rich desktop experience from unmanaged or thin clients
Features: Receive Window auto-tuning, SMB 2.0, IPv6, DirectAccess, BranchCache™, VDI enhancements
Key Scenario: Protect Sensitive Data
Benefits:
• Enable policy-based network security by allowing only healthy PCs to access network resources
Features: Network Access Protection, Server and domain isolation
Key Scenario: Reduce Costs with Enhanced Manageability
Benefits:
• Update and manage mobile PCs even when not on the corporate network
• Publish server-based applications directly to users’ desktops
• Centrally aggregate important client and server events to the help desk
Features: DirectAccess, Remote Desktop Services (RDS), Event forwarding
Faster, More Scalable, and Efficient Access to Network Resources
IPv6
• All services within Windows Vista are IPv6-enabled
• Seamless, cost-optimized transitional approach
Receive-side auto-tuning
• Automatically senses the network environment and adjusts important performance settings
• Allows an increase in the size of the TCP/IP send/receive window
SMB 2.0 protocol improvements
• Higher number of open files and shares supported on the server
• Packet compounding reduces “chattiness”
• Message signing settings have been improved
• Client-side encryption is supported
• Durable handles are supported
Remote Access for Mobile Workers
Situation Today
• Challenging for IT to manage, update, and patch mobile PCs while disconnected from the company network
• Difficult for users to access corporate resources from outside the office
DirectAccess
• Corporate network boundary includes managed assets no matter where they are on the Internet
• Easy to service mobile PCs and distribute updates and policies
• New network paradigm increases mobile user productivity by providing the same experience inside and outside the office
DirectAccess Components
Client
• Runs on Windows 7
• Domain-joined
• Initial configuration done on the corporate network or over VPN
Server
• Runs on Windows Server 2008 R2
• Sits on the network edge
• Single box by default
• Services can be split up for scalability
DirectAccess Benefits
IT Pro Benefits
• Improved manageability of remote users
• IT simplification and cost reduction
• Consistent security for all access scenarios
End-User Benefits
• Seamless and secure access to corporate resources
• Consistent connectivity experience inside and outside the office
• Enhances the end-to-end IW experience when combined with other Windows 7 features
DirectAccess
Diagram: a Windows 7 client on the Internet connects through the DirectAccess server to IPv6 devices (native IPv6 with IPsec) and to IPv4 devices (via IPv6 transition services); a variety of remote network protocols is supported.
• DirectAccess provides transparent, secured access to intranet resources without a VPN
• Allows desktop management of DirectAccess clients
• Allows IPsec encryption and authentication
• Supports direct connectivity to IPv6-based intranet resources
• Supports IPv4 via 6to4 transition services or NAT-PT
• IT desktop management: AD Group Policy, NAP, software updates
Branch Office Enhancements
Situation Today
• Application and data access over the WAN is slow in branch offices
• Slow connections hurt user productivity
• Improving network performance is expensive and difficult to implement
BranchCache™
• Caches content downloaded from file and Web servers
• Users in the branch can quickly open files stored in the cache
• Frees up network bandwidth for other uses
BranchCache Benefits
IT Pro Benefits
• Helps reduce WAN utilization and cost
• Data encryption is enforced across the network
• Simple to deploy
End User Benefits
• Less waiting for downloads = more productivity
• Combined with other Windows 7 features, enhances the end-to-end IW experience
Improving Branch Performance: Distributed mode
Diagram: main office server; branch office with Client 1 and Client 2.
1. First client downloads data from main office server
2. Second client downloads identifiers from main office server
3. Second client searches local network for data and downloads from first client
Improving Branch Performance: Hosted caching
Diagram: main office server; branch office with Client 1, Client 2 and a hosted cache server.
1. First client downloads data from main office server
2. Content pushed to hosted cache from first client
3. Second client downloads identifiers from main office server
4. Second client downloads from hosted cache
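The identifier-then-data flow shared by both modes above, as an added simplified model (not Microsoft's protocol and not code from this deck): the identifiers the main office server hands out are block hashes, so the second client accepts a block from a peer or hosted cache only if it matches, and goes back to the WAN for a missing or altered block. The names BranchCacheStore, fetch and demo, the 16-byte block size and the sample content are all constructed for this illustration.

```python
import hashlib

BLOCK_SIZE = 16  # tiny for illustration; real BranchCache blocks are far larger

def content_identifiers(data: bytes):
    """Main office server: hash each block; these hashes are the identifiers
    the second client downloads over the WAN instead of the data itself."""
    return [hashlib.sha256(data[i:i + BLOCK_SIZE]).hexdigest()
            for i in range(0, len(data), BLOCK_SIZE)]

class BranchCacheStore:
    """Blocks held in the branch, keyed by hash: a peer in distributed mode or
    the hosted cache server in hosted mode (simplified, hypothetical store)."""
    def __init__(self):
        self.blocks = {}
    def store(self, data: bytes):
        # Step 1: client 1 keeps what it downloaded from the main office server
        for i, h in enumerate(content_identifiers(data)):
            self.blocks[h] = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
    def lookup(self, h: str):
        return self.blocks.get(h)

def fetch(identifiers, store, origin_fetch):
    """Client 2: ask the branch store for every identifier, keep a block only if
    its hash matches the server-supplied identifier, otherwise fall back to the
    origin over the WAN. Returns (data, blocks_from_branch, blocks_from_wan)."""
    out, from_branch, from_wan = [], 0, 0
    for i, h in enumerate(identifiers):
        block = store.lookup(h)
        if block is not None and hashlib.sha256(block).hexdigest() == h:
            from_branch += 1
        else:
            block = origin_fetch(i)  # cache miss, or a block the store altered
            from_wan += 1
        out.append(block)
    return b"".join(out), from_branch, from_wan

# Constructed sample content (57 bytes -> 4 blocks), not real file data
CONTENT = b"quarterly-report-branch-office-example-payload-0123456789"

def demo(tamper: bool = False):
    """Populate the branch store as client 1, optionally corrupt one cached block,
    then fetch as client 2 using only the server's identifiers.
    demo() -> (CONTENT, 4, 0); demo(tamper=True) -> (CONTENT, 3, 1)."""
    store = BranchCacheStore()
    store.store(CONTENT)
    if tamper:
        store.blocks[content_identifiers(CONTENT)[0]] = b"X" * BLOCK_SIZE
    ids = content_identifiers(CONTENT)  # steps 2-3: identifiers over the WAN
    return fetch(ids, store, lambda i: CONTENT[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE])
```

The tampered run shows why the identifiers must come from the trusted server rather than the cache: a corrupted or rogue branch copy is rejected and re-fetched, so the client still assembles the original bytes.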
Full Fidelity RemoteApp and Remote Desktop
Aero Glass for Remote Desktop Server
• Users have the same new Windows 7 look and feel when using Remote Desktop Server
RemoteApp and Remote Desktop connections
• RemoteApp and Remote Desktop icons integrate into the Start menu
• Icons refresh and update automatically
Multimedia support and audio input
• Experience rich multimedia redirection
• Use VoIP applications and speech recognition
True multiple monitor support
• Use up to 10 monitors of any size or layout with RemoteApp and Remote Desktop
• Applications behave like users expect – e.g. PowerPoint, without installing them locally
RemoteApp language bar support
• Configure applications that use different language settings than the local language (such as right-to-left languages)
Network Access Protection
Today’s Challenges
• Unprotected network taps within an organization’s buildings
• Administrators have limited control over the health of systems joining the network
• Result: hardware/network upgrades and increased operational costs, reduced productivity
Solution: end-to-end, authenticated, tamper-resistant communication
• Improved isolation using IPsec
• Network access protection across IPsec, 802.1X, DHCP, VPN
• Increased manageability
Network Access Protection
Diagram: Windows client; DHCP, VPN, or switch/router; Network Policy Server (NPS); policy servers (example: patch, AV); remediation servers (example: patch) on a restricted network; corporate network.
1. Client requests access to network and presents current health state
2. DHCP, VPN, or switch/router relays health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates against IT-defined health policy
4. If not policy compliant, client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations, and signatures (repeat 1-4)
5. If policy compliant, client is granted full access to corporate network
Policy-Based Dynamic Segmentation
Diagram: corporate network with an Active Directory domain controller, managed computers, an HR workstation, a trusted resource server, and servers with sensitive data. Domain isolation blocks the untrusted, unmanaged/rogue computer; server isolation lets the HR workstation reach the servers with sensitive data while other managed computers are blocked.
• Define the logical isolation boundaries
• Distribute policies and credentials
• Managed computers can communicate
• Block inbound connections from untrusted computers
• Enable tiered access to sensitive resources
Reduce the risk of network security threats
• An additional layer of defense-in-depth
• Reduced attack surface area
• Increased manageability and more healthy clients
Safeguard sensitive data and intellectual property
• Authenticated, end-to-end network communications
• Scalable, tiered access to trusted networked resources
• Protect the confidentiality and integrity of data
Extend the value of existing investments
• No additional hardware or software required
• Get more value from Active Directory and group policy
• Complements existing third-party network security solutions
Manageability Beyond The Office
DirectAccess
• Enables “always-on” management of remote machines to support a fully manageable environment
• Scenarios include: group policy updates, folder redirection/client-side caching, software/update distribution
Event Subscriptions
• Proactive management of key issues
• Pull/forward events to and from multiple machines and search/collate
• Does not require loading the entire log from the remote machine
Remote Desktop Services Manageability
Improved management toolset
• Reduce repetitive tasks with RDS PowerShell support, improved application installation, connection broker installation and profile management
RDS and VDI – an integrated solution
• Single broker to connect users to sessions or virtual machines; out-of-the-box solution for VDI scenarios with Hyper-V
RemoteApp and Remote Desktop connections
• Centrally hosted applications integrated into the Start menu and desktop; users can personalize a non-work PC with work applications without installing them locally
Platform investments
• Multiple levels of extensibility for custom partner solutions for RDS- and VDI-based solutions