Feed: TechNet Edge


Visio 2010 has new features specifically for process diagrams, such as cross-functional flowcharts (swimlane diagrams) and BPMN diagrams.

Mark Nelson, the lead PM on the Visio team for these features, shows how they work using the Beta version of Visio.

Date Published: Nov 20, 2009 - 2:00 pm

The Windows® 7 and Windows Server® 2008 R2 operating systems introduce DirectAccess, a new solution that provides users with the same experience working remotely as they would have when working in the office.

With DirectAccess, remote users can access corporate file shares, Web sites, and applications without connecting to a virtual private network (VPN), as shown in Windows 7 DirectAccess User Experience. Further, DirectAccess separates intranet traffic from Internet traffic, as shown on the left, and reduces unnecessary traffic on the corporate network. 





DirectAccess requirements include:
  • DirectAccess Server: This is a Windows Server 2008 R2 server with the server feature, DirectAccess Management Console, added. A DirectAccess server must be joined to an Active Directory® domain and cannot be behind a Network Address Translation (NAT) device. In addition, a DirectAccess server must have two network adapters: one connected to the intranet, and the other to the Internet with at least two consecutive public IPv4 addresses.
  • DirectAccess Client: Windows 7 is the supported client OS.
  • At least one domain controller and Domain Name System (DNS) server is Windows Server 2008 SP2 or Windows Server 2008 R2.
  • Public Key Infrastructure (PKI) for issuing computer certificates, smart card certificates, and, for Network Access Protection (NAP), health certificates
  • IPsec policies to specify protection for traffic
  • IPv6 transition technologies, i.e. ISATAP (RFC 4214), Teredo (RFC 4380), and 6to4 (RFC 3056), for DirectAccess server
  • Optionally, a non-Microsoft NAT-PT (RFC 2766) device to provide access to IPv4-only resources for DirectAccess clients  

Here’s how DirectAccess works:

  1. A DirectAccess client computer boots and detects a network connection.
  2. The DirectAccess client computer attempts to connect to an intranet-only web site specified in DirectAccess configuration. If the web site is available, the DirectAccess client determines that it is connected to the intranet, and the DirectAccess connection process stops. The effective DNS Name Resolution Policy revealed by the command, netsh name show effectivepolicy, should indicate DirectAccess is turned off, if the client is in the intranet. On the other hand, if the Web site is not available, the DirectAccess client determines that it is connected to the Internet and the DirectAccess connection process continues. The DirectAccess client computer connects to the DirectAccess server using IPv6 and IPsec. If a native IPv6 network isn’t available, the client establishes an IPv6-over-IPv4 tunnel using 6to4 or Teredo. If a firewall or proxy server prevents the client computer using 6to4 or Teredo from connecting to the DirectAccess server, the client automatically attempts to connect using the IP-HTTPS protocol, which uses a Secure Sockets Layer (SSL) connection to ensure connectivity.

  3. As part of establishing the IPsec session, the DirectAccess client and server authenticate each other using computer certificates. Two types of IPsec protection, end-to-end and end-to-edge, are available for a DirectAccess client to connect to intranet resources.
  4. By validating Active Directory® group memberships, the DirectAccess server verifies that the computer is authorized to connect with DirectAccess. To mitigate the risk of denial of service (DoS) attacks, IPsec on the DirectAccess server de-prioritizes key negotiation traffic using Differentiated Services Code Points (DSCPs).
  5. If Network Access Protection (NAP) is enabled and configured for health validation, the DirectAccess client obtains a health certificate from a Health Registration Authority (HRA), located on the Internet, prior to connecting to the DirectAccess server. The HRA forwards the DirectAccess client’s health status information to a NAP health policy server. The NAP health policy server processes the policies defined within the Network Policy Server (NPS) and determines whether the client is compliant with system health requirements. If so, the HRA obtains a health certificate for the DirectAccess client. When the DirectAccess client connects to the DirectAccess server, it submits its health certificate for authentication.
  6. The DirectAccess server begins forwarding traffic from the DirectAccess client to the intranet resources to which the user has been granted access.

Notice the DirectAccess connection process happens automatically once a DirectAccess client boots up without requiring a user to log on.
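
Each stage of the connection process above leaves state on the client that built-in tools can report. The following PowerShell script is an added example, not part of the original post; it assumes an elevated session on the Windows 7 client and spells out the netsh context as namespace for the policy command mentioned in step 2.

```powershell
# Added example (not from the original post): snapshot of DirectAccess client state.
# Assumes an elevated PowerShell session on the Windows 7 client.

function Invoke-Netsh {
    param([string[]]$NetshArgs)
    # Capture stdout and stderr of netsh as one trimmed string.
    (& netsh.exe $NetshArgs 2>&1 | Out-String).Trim()
}

# Each entry maps a stage of the connection process to the netsh context that reports it.
$checks = @(
    @{ Stage = 'Step 2, location detection: effective name resolution policy'
       Cmd   = 'namespace', 'show', 'effectivepolicy' },
    @{ Stage = 'Step 2, IPv6 transition: 6to4 state'
       Cmd   = 'interface', '6to4', 'show', 'state' },
    @{ Stage = 'Step 2, IPv6 transition: Teredo state'
       Cmd   = 'interface', 'teredo', 'show', 'state' },
    @{ Stage = 'Step 2, fallback: IP-HTTPS interface'
       Cmd   = 'interface', 'httpstunnel', 'show', 'interfaces' },
    @{ Stage = 'Step 3, IPsec: main mode security associations'
       Cmd   = 'advfirewall', 'monitor', 'show', 'mmsa' }
)

foreach ($check in $checks) {
    "=== $($check.Stage) ==="
    Invoke-Netsh $check.Cmd
    ''
}

# Step 3 authenticates with a computer certificate: list the unexpired
# certificates in the computer store that have a private key.
$now   = Get-Date
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
}

'=== Step 3, IPsec authentication: usable computer certificates ==='
if (-not $certs) {
    'None found: step 3 needs a computer certificate on this client.'
} else {
    $certs | ForEach-Object {
        # Collect the Enhanced Key Usage names, if the certificate restricts usage.
        $ekuExt = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekus = @($ekuExt | Where-Object { $_ } |
                  ForEach-Object { $_.EnhancedKeyUsages } |
                  ForEach-Object { $_.FriendlyName })
        New-Object PSObject -Property @{
            Subject = $_.Subject
            Issuer  = $_.Issuer
            Expires = $_.NotAfter
            EKU     = ($ekus -join ', ')
        }
    } | Format-List Subject, Issuer, Expires, EKU
}
```

On an intranet-connected client the first section should show DirectAccess turned off, as the post describes; on an Internet-connected client, compare the transition sections to see which tunnel the client fell back to.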


Date Published: Nov 20, 2009 - 1:01 am

The last stop on the Exchange customer road trip was Memphis.  We met with a couple guys from Morgan Keegan.
They expect to see some significant cost savings and improved uptime.  They even got written up in Wall Street and Technology - you can see the write up here.

Date Published: Nov 19, 2009 - 1:01 am

This is a follow-up posting to Windows 7 DirectAccess Explained. Here, I configured a simple infrastructure with my Hyper-V-enabled laptop to demonstrate the user's experience in accessing corporate resources with DirectAccess, including:

  • dc.contoso.com: DC/DNS/DHCP/CA
  • da.contoso.com: DirectAccess server with 2 network adapters and 2 consecutive IPv4 addresses assigned to the one connected to the Internet
  • app.contoso.com: An internal-only application server
  • win7-client.contoso.com: A Windows 7 machine configured as a DirectAccess client

The demonstration shows that with DirectAccess a user working remotely can securely access authorized corporate resources, without connecting to a virtual private network (VPN), with the same experience as one would have when working in the office.


Date Published: Nov 18, 2009 - 7:50 pm
Join Tim Vander Kooi, chairman of the board for the North American arm of Culminis, and Kevin Watt, Product Manager on the Windows Server team in the US Subsidiary, as they delve deeper into the changes that Windows Server 2008 R2 brings to the server OS and what these changes mean with regard to existing network infrastructure. What current applications and products are affected by making the move to Windows Server 2008 R2, and how do Windows Server 2008 R2 and Windows 7 together bring a new dimension to network computing?

Visit IT Manager Community Hub on TechNet - www.technet.com/itmanagement

Date Published: Nov 18, 2009 - 2:59 pm

With the RTM of Forefront Threat Management Gateway (TMG), David Cross tells us about what's new and gives some real-world examples of how Microsoft IT has benefited from TMG over ISA 2006.  He also discusses the following:

  • Why TMG only utilizes Microsoft signatures with the GAPA / NIS capabilities
  • How TMG protects non-Microsoft & unmanaged clients
  • URL filtering capabilities 
  • How TMG can help you save costs
  • How to migrate from 32-bit ISA 2006 servers to the (only 64-bit) TMG server
  • The differences between UAG and TMG

Download TMG RTM
Learn more about TMG


Date Published: Nov 18, 2009 - 12:59 am

Need to make your web site’s relevance more search engine friendly as well as create simpler URLs?  Today marks the RTW (Release to Web) of the IIS Search Engine Optimization (SEO) Toolkit and the RC (Release Candidate) of URL Rewriter 2.0.

The IIS SEO Toolkit helps Web developers, hosting providers, and Web server administrators to improve their Web site’s relevance in search results by recommending how to make the site content more search engine-friendly. The IIS SEO Toolkit helps to improve the volume and quality of traffic to your Web site from search engines, control how search engines access and display Web content, and inform search engines about locations that are available for indexing.

IIS URL Rewriter 2.0 adds support for outbound response rewriting and enables Web administrators to create powerful rules to implement URLs that are easier for users to remember and easier for search engines to find. IIS URL Rewriter 2.0 helps to easily define rules that match URLs or HTTP headers to generate more friendly and consistent URLs, protect content and assets from unauthorized linking and scanning, and integrate with existing IIS features to improve management, performance, and troubleshooting.

For more information or to download, please visit the IIS SEO Toolkit RTW page and the IIS URL Rewriter 2.0 RC page.  Of course for all of your IIS 7.5 needs you should visit IIS.net.


Date Published: Nov 17, 2009 - 11:15 am
Join Kevin Remde, Sr. IT Professional Evangelist and Shanen Boettcher, General Manager in the Server & Tools Division on the US team at Microsoft, as they discuss Hyper-V in Windows Server & System Center and how Microsoft Virtualization solutions can cost less and help you maximize the return on your virtualization investment. They will also address the features and benefits of Windows Server Virtualization and System Center including how they work together to allow complete integration. 

Visit Microsoft Thrive site - www.microsoft.com/thrive

Date Published: Nov 17, 2009 - 4:04 am
The second stop on the Exchange early adopter road trip was Vegas.  The customer we visited with, Global Crossing, was actually just in town for a conference, but who am I to turn down a visit to Sin City?
Global Crossing is upgrading to Exchange 2010 to take advantage of the great new e-mail archiving, cheaper storage options, and as a replacement for its legacy voicemail system. 
CIO Magazine also caught up with Global Crossing this week and posted this story on the cost savings the company hopes to realize by standardizing on Windows phones and EAS and moving off of BlackBerry smartphones.

Date Published: Nov 16, 2009 - 12:45 pm

Join James Brundage, PowerShell Test Team member, as he introduces Variables, Types, and Operators.  

Windows PowerShell is a Windows command-line shell designed for ease-of-use not only by system administrators but also for application and system developers.  The shell includes an interactive prompt and a scripting environment that can be used independently or in combination.  PowerShell V2 is available by default with both R2 and Windows 7 and, via an optional update, previous versions of Windows.

Unlike most scripting shells, which accept and return text, Windows PowerShell is integrated with the .NET Common Language Runtime (CLR) and the .NET Framework, and thus deals in .NET objects instead of just text strings.  This fundamental change in the environment brings entirely new tools and methods to the management and configuration of Windows.   Application Developers may extend their solutions with custom PowerShell based object models that integrate seamlessly with platform management solutions.

Like many shells, Windows PowerShell gives you access to the file system on the computer.  In addition, Windows PowerShell providers enable you to access other data stores, such as the registry and the digital signature certificate stores, as easily as you access the file system.

Version 2 of Windows PowerShell introduces an array of new features including remote sessions, an integrated script environment, debugging tools, and much more.

Continue your video tour of PowerShell V2 via TechNet Edge.  Don't miss the reusable scripts and techniques at the PowerShell Script-Center website.  Subscribe to the PowerShell Team Blog RSS Feed for the latest info.

 


Date Published: Nov 13, 2009 - 6:10 pm
The Microsoft Security Response Center (MSRC) holds a monthly webcast to discuss the security bulletins that we released on the second Tuesday of that month. To attend live and ask questions, register at http://www.microsoft.com/technet/security

In this edition, Jerry Bryant and Adrian Stone present information about the November 2009 Security Bulletins and answer customer questions live. See the MSRC blog for a transcript of the questions and answers that were addressed during the live session: http://blogs.technet.com/msrc

For more information about the MSRC, please visit:
http://www.microsoft.com/security/msrc/default.mspx

Date Published: Nov 13, 2009 - 5:20 pm

Meir Mendelovich, UAG Program Manager, at TechEd EMEA 09 tells us about some of the capabilities of UAG and then demos Direct Access and walks through the UAG Direct Access configuration via a screencast.

Learn more about UAG


Date Published: Nov 13, 2009 - 10:05 am

The old adage “A watched pot never boils” could be applied to your servers: “A watched server never goes wrong”. That server always decides to do something right before those critical moments, just as you are leaving for the day, just before the game starts, just as your food arrives; it never does it when you have the console open on the server. The answer to this is to use some form of “early warning system”, something that monitors what’s going on and lets you know when conditions you deem critical occur. So what “early warning systems” are there and when do you use them?

The one thing Microsoft Servers and the applications that run on them do well is that they expose a significant amount of information through event logs and performance logs. This is a double-edged sword: while the information is detailed, it’s also isolated to that particular server. To get a full picture of what is going on across all your servers you have to be able to analyse all this information. So a basic “early warning system” can use this built-in functionality for Windows Server 2008 and above (this also includes Windows Vista and Windows 7, and while strictly not Data Center products it could be useful to know). The Event Viewer in Windows Server 2008 has the ability to run a task when a specific event occurs; this task could be a script that addresses the event or informs you about the event. This is a simple solution for a small number of servers, and I do mean small number. Remember, if you decide to change the task later, you have to modify every server it’s on. The next step up is to use the same task idea, but have it run on one machine only. What makes this machine special is that it is the target in an Event Subscription setup. Here, all the servers can be configured to send events to one machine; this machine in turn can monitor the events and alert you when specific events occur. This is a little more centralized than running tasks on each server.

The above is not really a system management solution; the purpose of the information is to highlight the basics of a system management solution. True solutions, like I’ll come onto next, process the information in the event logs and in performance counters in a way that makes it easy to digest from the outset and they also apply “knowledge” to issues to correct them for you. The “early warning system” should deliver a view of your servers and clients in one console and allow you to correct issues with a few clicks. So let’s look at the two System Center solutions you can use.

If your data center is up to around 30 servers – physical and/or virtual – you can use System Center Essentials 2007. Essentials 2007 is a mid-sized organization solution; it can work in a single Domain environment or a workgroup environment. It provides a single console view that allows you to manage your Windows-based servers, Windows-based clients, applications, services and SNMP-capable network devices.

What if your Data Center is beyond 30 servers? If it is, then there is no reason you should expect a lesser experience than Essentials 2007 provides. You have much the same requirements as a mid-size organization, just bigger. For a job this big, you need Essentials 2007’s bigger brother, System Center Operations Manager 2007 R2. There are a lot of features that both Essentials 2007 and SCOM 2007 R2 share to deliver a management experience and cost saving experience.

In both products you have a single console that is designed to deliver information clearly and quickly. When there is a problem, the console clearly identifies the issue and can suggest remediation actions. The way the system decides what actions can be taken is based on information that is contained in Management Packs. These “packs” contain monitoring settings for applications and services. Once imported, Operations Manager or Essentials 2007 immediately begins to monitor objects based on default configurations and thresholds that are set in the management pack. What makes these powerful are the parts contained within the pack; for example, packs can contain Tasks, which define activities that can be executed by either the agent or the console. (As a side note, there are over 50 management packs for various Microsoft products.)

Operations Manager 2007 R2 also allows you to track service levels, which is becoming increasingly important for IT Operations as they are pressured to prove that the services they are providing are available and performing. This also leads to a need for reports; you can create custom reports with Operations Manager 2007 R2 to meet whatever reporting requirement you may have.

Operations Manager 2007 R2 is a power tool, so some thought should be given to how exactly to deploy it. To help, there is a Solution Accelerator called the Infrastructure Planning and Deployment (IPD) Guide. If the guide seems a bit much to start with, there is also a Deployment Webcast that can provide some useful insights into what worked, as well as what didn't, when deploying Operations Manager 2007 into different environments. Likewise, if you are under the 30 server limit that allows you to use Essentials 2007, there is a Deployment Webcast that will walk you through the processes for deploying Essentials 2007 in different network environments.

In the next post I’ll cover how to specifically manage Hyper-V and your virtual machine infrastructure.


Date Published: Nov 12, 2009 - 11:24 am
This is part 4 of a 5 part series of screencasts, which were the demos from the TechNet Webcast: "Automating Windows 7 Deployments using System Center Configuration Manager 2007 R2 SP2" delivered November 11, 2009.

Part 4: Deploying Windows 7 to Bare Metal Systems

In this session we create and advertise the task sequence for, and perform a PXE-boot and installation of, Windows 7 onto a "bare metal system" (a computer with no OS installed on it).

For topic resources, plus links to the webcast recording and the other screencast demo videos from this series, click here: http://blogs.technet.com/kevinremde/archive/2009/11/11/CLI312.aspx

Date Published: Nov 11, 2009 - 9:01 pm
This is part 5 of a 5 part series of screencasts, which were the demos from the TechNet Webcast: "Automating Windows 7 Deployments using System Center Configuration Manager 2007 R2 SP2" delivered November 11, 2009.

Part 5: Deploying Windows 7 to Existing Windows Clients

In the "grand finale" of this series, we add the USMT (User State Migration Tool) package to SCCM 2007, and include it in a new task sequence for the sake of upgrading existing Windows clients from Windows XP or Windows Vista to Windows 7.  We then perform the upgrade of an existing Windows XP system, while retaining user files and settings.

For topic resources, plus links to the webcast recording and the other screencast demo videos from this series, click here: http://blogs.technet.com/kevinremde/archive/2009/11/11/CLI312.aspx

Date Published: Nov 11, 2009 - 9:01 pm