Building The Optimized Desktop Infrastructure with

Windows 7 and Windows Server 2008 R2

Jason Leznek, Group Product Manager, Windows Client

Justin Graham, Senior Product Manager, Windows Server

Information Workers’ World Has Been Changing

BRANCH OFFICES

MOBILE & DISTRIBUTED WORKFORCE

CENTRAL OFFICE

REMOTE WORK

The Evolving Needs of Organizations

Mobile & Remote Work-Force needs:Work anywhereFast access

IT Professional needs:Secure and flexible infrastructure for“work anywhere”Reduce costs

Client Computing Trends and Choices

Consumerization

Costs

Compliance

ContingencyCarbon-

Neutral(“Green”)

Optimized Desktop

Enhance User Productivity Protect Sensitive Data Reduce Costs with Greater Manageability

• Policy-based Network Access and Security

• Faster, More Scalable and Efficient Access to Network Resources

• Policy-based network security • Centrally Aggregate Important Client and Server Events

Enhance User Productivity Protect Sensitive Data Reduce Costs with Greater Manageability

• Increase user productivity by enabling users to access their applications and data quickly, from anywhere

• Update and manage mobile PCs even when not on the corporate the network• Publish server-based applications

directly to users’ desktops

FundamentalsSecurity, Reliability, Application Compatibility, Device Compatibility, Performance, Power Management

Infrastructure for the Optimized Desktop

Enhance User Productivity Protect Sensitive Data Reduce Costs with Enhanced Manageability

• Increase user productivity by enabling users to access their applications and data quickly, from anywhere

• Policy-based Network Access and Security

• Faster, More Scalable and Efficient Access to Network Resources

• Policy-based network security • Update and manage mobile PCs even when not on the corporate the network

• Publish server-based applications directly to users’ desktops

• Centrally Aggregate Important Client and Server Events

FundamentalsSecurity, Reliability, Application Compatibility, Device Compatibility, Performance, Power Management

Windows 7 and Windows Server 2008 R2 Key Scenario Benefits Features

Enhance User Productivity

Provide Faster, More Scalable and Efficient Access to Network Resources

Provide users with seamless access to applications and data from anywhere, hence increasing their productivity

Provide users a rich desktop experience from unmanaged or thin clients

Receive Window Auto-tuning SMB 2.0 IPv6

DirectAccessBranchCache™

VDI enhancements

Protect Sensitive Data

Enable policy-based network security by allowing only healthy PCs from accessing network resources

Network Access ProtectionServer and Domain Isolation

Reduce Costs with Enhanced Manageability

Update and manage mobile PCs even when not on the corporate the network

Publish server-based applications directly to users’ desktops

Centrally Aggregate Important Client and Server Events to Help Desk

DirectAccess

Remote Desktop Services (RDS)Event Forwarding

Combined Value to Deliver the Optimized Desktop

Enhancing User Productivity

Faster, More Scalable and Efficient Access to Network Resources

IPv6All Services Within Windows Vista are IPv6-enabledSeamless Cost-Optimized Transitional Approach

Receive-Side Auto-tuningAutomatically senses network environment and adjusts important performance settingsAllows increase of the size of the TCP/IP send/receive window

SMB 2.0 protocol improvementsNumber of open files and shares on the serverPacket compounding reduces “chattiness”Message signing settings have been improvedClient-side encryption is supportedDurable handles are supported

Challenging for IT to manage, update, patch mobile PCs while disconnected from company networkDifficult for users to access corporate resources from outside the office

Corporate network boundary includes managed assets no matter where they are on the InternetEasy to service mobile PCs and distribute updates and policesNew network paradigm increases mobile user productivity by providing same experience inside & outsidethe office

Situation TodayRemote Access for Mobile Workers

HomeOffice Home Office

DirectAccess

Microsoft Confidential.

DirectAccess Components

Runs on Windows 7Domain-joinedInitial configuration done on Corpnet or over VPN

Runs on Windows Server 2008 R2Sits on network edgeSingle box by defaultServices can be split up for scalability

Server Client

Microsoft Confidential.

IT Pro Benefits

DirectAccess Benefits

Improved manageability of remote users

IT simplification and cost reduction

Consistent security for all access scenarios

Seamless & secure access to corporate resources

Consistent connectivity experience in / out office

Combined with other Windows 7 features enhances the end to end IW experience

End User Benefits

IPv6 Devices IPv4 Devices

DirectAccessServer

Windows 7 Client

Native IPv6 with IPSec

IPv6 Transition Services

Supports variety of remote network protocols

DirectAccess

DirectAccess provides transparent, secured

access to intranet resources without a

VPN

Allows desktop management of

DirectAccess clients

Allows IPSec encryption and authentication

Supports direct connectivity to IPv6-

based intranet resources

Support IPv4 via 6to4 transition

services or NAT-PTIT desktop manageme

nt

AD Group Policy, NAP,

software updates

Internet

Branch Office Enhancements

Caches content downloaded from file and Web serversUsers in the branch can quickly open files stored in the cacheFrees up network bandwidth for other uses

Application and data access over WAN is slow in branch officesSlow connections hurt user productivity Improving network performance is expensive and difficult to implement

BranchCache™Situation Today

Microsoft Confidential.

IT Pro Benefits

BranchCache Benefits

Helps reduce WAN utilization and cost

Data encryption is enforced across the network

Simple to deploy

Less waiting for downloads = more productivity

Combined with other Windows 7 features enhances the end to end IW experience

End User Benefits

1.First client downloads data from main office server

Improving Branch PerformanceDistributed Mode

Main Office

Client 1

Client 2

2.Second client downloads identifiers from main office server

3.Second client searches local network for data and downloads from first client

Branch Office

1.First client downloads data from main office server

Client 1

Client 2

Branch Office

Improving Branch PerformanceHosted Caching

2.Content pushed to hosted cache from first client

3.Second client downloads identifiers from main office server

4.Second client downloads from hosted cache

Main Office

Microsoft Confidential.

Aero Glass for Remote Desktop ServerUses have the same new Windows 7 look and feel when using Remote Desktop Server

RemoteApp & Desktop ConnectionsRemoteApp & Desktops icons integrated into start menu etcIcons refreshed & updated automatically

Multimedia Support & Audio InputExperience rich multimedia redirection Use VoIP applications and speech recognition.

True multiple monitor supportUse up to 10 monitors of any size or layout with RemoteApp and DesktopsApplications behave like users expect – e.g. PowerPoint installing them locally

RemoteApp™ Language Bar SupportConfigure applications that use alternate language settings (e.g. right to left languages) from the local language

Full Fidelity RemoteApp & Desktops

Protect Sensitive Data

Network Access Protection

Unprotected Network Taps Within An Organization’s BuildingsAdministrators Have Limited Control About Health Of Systems Joining NetworkResult: Hardware/Network Upgrades And Increased Operational Costs, Reduced Productivity

Today’s Challenges

Solution – End-to-End, Authenticated, Tamper-resistant Communication

Improved Isolation Using IPsecNetwork Access Protection Across IPsec, 802.1X, DHCP, VPNIncreased Manageability

Microsoft Confidential.

1

RemediationServersExample: Patch

Network Access Protection

RestrictedNetwork

1

WindowsClient

2

2DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)

3

3Network Policy Server (NPS) validates against IT-defined health policy

4

If not policy compliant, client is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures (Repeat 1-4)

Not policy compliant

5If policy compliant, client is granted full access to corporate network

Policy compliant

NPSDHCP, VPNSwitch/Router

4

Policy Serverssuch as: Patch, AV

Corporate Network5

Client requests access to network and presents current health state

Policy-based Dynamic Segmentation

Untrusted

Unmanaged/Rogue Computer

Domain Isolation

Active Directory Domain Controller

X

Server Isolation

Servers with Sensitive DataHR Workstation

Managed Compute

r

X

Managed Compute

r

Trusted Resource Server

Corporate Network

Define the logical isolation boundariesDistribute policies and credentialsManaged computers can communicateBlock inbound connections from untrustedEnable tiered-access to sensitive resources

Business and Technical Benefits

Extend the value of existing investmentsNo additional hardware or software requiredGet more value from Active Directory and Group PolicyComplements existing 3rd network security solutions

Safeguard sensitive data and intellectual property

Authenticated, end-to-end network communicationsScalable, tiered access to trusted networked resourcesProtect the confidentiality and integrity of data

Reduce the risk of network security threatsAn additional layer of defense-in-depthReduced attack surface areaIncreased manageability and more healthy clients

Enhanced Manageability

Microsoft Confidential.

Manageability Beyond The Office

Enables “always-on” management of remote machines to support a fully-manageable environment

Scenarios include:Group Policy UpdatesFolder Redirection/Client-side CachingSoftware/Update Distribution

DirectAccess

Event SubscriptionsProactive management of key issues

Pull/Forward events to/from multiple machines and search/collateDoes not require loading entire log from remote machine

Microsoft Confidential.

Improved Management ToolsetReduce repetitive task with RDS Powershell support, improved application install, connection broker install & profile management

RDS and VDI – An Integrated SolutionSingle broker to connect users to sessions or virtual machines, out of the box solution for VDI scenarios with Hyper-V

RemoteApp & Desktop ConnectionsCentrally hosted applications integrated into Start Menu, desktop, etc. Can personalize a non-work PC with work applications without installing them locally

Platform InvestmentsMultiple levels of extensibility for custom partner solutions for Remote Desktop Services & VDI based solutions

Remote Desktop Services Manageability

Questions and Answers

© 2009 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.