Easier Setup, Configuration, and Deployment

   

The following sections describe the enhancements that make Windows Server 2003 easier to set up, configure, and deploy:

  • Network Diagnostics Features

  • Network Location Awareness

  • Wireless LAN Enhancements

  • Routing and Remote Access Service Enhancements

  • Connection Manager Enhancements

Network Diagnostics Features

Network diagnostics features were added to the Windows Server 2003 family to support diagnosing network problems, as follows:

  • Network Diagnostics Web page.

    The Network Diagnostics Web page can be viewed from the Tools section of Help and Support or from the Help and Support detailed information section on either troubleshooting or networking. This Web page makes it easy to retrieve important information about the local computer and the network it's connected to. The Web page also includes various tests for troubleshooting network problems.

  • Netsh Diag commands.

    A new Netsh helper DLL provides commands in the Netsh Diag context to enable you to view extensive network diagnostic information and perform diagnostic functions from the command line. To run Netsh diagnostic commands, type netsh -c diag at the command prompt.

  • Repair menu option for network connections.

    Sometimes a computer's network configuration can be in a state that prohibits network communication, but the configuration can still be repaired through a set of common procedures, such as renewing the IP address configuration and Domain Name System (DNS) name registrations. To avoid having to take these steps by hand, a Repair option is available on each network connection's shortcut menu. Choosing this option causes a series of steps to be taken that are likely to solve communication problems and are known not to cause worse problems.

  • Support tab for network connections.

    The Status dialog box for each network connection in the Network Connections folder now includes a Support tab. From this tab, TCP/IP configuration information is displayed. The Support tab includes a Repair button, which is equivalent to the Repair context menu option on the network connection.

  • Networking tab for Task Manager.

    Task Manager now includes a Networking tab, shown in Figure 6-1, that displays real-time networking metrics for each network adapter in the system. This tab can provide a quick look at how the network is performing.

    Figure 6-1. The Networking tab in Task Manager is new in Microsoft Windows XP and Windows Server 2003.


  • Updated Netdiag.exe command-line network diagnostics tool.

    The support tools provided on the Windows Server 2003 family product CD-ROM include Netdiag.exe, an enhanced version of the diagnostics tool provided in the Microsoft Windows 2000 Resource Kit. To install the support tools, run the file Support.msi from the Support\Tools folder on the Windows Server 2003 family product CD-ROM.

  • Menu option to enable remote access logging.

    A new Diagnostics tab has been added to the Remote Access Preferences dialog box in the Network Connections folder to globally enable, view, and clear logging for remote access connections. To view the Remote Access Preferences dialog box, choose Remote Access Preferences from the Advanced menu in the Network Connections folder.

Network Location Awareness

Network location awareness allows computers running the Windows Server 2003 family to detect information about the network to which the computer is attached. This allows for seamless configuration of the network stack for that location. This information is also made available through a Windows Sockets API, allowing applications to retrieve information about the current network or be notified when network information changes.

Components in the Windows Server 2003 family also use the network location to provide appropriate services. For example, the new Group Policy settings to enable or disable the Internet Connection Sharing (ICS), Internet Connection Firewall (ICF), and Network Bridge features are network location-aware; they apply to the computer only when it's connected to the network on which the settings were obtained. For example, if a laptop computer receives a Group Policy setting to disable these features while connected to a corporate network, when the computer is connected to a home network, the Group Policy settings do not apply and the features can be used.

Wireless LAN Enhancements

Several features and enhancements have been added to the Windows Server 2003 family to improve the experience in deploying wireless LANs, including automatic key management and user authentication and authorization prior to LAN access. These enhancements include the following:

  • Enhanced Ethernet and wireless security (IEEE 802.1X Support).

    Previously, wireless networking lacked an easy-to-deploy security solution with a key management system. Microsoft and several wireless LAN and PC vendors worked with the IEEE to define IEEE 802.1X, a standard for port-based network access control that applies to both Ethernet and wireless LANs. Microsoft implemented IEEE 802.1X support in Windows XP and worked with wireless LAN vendors to support the standard in their access points.

  • Wireless zero configuration.

    In conjunction with the wireless network adapter, the Windows Server 2003 family can choose from available wireless networks to configure connections to preferred networks without user intervention. Settings for a specific wireless network can be saved and automatically used the next time that wireless network is accessed. In the absence of an infrastructure network, the Windows Server 2003 family can configure the wireless adapter to use ad hoc mode.

  • Wireless roaming support.

    Windows 2000 included enhancements for detecting the availability of a network and acting appropriately. These enhancements have been extended and supplemented in the Windows Server 2003 family to support the transitional nature of a wireless network. Features added in the Windows Server 2003 family include renewing the DHCP configuration upon reassociation, reauthentication when necessary, and choosing from multiple configuration options based on the network to which the computer is connected.

  • Wireless Monitor snap-in.

    The Windows Server 2003 family includes a new Wireless Monitor snap-in, which can be used to view wireless access point (AP) or wireless client configuration and statistical information.

  • Password-based authentication for secure wireless connections.

    The Windows Server 2003 family includes support for Protected Extensible Authentication Protocol (PEAP) for wireless network connections. With PEAP, you can use a password-based authentication method to securely authenticate wireless connections. PEAP creates an encrypted channel before the authentication process occurs. Therefore, password-based authentication exchanges are not subject to offline dictionary attacks. The Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is now available as an EAP authentication type. PEAP with the EAP version of MS-CHAP v2 allows you to have secure wireless authentication without having to deploy a certificate infrastructure, also known as a public key infrastructure (PKI), and without having to install certificates on each wireless client. The Windows Server 2003 family Remote Authentication Dial-In User Service (RADIUS) server, known as the Internet Authentication Service (IAS), has also been enhanced to support PEAP.

  • Group Policy extension for wireless network policies.

    A new Wireless Network (IEEE 802.11) Policies Group Policy extension allows you to configure wireless network settings that are part of Group Policy for Computer Configuration. Wireless network settings include the list of preferred networks, Wired Equivalent Privacy (WEP) settings, and IEEE 802.1X settings. These settings are downloaded to domain members, making it much easier than in Windows 2000 Server to deploy a specific configuration for secure wireless connections to wireless client computers. You can configure wireless policies from the Computer Configuration/Windows Settings/Security Settings/Wireless Network (IEEE 802.11) Policies node in the Group Policy snap-in.

  • Unauthenticated access for wireless LAN connections.

    Both the Windows Server 2003 family wireless client and IAS support unauthenticated wireless connections. In this case, Extensible Authentication Protocol with Transport Level Security (EAP-TLS) is used to perform one-way authentication of the IAS server certificate, and the wireless client does not send a user name or user credentials. To enable unauthenticated access for wireless clients, select Authenticate As Guest When User Or Computer Information Is Unavailable on the Authentication tab from the properties of a wireless connection in the Network Connections folder. To enable unauthenticated access for the IAS server, the guest account is enabled and a remote access policy is configured that allows unauthenticated access for EAP-TLS connections using a group containing the guest account. The remote access policy can also specify a virtual LAN (VLAN) ID that corresponds to a temporary network segment for unauthenticated users.

    With these enhancements, the following scenarios are possible:

    • A mobile user is in an airport and can gain secure Internet access via wireless or Ethernet connectivity.

    • An administrator can use these enhancements to configure secure access to a wireless LAN. The administrator might also require certificates deployed via autoenrollment and authorization based on remote access policies used by IAS.

    • An administrator can use these features to configure authenticated and authorized access to wire-based Ethernet LANs without requiring data encryption.

Routing and Remote Access Service Enhancements

The following enhancements to the Routing and Remote Access service have been made in the Windows Server 2003 family:

  • Snap-in and Setup Wizard enhancements.

    The Routing And Remote Access Server Setup Wizard has been modified to make it easier to initially configure the Routing and Remote Access service (see Figure 6-2). The Routing And Remote Access snap-in has been modified to make it easier to configure server settings after the initial configuration.

    Figure 6-2. The Routing And Remote Access Server Setup Wizard makes configuring different types of remote access much easier.


  • Improved configuration for EAP-TLS properties.

    The Smart Card Or Other Certificate Properties dialog box has been improved to allow the configuration of multiple RADIUS servers and multiple root certification authorities. This provides seamless connectivity with multiple wired or wireless networks or large networks that use multiple RADIUS servers. You can access the Smart Card Or Other Certificate Properties dialog box by selecting the Smart Card Or Other Certificate EAP type on the Authentication tab from the properties of a LAN connection in the Network Connections folder and then clicking Properties.

  • NetBIOS over TCP/IP name resolution proxy.

    A new NetBIOS over TCP/IP (NetBT) proxy is built into the Routing and Remote Access service to allow remote access clients connecting to a network consisting of one or multiple subnets with a single router (the remote access computer running a member of the Windows Server 2003 family) to resolve names without having to use a Domain Name System (DNS) or Windows Internet Name Service (WINS) server. This new feature allows a small business to configure a remote access or VPN server so that its employees can work from home. With the NetBT proxy enabled, clients connecting remotely are able to resolve the names of computers on the small-business network without requiring the deployment of a DNS or WINS server.

  • Manage Your Server and Routing and Remote Access service integration.

    This feature provides an integrated method to configure the NAT/Basic Firewall component of the Routing and Remote Access service using Manage Your Server. With this feature, an IT administrator can configure a Windows .NET family server and the Routing and Remote Access service NAT/Basic Firewall component during the same setup procedure.

  • Ability to enable the Routing and Remote Access service internal interface as a Network Address Translation private interface.

    For a computer running Windows 2000 Server that is providing remote access to a private intranet and is acting as a Network Address Translator (NAT) to provide access to the Internet, there is no way to provide Internet access to connected remote access clients. Computers running a member of the Windows Server 2003 family now allow you to add the Internal interface as a private interface to the Network Address Translation component of the Routing and Remote Access service. This allows connected remote access clients to access the Internet.

  • Demand-dial connections can now use PPPoE.

    This feature provides the ability to use the Point-to-Point Protocol over Ethernet (PPPoE) for demand-dial connections (also known as dial-on-demand connections). Demand-dial connections are used by the Routing and Remote Access service to make point-to-point connections between LANs over which packets are routed. You can access this feature by selecting the Connect Using PPP Over Ethernet (PPPoE) option in the Connection Type dialog box of the Demand-Dial Interface Wizard. By allowing PPPoE as a connection type for demand-dial connections, a small business can use the NAT/Basic Firewall component of the Routing and Remote Access service and the business's broadband Internet connection to connect its office to the Internet.

  • Improvements in default behavior for Internal and Internet interfaces.

    To prevent possible problems with resolving the name of the VPN server and accessing services running on the VPN server, the Routing and Remote Access service by default disables dynamic DNS registration for the Internal interface and disables both dynamic DNS and NetBT for the interface identified in the Routing And Remote Access Server Setup Wizard as the Internet interface.

  • VPN connection limit for Windows Server 2003, Web Edition.

    For the Web Edition, the number of allowed VPN connections is one VPN connection (either PPTP-based or Layer 2 Tunneling Protocol [L2TP]-based). This is the same limitation that exists for Windows XP Professional and Windows XP Home Edition. To support more than one VPN connection, you must use Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition.

  • NAT and firewall integration.

    The NAT/Basic Firewall component of the Routing and Remote Access service has been enhanced to support a basic firewall using the same technology as that used by the Internet Connection Firewall feature provided with Windows XP. This feature allows you to protect the public interface of a computer running a member of the Windows Server 2003 family that is using a NAT to enable access to the Internet. By using a NAT, the computers on the private network are protected because the NAT computer does not forward traffic from the Internet unless a private network client requested it. However, the NAT computer itself can be vulnerable to attack. By enabling the basic firewall on the public interface of the NAT computer, all packets that are received on the Internet interface that do not correspond to traffic requested by the NAT computer (either for itself or for private intranet clients) are discarded. You can enable this new functionality from the NAT/Basic Firewall tab on the properties of a private interface configured to use the NAT/Basic Firewall IP routing protocol component of the Routing and Remote Access service.

  • L2TP/IPSec NAT traversal.

    With Windows 2000, Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic is not able to traverse a NAT, because if the NAT translates the IP addresses or ports of the packet, it invalidates the security of the packets. This means that you cannot create an L2TP/IPSec connection from behind a NAT and must use the Point-to-Point Tunneling Protocol (PPTP) for VPN connections. The Windows Server 2003 family now supports User Datagram Protocol (UDP) encapsulation of Internet Protocol security (IPSec) packets to allow IKE and ESP traffic to pass through a NAT. This allows L2TP/IPSec connections to be created from Windows XP-based or Windows 2000 Professional-based computers and server computers running a member of the Windows Server 2003 family that are located behind one or multiple NATs.

  • NLB support for L2TP/IPSec traffic.

    In Windows 2000, the Network Load Balancing (NLB) service did not have the capability to manage IPSec security associations (SAs) among multiple servers. If a server in the cluster became unavailable, the SAs managed by that cluster were orphaned and eventually timed out. This meant that you could not cluster L2TP/IPSec VPN servers. You could use DNS round robin for load distribution across multiple L2TP/IPSec VPN servers, but this approach offered no fault tolerance. In the Windows Server 2003 family, the NLB service has been enhanced to provide clustering support for IPSec SAs. This means that you can create a cluster of L2TP/IPSec VPN servers, and the NLB service will provide both load balancing and fault tolerance for L2TP/IPSec traffic. This feature is provided only with the 32-bit and 64-bit versions of Enterprise Edition and Datacenter Edition.

  • Preshared key configuration for L2TP/IPSec connections.

    The Windows Server 2003 family supports both computer certificates and a preshared key as authentication methods to establish an IP Security (IPSec) security association for L2TP connections. A preshared key is a string of text that is configured on both the VPN client and the VPN server. Preshared key is a relatively weak authentication method; therefore, use of preshared key authentication is recommended only in the interim when your PKI is being deployed to obtain computer certificates or when VPN clients require the use of preshared key authentication. You can enable the use of a preshared key for L2TP connections and specify the preshared key from the Security tab on the properties of a server in the Routing And Remote Access snap-in.

    Windows XP and the Windows Server 2003 family remote access VPN clients also support preshared key authentication. You can enable preshared key authentication and configure a preshared key from IPSec settings on the Security tab on the properties of a VPN connection in Network Connections. Preshared key authentication is also supported for Windows Server 2003 family router-to-router VPN connections. You can enable preshared key authentication and configure a preshared key for demand-dial interfaces from IPSec settings on the Security tab from the properties of a demand-dial interface in the Routing And Remote Access snap-in.
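The behaviour described in the NAT and firewall integration item above, as an added example that is not part of the original text and is not Microsoft's code: a toy connection-tracking NAT written for this page, using constructed documentation addresses, which shows that with the basic firewall enabled an inbound packet on the Internet interface is delivered only when it answers a request made by a private client or by the NAT host itself.

```python
"""Toy model of the NAT/Basic Firewall behaviour (constructed example).

Not Microsoft's implementation. The NAT records the connections that
private clients (or the NAT host itself) initiate and shows what happens
to packets arriving on the public interface with and without the basic
firewall enabled. All addresses and ports are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed: the NAT host's Internet interface


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatBasicFirewall:
    """Connection-tracking NAT; firewall=True models the basic firewall."""

    def __init__(self, public_ip: str, firewall: bool):
        self.public_ip = public_ip
        self.firewall = firewall
        self.next_port = 40000
        # (proto, public port, remote ip, remote port) -> (inside ip, inside port)
        self.flows: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.log: List[str] = []

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving towards the Internet: translate it and record the flow."""
        if pkt.src == self.public_ip:
            public_port = pkt.sport          # the host's own traffic keeps its port
        else:
            public_port = self.next_port     # private client gets a fresh public port
            self.next_port += 1
        self.flows[(pkt.proto, public_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=public_port)

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Packet arriving on the Internet interface.

        Returns ("forward", translated) for a reply to a private client's flow,
        ("local", pkt) when it reaches the NAT host's own stack, or
        ("drop", None) when the basic firewall discards it.
        """
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        inside = self.flows.get(key)
        if inside is not None:
            inside_ip, inside_port = inside
            if inside_ip == self.public_ip:
                return "local", pkt           # reply to a request the host made itself
            return "forward", replace(pkt, dst=inside_ip, dport=inside_port)
        if self.firewall:
            self.log.append(f"DROP {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return "drop", None
        # No firewall: an unsolicited packet for the public address is handed to
        # whatever service the NAT host itself has listening on that port.
        return "local", pkt


def run_scenario(firewall: bool) -> List[str]:
    """Constructed traffic mix; returns the action taken for each inbound packet."""
    nat = NatBasicFirewall(PUBLIC_IP, firewall)
    actions = []
    # 1. A private client opens a web connection; the reply must reach it.
    out = nat.outbound(Packet("192.168.0.5", 51000, "198.51.100.7", 80))
    actions.append(nat.inbound(Packet("198.51.100.7", 80, out.src, out.sport))[0])
    # 2. An unsolicited connection attempt to port 445 on the public address.
    actions.append(nat.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 445))[0])
    # 3. A stray packet from the web server to a public port no flow ever used.
    actions.append(nat.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, 40001))[0])
    # 4. The NAT host's own NTP request; the answer is delivered either way.
    nat.outbound(Packet(PUBLIC_IP, 123, "198.51.100.20", 123, "udp"))
    actions.append(nat.inbound(Packet("198.51.100.20", 123, PUBLIC_IP, 123, "udp"))[0])
    return actions


if __name__ == "__main__":
    print("firewall on :", run_scenario(True))
    print("firewall off:", run_scenario(False))
```

The model makes the text's point visible: even without the firewall the private clients are shielded, because nothing unsolicited is ever forwarded inward, but every unsolicited packet for the public address lands on the NAT host's own services. Enabling the basic firewall closes exactly that exposure while replies to requests the host made itself still arrive.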
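The UDP encapsulation described in the L2TP/IPSec NAT traversal item above, as an added example written for this page rather than code from the book or from Microsoft. The framing follows RFC 3948, the standardized form of the mechanism (the Windows Server 2003 release implemented earlier IETF drafts of it, so treat the exact byte layout as illustrative): on UDP port 4500 an ESP packet follows the UDP header directly, an IKE message is prefixed with a four-byte zero "Non-ESP marker", and a lone 0xFF byte is a NAT keepalive. The key, SPI, addresses and payloads are constructed.

```python
"""UDP encapsulation of IPSec for NAT traversal (constructed example, RFC 3948 framing).

Not Microsoft's implementation. Shows why a NAT can rewrite the outer
address and port without breaking ESP integrity, and how the receiver
tells ESP, IKE and keepalives apart on the same UDP port.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace
from typing import Tuple

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
ICV_LEN = 12  # HMAC-SHA1-96: 96-bit truncated integrity check value


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def build_esp(spi: int, seq: int, ciphertext: bytes, auth_key: bytes) -> bytes:
    """ESP: SPI(4) | sequence(4) | encrypted payload | ICV.

    The ICV covers the ESP header and payload only, never the outer IP/UDP
    headers, so a NAT may rewrite those without invalidating it.
    """
    if spi == 0:
        raise ValueError("SPI 0 is reserved; receivers rely on it to recognise the Non-ESP marker")
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    return header + ciphertext + icv


def build_ike(ike_message: bytes) -> bytes:
    """IKE on port 4500 carries the zero marker so it cannot be mistaken for ESP."""
    return NON_ESP_MARKER + ike_message


def classify(payload: bytes) -> str:
    """Demultiplex a UDP/4500 payload the way a NAT-T capable receiver does."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"          # a real ESP packet starts with a non-zero SPI


def verify_esp(payload: bytes, auth_key: bytes) -> Tuple[bool, int, int]:
    """Check the ICV and return (ok, spi, seq)."""
    header, body, icv = payload[:8], payload[8:-ICV_LEN], payload[-ICV_LEN:]
    expected = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    spi, seq = struct.unpack("!II", header)
    return hmac.compare_digest(icv, expected), spi, seq


def nat_translate(dg: Datagram, public_ip: str, public_port: int) -> Datagram:
    """What the NAT does: rewrite only the outer source address and port."""
    return replace(dg, src_ip=public_ip, src_port=public_port)


def demo() -> dict:
    """A client behind a NAT sends ESP and IKE to a VPN server; the NAT rewrites the port."""
    auth_key = b"constructed-esp-auth-key"     # constructed; real keys come from IKE
    client, nat_public, server = "192.168.1.20", "203.0.113.10", "198.51.100.5"

    esp = Datagram(client, NAT_T_PORT, server, NAT_T_PORT,
                   build_esp(spi=0x1234ABCD, seq=7, ciphertext=b"\xaa" * 32, auth_key=auth_key))
    ike = Datagram(client, NAT_T_PORT, server, NAT_T_PORT,
                   build_ike(b"\x00" * 28))    # constructed stand-in for an IKE header

    # The NAT maps the client's port 4500 to an arbitrary public port; payloads are untouched.
    esp_out = nat_translate(esp, nat_public, 61001)
    ike_out = nat_translate(ike, nat_public, 61001)

    ok, spi, seq = verify_esp(esp_out.payload, auth_key)
    # A middlebox that altered anything inside the ESP packet would be detected.
    tampered = esp_out.payload[:8] + b"\xbb" + esp_out.payload[9:]
    tampered_ok, _, _ = verify_esp(tampered, auth_key)

    return {
        "esp_kind": classify(esp_out.payload),
        "ike_kind": classify(ike_out.payload),
        "keepalive_kind": classify(NAT_KEEPALIVE),
        "esp_icv_ok_after_nat": ok,
        "spi": spi,
        "seq": seq,
        "nat_rewrote_port": esp_out.src_port != esp.src_port,
        "tampered_icv_ok": tampered_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Putting a UDP header outside ESP is what gives the NAT something it is allowed to change: the translated port lives in the unprotected outer header, while the SPI, sequence number and payload stay under the integrity check, and the zero marker lets IKE share the same port without ambiguity.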

Connection Manager Enhancements

The following enhancements to Connection Manager and the Connection Manager Administrator Kit have been made in the Windows Server 2003 family:

  • Connection Manager Favorites.

    The Connection Manager Favorites feature lets users eliminate repetitive configuration of Connection Manager properties when switching between common dialing locations. This feature provides a method for storing and easily accessing settings and is used in the following scenario:

    A user travels frequently between a company's office and a business partner's site. The user configures Connection Manager settings for each location, including the nearest access telephone number, area code, and dialing rules, and gives each a unique name. The user then chooses from among saved settings to quickly set up network connections from each location.

  • Automatic Proxy Configuration.

    The Automatic Proxy Configuration feature provides the ability to create a Connection Manager profile to ensure that the user's computer has appropriate access to both internal and external resources during a connection to a corporate network. This feature requires the use of Internet Explorer 4.0 or later. For example, a business user's home computer is configured to browse the Internet without any proxy settings. This configuration can cause a problem when the user connects to a corporate network. An IT administrator can create a Connection Manager profile that provides the appropriate proxy settings for use whenever the user is connected to the corporate network.

  • Client log files.

    This feature provides the ability to turn on log files to quickly and accurately troubleshoot problems with Connection Manager connections. For example, a user experiences problems connecting to a network using a Connection Manager profile issued by an IT administrator. A log file is generated on the user's computer, which the user can send to the IT administrator to streamline the troubleshooting process.

  • Support for VPN server selection.

    With the enhanced Connection Manager Administration Kit provided with the Windows Server 2003 family, a Connection Manager profile can be created that allows users to select a Virtual Private Network (VPN) server to use when connecting to the corporation's network. This enables VPN connectivity in the following scenarios:

    • A company has offices worldwide with VPN servers in many of these locations. An IT administrator can create a Connection Manager profile that allows a traveling user to select the VPN server that best meets their connection needs at the time of the connection attempt.

    • A corporate VPN server is taken off line for maintenance. During this time frame, users can select a different VPN server with which to connect.

  • Connection Manager Administration Kit Wizard improvements.

    The Connection Manager Administration Kit (CMAK) has expanded the wizard functionality, including improved dialog boxes and the ability to perform most advanced customization tasks before building user profiles. The improvements streamline the process of building custom client connection packages and reduce the need to edit .cms or .cmp files for most advanced customization needs. A greater variety of custom actions are available and configurable from within the CMAK Wizard, including custom actions designed specifically for VPN connections. For example, an IT administrator can configure a single profile to accommodate security settings for a variety of client operating systems or configure a profile to take advantage of remote access server features such as callback and the use of Terminal Services.

  • Preshared key configuration.

    This feature allows an IT administrator to create a connection manager profile using CMAK that contains the preshared key of the VPN server for use in authenticating L2TP/IPSec connections.

  • Route management for simultaneous intranet and Internet access for VPN connections.

    Before Windows XP and the Windows Server 2003 family, a Microsoft VPN client automatically created a default route that sent all default route traffic through the VPN tunnel. Although this allows a VPN client to access its organization's intranet, while the VPN connection is active the client can reach Internet resources only if Internet access is available through the organization's intranet. The new Connection Manager support in Windows XP and the Windows Server 2003 family allows for the following:

    When the VPN connection is made, the default route isn't changed; instead, specific routes for organization intranet locations are added to the routing table of the VPN client. This allows simultaneous access to intranet (using the specific routes) and Internet (using the default route) resources without having to pass Internet traffic through the organization's intranet. The Connection Manager Administration Kit allows you to configure specific routes as part of the connection manager profile distributed to VPN users. You can also specify a URL that contains the current set of organization intranet routes or additional routes beyond those configured in the profile.
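The two routing behaviours contrasted above, as an added example written for this page (not code from the book, from Connection Manager, or from CMAK): a small longest-prefix-match routing table in Python, with constructed addresses, showing how replacing the default route sends all traffic through the tunnel, whereas adding only the organization's intranet prefixes leaves Internet traffic on the default route. The route-list text format that `parse_route_list` reads is constructed for the example and is not CMAK's own file format.

```python
"""Default-route versus specific-route behaviour for a VPN client (constructed example).

Not Microsoft's or CMAK's code. Models a legacy client that replaces its
default route with one through the tunnel, and a profile-driven client that
keeps its default route and adds intranet prefixes via the tunnel.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    metric: int = 1


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, cidr: str, interface: str, metric: int = 1) -> None:
        self.routes.append(Route(ipaddress.ip_network(cidr, strict=False), interface, metric))

    def remove_default(self) -> None:
        self.routes = [r for r in self.routes if r.prefix.prefixlen != 0]

    def lookup(self, destination: str) -> Optional[str]:
        """Longest-prefix match, lowest metric on a tie, as an IP stack does."""
        addr = ipaddress.ip_address(destination)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))
        return best.interface


def base_table() -> RoutingTable:
    """The client's table before the VPN comes up: the local LAN/ISP supplies the default route."""
    t = RoutingTable()
    t.add("0.0.0.0/0", "LAN")
    t.add("192.168.1.0/24", "LAN")          # constructed home network
    return t


def connect_legacy(t: RoutingTable) -> RoutingTable:
    """Pre-Windows XP behaviour: the default route is redirected through the tunnel."""
    t.remove_default()
    t.add("0.0.0.0/0", "VPN")
    return t


def connect_with_profile(t: RoutingTable, intranet_routes: List[str]) -> RoutingTable:
    """Connection Manager profile behaviour: keep the default route, add intranet routes via VPN."""
    for cidr in intranet_routes:
        t.add(cidr, "VPN")
    return t


def parse_route_list(text: str) -> List[str]:
    """Parse a constructed route list (one CIDR per line, '#' comments), such as one fetched from a URL."""
    routes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            routes.append(str(ipaddress.ip_network(line, strict=False)))
    return routes


# Constructed intranet prefixes as an organization might publish them.
CONSTRUCTED_ROUTE_LIST = """
# intranet prefixes reachable through the VPN
10.0.0.0/8
172.16.0.0/12
"""

# Constructed destinations: two intranet hosts, one Internet host, one home-LAN host.
DESTINATIONS = ["10.1.2.3", "172.20.5.6", "198.51.100.7", "192.168.1.50"]


def decisions(t: RoutingTable) -> Dict[str, Optional[str]]:
    """Which interface each constructed destination would leave on."""
    return {d: t.lookup(d) for d in DESTINATIONS}


if __name__ == "__main__":
    print("legacy :", decisions(connect_legacy(base_table())))
    routes = parse_route_list(CONSTRUCTED_ROUTE_LIST)
    print("profile:", decisions(connect_with_profile(base_table(), routes)))
```

The trade-off a practitioner weighs here is that with specific routes the client's Internet traffic no longer passes through the organization's intranet and whatever filtering sits there, so the route list distributed in the profile (or fetched from the URL) is effectively a statement of which destinations the organization wants inspected.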


   
Introducing Microsoft Windows Server 2003
ISBN: 0735615705
Year: 2005
Pages: 153