Practical Technology

for practical people.

Using Secure Remote Connection to Access Office Resources from Connected PCs


Computers and Internet access are universally available, but your corporate network resources are probably only available on your office PC and on your laptop. If you wanted to securely use your office resources from another computer — say, your husband’s laptop or your local library’s PC — you were out of luck. Until now.

By using the combination of Windows 7 and Windows Server 2008 R2 services, your IT department can set up what Microsoft calls Secure Remote Connection. With this feature, a user on any Windows 7 system can gain access to the corporate intranet’s resources. In short, with the right back-end setup you can run office-only programs and get to server-based files from any Windows 7 PC. If desired, you could even set up a complete thin-client desktop solution, where the entire business desktop is hosted on the servers and staff run the desktop on any Windows 7 PC with a high-speed Internet connection.

What makes this different from, say, Microsoft’s Windows Server 2008 Terminal Services Gateway or Citrix XenApp? Secure Remote Connection tries to provide a more integrated package on the server side that also doesn’t require any additional software on the Windows 7 desktop.

Microsoft hasn’t yet provided a recipe for how to do this, but we do know what the ingredients are for this virtual desktop dish. On the server side, it starts with Server 2008 R2’s Remote Workspace and Remote Desktop Gateway.

Remote Workspace is the new name for Terminal Services in Windows Server 2008 R2. This package has more than just a new brand name: it incorporates both presentation virtualization and VDI (Virtual Desktop Infrastructure).

This in turn is managed by the Remote Desktop Connection Broker. Under this new virtualization-based approach there are two kinds of thin-client Windows 7 desktops for remote users: persistent (that is, permanent) VMs and pooled VMs.

In the case of a persistent VM, there is a one-to-one mapping of the thin-client Windows 7 desktop to users. Just as with an ordinary desktop, each user is assigned his own unique desktop. Except, in this case, it’s a virtualized desktop. The user can customize the desktop to his taste, and he can use it on any Windows 7 PC with an Internet connection.

With a pooled VM, a single image is replicated as needed. You can still maintain a unique user state by using profiles and folder redirection, but any changes made during a session disappear when the user logs off.

To use any of this functionality, though, you need more than just the technology. You need to license Microsoft Windows Virtual Enterprise Centralized Desktop (VECD). VECD licensing, which is device-based, is mandatory for any Windows VDI deployment that uses virtual copies of Windows. Windows Server 2008 R2 then provides a unified front-end for managing these new Hyper-V based virtual machine remote desktops.

To make sure these remote virtualized desktops (persistent or pooled) get to the right resources, Server 2008 R2 uses the updated Terminal Services Gateway, now called Remote Desktop Gateway. The major change from an enterprise point of view is that Remote Desktop Gateway is more efficient at handling and managing idle sessions. This, in turn, saves system resources on the server side, and, in the long run, that saves cash.

Connecting all this with the Windows 7 desktop is an updated version of Remote Desktop Protocol (RDP). Microsoft claims that this new version of RDP is faster than ever before. In addition, it supports the Aero Glass interface, improved multimedia performance, and DirectX redirection. So, in theory, you could run games over RDP on a virtual Windows 7 desktop. That’s not a good idea at work, but it does underline RDP’s speed improvements.

Helping this performance boost along on the Windows 7 side is DirectAccess. Microsoft calls DirectAccess a virtual private network (VPN) replacement, but that’s not quite right. DirectAccess incorporates a built-in Windows 7 VPN that uses Internet Protocol security (IPSec), an old, but still robust, Microsoft VPN protocol.

What makes DirectAccess more than just a VPN is that it uses Internet Protocol version 6 (IPv6) to make the end-to-end connection between a Windows 7 client and a Windows Server 2008 R2 host. There’s nothing new about IPv6; it’s the next generation of TCP/IP networking, which has never found broad acceptance in North America or Europe. Microsoft is using it now to perform the rare feat of improving both security and speed.

It improves security because it combines the relatively uncommon IPv6 with IPSec. You can also use DirectAccess to authenticate the user and to configure which intranet resources specific users can access. Last, but far from least, you can also integrate DirectAccess with Network Access Protection (NAP). By doing this, you can make sure that users won’t be allowed in if they’re trying to log in from a Windows 7 system without up-to-date patches or an anti-virus program installed.
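The NAP-style health check described above, as an added illustration that is not code from the original article or from Microsoft: a client presents a statement of health, and the policy decides whether it may join the intranet and, if not, exactly which requirement it failed. The class names, policy thresholds and sample clients are constructed for this example; a real NAP deployment expresses the same requirements through its health validators rather than in Python.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


# Constructed model of what a client reports about itself before it is
# let onto the intranet. Field names are assumptions for this example.
@dataclass
class StatementOfHealth:
    hostname: str
    last_patch_date: date
    antivirus_installed: bool
    antivirus_signature_date: Optional[date]


# Constructed policy thresholds; tune them to your own patch cadence.
@dataclass
class HealthPolicy:
    max_patch_age_days: int = 30
    max_signature_age_days: int = 7


def evaluate_health(soh: StatementOfHealth, policy: HealthPolicy,
                    today: date) -> Tuple[bool, List[str]]:
    """Check one client against the policy.

    Returns (compliant, reasons). Every failed requirement is reported,
    not just the first one, so the user can be told what to remediate
    before trying again.
    """
    reasons: List[str] = []

    patch_age = (today - soh.last_patch_date).days
    if patch_age > policy.max_patch_age_days:
        reasons.append(f"patches are {patch_age} days old "
                       f"(limit {policy.max_patch_age_days})")

    if not soh.antivirus_installed:
        reasons.append("no anti-virus product installed")
    else:
        sig = soh.antivirus_signature_date
        if sig is None or (today - sig).days > policy.max_signature_age_days:
            reasons.append("anti-virus signatures out of date")

    return (len(reasons) == 0, reasons)


# Constructed sample clients for a quick run.
TODAY = date(2010, 3, 1)
POLICY = HealthPolicy()
SAMPLE_CLIENTS = [
    StatementOfHealth("laptop-ok", date(2010, 2, 20), True, date(2010, 2, 28)),
    StatementOfHealth("library-pc", date(2009, 11, 2), False, None),
    StatementOfHealth("stale-av", date(2010, 2, 25), True, date(2010, 1, 15)),
]

if __name__ == "__main__":
    for client in SAMPLE_CLIENTS:
        ok, why = evaluate_health(client, POLICY, TODAY)
        verdict = "ALLOW" if ok else "DENY"
        print(f"{client.hostname:12} {verdict} {'; '.join(why)}")
```

The point of returning every reason rather than a bare yes/no is operational: a denied user on a borrowed machine needs to know whether it is the missing patches, the missing anti-virus, or both, and the gateway log needs the same detail for anyone investigating repeated failures.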

The performance boost comes from separating corporate traffic from Internet traffic. With DirectAccess, only corporate network traffic actually starts from or goes to the business servers. With a traditional VPN, all traffic, even if it’s just to do a Google search, is routed through the corporate network. By reducing this traffic, DirectAccess reduces load both at the corporate gateway and within the LAN, thus preserving resources; it also increases the client PC’s effective network speed by avoiding the overhead of sending ordinary Internet requests through the business network.
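The traffic separation described above can be modelled in a few lines. Windows 7 DirectAccess decides this with a Name Resolution Policy Table (NRPT), which sends only names under the corporate DNS suffixes to the intranet DNS servers, and with routes that send only the corporate IPv6 prefixes into the tunnel; everything else leaves the PC directly. The following is an added, simplified model of that decision written for this article, not the Windows implementation or Microsoft's code. The DNS suffix, the IPv6 prefix (the RFC 3849 documentation range) and the sample destinations are constructed.

```python
import ipaddress
from typing import Dict

# Constructed policy. In Windows this lives in the NRPT and the routing
# table; here it is two plain lists.
CORP_DNS_SUFFIXES = (".corp.example.com",)
CORP_IPV6_PREFIXES = [ipaddress.ip_network("2001:db8:1::/48")]  # documentation prefix

# Names that must NOT go to intranet DNS even though they match a corporate
# suffix, e.g. the public name of the DirectAccess server itself (constructed).
NRPT_EXEMPTIONS = ("da.corp.example.com",)


def resolver_for(hostname: str) -> str:
    """NRPT-style rule: 'intranet' DNS for corporate suffixes, 'internet'
    DNS for everything else. Longest matching suffix wins; exemptions
    take precedence over suffix matches."""
    host = hostname.rstrip(".").lower()
    if host in NRPT_EXEMPTIONS:
        return "internet"
    for suffix in sorted(CORP_DNS_SUFFIXES, key=len, reverse=True):
        if host == suffix.lstrip(".") or host.endswith(suffix):
            return "intranet"
    return "internet"


def route_for(address: str) -> str:
    """Route decision for a resolved address: 'tunnel' only when it falls
    inside a corporate IPv6 prefix. IPv4 and public IPv6 go 'direct'."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6 and any(ip in prefix for prefix in CORP_IPV6_PREFIXES):
        return "tunnel"
    return "direct"


def classify(hostname: str, resolved_address: str) -> Dict[str, str]:
    """Combine both decisions for one destination."""
    return {
        "host": hostname,
        "dns": resolver_for(hostname),
        "route": route_for(resolved_address),
    }


# Constructed destinations: an intranet file server, a public web site,
# and the DirectAccess server's own public name.
SAMPLE_DESTINATIONS = [
    ("files.corp.example.com", "2001:db8:1::25"),
    ("www.example.net", "2001:db8:ffff::80"),
    ("da.corp.example.com", "203.0.113.10"),
]

if __name__ == "__main__":
    for host, addr in SAMPLE_DESTINATIONS:
        print(classify(host, addr))
```

Two things the model makes visible. First, the decision is made per destination on the client, so a Google search never touches the corporate gateway, which is the whole performance argument. Second, the exemption list matters for security as much as for function: if the DirectAccess server's own public name were resolved through the tunnel, the client could never reach it to build the tunnel in the first place, and any name you exempt is one the intranet DNS will no longer answer for.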

You’re not using IPv6? Not a problem. DirectAccess has support for IP-HTTPS. This is a new tunneling protocol that’s only supported by Windows 7 and Windows Server 2008 R2; it enables the office PC and server to tunnel IPv6 packets inside an IPv4-based HTTPS session. This provides the necessary IPv6 support while also letting your company’s PCs connect through a Web proxy server or a firewall that might block an ordinary VPN connection.
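To show what "IPv6 packets inside an HTTPS session" means at the byte level, here is an added example written for this article, not Microsoft's IP-HTTPS code and not the MS-IPHTTPS wire format. It builds a minimal IPv6 packet, frames it the way a tunnel client would before handing it to a TLS session, and then unframes and parses it the way the server side would. The length-prefix framing is an assumption chosen for clarity; the real protocol carries the packet stream inside a TLS connection on TCP port 443, which is the only thing the IPv4 firewall or proxy in between ever sees. The addresses come from the RFC 3849 documentation prefix and are constructed.

```python
import ipaddress
import struct
from typing import Dict, List

IPV6_HEADER = "!IHBB16s16s"           # version/class/flow, payload len, next hdr, hop limit, src, dst
IPV6_HEADER_LEN = struct.calcsize(IPV6_HEADER)  # 40 bytes
NO_NEXT_HEADER = 59                   # RFC 8200: no transport header follows (keeps the example short)


def build_ipv6_packet(src: str, dst: str, payload: bytes,
                      next_header: int = NO_NEXT_HEADER, hop_limit: int = 64) -> bytes:
    """Return a fixed 40-byte IPv6 header followed by the payload."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    header = struct.pack(IPV6_HEADER, first_word, len(payload), next_header, hop_limit,
                         ipaddress.IPv6Address(src).packed,
                         ipaddress.IPv6Address(dst).packed)
    return header + payload


def parse_ipv6_header(packet: bytes) -> Dict[str, object]:
    """Decode the fixed header; raises ValueError on anything that is not IPv6."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("packet shorter than an IPv6 header")
    first_word, plen, nxt, hops, src, dst = struct.unpack(IPV6_HEADER, packet[:IPV6_HEADER_LEN])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if len(packet) != IPV6_HEADER_LEN + plen:
        raise ValueError("payload length does not match packet size")
    return {
        "payload_length": plen,
        "next_header": nxt,
        "hop_limit": hops,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
    }


def encapsulate(packets: List[bytes]) -> bytes:
    """Client side: concatenate packets with a 2-byte length prefix each.
    The result is what gets written into the TLS session (simplified framing)."""
    return b"".join(struct.pack("!H", len(p)) + p for p in packets)


def decapsulate(stream: bytes) -> List[bytes]:
    """Server side: split the stream back into IPv6 packets. Rejects a
    truncated final frame instead of silently forwarding a partial packet."""
    packets, offset = [], 0
    while offset < len(stream):
        if offset + 2 > len(stream):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from("!H", stream, offset)
        offset += 2
        if offset + n > len(stream):
            raise ValueError("truncated packet")
        packets.append(stream[offset:offset + n])
        offset += n
    return packets


def round_trip(src: str, dst: str, payloads: List[bytes]) -> List[Dict[str, object]]:
    """Build, frame, unframe and parse; returns the headers the server sees."""
    stream = encapsulate([build_ipv6_packet(src, dst, p) for p in payloads])
    return [parse_ipv6_header(p) for p in decapsulate(stream)]


if __name__ == "__main__":
    for hdr in round_trip("2001:db8:1::10", "2001:db8:1::1", [b"hello", b"world!!"]):
        print(hdr)
```

Note what the server-side checks buy you: the length field inside the IPv6 header is validated against the frame size, and a truncated frame raises rather than being forwarded, so a malformed or cut-off tunnel stream cannot inject a half packet into the intranet. Those are the same sanity checks a real tunnel endpoint must apply before it trusts anything that arrived over the public Internet.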

Here’s the broad outline of how it works. First, you set up your Windows Server 2008 R2 hosts so that they can handle DirectAccess, Remote Workspace and Remote Desktop Gateway. If you elect to use virtual machines for off-site Windows 7 users, you also need to jump through the VECD hoops. That done, you’ll be ready to let any of your Windows 7 users – with the proper authentication – start using your corporate resources.

Once set up properly, this powerful combination of Windows 7 and Server 2008 R2 should enable your workers to do their work from almost any location. While this is likely to require upgrading your servers, by improving both remote security and network speed, it should result in a bottom line IT win when all is said and done.

A version of this story first appeared in IT Expert Voice.
