Course Transcript

Configure Networking and Remote Connections in Windows 10

Network Components

Wired & Wireless Access

IP Addressing

Name Resolution

Configure Remote Desktop

Configure VPN & DirectAccess

Configure Workplace Join

Practice: Remote Desktop Connection Settings

Course Introduction

Learning Objective

After completing this topic, you should be able to

1.

Alright, in this section, it is all things networking. We are going to be talking about the basics in terms of networking. We are going to look at IP addressing, DNS, and troubleshooting, making sure Windows 10 is on the network. And of course, that it is talking to who we want it to talk to. The other important thing we are going to talk about in here is remote connections. So there are several remote connection technologies in Windows 10. So we are going to be looking at RDP – Remote Desktop Protocol, DirectAccess, Workplace Join, VPN, and some of the enhancements with each of those technologies. Good stuff.

Network Overview

All right, time to talk networking and Windows 10 together. Now, before we jump into some of the details of how networking works in Windows 10, we want to acquaint ourselves with some of the basics around networking. Now, if you've been in IT and you've done some technician work in the past, some of this is going to come to you as a review. On the other hand, if you are new to supporting Windows 10 in a network or doing any kind of networking at all, then this is going to be a very useful section for you. So let's get started with this. Now the first thing we want to point out is what kind of scenarios Windows 10 supports. And it supports a variety of network options. We have, of course, the typical kind of LAN connection using a wired connection and an Ethernet networking card. That's common in corporations, also some homes.

Well, we also have great support for WiFi and different types of WiFi. We have support for mobile broadband, which is kind of your cellular type of network, often used with smartphones and tablets. And Windows 10 has support for that. And then we've got support for a variety of different remote types of connections. And there are several of these. This includes the ability to use a VPN connection to, quote, "dial in", as we call it, into our corporate environment to access corporate data. We can do that with traditional dial-up modems over a telephone network. We can use an enhanced solution, such as DirectAccess. And maybe you're part of an organization that has regional or branch offices. Windows 10 actually has some technology in it that improves its networking over slow networking links for branch offices called BranchCache. So these are the different types of network scenarios that Windows 10 supports.

Now the actual components that Windows 10 requires in order to use networking are, well, pretty basic here. There is nothing new here. Networking has not changed for quite some time. And so Windows 10 requires those same kinds of components. We have at the very basic level here a need for a physical adapter to interact with a physical type of network, whether it's a LAN or an Ethernet network, or whether it's a wireless adapter, or a mobile broadband connection and a mobile broadband adapter. Whatever the case may be, we need to have some sort of adapter to physically interact with the actual medium we're going to transmit our 1s and 0s over. Then on top of that we have our actual network access technology. This could be Ethernet or it could be perhaps our VPN or DirectAccess. Then the data that we're sending is all going to be addressed and packaged up using a transport protocol – TCP/IP is the transport protocol of the Internet. And so we're always using that.

And finally, networking requires that we have clients and services. Typically, Windows 10 is functioning as a client. It has some sort of software on it that gives it the ability to send requests. A good example of that is your web browser, right. Windows 10 has Microsoft Edge and that's an HTTP web browser that can send requests to web servers and say, "Hey, I would like that web page." But you can also have e-mail clients and FTP clients and RDP clients or a variety of clients. A client is simply a piece of software that can send requests. That's all that it is.

Then we also have a responder. So the client sends a request, that request gets packaged up into a TCP/IP packet and sent over the physical network. And then it's received over that physical network by a service on the corresponding side that can respond to it. Well, believe it or not, Windows 10 actually has some network services you could configure. I mean you can make a Windows 10 machine a web server if you want it to be. No, that's not something we do on a daily basis and it's not frequently needed by most Windows 10 users. But there are some services that you can configure, even a basic one, like sharing a folder on this Windows 10 device so that the machine next to me can have access to that without having to use a flash drive or use sneakernet, right. Put it on a flash drive and walk across the hall and I share it that way. So there are some other means in which we can actually exchange information and that's to use clients and services and a network application like that. Now, granted, there are other ways we can share data, but the point I am trying to make is that networking requires these ingredients. There is no such thing as successful networking if you don't have somebody sending the request, someone able to respond to that request, and by someone I mean the software. And, of course, both the client and the service software require the help of TCP/IP, network access, and adapter protocols.

Network Packets and Addresses

Now the next thing I want you to understand about networking is that it requires us to send our messages in the form of packets. So we've got our basic ingredients in place and these ingredients work together to actually create for me this packet right here. Now this packet contains the necessary information so that it can move across the physical network, but also be properly routed and processed by the receiving machine. So at each one of these layers here I've got these headers. And so my initial request gets a header attached to it at each one of the layers, including things like an IP address and a physical adapter address and so forth. And then, once this packet is assembled, the information in those headers is what is going to assist it in moving across the network so that it can be received and then processed by the receiving machine. So once it's received by the receiving machine, its adapter takes it. It removes each header as it moves up the different layers of software, until only the actual request remains here. And then what is going to happen, friends, is this service is going to be able to send a response. So it sends a packet back to the client in response. Network packets – this is how we're able to send information, because we are taking the information and breaking it down into the different aspects of addressing and communication. Each different stage of communication is processed by these different layers. So we have the local network. We might have a remote network. We might have then the remote application. Each one of those is represented by different headers in our network communication.

Now the next thing I want to describe to you are network addresses. The network addresses are an essential part of communication. You and I, when we're on a system and we're trying to find another device, we often refer to it by, you know, computer1 or Jason's computer or my daughter's PC or whatever, some sort of friendly name. And yet computers don't know anything about Jason's PC. Computers use instead different addressing schemes, and they use more than one. It really depends on what level of communication we're trying to accomplish.

So, for example, we have on this device over here a name of the computer. The name of the computer plus its domain name is what we call a fully qualified domain name. That's what we're referring to right here – host1, then the name of the domain. And we use that a lot on the Internet. So that's probably familiar to you. But then we've got these addresses that are, you know, numbers. We have an IP address, and you may have heard of that before as well. And then we have the MAC address, which is the address on the physical networking card. Now it might seem strange that this computer has multiple addresses. But, if you think about it, it's really not that strange. You and I have multiple addresses. We have a first name and a last name, but we also have maybe a social security number or tax ID. We also are associated with a mailing address or residence. And then we might have a phone number or several phone numbers that people use in order to contact us. That's also the case when it comes to a device like a computer. There are multiple addresses for different levels of communication. Now what I mean by different levels of communication is, imagine with me that we're trying to reach out to a friend using the telephone network.

Now we don't pick up our phone and say our friend's name. Like if I wanted to pick up a phone and talk to Jacob, I won't pick it up and say, "Hey, Jacob?" The phone doesn't know what to do with that. Instead I actually put in Jacob's phone number and I call Jacob's phone, and a connection is made with the phone. Then when they pick up, right, and the connection is established, at that point I say, "Is Jacob there?" And then, if someone else picked up the phone other than Jacob, well, then by referencing his name I'm doing another level of addressing. So, when I say different levels of addressing, what I'm talking about is there is an address to make a connection with the phone and then there is the addressing used to establish a connection, if you will, with the person. And so it's the same here with the actual computing network. We have different addresses for different levels of communication. We have the MAC address here, which is used for the immediate network. It's the physical piece. Similar in some regards to that phone. Then we have this IP address piece. The IP address is important for remote network communications. So all the networks out there on the Internet, they have a network IP address that references the network. And then the devices inside that network all have individual IP addresses. And so that's important for our internetworking communication.

But then as a user I don't want to have to keep track of the IP address or the MAC address of my destinations. And so one of the things I might do is I might go to my web browser and type www.microsoft.com or whomever. And even though these addresses are required, as a person, I don't care to know microsoft.com's IP address. So I am referencing it by a different level. And so what happens is network communication takes place, or I should say name resolution takes place, to actually provide me the network communication. So this name is just looked up in something like a directory where we find the IP address and then I'm able to make a connection. So I know that's a lot of information to give to you in just a few minutes talking about the way networking works and network addresses. The important thing I want you to recognize here is that there are multiple addresses and each of these addresses is going to be in a different header. So we've got a header that contains this address, a different header that contains this address, another header that contains that address. And those different levels of addressing together complete network communication. I also want to point out that, you know, all of these guys have addresses. That server has an address, so if I click on this guy, you can see it has a name, it has an IP address. But even many of the network devices that provide the actual paths of communication, like a router which routes my traffic, can also have an address. So network addresses are an essential part of network communication.
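To make the layering concrete, here is an added example (not from the course) that builds the request packet described above with a TCP, IPv4 and Ethernet header stacked on it, each carrying one level of address (port, IP address, MAC address), and then strips the headers off again on the receiving side, verifying the IPv4 header checksum before trusting the rest. The host names, IP addresses and MAC addresses in the two lookup tables are constructed sample values standing in for DNS and the ARP cache.

```python
"""Layered packet build/parse for the transcript's request example (added example)."""
import struct

# Constructed directory tables standing in for DNS (name -> IP) and the
# ARP cache (IP -> MAC). Sample values only; they are not real hosts.
DNS_TABLE = {
    "host1.example.com": "192.168.100.50",
    "server1.example.com": "192.168.100.30",
}
ARP_TABLE = {
    "192.168.100.50": "02:00:00:aa:bb:01",
    "192.168.100.30": "02:00:00:aa:bb:02",
}

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def resolve_name(fqdn):
    """Name resolution: the friendly name is looked up in a directory (DNS)."""
    if fqdn not in DNS_TABLE:
        raise LookupError(f"no address for {fqdn!r}")
    return DNS_TABLE[fqdn]


def resolve_mac(ip):
    """Link-layer resolution: the IP address is mapped to the adapter's MAC (ARP)."""
    if ip not in ARP_TABLE:
        raise LookupError(f"no MAC address for {ip!r}")
    return ARP_TABLE[ip]


def ipv4_checksum(header):
    """Ones-complement sum over 16-bit words; header length must be even."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_name, dst_name, src_port, dst_port, payload):
    """Wrap the application request in TCP, IPv4 and Ethernet headers, in that order."""
    src_ip, dst_ip = resolve_name(src_name), resolve_name(dst_name)
    # TCP header (20 bytes): ports identify the application-level conversation.
    # Flags 0x18 = PSH|ACK, a data-carrying segment (handshake omitted here).
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    # IPv4 header (20 bytes): network-level addresses; this is what routers read.
    total_len = 20 + len(tcp) + len(payload)
    src4 = bytes(map(int, src_ip.split(".")))
    dst4 = bytes(map(int, dst_ip.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, PROTO_TCP, 0, src4, dst4)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # Ethernet header (14 bytes): physical addresses for the immediate, local network.
    eth = struct.pack("!6s6sH",
                      bytes.fromhex(resolve_mac(dst_ip).replace(":", "")),
                      bytes.fromhex(resolve_mac(src_ip).replace(":", "")),
                      ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Receiving side: strip each header in turn and return the addresses and the request."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:34]
    # Verify the header checksum before trusting any other field in it.
    if ipv4_checksum(ip) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP:
        raise ValueError("not a TCP packet")
    tcp_start = 14 + ihl
    src_port, dst_port = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    data_offset = (frame[tcp_start + 12] >> 4) * 4
    return {
        "dst_mac": _mac_str(dst_mac), "src_mac": _mac_str(src_mac),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "src_port": src_port, "dst_port": dst_port,
        "payload": frame[tcp_start + data_offset:14 + total_len],
    }


if __name__ == "__main__":
    f = build_frame("host1.example.com", "server1.example.com", 49152, 80, b"GET / HTTP/1.1\r\n\r\n")
    print(len(f), "bytes on the wire ->", parse_frame(f))
```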

Configure Ethernet Adapter

So let's have a look now at the different kinds of configuration I can do for my Ethernet adapter. Now for perspective, remember, we're talking about Ethernet as being tied to a physical adapter. And so, when I purchase an Ethernet card, that's going to give me access to my LAN that supports my Ethernet network access protocols. So this slide is meant to give us perspective as to where and what I'm actually configuring. And so I am configuring that physical adapter and there are some advanced configuration options I might want to do. So, for instance, I might need to update the driver. If I have a problem with the driver being installed and the system not liking that driver, then I can actually come up and roll it back. And so there are configuration options there. I can also configure the power management of that network adapter so that the Ethernet adapter could be turned off in the event I want to save some battery life. Or I can actually configure it so that a signal can be sent to wake up that networking card and have the networking card then wake up the entire system. And these are settings that are actually found buried in the properties of the Ethernet adapter. And there are several advanced settings that can also be configured from there. So let's have a look at some of those Ethernet adapter properties, shall we?

Configure WiFi

All right, let's talk a little bit about configuring WiFi in Windows 10. Now, as you all know, WiFi is all about the convenience of connecting wirelessly. And Windows 10 has several nice features in regards to WiFi. Now, of course, it has support for WiFi. And we'll talk a little bit more about the details of what kind of support it has. But here is also a list of some specific features that go beyond just kind of the basic Wi-Fi standards. For instance, one of the things that I have in Windows 10 is what is called airplane mode. Now with airplane mode we're talking about the ability to disable wireless, especially if you're traveling. Now, the thing is, airplane mode is usually a feature you see on phones, but it's actually universally supported in Windows 10. So that's kind of nice, so I can have a tablet or a laptop, and when I'm on an airplane I can turn on airplane mode and not interfere with the pilot's work. That's a good thing.

Another important part about Windows 10 and its WiFi support is that it can be configured from a centralized MDM management or policy-based management solution. So I can use Group Policy or Microsoft Intune or a third-party MDM and distribute Wi-Fi configurations and Wi-Fi profiles to my Windows 10 devices. Now I've got metered network awareness. Now metered network awareness means if I have a network connection that's based on usage and I get billed or charged based on usage, I can tell Windows 10 about that network. And it won't use it for kind of background communications like patches and updates and such, because it's sensitive at that point to the fact that that network is going to cost me based on usage. Now typical WiFi isn't going to be set up with metered network awareness by default, but I can enable it. Where I am going to see this become especially important is with mobile broadband wireless connections. And this is something I can actually toggle on and off.

That brings me to this next point and that's Wi-Fi Sense. Wi-Fi Sense is a feature in Windows 10 that allows me to tell Windows 10 about my network. But then it will share that information, volunteer it if you will, to other devices that support Wi-Fi Sense. So, if I am at my home and I connect my laptop to my wireless network, then when my friend comes over, they can – you know – jump on the wireless network without having to go through a lot of hassle in terms of putting in the key and such. Because my devices can really act on my behalf and share the wireless information and the connection information with them. So Wi-Fi Sense is helpful in discovering wireless networks and also sharing information with other Windows 10 devices if I want to do so. And that's just about convenience. Then we have Wi-Fi Direct here. And what Wi-Fi Direct does is it's kind of an ad hoc type of connection. It allows me to have a couple of different wireless devices, Windows 10 devices, connect directly to each other. And Windows 10 supports Wi-Fi Direct.

Now here's a deeper look into the different Wi-Fi standards and protocols that Windows 10 supports. And these are basically pretty detailed. You've got this large table here that shows you that it supports 802.11b, 802.11g, 802.11n, 802.11ac. And you've got the different encoding schemes listed here, the channel, the frequency rates. Now the thing I want to point out is that Windows 10 supports all of these different wireless standards, not limited to just one or just a couple of these. The next thing I want to talk to you about is the fact that it supports multiple authentication types. And of course, security is important, so we want to be sure that only authorized users are accessing the wireless network, especially corporate networks. If I have configured my corporate wireless network with 802.1X, well, Windows 10 can take advantage of that.

Another important point is the encryption – the actual data being obscured from, you know, prying eyes – and so we've got backward-compatible support for older legacy protocols, but especially have support here for the newer types of protocols that are going to be far more secure. Now here's a look at Wi-Fi Direct. Remember, Wi-Fi Direct is a way to kind of connect two devices together, but notice you don't need a WAP. In fact, you can configure it securely with Wi-Fi Protected Setup and WPA2, and Windows 10 supports this. In fact, Windows 10 has some enhanced APIs to support the different hardware implementations of Wi-Fi Direct. So this is going to be beneficial when, you know, you have two devices and you don't have the key to the actual wireless network that's been advertised, or maybe there is not one within range. But you need to do a quick connection between these two devices. You can do that with Wi-Fi Direct.

Configure Mobile Broadband

Windows 10 supports mobile broadband. Let's talk about how we can configure mobile broadband. Mobile broadband is, well, sometimes called WWAN or Wireless Wide Area Network connections. It's really a cellular network connection. And, of course, we're really familiar with cellular networks, right, with our smartphones. And this is a popular way in order to access data and services in kind of a roaming fashion. This requires that we have support for the different types of cellular networks that are out there, whether it is GSM or CDMA type services. Windows 10 supports that, provided you have the right components and the right hardware on your actual Windows 10 device. All right, so here are some common terms to help you understand mobile broadband a little bit better. Some of you are probably acquainted with a lot of this, but let's start here with a SIM card. In order to get a Windows 10 device to connect to a mobile broadband network, you actually have to have a SIM card, and that's a small, removable card. It has your subscriber information and maybe some security information attached to it. And the thing with the SIM card is it might be something you can't remove or it might be removable. So it depends on the actual device itself. Now another key term is this right here, the Access Point Name. And this Access Point Name is in reference to the subscriber or the mobile broadband operator's network name. And this is usually a combination of letters and numbers provided by the mobile broadband provider that helps me identify the type of network access that I have.

Then we have this idea here called roaming. I'm sure you've heard of this as well, right, if you have a cell phone anyway. If you go outside of your geographic usage area, then you might have some additional roaming charges that apply. That's also going to be true if Windows 10 is connected to a mobile broadband network. So really what you're seeing here is the same kind of concepts and ideas that apply to a smartphone on a mobile broadband network. We're now extending that to our Windows 10 tablet or laptop that's supporting a mobile broadband connection. Then that brings us here to this term called tethering. Tethering is great because it allows me to use my smartphone that has a mobile broadband connection. And, if I don't have a SIM card on my laptop, I can tether the mobile broadband device to my laptop and basically bridge the two. So I can take advantage of my mobile broadband connection, my cellular connection, from my laptop with the help of my tethered device. So this gives you some ideas in terms of some of the supporting features in Windows 10 in terms of mobile broadband. It's aware of these types of networks. It can use them directly or it can use them indirectly through tethering.

Now here's a list of additional features behind Windows 10 and mobile broadband. A couple of key points – first off, as I said earlier, Windows 10 is aware of mobile broadband connections and so it has kind of an optimized approach. Meaning – we want to avoid using a subscriber or metered-based network for things like hotfixes and patches, and so that's what happens here with Windows 10. If it knows it's a metered network connection, we're going to use it less and only use it for those types of connections that are required, a bit like if we're trying to find a recipe in the grocery store or we're trying to find a location using, you know, Bing Maps or something like that.

In addition to that, the information around that network is actually exposed or available for access by mobile broadband applications. So a mobile broadband provider can actually create their own universal application that enables the Windows 10 user to see information about their accounts and their usage. All of that information is accumulated by Windows 10 much like a phone, and so there is some smart data sense that happens there. Another important point I want to make is this right here, very fast to reconnect from standby. So one of the enhancements they've made over the last few generations of Windows is they've improved the ability for Windows to kind of respond and reconnect to a mobile broadband connection when it comes out of sleep. You can see significant time savings compared to a reconnection with Windows 7 coming out of standby. So this is a quick look at some additional enhancements that make mobile broadband connections different than the typical WiFi or Ethernet connection. And, because it's different, we have some specific features tailored towards those differences.

Overview of IP

I want to look now at Windows 10 support for IP. Of course, IP makes the world go round, right. At least it makes the Internet go round. You see, IP is the most popular, most important protocol on the globe. The Internet runs on it and corporate networks run on it. And you might even be watching this video right now over a TCP/IP network connection. TCP/IP is central to network communications and Windows 10, of course, has support for it. So what we want to look into is the TCP/IP stack in Windows and be able to understand exactly how IP and Windows 10 work together. Now for starters you need to understand that there are two types of IP addresses that Windows 10 supports. It supports IP version 4 and it supports what is called IP version 6. And these two different networking addresses are presented and formatted very differently, but they are providing the same core function. The job of an IP address – whether it's version 4 or version 6 – is to enable me to communicate with devices in my network or, very important now, to communicate with devices in someone else's network. And, in order to communicate with devices in somebody else's network, I have to be able to route. And, in order to route, we have to have some sort of way of labeling those different networks, and so that's where these addresses come in. So you can see here with both our version 4 and our version 6 address that they are divided up so that there is a network portion identifying different networks, so that traffic can be routed between those different networks.

There is also a portion of that address here that references the individual device on that network. So each device has a unique host number and each device has a network number that matches the network that it belongs to. Now these two different addressing schemes have some important differences. And the reason we have two of them is because with IP version 4 here, well, we only have 4 billion of these. Now that sounds like a lot. I don't have 4 billion of anything. Well, maybe cells. I think actually I have more than that. Don't I? I don't know. But I don't, I mean I can't even count to 4 billion. I mean that's a lot. Nevertheless, despite the fact that 4 billion is a lot, we ran out of those. And so we need to have more, or a larger addressing scheme to support more devices, and so we have IP version 6. And IP version 6 is important because we have support for 340 undecillion addresses. I mean that's just unfathomable. I mean I can't even fathom 4 billion. There is no way I am going to even comprehend whatever that number is, right. And I have heard different people refer to this in different ways. I've heard some people say, "Well, that's enough addresses for every square inch of planet Earth and still have enough addresses left over for 24 more planet Earths." I'm not so sure that's true as much as it is, well, that's just a lot of addresses. That's the primary point. And so we're not going to run out of these IPv6 addresses. Windows 10 supports both version 4 and version 6. And it supports both addressing and configuration standards for the purpose of managing these addressing schemes in both the corporate and in a personal kind of space.

IPv4 Addressing

So let's look at these different addressing schemes that Windows 10 supports. I want to start by examining IPv4 addressing in Windows 10. Now this is an addressing scheme that's been around for a while. So many of you watching this might already be familiar with this. Then again, even though it's been around for a while, it's still something that's tricky to understand and it might be something that's new to you. Now like IPv6 or other types of addressing schemes, one of the things we're trying to identify is the device on our network. But we're also identifying the network itself. So, in an IPv4 configuration, each different device has kind of a group address or a network address, and that network address is shared. So you'll notice here that this guy right here, its networking address is 192.168.100.0 and that's labeled here for us. And so all three of these devices share that portion of the address and they have that in common, all three of these different devices. Now each one also has a unique portion: this is .30, this is .50, this one here .31. So we can tell the devices apart. We can also tell what network they belong to. Up here in the top half of this, we have a very similar type of configuration but we're doing a different addressing scheme. So we've got 50 up here, so 50.3 for this one and 50.31 over here, and so forth – so two different networks. The devices in each respective network are sharing that same group identifier, that network address. And then, each one has a unique address or a unique portion of the address identifying that device. Now here is a very important point. Right in the center of these two different networks is my router. What the router affords me is a connection between the two. It provides me a path from this network to this network here. And, in order to do that, this router has two interfaces – two network connections. Each network connection has to have an address and it has to be connected to the network that it's serving. So you notice that this router has a network connection to 192.168.100.50, belonging to this network up here, and a unique identifier identifying that interface, 192.168.50.1. It also has this address down here that matches the network or group 100 – so 192.168.100.254. Now anytime these devices down here need to talk to the devices here, they're going to pass that traffic right up to this router's interface. Well, then, of course, it's going to pass it over this interface and to the respective device, whichever device we're going to need to communicate with.

So the router plays a very important role, acting kind of like your local post office, which delivers mail to other zip codes, to other regions. If you're just talking to your neighbor, device-to-device here, you don't actually need the router. If you're going to communicate with another network, that's where that network address and the magic of IP come into play. The router is the actual device that reads those addresses, interprets those addresses, and takes action on those addresses, so we can communicate all around the world using IPv4.

Okay, now let's talk about how a subnet mask works. Now the subnet mask is what actually divides the two different parts of an IP version 4 address. The subnet mask is another number, in addition to the IP address number, that helps me interpret and understand the IPv4 address. So we've got some examples. We've got three examples here of subnet masks. Now, we can use these three different subnet masks, and when we apply them to this address here, we actually change the meaning. So let me give you an example of that. Let's look at this first one right here. This first one is 255.0.0.0. Now, what that means is this portion right here, this section of the IP address, which is called an octet because it's actually 8 bits right there – this section here is going to be the network portion.

So, when I associate or line that up with my IP address, then I've got a matching section here – a matching octet. So 255 means this first octet belongs to my network. See these 0s in the remaining portion of my subnet mask? These 0s right here mask out the portion of the IP address, which belongs to the host. Now, in earlier examples, I was showing you where just the last octet was referencing the host. But it's not always the last octet, it depends on the subnet mask. As you see here, I've got three sections dedicated to the host. And, so in the actual IP address, all three sections or octets belong to their host.

So this subnet mask is telling me that the network portion of this IP version 4 address is just 192 and the host portion is 168.100.50. Now the meaning, or how I divide this, changes if I have a different subnet mask. So, if I am configured with a subnet mask that looks like this, right down here, that slides over the division between network and host. Now only two octets belong to the host and two octets belong to the network. So I've essentially divided it right in half. If my subnet mask is actually this guy right here, 255...there we go, 255.255, then what I have done is I have actually divided it up even further, so that the first three octets belong to the network and the last octet belongs to the host. So you can see how you actually read an IP version 4 address depends a lot on the subnet mask that we're using. So, when you configure a Windows 10 device to work and to communicate on a version 4 network, you're not just configuring an IPv4 address, you're also needing to configure the appropriate subnet mask, and the mask has to match the router. So the router is going to have a similar IP configuration and it's going to have a subnet mask. And your devices also need to have the same network and the same subnet mask as the router.
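Here is an added example (not from the course) that carries the three subnet masks above through the arithmetic on 192.168.100.50, checks that a mask is a valid contiguous run of ones, and then uses the diagram's addresses (hosts on 192.168.100.0 and 192.168.50.0, router interfaces 192.168.100.254 and 192.168.50.1) to decide whether a packet goes straight to the neighbor or to the router. The last function also shows the failure mode the instructor warns about: a mask that does not match the router makes a host treat a remote device as local.

```python
"""Subnet mask arithmetic for the transcript's IPv4 examples (added example)."""


def ip_to_int(dotted):
    """Parse a dotted-quad string into a 32-bit integer, validating each octet."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-quad address: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_mask(mask):
    """A subnet mask must be ones followed by zeros; 255.0.255.0 is not a mask."""
    inverted = ~ip_to_int(mask) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def prefix_length(mask):
    """Number of leading ones, i.e. the /n form of the mask."""
    if not is_valid_mask(mask):
        raise ValueError(f"invalid subnet mask {mask!r}")
    return bin(ip_to_int(mask)).count("1")


def split_octets(ip, mask):
    """Return (network octets, host octets) for masks that fall on octet boundaries."""
    prefix = prefix_length(mask)
    if prefix % 8:
        raise ValueError("mask is not octet-aligned; use network_address() instead")
    octets = ip.split(".")
    return ".".join(octets[: prefix // 8]), ".".join(octets[prefix // 8:])


def network_address(ip, mask):
    """General case: AND the address with the mask, reported in CIDR form."""
    prefix = prefix_length(mask)
    return f"{int_to_ip(ip_to_int(ip) & ip_to_int(mask))}/{prefix}"


def same_network(ip_a, ip_b, mask):
    """Two addresses are neighbors when their masked (network) portions match."""
    m = ip_to_int(mask)
    return (ip_to_int(ip_a) & m) == (ip_to_int(ip_b) & m)


def next_hop(src, dst, mask, gateway):
    """Where the host sends the frame: directly to dst if local, else to the router."""
    return dst if same_network(src, dst, mask) else gateway


if __name__ == "__main__":
    for mask in ("255.0.0.0", "255.255.0.0", "255.255.255.0"):
        print(mask, split_octets("192.168.100.50", mask), network_address("192.168.100.50", mask))
    # Correct mask: the other network is reached via the router.
    print(next_hop("192.168.100.30", "192.168.50.31", "255.255.255.0", "192.168.100.254"))
    # Mismatched mask: the host wrongly believes 192.168.50.31 is a neighbor.
    print(next_hop("192.168.100.30", "192.168.50.31", "255.255.0.0", "192.168.100.254"))
```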

How IPv4 Addresses Are Assigned

So here's an important question – how does my Windows 10 device get an IP address in the first place? It's interesting, Jason. And that's how, you know, our subnet mask works and all of that, but I've got to have an address. So there are three different ways in which we can distribute an IP version 4 address. One way is to do it manually. And, when we're doing it manually, we're actually going into the adapter, we're configuring the IP settings in properties, and we're typing in our version 4 address and our subnet mask. So those are the two required numbers. Now there are probably some other settings we would be typing in. We would be typing in the default gateway – the router. We might also be typing in the location of our DNS server. But that's all manual. Now manual is useful in many cases when I need a static configuration. Essentially, I am pinning that device to a specific IP address for the duration of its connection there, but here's the thing. If I move that device to another network – like it's a portable device, a mobile device – then that manual or static configuration is no longer relevant. And so, if I go to another network that's using a different scheme, it's not going to be able to get on that network until I go in and make changes manually.

So what we often do – especially with, like, portable Windows 10 devices and other devices that are moving around – is we rely on a service called DHCP. DHCP is a service that can run on a server. Or it might be running on a network appliance – like a router or even a switch – that distributes IP addresses to any device on its own network. So, if I connect to somebody else's network – like I come over to your house and I bring my Windows 10 device with me and you've got a wireless network – well, your wireless device will assign me or lease me an IP address from its DHCP pool. That's a typical type of configuration or a way to acquire an address for a Windows 10 device. And the same can be said of a corporate network. Although, in a corporate network, we might have some additional controls, some additional monitoring, and some additional kinds of configuration. And we might have a lot more devices that we're managing addresses for.

Now, if we don't configure it manually and we can't find somebody to give us an IP address – you know, a DHCP server – then your Windows 10 device will just make one up. It goes through an identity crisis called Automatic Private IP Addressing. And so it just invents one. Now many of you have seen this actually. If you've ever gone in and looked at your IP configuration by typing ipconfig in your command prompt, you may have seen something like 169.254. Now many of you go, "Oh, that means I've got a problem." Well, it's not an error number, right. It's actually a self-assigned APIPA address. Now, if you've got multiple devices that have an APIPA address on the same network, they can talk to each other. That's the whole point of it. It's kind of a fallback addressing scheme in case something does go wrong with DHCP, but it's not very reliable in that sense. In other words, typically what happens is a device will lose an address or not be able to acquire one. And it's probably, you know, the only one out of the group that is unable to get an address. So it's not useful. Then again, a self-assigned address can be helpful if I am doing just some sort of ad hoc connection between two devices or I've got a crossover cable connecting two devices. I don't have to go in and do any static configuration or set up a DHCP server. Instead, TCP/IP will automatically give the respective devices unique addresses and facilitate communication with IP version 4. So these are the three different ways in which a device can acquire an IP address: either manually, through DHCP, or self-assigned.

Types of IPv4 Addresses

Now here's a look at six different types of IP version 4 addresses. These are common types of addresses you're likely to encounter when supporting Windows 10 and TCP/IP. First off, we have these things called private addresses. We also have public addresses and self-assigned addresses – that's our APIPA address. Then there are addresses for special types of communication like multicast and broadcast. And then we've got loopback here. Let's dig into these a little bit more and talk about each one in a little bit more detail, starting with our private IP addresses. So, with private IP addresses, this is a group of version 4 addresses that have been kind of set aside by the different regulatory groups behind IP addressing for the purpose of assigning addresses inside a home or an organization. Remember, we talked about how version 4 addresses are in short supply. So one of the ways we overcome that short supply is we have this group of addresses that, internally, everybody can use. You just can't use these on the public Internet. The way we're able to communicate on the Internet – even though we're using these private addresses – is we have a device that translates private addresses into public addresses. You probably know the name of this. NAT – you heard of that? I'm sure many of you are nodding your heads right now. Let's see, shaking, nodding, right.

So many of you are familiar with NAT. And, when you buy a home router, it has NAT in it. Now you may not have heard of NAT before or care what that acronym means, but NAT is the magic inside of your home router. Basically, you have all of your devices at home that have a private address, typically something like a 192.168 address, but your Internet provider has given your wireless home router a single public address. Now, a public address here guys – a public address is what we're going to need in order to communicate on the Internet. And notice that the public address range is pretty much anything but those private addresses. And there are a couple of other ranges in there that are also missing, but that's essentially the idea. These are public addresses – these are the public IP address ranges. And so we're going to need to have an address from within one of these different ranges in order to communicate with everyone else out there in the world. Without a public IP address, well, then there is no Internet communication, no Facebook, no Google, right, no Bing. Okay.

Now the other thing I want to point out is that among these different public IP addresses, they have been organized into what we call classes. So we've got class A, we've got class B, we have class C listed here. The same can be said of these private IP addresses up here. Private IP addresses are also organized into class A, B, and C. That was what the numbering authority did for the initial distribution of IP addresses. They broke them down into these different classes for convenience. So our class A right here – well, it actually supports a 255 subnet mask. Our class B on the other hand over here – it actually supports a 255.255 subnet mask. And then our class C supports a 255.255.255 subnet mask. So you've got different subnet masks. And, with each different subnet mask, you have a different number of available networks and a different number of available devices that can be on the networks. So, because we have what we call a 24-bit mask, 255.255.255, all three initial octets of the IP version 4 address are set aside for the network. So we have a lot more class C networks than we do class A, because class A is only using the first octet – this guy right here – for the network portion. The rest of it is for the host – so a lot more hosts for class A, but fewer networks. The opposite is true for class C. With class C, we've got a lot more networks and we've got fewer hosts right there. All right.

So class A, class B, class C – private IP addresses and public addresses. Remember, NAT or Network Address Translation is what helps us actually translate private addresses to public addresses for the purpose of conserving the number of public addresses that have to be handed out. Now there is another type of address you might encounter and that's this guy right here – the self-assigned address. The self-assigned address in Windows is called APIPA. And it starts with 169.254. And so, if you type ipconfig and you are having trouble getting to DHCP, your device will just make something up. It gives itself, you know, an address, so it has something to work with. Now 169.254 is not routable. And it usually indicates that there is a problem on the network.

Now there are a couple of other types of IP version 4 addresses – multicast and broadcast addresses. Now these are specialized communications. Now broadcast simply means we're talking to everybody. We're talking to everybody in our subnet, we're talking to everybody on the network. And it looks like 255.255.255.255. That's the all-networks broadcast right there. Then there is the subnet broadcast, where you're broadcasting to everybody in your own network. And that's basically where you're going to have 255 in just the host portion of the address, okay. But then you might also want to be aware of the fact that you have multicast communications available. And multicast means the device is talking to multiple devices. Some might be on your network, some might be outside of the network, but you are not talking to everybody.

So there is unicast. Unicast is one to one, which is – you know – the most frequent kind of communication: me talking to a web server, one to one. Then there is broadcast. That's me talking to every device. Maybe I'm trying to find something, so I do a broadcast. And then there is multicast. And multicast is, you know, popular among media applications. We've got multiple devices connected to something like a video stream, like an online concert or something. And the source is sending out all these packets that relate to, you know, the broadcast and the performance. Well, while it's doing that, it doesn't want to send it out to every device, and unicast would be less efficient. So it will use multicast, which is kind of a one-to-group type of communication. All right. Now the next thing we want to talk about here is the loopback address. The loopback address is a troubleshooting address. The loopback address is an address that supports just kind of troubleshooting your own device. So what you can do with it is you would ping yourself – you ping 127. And that tells you whether or not your device has TCP/IP installed and it's responding. So it's not super useful, I think. But it's there nonetheless. And it's a reserved address. So these are the different types of version 4 addresses that you can configure Windows 10 with or Windows 10 will use in order to communicate on the network. It might use a multicast, it might use a broadcast, it might use a privately assigned address. It depends on, you know, what type of network it's connected to, what address it's been assigned, and who it's trying to talk to.
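As an added example (not code from the course), here is a classifier for the six address types and the A/B/C classes described above, plus the reading a technician would give an address seen in ipconfig output; the reserved blocks are the standard ones and the sample addresses are constructed.

```python
"""Added example (not code from the course): classify an IPv4 address into the
types the transcript walks through (private, public, APIPA self-assigned,
multicast, broadcast, loopback) and into class A/B/C with its default mask.
The block boundaries are the standard reserved ranges; sample addresses are
constructed.
"""
import ipaddress

# Reserved blocks as (network, prefix length).
PRIVATE_BLOCKS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))
APIPA_BLOCK = ("169.254.0.0", 16)
LOOPBACK_BLOCK = ("127.0.0.0", 8)
MULTICAST_BLOCK = ("224.0.0.0", 4)
LIMITED_BROADCAST = "255.255.255.255"

DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def _as_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))    # raises AddressValueError on junk


def _in_block(addr: int, block) -> bool:
    network, prefix = block
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return (addr & mask) == _as_int(network)


def address_type(ip: str) -> str:
    """Which of the transcript's six address types this is."""
    addr = _as_int(ip)
    if addr == _as_int(LIMITED_BROADCAST):
        return "broadcast"
    if _in_block(addr, LOOPBACK_BLOCK):
        return "loopback"
    if _in_block(addr, APIPA_BLOCK):
        return "apipa"
    if _in_block(addr, MULTICAST_BLOCK):
        return "multicast"
    if any(_in_block(addr, block) for block in PRIVATE_BLOCKS):
        return "private"
    return "public"


def address_class(ip: str) -> str:
    """Classful view of the first octet: A (0-127), B (128-191), C (192-223),
    D (224-239, multicast), E (240-255, reserved)."""
    first = _as_int(ip) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def is_subnet_broadcast(ip: str, mask: str) -> bool:
    """Subnet broadcast: every host bit set to 1, e.g. 192.168.100.255 under
    255.255.255.0. A /32 has no host bits and therefore no broadcast."""
    host_bits = ~_as_int(mask) & 0xFFFFFFFF
    return host_bits != 0 and (_as_int(ip) & host_bits) == host_bits


def diagnose(ip: str) -> str:
    """The one-line reading a technician gives an address seen in ipconfig."""
    readings = {
        "apipa": "self-assigned 169.254.x.x: DHCP lease failed, not routable",
        "private": "private address: reaches the Internet only through NAT",
        "public": "public address: routable on the Internet",
        "loopback": "loopback: only exercises the local TCP/IP stack",
        "multicast": "multicast group address, not a host address",
        "broadcast": "limited broadcast, not a host address",
    }
    return readings[address_type(ip)]


if __name__ == "__main__":
    for sample in ("192.168.1.10", "169.254.12.7", "8.8.8.8", "224.0.0.251", "127.0.0.1"):
        cls = address_class(sample)
        print(f"{sample:<14} class {cls} mask {DEFAULT_MASK.get(cls, 'n/a'):<15} {diagnose(sample)}")
    print(is_subnet_broadcast("192.168.100.255", "255.255.255.0"))   # True
```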

IPv6 Addressing

All right, let's take some time now and look at the other IP, that's IP version 6. And let's talk about how we can configure Windows 10 to use IPv6 addresses. Now the first thing I want to do is talk a little bit about why we're using IPv6. And, as we know, version 4 gives us quite a few addresses but not quite enough. I've got myself three, four, five different devices that connect to the Internet. And I also have, of course, more devices I want to add to my network. And then we've got televisions and cars and appliances that are all getting IP addresses. So it's easy to see, if we start looking at the world around us, how we've run out of IP version 4 addresses. So along comes IP version 6. And IPv6 has multiple enhancements to it. It's not just about the address space, although that's a big one. It's also about the fact that IPv6 is designed to be extensible. So I have support for enhancements and changes to the protocol. It also has built-in security, with the capability to work with IPsec. So there are other features and characteristics of version 6 that make it an important improvement to the overall IP stack. Now Windows 10 supports IPv6 by default. And it will actually start using version 6 because it has an automatic link-local address that it assigns to itself. So, if you type ipconfig, you'll notice right away that there is an IPv6 address and you didn't do anything about that. That's because it's written into Windows 10, and IPv6 is designed to be easy to use and easy to configure.

So here's a look at some of the additional benefits with version 6. Now we already talked about the larger address space, but there are also rich transition technologies. So, if I am using version 4 as my primary protocol, but I want to move to version 6, well, I have some transition technologies that support encapsulation. Version 6 is also more secure, with IPsec integration. And, because I have so many version 6 addresses out there, we don't have that private/public type of thing going on, where I have to have NAT. So no NAT required. And then version 6 is also far more efficient. This means that it has better performance. I don't even need to use broadcast. It supports multicast instead. And then Windows 10 has a dual stack, so it has version 4 and version 6 side by side. And the reason that's noteworthy is that in XP and earlier, version 6 was available but it was actually written into the version 4 stack. So they had to share the same code and it just didn't perform as well. By separating them and creating a dual stack, so they're side by side, we've improved the efficiency of version 6 inside of Windows 10.

So let's explore now the anatomy of an IPv6 address. Now the function of this address isn't any different than version 4: we need a network portion for routing and then we need a portion to uniquely identify the device. IPv6 does that for me, but it's kind of preconfigured and that makes it a little simpler. I don't need a subnet mask that changes, right, from being the first octet or 8 bits to being 16 bits or 24 bits. No, instead a version 6 address is divided right in half. So it's 128 bits in length. The first 64 belong to the network and then the last 64 belong to the actual device or the host ID – the interface identifier. Now that first 64, which relates to the network, is further subdivided into different tiers of the network. And this is all done to simplify routing and the implementation of IP version 6. Now the details of how that is broken down for me are described in this table here. So I have at the top here my regional Internet registries and that's the first 12 to 32 bits. Then my ISP has a section for themselves. And then I might have a portion for my organization. And then I can further take that and subdivide it with subnets. The key point I want you to walk away with is to recognize that IPv6, like IPv4, requires a portion of it for routing purposes – routing across the different tiers and hierarchies of the Internet – and that's written into it from the very beginning. The first 64 bits help me with the network; the last 64 bits, on the other hand, uniquely identify the host, that device.

Compress an IPv6 Address

Now the version 6 address looks pretty scary. And you are probably looking at it going, well, there is more to this than just numbers. So there are all these letters in here, and that's because a version 6 address uses a hexadecimal format, not a dotted decimal format like a version 4 address. Nevertheless, a version 6 address has some, you know, uniqueness about it. Besides that, the format helps me kind of present the information in an easy-to-read form, like a version 4 address. But keep in mind that we're dealing with 128 bits here. So you might be looking at me skeptically saying, "This is easier than IPv4?" Well, if we were to actually present this information the same way as IPv4, it would be a much larger number and a little bit more difficult to work with. So they have adopted this other format called the colon hexadecimal format. And it's broken down in such a way that each section here is representing for me, you know, 16 bits. So I've got 4 bits, 4 bits, 4 bits, 4 bits – each character in a section represents 4 bits.

Now, when I write out a version 6 address like this, I might have a lot of zeros in place. And so there are some shortcuts with which I can actually compress my IPv6 address. For instance, one of the things I can do is remove inline zeros. There we go. Right here in the middle, I've got a sequence of 0s. Notice I can actually drop those 0s. You see this right here: by putting in a double colon like that, I am representing a series of contiguous 0s. I can only do double colon substitution once. So this address here, where it's been done here and it's been done again here – well, that would be an illegal representation or compression of that version 6 address. And that's because I wouldn't know if it's one section that's actually being compressed here or if it's two sections here. One or two, or two or one, there's no way to tell. So you can only remove inline zeros once.

Now let's look at this next compression technique and that's removing leading 0s. In terms of removing leading 0s, notice that right here in the original address, I've got these four 0s. Well, I can drop the leading 0s, these first three right here. So, 2031, right there – I can represent that entire section with just one 0. I can also come in here and look at this 9C0. There is a 0 in front of that, and I can drop any of those leading zeros. Then what I can do is actually combine these two techniques, apply both rules, to complete the compression on my version 6 address for the ultimate shorthand version of what that address looks like. There you go. That's how you can take this address up here and rewrite it so it looks like the one down there. And that's an abbreviated form of the same address.

Types of IPv6 Addresses

Now, just like there are different types of version 4 addresses for, you know, different types of addressing and different communications, we also have different types of addresses for version 6. For starters, we have a local unicast address. We also have global unicast, link-local addresses, special communications with multicast addresses, and then a loopback for diagnostics. Now let's have a look at each of these. Let's start here with this local unicast address. Now the local unicast address has a prefix of FEC0; it's kind of for local site communications. Now this private site addressing scheme has actually been deprecated. But, if you see an address with FEC0 as its prefix in the first section of your IPv6 address, it's called a local unicast or a site address. The next type of address is the global unicast address. And this is one that you need in order to communicate around the world. Hence, the term global. So this has a 2 as its prefix. So that's how you can tell that's a global unicast address, that 2 right there. And this is a significant address and we use this quite a bit for international or internetworking IPv6 communications.

Next, link-local addresses right here. Now the link-local address is similar to APIPA under v4. It's a self-assigned address. Now normally, when you see an APIPA address or 169 address in version 4, you think, "Oh, something is wrong, can't talk to DHCP." You don't have the same response though in version 6. If you see a link-local address in a version 6 stack, its prefix is, of course, as you can see it right here, FE80. If you see the FE80 address, what you need to know is that's a good thing. FE80 means it has an IPv6 address and it will use that address to talk to other devices in its same subnet, including discovering other IPv6 devices and services automatically. In fact, in stateless configurations, a device can use its FE80 address to find a router, with the help of what is called router discovery in ICMP. So there are some other protocols that contribute to this. But it can use this address to discover a router and acquire a global unicast address. It's not uncommon, my friends, for an IPv6 device to have more than one IPv6 address. In fact, it's expected to have more than one IPv6 address for different types of communications. And because we have so many IPv6 addresses, that's not considered a waste. With version 4, we know we can't have more than one version 4 address, because we're running out of them. That's not the same kind of attitude with version 6; it's a shift. It's a total paradigm shift when we're talking about version 6, okay.

So the link-local address – that's good. So global unicast, link-local, those are going to be pretty common. Now, okay, so the next thing I want to talk about is multicast. And multicast is both an address and a type of communication. Remember, we're talking one-to-many, and multicast has this prefix right here of FF. So, if you see that, it's a multicast address where we're going one-to-many or one to the group. And then we also have in Windows 10 support for IPv6 anycast addressing. And what anycast allows me to do is it allows me to actually communicate with the nearest whatever. So maybe host A here needs to find a router, so it can send an anycast request looking for the nearest router. And often that's done in order to find the router and maybe even acquire more information or an additional address. That brings us to the last address I want to talk about. And this last address is called the loopback address. And very similar to IP version 4, this loopback address is for diagnostic purposes. So you're pinging yourself. But notice here, the loopback address is ::1. So we're following those IPv6 address compression rules, where we're dropping the contiguous inline 0s and the leading zeros. And so you can represent the loopback, and even use loopback, with just ::1. And when you have just the two colons, ::, that's the unspecified address, a UFO if you will. So these are the different types of IP version 6 addresses.
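The two compression rules from the previous section (drop leading zeros, replace one run of zero sections with ::) and the prefix-based address types listed here, as one added example that is not code from the course. It also rejects the double :: case the transcript calls illegal; the sample addresses are constructed (2001:db8::/32 is the documentation prefix).

```python
"""Added example (not code from the course): expand and compress IPv6
addresses using the transcript's two rules, and classify an address by its
prefix into the types the transcript lists. Sample addresses are constructed.
"""
from typing import List

HEX_DIGITS = set("0123456789abcdef")


def expand(address: str) -> List[str]:
    """Undo compression: return the eight 4-character sections.
    A second '::' is rejected, because the transcript's point is that two
    runs would make the address ambiguous."""
    text = address.strip().lower()
    if text.count("::") > 1:
        raise ValueError(f"'::' may appear only once: {address!r}")
    if "::" in text:
        head, tail = text.split("::")
        head_parts = head.split(":") if head else []
        tail_parts = tail.split(":") if tail else []
        missing = 8 - len(head_parts) - len(tail_parts)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one section: {address!r}")
        parts = head_parts + ["0"] * missing + tail_parts
    else:
        parts = text.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 sections: {address!r}")
    for part in parts:
        if not 1 <= len(part) <= 4 or set(part) - HEX_DIGITS:
            raise ValueError(f"bad section {part!r} in {address!r}")
    return [part.zfill(4) for part in parts]


def compress(address: str) -> str:
    """Apply both rules: strip leading zeros from every section, then replace
    the longest run of two or more zero sections with '::'. This is the
    canonical RFC 5952 form, which never compresses a lone zero section."""
    parts = [part.lstrip("0") or "0" for part in expand(address)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if parts[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and parts[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(parts)
    left = ":".join(parts[:best_start])
    right = ":".join(parts[best_start + best_len:])
    return f"{left}::{right}"


def address_type(address: str) -> str:
    """Classify by prefix, in the order the transcript lists the types."""
    sections = expand(address)
    first = int(sections[0], 16)
    if sections == ["0000"] * 8:
        return "unspecified"
    if sections == ["0000"] * 7 + ["0001"]:
        return "loopback"
    if (first >> 8) == 0xFF:                 # FF00::/8
        return "multicast"
    if (first & 0xFFC0) == 0xFE80:           # FE80::/10
        return "link-local"
    if (first & 0xFFC0) == 0xFEC0:           # FEC0::/10, deprecated site-local
        return "site-local (deprecated)"
    if (first >> 13) == 0b001:               # 2000::/3, the leading 2 (or 3)
        return "global unicast"
    return "other"


if __name__ == "__main__":
    print(compress("2001:0db8:0000:0000:0000:0000:0000:0001"))   # 2001:db8::1
    print(":".join(expand("fe80::1")))
    for sample in ("fe80::1", "ff02::1", "::1", "::", "2001:db8::1", "fec0::1"):
        print(f"{sample:<14} {address_type(sample)}")
```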

Name Resolution Explained

One of the most critical parts of network communication is name resolution. And, in this section, I want to talk about how to configure name resolution in Windows 10 and the role name resolution plays in successful network communications. The first thing we need to ask ourselves is, what exactly is name resolution? I mean, that's not a phrase you use very often. Well, name resolution works very similarly to when you need to look up a phone number. So let's say, for example, I am trying to find out the daily specials at my local market. What do I do? I grab a phone book, right. And I open it up and I look up the name of my market and I find the phone number. And then when I pick up my phone, I'm putting the phone number in here. Unfortunately, I can't pick up the phone and just say the name of the market. Instead I am putting in a phone number, and that's because the phone number is what is required for the actual telephone equipment to make, bridge, and create a connection for me so that I can actually talk to somebody in the market. That's name resolution. Name resolution is taking a friendly name and resolving that into a name that the machines can use. You see, you and I, we use symbolic names, whereas computers use numeric names – IP addresses. Name resolution is the magic of taking something like a symbolic name like www.facebook.com and resolving that into a meaningful IP address that the devices and the machines can use to route the traffic, find that endpoint, and set up that connection for me.

Now, when we talk about name resolution in regards to Windows 10, it's important to understand there are different types of names. So let's take a moment and talk about the different types of names that a Windows 10 device might have or might be referring to and trying to resolve. First off, I want to mention that we've got these names down here called host names. Now host names are probably the most common type of name, and that's because most devices that are participating on any IP-based network, including the Internet – well, they use host names. Now a host name is basically the computer name, the first name – if you will – appended with a suffix. So something like this – computer1.brockadero.com – that is a fully qualified domain name. That's taking the host name, computer1, and appending the domain name, which we also call a suffix, and putting that together. Now those are the types of names we typically resolve. But there are other names that we might be using on the network and also needing to resolve – like service names, maybe computer names. And usually in Windows, computer names and host names are the same. There are some technical differences as far as the application is concerned and maybe some of the services, but really they are kind of the same. And then NetBIOS names, which are also interchangeable in many cases with computer names, but those are more for legacy applications. So a legacy application would refer to my Windows 10 machine by its NetBIOS name, rather than by its host name. Again, most of the time, we're going to be using the host name – computer1 – and maybe also its suffix – computer1.something – when we're trying to look up its IP address.

Now the next thing we're going to look at are the different name resolution methods that a Windows 10 device will use in order to discover an IP address. Now, legacy clients, that is older, Windows 98-type clients, might actually use NetBIOS names and resort to using broadcast in order to discover IP addresses. Windows 10 is going to use more modern methods – it's primarily going to rely on talking to DNS to resolve those names to IP addresses. In fact, let's actually look at the process that a Windows 10 device will use in order to find an IP address. The first thing it's going to do is check to see if it is itself the destination that's trying to be reached. Now this is interesting. So, if I type in www.facebook.com, the first thing my Windows 10 device does is check to see, am I www? So it examines itself to see if it is the destination. Then the next thing it's going to do is check its cache to see if it's been to facebook.com before. This is really an important part of DNS and name resolution performance. The fact is, if you are frequenting a web site or some other resource – it doesn't have to be a web site, it can be e-mail, could be Office 365, doesn't matter – if you are frequenting an IP-based resource, that IP address gets stored into cache so that you're not having to attempt this resolution process over and over and over again. So, if it's in cache, we don't do the rest of these steps – we stop here, perfect.

On the other hand, if it's not found in cache, then we need to continue to go down this list to find that IP address. So what is the next thing our Windows 10 device is going to do? Well, it could look into the hosts file. Now the hosts file is a text file – yes, a text file – and it actually goes all the way back to the early days of the ARPANET. Even before we called it the Internet, we had this thing called the hosts file. And the hosts file was a basic text file where we put in the names of computers and their corresponding addresses. Windows 10 still supports that and you can still use it as a name resolution source. Now typically, we don't. The only time we're really concerned with the hosts file is if we're in a lab environment, or we have to add some sort of exceptions, maybe configure it for VPN connections, or maybe we're actually checking the hosts file for malware. Malware likes to put bad information into the hosts file and kind of redirect people to false locations. In fact, a lot of antimalware will examine your hosts file to ensure that it's clean and it's been protected. So this is the next place Windows 10 goes. Now here is another important point. Both step number two here and step number three here – this DNS resolver cache and this hosts file – both of these steps are done simultaneously, and that's because Windows 10 actually loads the hosts file into the cache, alright.

So, if it's not me, that is, it's not the device, and if it's not in cache or the hosts file – what does our Windows 10 device do next in order to find the IP address? DNS. That's the next thing it needs to do. Now this is the critical part where we really want success. Our Windows 10 devices need to be configured with a DNS server. It sends a query to that DNS server and says, "Hey, I am trying to find the IP address of this resource that's referred to by this name." That DNS server then goes through a process of looking up that name and finding an IP address for me. Now, if that fails for some reason or the DNS server is not available, then my Windows 10 device might resort to using other methods – in particular if the DNS server is not available. So we've got this option here called LLMNR. And LLMNR is a multicast method. So the assumption here, friends, is if the first few methods don't work, then that Windows 10 device will search around the local network for an IP address. In other words, it's assuming at this point that, if DNS doesn't have the answer, then it might be a neighboring device. And so it starts using multicast, then it might get desperate and start using these other legacy methods – that's what the remaining items there on the list are. Now we don't want it having to resort to that; we want success to occur as much as possible through DNS and maybe through multicast.
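The lookup order just described, modelled as an added example (not code from the course, and not Windows' own resolver): is it me, then the cache with the hosts file preloaded into it, then DNS, then LLMNR, plus the hosts-file check the transcript says antimalware performs. The hosts file text, DNS answers and LLMNR answers are all constructed.

```python
"""Added example (not code from the course, not the Windows resolver): a
small model of the name resolution order in the transcript, 1) is it me?
2) resolver cache, into which the hosts file is preloaded, 3) DNS, 4) LLMNR
on the local link, plus a hosts-file audit. All data below is constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# comments and blank lines are ignored, as in the real file
127.0.0.1       localhost
10.0.0.25       lab-dc01.lab.example.com   lab-dc01
203.0.113.9     www.example-bank.com       # a redirect of a public name
"""

Lookup = Callable[[str], Optional[str]]


def parse_hosts(text: str) -> Dict[str, str]:
    """name (lower-cased) -> address; the first entry for a name wins."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def suspicious_hosts_entries(table: Dict[str, str],
                             public_names: List[str]) -> List[Tuple[str, str]]:
    """Entries that pin a well-known public name to a non-loopback address.
    Loopback pins are the usual legitimate blocking technique; anything else
    sends the name somewhere DNS would not, which is the redirect the
    transcript says antimalware looks for."""
    flagged = []
    for name in public_names:
        address = table.get(name.lower())
        if address is not None and not address.startswith("127."):
            flagged.append((name, address))
    return flagged


class Resolver:
    def __init__(self, my_names: List[str], my_address: str, hosts_text: str,
                 dns: Lookup, llmnr: Lookup) -> None:
        self.my_names = {n.lower() for n in my_names}
        self.my_address = my_address
        self.cache = parse_hosts(hosts_text)   # hosts file lives in the cache
        self.dns = dns
        self.llmnr = llmnr

    def resolve(self, name: str) -> Tuple[Optional[str], str]:
        """Return (address, method), where method is the step that answered."""
        key = name.lower().rstrip(".")
        if key in self.my_names:                # step 1: am I the destination?
            return self.my_address, "self"
        if key in self.cache:                   # steps 2 and 3: cache + hosts
            return self.cache[key], "cache"
        answer = self.dns(key)                  # step 4: ask the DNS server
        if answer is not None:
            self.cache[key] = answer            # positive answers get cached
            return answer, "dns"
        answer = self.llmnr(key)                # step 5: multicast to neighbours
        if answer is not None:
            return answer, "llmnr"
        return None, "unresolved"


def build_demo_resolver() -> Resolver:
    """Constructed DNS and LLMNR answer tables standing in for the network."""
    dns_records = {"www.facebook.com": "198.51.100.40",
                   "mail.lab.example.com": "10.0.0.30"}
    llmnr_neighbours = {"printer": "10.0.0.77"}
    return Resolver(my_names=["computer1", "computer1.lab.example.com"],
                    my_address="10.0.0.50", hosts_text=SAMPLE_HOSTS,
                    dns=dns_records.get, llmnr=llmnr_neighbours.get)


if __name__ == "__main__":
    resolver = build_demo_resolver()
    for name in ("computer1", "lab-dc01", "www.facebook.com",
                 "www.facebook.com", "printer", "nowhere.example"):
        print(f"{name:<18} {resolver.resolve(name)}")
    print(suspicious_hosts_entries(parse_hosts(SAMPLE_HOSTS),
                                   ["www.example-bank.com", "www.facebook.com"]))
```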

What Is DNS

So the next question I want to address with you is what exactly is DNS? I mean, if DNS is the primary method of name resolution for Windows 10, what is it? Glad you asked. DNS stands for the Domain Name System. You see, it's not just a domain name server, it's a naming system. And the reason I think that's a significant clarification is because DNS provides not just a server-based answer, but an entire scheme for the way we might name resources on the Internet, to provide unique names globally and to also provide a way to find those resources globally. I mean, imagine, there are millions of devices on the Internet, and to be able to locate those resources and find their IP addresses, we need a comprehensive system that can do that. And that's where DNS steps in.

Now how does DNS actually accomplish that? Well, there are a couple of keywords I want to highlight for you. First off, this one right here: DNS is distributed. What that simply means is that DNS isn't a database stored in a single mainframe server. That would create a couple of problems, of course. We would have a single point of failure. If something were to go wrong, the entire globe would be affected. Another problem with that would be it would be a total bottleneck – a global bottleneck – because we would all be going to this one mainframe to find our IP addresses. Instead, it's a distributed naming system, meaning there are multiple DNS servers strategically positioned around the globe. These DNS servers each own a certain part of the information, so no one DNS server knows it all. Instead, the information is distributed and the servers are distributed.

So we have additional performance. We don't have bottlenecks – we don't have single points of failure. Well, that lends itself to another question. Well, if its information is spread out, how do we find each other? How does one DNS server find another? How do I actually find my IP address? Because how do I know where it's at? Well, that's the next keyword and that's hierarchical. All of those DNS – distributed DNS servers – have a relationship to each other. They are organized into a hierarchy. And that hierarchy governs who we are going to talk to and which DNS server has our information. DNS is more than just a server, it's a naming scheme. DNS is distributed and hierarchical in order to support the global Internet and all of the resources that we use the Internet for. So let's look into the details of DNS and how that hierarchy works.

So here's what we call the DNS tree. It's an inverted tree, so you can see that the root is at the top and then underneath that we have these other branches. We have a top level, then we have the second level here and then maybe other levels after that. Now when you're looking at this, I want you to understand that there are DNS servers positioned at each one of these branches. So we've got DNS servers everywhere here and they are related to each other in this hierarchy. The other thing I want to point out is this is not the complete tree. There's no .com, for example, or the country codes. So what you see here is just a small portion of the DNS tree. There are many, many other parts of the hierarchy, but they're all organized in a similar fashion. At the top, however, is always the root. There is one root in charge and overseeing this entire hierarchy. Now the way that this works is best understood with an example. So let's imagine for a moment that we're trying to go to web1.support.comptia.org. So what we need is the IP address, right. We need the IP address in order to get to this web server. So how do we accomplish that? Well, DNS is going to look that answer up for us. And how does DNS know who to talk to because there are so many DNS servers out there? Well, the way it works is a query is sent to the root and at the root there are 13 DNS servers or DNS server clusters. Now the root doesn't keep track of everything. Instead, the root just keeps track of the DNS servers below it.

So this is how the referral works. So when a query is received by the root, looking for something like web1.support.comptia.org, those root servers can say, "I don't know where web1 is; I don't know where support is; I don't know where CompTIA is; but I do know some DNS servers that might help you in .org, which is part of the name you're looking for." So then another query can be sent to the DNS servers who are in the org domain. And the DNS servers in the org domain will have a similar type of reply. They will say, "I don't know where web1 is, I don't know where support is, but I do know who is directly underneath me in my hierarchy. I do know the name and IP address of some DNS servers in CompTIA." So then we have a referral to the CompTIA DNS servers. So we're moving through this hierarchy using referral or iterative queries as they are called. Ultimately, we are going to find that we're in the support zone here. In that support zone, there is a DNS server who has the answer for us – who essentially has that page of the directory with that particular web1 reference and a record in there with an IP address. With that reference – with that IP address – we've finally got the answer we need in order to actually make a connection. Now this seems like a tedious process, but you have to consider the fact that the Internet is massive and that there are millions of resources that we have to keep track of. This hierarchy is essential in providing a way to store the information in a distributed fashion, but also retain it as a whole. So it's organized in part, right, the information is stored in part, and organized as a whole.
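To make the referral walk concrete, here is an added example (not part of the course) that models it in PowerShell. The zone data, server names and addresses are constructed for illustration, using RFC 5737 documentation ranges rather than real name servers; the function starts at the root and follows the longest matching delegation at each step, exactly the "I don't know web1, but I know who serves .org" pattern described above.

```powershell
# Added example, not from the course: a toy model of the iterative (referral)
# walk the lecture describes. The zone data is constructed; the addresses are
# RFC 5737 documentation ranges, not real name servers.
$Zones = @{
    '.'                   = @{ Server = '192.0.2.1';  Delegations = @{ 'org' = '192.0.2.10' } }
    'org'                 = @{ Server = '192.0.2.10'; Delegations = @{ 'comptia.org' = '192.0.2.20' } }
    'comptia.org'         = @{ Server = '192.0.2.20'; Delegations = @{ 'support.comptia.org' = '192.0.2.30' } }
    'support.comptia.org' = @{ Server = '192.0.2.30'; Records = @{ 'web1.support.comptia.org' = '198.51.100.7' } }
}

function Resolve-Iteratively {
    param([Parameter(Mandatory)][string]$Name, [int]$MaxHops = 10)
    $Name = $Name.TrimEnd('.').ToLowerInvariant()
    $zoneName = '.'                       # every lookup starts at the root
    $trail = New-Object System.Collections.Generic.List[string]
    for ($hop = 0; $hop -lt $MaxHops; $hop++) {
        $zone = $Zones[$zoneName]
        $trail.Add("$zoneName ($($zone.Server))")
        # Authoritative answer: this zone holds the record itself
        if ($zone.ContainsKey('Records') -and $zone.Records.ContainsKey($Name)) {
            return [pscustomobject]@{ Name = $Name; Address = $zone.Records[$Name]; Trail = $trail.ToArray() }
        }
        # Referral: pick the delegation that is the longest suffix of the queried name
        $next = $null
        if ($zone.ContainsKey('Delegations')) {
            $next = @($zone.Delegations.Keys |
                      Where-Object { $Name -eq $_ -or $Name.EndsWith(".$_") } |
                      Sort-Object Length -Descending)[0]
        }
        if (-not $next) { throw "No answer and no referral for '$Name' at zone '$zoneName'" }
        $zoneName = $next
    }
    throw "Gave up after $MaxHops referrals (possible delegation loop)"
}

# Walk root -> org -> comptia.org -> support.comptia.org, then read the A record
$answer = Resolve-Iteratively -Name 'web1.support.comptia.org'
$answer.Trail -join ' -> '
"{0} -> {1}" -f $answer.Name, $answer.Address
```

The hop limit matters in real resolvers too: a misconfigured or malicious delegation that refers back to itself would otherwise loop forever, which is why production resolvers cap referrals and cache negative results.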

How DNS Works

So let's look at this one more time, but this time from the perspective of Windows 10. What exactly happens when a Windows 10 device is trying to find an IP address? Well, let's walk through this with an example. We have this Windows 10 device looking for www.myweb.com – so let's use this as our example here. So what is the first thing that a Windows 10 device does? Well, the first thing it's going to do is it's going to check its local cache. Now this is an important piece to the performance and the optimization of all of this. So let me explain. If you have devices that are frequently accessing a resource in the same location, you don't want every packet requiring a query to DNS – it's way too much overhead. So what the Windows device will do is store the answer in cache – store it in memory – and it will be in there for a period of time until it no longer is using or referencing that entry. And then that entry times out, because there is a time to live associated with it. Once it times out, then the device will do a subsequent query if it needs to. The point of all of that is there is no need to actually ask DNS the same question over and over again. The expectation is that you're going to get the same answer. So store it in cache and that will improve the performance of that Windows 10 device, talking to, you know, the destination resource.

Now, if we're going to a resource we haven't been to recently or maybe never at all, then we're not going to find anything in cache. So that's when we need to actually talk to DNS. This is also important. A Windows 10 device has to be configured with the DNS server's address, it has to know who to talk to. So, if you are troubleshooting a networking problem on Windows 10, number two is one of the areas you want to explore. You want to ensure that your Windows 10 devices can successfully find DNS and query DNS and if they are not working and they are not responding, then you're going to experience all kinds of problems on the client, nothing is going to work. So number two occurs, the client sends its query to DNS. What happens after that? Well, the next thing that happens is the DNS server checks itself, it checks its own cache, it checks to see if it actually has a record for the resource that's being requested. So it checks to see if it has information about myweb.com. Now let's assume for a moment that this is our ISP and we're going out on the Internet. So it's very likely that this DNS server doesn't have a record and it's likely or possible anyway that it doesn't have any entry in its cache for that resource. Now, if it's a popular website – something like Facebook – then our ISP DNS server may likely have an answer here. And so that's going to speed up this process because it can fire back a response to requesting clients from its own cache.

So imagine with me that neither one of those provides an answer. So then, at this point, the local DNS server there – that ISP DNS server – is going to ask for some help. That's when it turns to the hierarchy and it starts querying the root servers and it starts querying the dot-com servers, until it finds a DNS server that has a record for www.myweb.com. Now once it completes that answer – once it asks the other DNS servers and it has an IP address – it can then finally respond to the client with an IP. When it responds to the client, the client is going to store that information into cache so that it can continue to use that IP address when building packets and responding to the web server and making additional subsequent requests. And then it's going to send its very first request and establish the connection with the web server, now that it has the IP address in hand – kind of like dialing that phone number and actually making the call. Now this looks like a lot of activity and a lot of things that have to go right in order to have a successful connection and the answer to that is yes. There is a lot going on. In fact, that's part of the magic of DNS, right. I mean when you start looking at the details behind this, it's really quite amazing. I go to a website and I type www.facebook.com and I just instantly get this page. What I don't often realize or remember is that there are a lot of pieces in place that really make the Internet happen for us. It's kind of like, when we look at this, looking at the trap door underneath the hat where the rabbit comes out, because this whole DNS environment – the distributed hierarchical nature of DNS – that really is part of the magic of the TCP/IP network.
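The resolution order covered earlier (cache, hosts file, configured DNS server, then LLMNR) and the cache-with-TTL behaviour described in this section can both be inspected on a Windows 10 device with the built-in DNS client cmdlets. The following is an added example, not course material: it takes one name (the lecture's www.myweb.com, an assumed placeholder) and reports what each stage of the client's resolution order currently holds, finishing with a check of whether the LLMNR fallback has been turned off by policy, which is a common hardening step because multicast name resolution answers can come from any host on the local segment.

```powershell
# Added example, not from the course: walk the Windows 10 name-resolution
# order for one name and report what each stage holds. Read-only; no elevation
# needed. $Name is an assumed placeholder taken from the lecture.
$Name = 'www.myweb.com'

'--- 1. Local resolver cache (TimeToLive = seconds left before a re-query) ---'
Get-DnsClientCache -Name $Name -ErrorAction SilentlyContinue |
    Select-Object Entry, RecordType, Data, TimeToLive, Status

'--- 2. hosts file (consulted before DNS; review it, it is a classic tampering target) ---'
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts | Where-Object { $_ -notmatch '^\s*#' -and $_ -match [regex]::Escape($Name) }

'--- 3. DNS servers this client is configured to ask, per interface ---'
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

'--- 4. Fresh answer from DNS only (bypasses cache and hosts file) ---'
Resolve-DnsName -Name $Name -Type A -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue |
    Select-Object Name, Type, TTL, IPAddress

'--- 5. Is the LLMNR fallback disabled by policy? (EnableMulticast = 0 turns it off) ---'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $policyKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($llmnr -eq 0) {
    'LLMNR: disabled by policy'
} else {
    'LLMNR: enabled (default) - the client will multicast on the local segment if DNS has no answer'
}
```

Run step 4 twice a few seconds apart and compare the TTL column in step 1 to watch the cached entry count down; `Clear-DnsClientCache` empties it so the next lookup goes to the server again, which is the usual first move when troubleshooting a stale answer.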

Configure Name Resolution

Now that you have some understanding of how DNS works, the next thing we want to look into is configuring DNS and configuring name resolution in Windows 10. Now in Windows 10 on the TCP/IP properties, there is a set of settings related specifically to DNS and name resolution. The most important settings are these right here, the DNS server settings. These settings are important because without them, our Windows 10 devices are not going to know who to talk to or who to send their queries to. If they don't know who to talk to or if there is a problem with those DNS servers, then all communication on the network is going to appear as if it's not working. E-mail won't work, Facebook won't work, right, nothing is going to work because we can't find the IP addresses of the resources we're trying to reach. So this is a critical part of our troubleshooting, it's also a critical configuration.

Now how do we get that DNS server IP address? Well, we can type them in manually. There is room for multiple DNS server addresses. We can also have those options delivered to the machine as part of its IP configuration from DHCP. So, if you have a DHCP server that is passing out IP addresses, in addition to passing out the IP addresses, it can also include advanced IP configuration – additional options as they're called. And DNS is going to be a common one that DHCP will deliver. So that way our Windows 10 devices have everything they need – they have the IP address; they have their mask; they would probably also have a router or a default gateway; and they know the location of their DNS servers. With those configuration settings – provided there is nothing wrong with the DNS servers and the other parts of our network – those Windows 10 devices will be able to communicate on the Internet or on our network.

Now there are some other DNS server configuration settings here. There are these suffix settings here and then there is this setting here referencing DNS registration. Those are settings that can become useful for us in certain circumstances. Let me describe these a little bit and then we'll look at a demo. First off, the primary suffix is really the domain name, kind of the last name of the device. So, if my computer is called computer 1, then it will have a primary suffix that usually matches my organization's domain name. So, if my domain is brocadero, then my computer's fully qualified domain name would include its primary suffix and it would be computer1.brocadero.com or whatever. Then I can have connection suffixes and that's useful if I have a complex environment where I have multiple identities and I have resources in different identities. And so that can help improve the device's attempt to locate resources under those identities. In particular, it helps with what is called single-label name resolution. Let me say that again, it helps with single-label name resolution. Single-label name resolution is kind of a fancy phrase for when we don't know the last name and we're just referring to a resource by its first name. So, if I have a computer that is trying to find another computer like computer 10 or something, it doesn't know necessarily what its last name is, so it will append its suffixes to its query and ask DNS. So, if my computer is brocadero.com, then when it looks for computer 10, it will simply say, "Hey, DNS, do you know computer10.brocadero.com?" Assuming that computer 10 is in the same organization, that will work. But, if computer 10 is in a different organization or has a different identity, then that will fail.

So, if we are in a complex environment – where we have multiple identities – we can add these additional suffixes right here. So then, my device will send multiple queries. It will ask, "Do you know computer10.brocadero.com?" And then any other suffix it has, it will append those and send queries for those as well – do you know computer10.earthfarm.org? Do you know computer10.easynomadtravel.com or what have you? Okay, so these suffixes here are where I have a complex environment with multiple identities and I can configure these on my Internet properties. So these are several important settings related to DNS and name resolution configuration. Don't forget my friends, the most important one is the first one and that's the DNS server settings.
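Here is an added example (not part of the course) showing how the settings just described are applied from PowerShell on a Windows 10 device: the DNS server addresses, the connection-specific suffix and DNS registration flag for one adapter, and the global suffix search list. The interface alias, the server addresses (RFC 5737 documentation range) and the suffixes are assumed placeholders borrowed from the lecture. The small `Expand-SingleLabel` function is a simplified model of the suffix appending described above, added here to show what "computer10" becomes before it leaves the machine; the real client's rules also depend on dot counts and devolution settings, so treat it as an illustration rather than the exact algorithm.

```powershell
# Added example, not from the course: apply the DNS client settings the lecture
# describes and show how a single-label query gets expanded. Run elevated.
# Interface alias, server addresses and suffixes are placeholders.
$Iface   = 'Ethernet'
$Servers = '192.0.2.53', '192.0.2.54'                              # documentation-range placeholders
$Search  = 'brocadero.com', 'earthfarm.org', 'easynomadtravel.com'  # suffix search list

# 1. DNS server addresses: the setting everything else depends on
Set-DnsClientServerAddress -InterfaceAlias $Iface -ServerAddresses $Servers

# 2. Connection-specific suffix for this adapter, plus the "register this
#    connection's address in DNS" setting the lecture points at
Set-DnsClient -InterfaceAlias $Iface -ConnectionSpecificSuffix $Search[0] -RegisterThisConnectionsAddress $true

# 3. Global suffix search list used for single-label names
Set-DnsClientGlobalSetting -SuffixSearchList $Search

# 4. Simplified model of suffix appending for a single-label name
function Expand-SingleLabel {
    param([Parameter(Mandatory)][string]$Label, [string[]]$SuffixList)
    if ($Label -match '\.') { return @($Label) }      # already has a "last name": query as-is
    foreach ($suffix in $SuffixList) { "$Label.$suffix" }
}
$effectiveList = (Get-DnsClientGlobalSetting).SuffixSearchList
Expand-SingleLabel -Label 'computer10' -SuffixList $effectiveList
# -> computer10.brocadero.com, computer10.earthfarm.org, computer10.easynomadtravel.com

# 5. Confirm what took effect and try the single-label lookup for real
Get-DnsClientServerAddress -InterfaceAlias $Iface -AddressFamily IPv4 | Select-Object InterfaceAlias, ServerAddresses
Get-DnsClient -InterfaceAlias $Iface | Select-Object InterfaceAlias, ConnectionSpecificSuffix, RegisterThisConnectionsAddress
Resolve-DnsName -Name 'computer10' -Type A -ErrorAction SilentlyContinue | Select-Object Name, IPAddress
```

Keep the search list short and limited to domains you control: every suffix on it is a name the client will happily try, so a stray or untrusted entry means a single-label lookup can be answered by a zone you do not administer.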

Overview of Remote Connections

Today, it's not unusual to do work from home or a cafe or a hotel. In fact, that's kind of becoming the norm. And so we want to talk about the different types of remote connections and remote connection technologies in Windows 10 that enable me and you to get our work done, no matter where we are. Now let's look at the different remote access technologies in the networking stack of Windows 10. For starters, let's talk about what is available for me in the network access category. Here, of course, we have to have a physical connection and that physical connection is going to be, you know, probably an Ethernet LAN connection; could be a wireless connection; could be a mobile broadband connection; probably is a wireless connection. And in order to actually access corporate data and corporate applications and to do that securely, then what I'm going to need to use is some sort of technology to encapsulate my traffic to make sure it stays authenticated and to make sure it's not tampered with. And so in order to achieve that, I can use encapsulating and secure VPN connections.

I can also use DirectAccess, which is kind of like a VPN only I don't have to actually do the initiation part – initialization part would be a better way of saying it. So I don't, as a user, have to actually provision the VPN connection. Instead, it automatically connects for me. The thing with DirectAccess is it requires my machines to be members of the domain and running an Enterprise edition. So that brings us to another option in Windows 10 and that's Workplace Join. And Workplace Join is really kind of a bring your own device option. So I can actually connect to corporate data and corporate applications through a Workplace Join infrastructure and do that even from my own personal device. And, in fact, one of the things that's interesting about Workplace Join is it doesn't necessarily require a Windows device. I can even do it from a non-Microsoft machine. Alright, so those are some examples of remote access connections at the Network Access Layer.

So the next thing we're going to look at is a remote access connection option in client and services and that's really remote desktop. Now remote desktop is something that's been around for a long time but it's equally another option to access corporate data, corporate applications, even a virtual desktop from a Windows 10 device or from another device to a Windows 10 device. Now there are, of course, third-party options – those third-party options are popular and certainly something we can turn to. But our focus here is going to be on Windows 10 technologies. So here is kind of a topological view – the different scenarios that we've been describing. So down here, we have our user device and this could be, of course, a Windows 10 device because it supports all of these different technology scenarios or connection scenarios. So, for instance, we have our RDS gateway right here for a Remote Desktop Connection. Then here we have a remote access server. And this can, of course, be an appliance as well and I can connect using VPN. Or if it's a Windows server, I can potentially develop and enable a DirectAccess infrastructure. And so I could connect automatically. That's the great thing about DirectAccess. And then alternatively, over here, I can connect to my application using Workplace Join and a Web Application Proxy server. Now one of the things you should be aware of is that in each of these cases – in all three of these different scenarios – if I'm using a Windows solution and, you know, even if I'm not, there is going to be a required infrastructure. So the type of connection that I'm going to actually configure for my Windows 10 users or enable on my own Windows 10 device is going to be very dependent on what I have available to me and what my business needs are.

Configure Remote Desktop Connections

Now what I want to do is drill into Remote Desktop Connections. Let's start with this question, what is remote desktop? Remote desktop has been around for a while. If you have been around for a while like me, you might remember Terminal Services and this is essentially Terminal Services only for modern computing. Remote desktop is dependent on RDP protocols and essentially what it allows me to do is it allows me to connect to an RDP service as if I'm sitting right in front of that device. It's called remote desktop because what I am doing is providing my input – the mouse clicks, the keyboard input. Those are being sent over the network with the RDP protocol and then they're being processed and received by the RDP service, who then turns around and sends back to me screenshots of what the desktop would look like. And so that's why they call it remote desktop. And as I said earlier, just as if I am actually interacting with this device locally, instead though I am doing it across the network.

Now here is a little bit about the Remote Desktop Protocol, a couple of key points. RDP has been around for a long time and it's key to actually transporting those images and those inputs. A key thing to know about it is that it uses port 3389 by default and that could have implications in terms of configuring your firewalls and making sure that it's supported. So, if I have a Windows 10 device and I have enabled Remote Desktop Services and I'm having trouble connecting to it, it might be because I don't have that port open or available. Now another concern with remote desktop is security, but this is another area that Microsoft continues to invest in. Remote desktop is very popular and so security, of course, is a concern. And so, by default, our transmissions are encrypted and Windows 10 supports Network Level Authentication, which is an enhancement that Microsoft brought along to RDP years ago. And what it simply means is instead of authenticating to the end device after the Remote Desktop Connection is completed, it's part of the initial connection, and I have to provide some authentication and some credentials before I am even given my first screen image.
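The two settings called out above, the listening port and Network Level Authentication, can be audited on a Windows 10 host without touching the GUI. The following is an added example, not course material: it reads the Terminal Server registry values that back the Remote Desktop settings, checks that the Windows Firewall "Remote Desktop" rule group is enabled, warns when RDP is on without NLA, and then runs the same reachability test you would use when a client cannot connect. The host name at the end is an assumed placeholder for a machine you administer.

```powershell
# Added example, not from the course: audit the Remote Desktop settings the
# lecture calls out on a Windows 10 host. Read-only; run elevated so the
# firewall query returns all rules. The remote host name is a placeholder.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections: 0 = Remote Desktop enabled, 1 = disabled
$rdpEnabled  = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
# UserAuthentication: 1 = Network Level Authentication required before a session is created
$nlaRequired = (Get-ItemProperty -Path $tcpKey -Name UserAuthentication).UserAuthentication -eq 1
# PortNumber: the listener port, 3389 unless someone changed it
$port        = (Get-ItemProperty -Path $tcpKey -Name PortNumber).PortNumber

$fwRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' })

[pscustomobject]@{
    RemoteDesktopEnabled = $rdpEnabled
    NLARequired          = $nlaRequired
    ListenerPort         = $port
    FirewallRuleEnabled  = $fwRules.Count -gt 0
}

# Defender's check: RDP exposed without NLA means unauthenticated clients reach the logon screen
if ($rdpEnabled -and -not $nlaRequired) {
    Write-Warning 'Remote Desktop is enabled without Network Level Authentication; require NLA.'
}

# Client-side reachability test for the troubleshooting case in the lecture
# (replace with a host you administer)
Test-NetConnection -ComputerName 'rdp-host.example.internal' -Port $port |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If `TcpTestSucceeded` is false while the host reports RDP enabled and the rule group on, the block is somewhere between the two machines (a network firewall or a non-default port), which narrows the search considerably.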

So here is a look at different RDP scenarios, and it describes for me why I would use remote desktop and there are a couple of big ones right here. First off, we've got administration. Now administration is one of the primary reasons I like to use remote desktop because it allows me to remote into my servers and be able to perform administration on my servers remotely. I don't actually have to install any additional client over here, instead I can use remote desktop and interact with it as if I am directly connected to it. Now that all assumes, of course, that the server has a graphical environment that I can remote into or if it has an environment that I want to issue commands to directly. So there are other ways I can remotely administer the server – RDP is just one of many.

Then there is client access and this is another reason why I like to use RDP. RDP allows me to connect to my own desktop remotely. So, if there is an application or if I am working on a project and there are some files I need to have access to, then what I can do is I can remote into my desktop where I've been doing that work in my office and be able to access that from my laptop when I am on the road. Now those are two common scenarios, but there are more. For instance, one of the reasons why organizations adopt remote desktop as a primary way to remote in and access data and corporate applications is because of the value or the ability to do that from the cloud. I can actually move my applications up into the cloud, run them in a remote desktop infrastructure, and rely on a service called Azure RemoteApp to actually deliver applications to clients. And it appears to the client as if the application is locally installed, but all the actual hard work and processing is done up here in my remote desktop environment. Now this is actually an iteration or kind of an evolution of RemoteApp. RemoteApp works with RDP and it basically does the same thing I described, only RemoteApp is something that you can actually implement in your own organization and in your own data center. So whether you're implementing RemoteApp in your data center or you're implementing it with Azure RemoteApp, one of the benefits is that clients can access that application. And this is useful if you have compatibility issues, you have a line of business application that just can't be installed locally – the agent isn't supported for some reason on Windows 10 – and it's an application that your business is dependent on. It's an important mission-based application.

So by putting the application on a platform that is supported, maybe Windows Server 2003 or something like that – hopefully not, right. So you're able to actually run it in an environment where it is supported and then you can actually essentially present that application to your clients remotely. Now another way in which you can present applications is using Virtual Desktop Infrastructure or VDI. VDI simply means that I am essentially taking a client environment. I am going to run it in a virtual machine and I am going to present that over the network as if that person is in front of it, but in reality it's not a physical remote client, it's a virtual machine. So it's similar to this scenario right here, only, instead of running on a physical machine, we are accessing Windows 10 in a virtual machine over here. Now the benefit of that is also application access. So we might have some devices that aren't quite ready for Windows 10 or they have limited functionality. And so we might want to run an application that is specifically designed for a certain edition of Windows. And in order to grant them access to that Windows application and that Windows desktop, we can put them and encapsulate them here on a virtual machine and then the user can access it from over the network. And, in many cases, with the situation here on the right, whether it's RemoteApp or VDI, the user might actually be accessing this application from a noncorporately managed device – it might be their own device that's simply configured to access their application in these other locations. So this is kind of a tour of the different kinds of remote desktop scenarios that RDP can participate in and that Windows 10 can participate in.

VPN Components

Alright, the next thing I want to talk about is VPN. Let's have a look at the VPN components and the technology that Windows 10 supports in order to provide VPN connections. Now I recognize here that many of you use a VPN on a daily basis like me. And often our VPN solution isn't a Microsoft solution, we are using something like Juniper or Cisco or something like that. Nevertheless, Windows 10 has built-in support for VPN, so let's have a look at it. Now for starters, let's define what a VPN is and if you are like me, this is something you're already familiar with because you use it on a regular basis. But, if you are new to this or if it's been a while, a VPN provides secure access – confidential access – to a corporate location, a corporate network and it does that over a public network. Now the reason why confidential access and secure access is so important is because, well, we are traversing this public network here. And the Internet is the most common and most popular public network and we all know that's the wild, wild west when it comes to security. So, if I am accessing that project, well, I want to make sure that project is protected because it's intellectual property. So the way that works is a VPN provides for me an encapsulated connection – a tunneled connection. So all of my requests are encrypted and protected. And, of course, the corporation over here, they want to make sure I'm who I say I am. So I'm going to authenticate as well.

Now in order to set up that connection, there are several components in place. And these are generally considered VPN protocols, but there's not just one or two protocols, there are several. For instance, down here, we have tunneling protocols. Tunneling protocols provision that endpoint – that indirect connection to the corporate remote access server. Then, I want to make sure I am who I say I am. Well, I know who I am, right, the corporation wants to know who I am. Anyway, I need to authenticate, right, so I need to provide my credentials, whoever I am. And then we've got encryption as well. So not only are they concerned with making sure I am who I say I am – and I'm concerned with that too – but I'm also concerned with making sure that all of my traffic is protected from prying eyes and can't be modified in any way and hijacked with man-in-the-middle type of attacks. So that's where these encryption protocols come in.

So one of the important components to any VPN connection is ensuring that I'm using compatible protocols – protocols basically that the organization has configured over here. Now this requires a VPN client. The VPN client is configured with these protocols and the necessary credential settings so that I can enable this connection, provision this tunnel and, of course, be able to actually establish that secure connection. And so, on the client side, we need to install a VPN client with the necessary information. Now that can be deployed to this client in a variety of ways. In Windows 10, there is a wizard where you can manually set it up, or you can have that VPN client setting or profile settings actually issued to this device – issued to your Windows 10 machines, either from a mobile device management system or a script – or maybe you're not using the built-in VPN client in Windows at all. So then you would distribute your own client with the necessary settings. Now a couple of comments about the other side of this. Over here, on the corporate side of this – of course – we have to have a remote access server, an endpoint that's going to host the connections. The infrastructure over here can vary in complexity depending on the number of connections we're supporting and how we want to perform our authentication, perhaps even where our applications are stored. So the typical and simpler approach is we're going to be connecting to a remote access endpoint – perhaps a remote access server installed on Windows Server, but perhaps not. And I am going to authenticate with domain credentials, so typically you are authenticating with Active Directory. Nevertheless, there is an infrastructure piece over here and Windows 10 is going to participate in that in that it has a built-in client that supports all of the necessary protocols.

Configure VPN Settings

So let's have a look now at some of the VPN settings we can configure in Windows 10. Now, in Windows 10, you might see a property page like this where I can configure the big three protocols, the tunneling protocols, the encryption protocols, and the authentication protocols. And, of course, this is a space that we don't want our typical end user to be in, so we're going to configure these protocols and help them connect to VPN by using maybe a policy or installing it or maybe a script. But, if I have to go in and support them or if I have to configure it manually, then I could come into the properties page like this and I can make configuration changes to any one of these three different protocols. All three configuration settings – each one of these – are required in order to set up the VPN connection and of course they need to support what we're using on the remote access point or remote access server – they need to be compatible is what I'm saying.

Now here is a look at some of the protocols available to us. Now the ones on the far left-hand side like PPTP for instance, these are aging protocols and even though we might need to use them, we don't want to use them because they're not as secure as some of the newer protocols. So over here, we've got support for SSTP. So you can configure SSTP in Windows 10 and this is a great protocol in that it is far more friendly in regards to firewalls and traversing NAT devices. It also has a great deal of support for different types of authentication protocols, including smart cards as well as MS-CHAPv2.

Another option for us in Windows 10 is IKEv2 and IKEv2 has this feature in it called mobility IKE or you might say VPN Reconnect. And what is nice about IKEv2 is the fact that you can actually reconnect or resume a session without the user having to, you know, initiate the connection. So imagine a user on a train goes into a tunnel and loses their VPN connection; when they come out of the other end of the tunnel, if it was one of these other types of VPN connections, they would have to actually reconnect. But with IKEv2, the session automatically reconnects. Now the downside to IKEv2 is that it requires that the machines have certificates. So that adds an additional burden in distributing certificates to my Windows 10 devices. But then the payoff is, of course, that I have the benefit of supporting VPN Reconnect. So this is a quick look at some of the protocols that I might use on my Windows 10 machine. Now here is an additional visual on what VPN Reconnect is all about. Remember, it's about being able to actually move from hotspot to hotspot and maintain your VPN connection – thanks to IKEv2 and MOBIKE. One key point that this slide brings out here is we don't have support for hibernation and VPN Reconnect at the same time.

Now another important development in terms of VPN technology in Windows 10 is VPN automatic triggering, that is where you actually launch an application and that application is preconfigured to initiate a VPN connection. This means you can narrow the circumstances in which a VPN is actually used. This is just another improvement in terms of giving the user a better experience, but also increasing security. Now a couple of key points about the way that this works: it requires that the apps that you need to provide an automatic trigger for be included in your VPN profile and the VPN configuration. It also requires split tunneling. And that just makes sense, right, if we're going to set it up so that only selected apps will initiate a VPN connection and only these apps can use the VPN connection, well, everything else needs to use a different connection and that's called a split tunnel. So that's going to be required. And then, we don't have support here for domain-joined devices and that's really not necessary either.

So we are using domain-user credentials on a device that connects to corporate data, but the device itself is not domain joined. If you do have a domain-joined device, you can still use traditional VPN without automatic triggering, or you can use DirectAccess, and in either case a domain-joined device gives us additional channels of management. One of the things that is beneficial about automatic triggering is that only selected applications get through. The assumption is that this device may not even be owned by the organization, so we want to narrow how many applications, what type of applications, and what data are connected to our corporate network. When the device is domain joined, we have other things, like Group Policy and DirectAccess, to control what it is able to do. So VPN automatic triggering is an exciting development in Windows 10 that enables additional experiences for users. They do not have to go through the hassle of setting up a VPN connection: they click the corporate application, the corporate connection is provisioned for them immediately, they do their work, and we have increased security because other applications are not allowed to use that connection.
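Here is the client-side configuration the last two topics describe, as an added example written for this page (it is not code from the course): an IKEv2 profile that gets VPN Reconnect, split tunneling, and app- and name-based triggers, with the domain-join restriction checked up front. The server name, DNS suffix, DNS server address and application path are placeholders for your environment, and the Set-VpnConnectionIPsecConfiguration step assumes a Windows 10 build that has that cmdlet.

```powershell
# Added example (not from the course): build an IKEv2 VPN profile on a Windows 10 client
# that uses VPN Reconnect (MOBIKE) and app-triggered connection with split tunneling.
# Assumptions: the server name, DNS suffix, DNS server address and application path
# below are placeholders for your environment. Run in an elevated PowerShell session.

$ConnectionName = 'Contoso VPN'
$VpnServer      = 'vpn.contoso.example'                           # assumption: your RRAS / IKEv2 endpoint
$CorpSuffix     = 'corp.contoso.example'                          # assumption: internal DNS suffix
$CorpDns        = '10.0.0.10'                                     # assumption: internal DNS server
$TriggerApps    = @('C:\Program Files\Contoso\ExpenseClient.exe') # assumption: desktop app that should trigger the VPN

# App-triggered VPN is not supported on domain-joined devices, so refuse early.
if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    throw 'This device is domain joined; app-triggered VPN is not supported here.'
}

# Idempotent: remove any previous profile with the same name.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}

# IKEv2 with machine-certificate authentication is what makes VPN Reconnect work.
# -SplitTunneling is mandatory for trigger rules; only corporate routes and names use the tunnel.
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $VpnServer `
                  -TunnelType Ikev2 `
                  -AuthenticationMethod MachineCertificate `
                  -EncryptionLevel Required `
                  -SplitTunneling `
                  -RememberCredential `
                  -Force

# The Windows IKEv2 defaults negotiate weak proposals (3DES / SHA-1 / DH group 2).
# Pin a modern suite; the VPN server must be configured to accept the same proposal.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -CipherTransformConstants GCMAES256 `
    -AuthenticationTransformConstants GCMAES256 `
    -Force

# Trigger 1: launching the listed application brings the tunnel up.
Add-VpnConnectionTriggerApplication -ConnectionName $ConnectionName -ApplicationID $TriggerApps -Force

# Trigger 2: resolving a corporate name brings the tunnel up, and those names go to the corporate DNS server.
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName $ConnectionName -DnsSuffix $CorpSuffix -DnsIPAddress $CorpDns -Force

# Do not trigger when already on the corporate LAN (connection-specific DNS suffix matches).
Add-VpnConnectionTriggerTrustedNetwork -ConnectionName $ConnectionName -DnsSuffix $CorpSuffix -Force

# Verify what was stored.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
Get-VpnConnectionTrigger -ConnectionName $ConnectionName
```

Two practical notes. The trigger cmdlets refuse a profile without -SplitTunneling, which is the constraint the course calls out; and pinning the IPsec proposal matters because a client left on the defaults will happily negotiate 3DES and SHA-1 with a server that allows them.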


DirectAccess Overview

Learning Objective

After completing this topic, you should be able to

1.

Alright, one of my favorite technologies is DirectAccess. So let's look at how Windows 10 can connect to a corporate environment without a VPN. Now what is wrong with a traditional VPN anyway? It lets our devices connect from anywhere and do so securely. Well, there are a couple of issues with it. First, user friction: oftentimes the user has to go in and set up the VPN connection themselves, and if they are like me, they avoid it. How many of you have users who simply don't like setting up the VPN connection? So we go through a lot of effort to make the connection start automatically for them. Nevertheless, if users have to have anything to do with it, they would rather not; it is just too complex for them. Now when devices are not using the VPN, or are not connecting over it frequently, what you end up with is configuration drift. The device pulls further and further away from its corporate orbit: it is not getting the latest virus definitions, or it missed the policies that were put in place last month because it hasn't connected for a month. So we are concerned about configuration drift and compliance drift. The other downside to the VPN is that it is all-or-nothing access. When users connect to the VPN, they are on the corporate network, and that means remotely they have access to any other resource within it. There are other ways to filter, control, and shepherd that traffic, but with a traditional VPN it is an all-or-nothing connection.


What Is DirectAccess

Learning Objective

After completing this topic, you should be able to

1.

DirectAccess to the rescue. What exactly is DirectAccess? DirectAccess provides seamless, protected, and managed connections that don't require user interaction, and it prevents devices from drifting too far away from management. Let me give you some specific features. First, it's seamless: it's transparent to the user, it's always on, and there is no VPN connection for anyone to set up. It's VPN-like, but automatic. Another key benefit is that it's protected: we are using secure, authenticated tunnels built on IPsec, so you know it's solid. Then we've got managed. Because the connection is always on, remote management is available to us. So we don't have an issue with devices falling out of orbit or drifting away from management, because we can provision them, connect to them, and apply policies to them while they are connected. The other benefit is that we are not installing an additional agent or client, and it doesn't require the user to initiate any other connections. Now that doesn't mean there aren't drawbacks, but so far you can look at this and say, "Hey, this is superior in many ways to the traditional VPN connection."

Alright, here is a look at the two types of DirectAccess connections that are supported: end-to-edge and end-to-end. Now end-to-edge is very similar to your VPN type of connection: the DirectAccess client connects to the DirectAccess server, and that leg of the journey is protected, encrypted, and inside an IPsec tunnel. From the server on, access to the application travels across the internal network outside the DirectAccess tunnel, just as if the device were plugged into its docking station or the person were there locally. End-to-end is a little different in that the IPsec tunnel doesn't stop at the DirectAccess server; the protection is extended across the intranet to the application server itself. That provides additional security. Of course, it also requires that the application server can participate in that IPsec tunnel, and there is a bit more administration required to extend it that far.

Now here are the drawbacks of DirectAccess, and they are the requirements. The good news is that in the latest releases of Windows Server, 2012 and beyond, the DirectAccess requirements have been relaxed. Nevertheless, there are still some important ones. First, domain membership. These days, not every device used to connect to corporate data and do work is a domain member. The device might belong to the worker in a BYOD scenario, and in that case DirectAccess isn't an option. One way around that is Windows To Go: you can issue a Windows To Go flash drive carrying a domain-joined image with DirectAccess configured, and provide DirectAccess connections to those workers that way.

It is a Windows-only technology, so we are not supporting iPads and Androids, and on top of that it requires Enterprise Edition. Next, you need an IPv6-compatible infrastructure. Now that does not mean you must already be running IPv6, and that's a good thing. IPv6 is something you should seriously consider migrating to, or at least supporting, if you haven't already, but DirectAccess also has rich transition technologies (6to4, Teredo and IP-HTTPS on the Internet side, NAT64/DNS64 on the inside) that ease the challenge of adopting it. So if you're not quite there yet, it doesn't necessarily mean you can't do DirectAccess; look at the transition technologies and you may find you can deploy it sooner rather than later. And then the DirectAccess servers themselves must be Windows Servers. This is a Microsoft Windows Server solution with a built-in client in Windows 10 Enterprise Edition; it also supports Windows 7 Enterprise and Windows 8 Enterprise, but it is not something you are going to provide with a network appliance.

Now there might be other requirements depending on the style of DirectAccess you're implementing, for instance Network Load Balancing or geographic, multisite DirectAccess. By that I mean DirectAccess can now be configured so that clients connect to the nearest DirectAccess server. If you're an international company, or even a national one covering a large region like North America, you can set it up so that clients automatically connect to the entry point for the region they're in. That may have specific additional infrastructure requirements. So this list might get a little longer depending on what kind of DirectAccess you're doing.

So let's talk a little about how DirectAccess works, and I find this fascinating. Remember, DirectAccess is an always-on connection. Well, that's not entirely true. By always on, we mean it's always on when the client is out on the Internet or on a remote network. When the client comes home, boards the mother ship, comes to the corporate campus and plugs into the network through an RJ-45 jack or connects to the corporate Wi-Fi, it's on the inside of the firewall. In that case DirectAccess isn't needed, and so DirectAccess doesn't invoke. You know why? Because when the device is inside the corporate network, it looks for this guy called the network location server. That's this guy right here.

The network location server, the way I like to think of it, is like a lighthouse. If your ship is at sea and you see a lighthouse, that tells you something: you're near a shore. That's exactly what the network location server does for any DirectAccess device that is inside the corporate network rather than out on the Internet. If the device can find and see the network location server, it doesn't need to invoke the DirectAccess tunnels. However, if it fails to see the network location server, it immediately begins to establish those DirectAccess connections. And that's when these things start kicking off.

At that point the DirectAccess profile is triggered and the Name Resolution Policy Table (NRPT) is consulted. The NRPT is about corporate names, corporate resources like brocadero.com or whatever: it tells the client that any query for a corporate name goes through the DirectAccess tunnel to the corporate DNS server. That's all it means. Then the IPsec tunnels are negotiated and set up, and DirectAccess is automatically enabled. So if the client can't find the lighthouse, a client configured for DirectAccess immediately sets up a DirectAccess connection and all of the other supporting components come into play. Now, DirectAccess split tunnels by default, which means when the user is browsing the Web, checking Facebook and all of that, none of it goes through the DirectAccess tunnel, because it doesn't need to. However, whenever that client needs to access a corporate resource, the Name Resolution Policy Table says, "Oh, I recognize that resource. It's using a corporate name and it needs to go through the DirectAccess tunnel." So just that traffic goes through the tunnel. Alright, so that's how DirectAccess works on Windows 10.
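The decision path just described (probe the NLS, consult the NRPT, bring up the IPsec tunnels) can be checked on the client with the cmdlets Windows ships for each piece. The following is an added example written for this page, not code from the course. It assumes it is run in an elevated PowerShell session on a Windows 10 Enterprise client that has already received the DirectAccess client Group Policy; it hard-codes no names and reads everything from the policy the domain applied.

```powershell
# Added example (not from the course): verify the DirectAccess client decision path.
# Assumption: Windows 10 Enterprise, DirectAccess client GPO applied, elevated session.

function Test-DirectAccessClient {
    # 1. The "lighthouse": the Network Location Server URL arrives with the NCSI policy.
    $ncsi   = Get-NCSIPolicyConfiguration
    $nlsUrl = $ncsi.DomainLocationDeterminationUrl
    if (-not $nlsUrl) {
        throw 'No NLS URL in policy; is this client in the DirectAccess client security group?'
    }

    # The NLS probe is an HTTPS request. It must succeed only from inside the corporate
    # network; the NRPT carries an exemption so the NLS name is never resolved over the tunnel.
    $insideCorp = $false
    try {
        $r = Invoke-WebRequest -Uri $nlsUrl -UseBasicParsing -TimeoutSec 5
        $insideCorp = ($r.StatusCode -eq 200)
    } catch {
        $insideCorp = $false
    }

    # 2. The Name Resolution Policy Table: namespaces whose queries go through the tunnel
    #    to the DirectAccess DNS server (everything else resolves and routes normally).
    $nrpt = Get-DnsClientNrptPolicy |
        Where-Object { $_.DirectAccessEnabled } |
        Select-Object Namespace, DirectAccessDnsServers, DirectAccessQueryIPsecRequired

    # 3. What the DirectAccess client concluded, and whether IPsec tunnels are actually up.
    $status = Get-DAConnectionStatus
    $mmSa   = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        NlsUrl           = $nlsUrl
        NlsReachable     = $insideCorp
        ExpectedMode     = if ($insideCorp) { 'Local (no DA tunnel)' } else { 'Remote (DA tunnels)' }
        DaStatus         = $status.Status
        DaSubstatus      = $status.Substatus
        IPsecMainModeSAs = $mmSa.Count
        NrptDaNamespaces = ($nrpt.Namespace -join ', ')
        NrptDaDnsServers = (($nrpt.DirectAccessDnsServers | Select-Object -Unique) -join ', ')
    }
}

Test-DirectAccessClient | Format-List
```

Two things this check makes visible. If NlsReachable is true while the client is on the Internet, the NLS has been exposed externally and every client that can reach it will decide it is "inside" and never build a tunnel, so that URL must only answer from the corporate network. Conversely, if the NLS is down inside the campus, clients on the LAN will report Remote and try to tunnel to themselves; that is the classic symptom of an NLS outage.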


Workplace Join Explained

Learning Objective

After completing this topic, you should be able to

1.

Alright my friends, it's time now to talk about Workplace Join, which is yet another remote access technology that Windows 10 supports. What exactly is Workplace Join? Well, let me explain. Workplace Join is really a response to our present-day reality, which is an explosion of devices. We all have them: our phones, our tablets, our laptops, and we want to do work from them. Some of these devices are corporate owned, but a lot of them are personally owned, and we like the convenience of doing any kind of work from any type of device. So Workplace Join is Microsoft's response, providing users secure access to corporate applications from personally owned devices, or even from devices that are not Windows at all. There is support with this technology for Apple and Android devices as well, not just Windows 10.

So how does it actually work? Here are some important details. Workplace Join allows users to connect from any device with SSO. Now what does SSO stand for? Single Sign-On. So another important part of Workplace Join is the experience the user has. It's so annoying having to log in, and then log in again, and log in again. Why can't I just open that file? Single Sign-On takes the pain out of that: we authenticate the user once, store those credentials securely, and can require two-factor authentication for a greater degree of confidence. In fact, the device itself can be used as one of the factors. So two-factor authentication here means one factor is the user's domain credentials and the other factor is the registered device, and that device, whether a Windows 10 device or another device that has been workplace joined, is then recognized by our identity services. Now, as I already mentioned, one of the important features is that we don't need domain membership. We use domain-user credentials, but the devices themselves don't need to be members of the domain. Another important point is conditional access, which builds on that device factor: we can restrict applications to workplace-joined devices and control the conditions under which we permit access. And finally, this also supports MDM, which means we can implement mobile device management policies with the help of Workplace Join.


Enable Workplace Join

Learning Objective

After completing this topic, you should be able to

1.

So the next thing I want to talk about and show you is how to enable Workplace Join. Let's look at the requirements for starters. The requirements for Workplace Join include domain-user credentials because, of course, we need to authenticate the user. But the connection itself is hosted and processed by a Web Application Proxy server. This is a reverse proxy server that we configure for Workplace Join, and the connection is secured because we have a trusted SSL certificate installed on the Web Application Proxy server. Here's what is interesting: the WAP server doesn't actually perform the authentication. It has a trust with a federation server. Now the Web Application Proxy server has to be at least Windows Server 2012 R2; this is a relatively new technology, so we can't use 2008 or plain 2012. And we have to configure it with Federation Services: WAP requires an AD FS server. Not only that, but in order to support two-factor authentication we want to enable one more thing on the federation server. There is a little check mark in there called device registration. That is what supports the additional device-based authentication factor and helps us with the Single Sign-On experience. So these are the requirements behind Workplace Join.
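The steps that satisfy those requirements on the server side, on Windows Server 2012 R2, look like this. This is an added example written for this page, not code from the course: the federation service name, certificate thumbprint, service account, UPN suffix and application URLs are placeholders, and each section is meant to be run on the server named in its comment rather than as one script.

```powershell
# Added example (not from the course): enable Workplace Join on Windows Server 2012 R2.
# Assumptions: AD FS is already installed as a farm; the same trusted SSL certificate is
# installed on the AD FS and WAP servers; names below are placeholders for your environment.

$FederationService = 'adfs.contoso.example'        # assumption: external AD FS name
$CertThumbprint    = 'PUT-SSL-CERT-THUMBPRINT-HERE' # assumption: trusted SSL cert thumbprint
$ServiceAccount    = 'CONTOSO\svc-adfs'            # assumption: AD FS service account
$UpnSuffix         = 'contoso.example'             # assumption: users' UPN suffix

# --- On the AD FS server ---
# Prepare Active Directory for the Device Registration Service.
Initialize-ADDeviceRegistration -ServiceAccountName $ServiceAccount
# The "device registration" check mark: turn on the DRS endpoint on this farm.
Enable-AdfsDeviceRegistration
# Let a registered device count as an authentication factor alongside the user's credentials.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true
# Clients locate the DRS through a well-known name under each UPN suffix; confirm it resolves.
Resolve-DnsName -Name "enterpriseregistration.$UpnSuffix" -Type CNAME

# --- On the Web Application Proxy server (perimeter network) ---
# Establish the trust with the federation server; WAP does not authenticate users itself.
Install-WebApplicationProxy -CertificateThumbprint $CertThumbprint `
                            -FederationServiceName $FederationService `
                            -FederationServiceTrustCredential (Get-Credential -Message 'AD FS administrator')

# Publish an internal application with AD FS pre-authentication, so only federated users
# (and, with a conditional-access rule on the relying party, only workplace-joined devices)
# ever reach the backend server.
Add-WebApplicationProxyApplication -Name 'Expense' `
    -ExternalPreauthentication ADFS `
    -ExternalUrl 'https://expense.contoso.example/' `
    -BackendServerUrl 'https://expense.corp.contoso.example/' `
    -ADFSRelyingPartyName 'Expense' `
    -ExternalCertificateThumbprint $CertThumbprint

# --- On a Windows 10 client, after the user has joined via Settings > Accounts > Work access ---
# Confirm the device registration that the Single Sign-On and device factor depend on.
dsregcmd /status | Select-String 'WorkplaceJoined'
```

The ordering matters: device registration must be enabled on the farm before the WAP trust is created and before any client tries to join, and the enterpriseregistration name must resolve publicly for personally owned devices that are never on the corporate network.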


Exercise: Remote Desktop Connection Settings

Learning Objective

After completing this topic, you should be able to

1.

Here's a question for you. Let's say you have an Internet-connected device and you want to configure it for Remote Desktop Connection, but that requires that you configure it for your organization's Remote Desktop Gateway server. So where do you go to configure your Remote Desktop Connection settings so that it connects through a gateway server? Think about that for a moment; I'm going to give you a few seconds to consider it. Feel free to pause the recording and resume when you're ready.

Okay, so where we need to go first is the Remote Desktop Connection settings. Finding them through the menus is a little tricky. I just like to type it into the search box, "remote desktop", and there it is. The menu system has it buried: if we go into Start and then All apps, we'll find it under Windows Accessories, and here it is, Remote Desktop Connection. What I like to do is pin it to Start. So the first thing we do is find it and start it. Then to configure the gateway settings, I select the Show Options button, select the Advanced tab, and look in the category at the bottom called Connect from anywhere. This is where I configure the settings so that I'm connecting through a Remote Desktop Gateway. So I select Settings, choose the "Use these RD Gateway server settings" radio button, and fill it in with the information provided by my IT administrator. That is the name or the IP address of my RD Gateway server. So that's how you configure your Remote Desktop Connection for a Remote Desktop Gateway connection.
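The dialog above just writes settings into an .rdp file, and the same settings can be produced directly, which is handy when IT wants to hand users a ready-made connection instead of instructions. The following is an added example written for this page, not code from the course; the target host and gateway names are placeholders, and the numeric values are the documented .rdp property values that the Connect from anywhere settings map to.

```powershell
# Added example (not from the course): generate an .rdp file that connects through an RD Gateway,
# equivalent to filling in "Connect from anywhere" > Settings in Remote Desktop Connection.
# Assumptions: target host and gateway FQDNs are placeholders supplied by your IT administrator.

function New-RdGatewayRdpFile {
    param(
        [Parameter(Mandatory)] [string] $TargetHost,   # internal PC or RD Session Host, e.g. pc01.corp.contoso.example
        [Parameter(Mandatory)] [string] $GatewayHost,  # RD Gateway FQDN, e.g. rdg.contoso.example
        [Parameter(Mandatory)] [string] $Path          # where to write the .rdp file
    )

    $settings = @(
        "full address:s:$TargetHost"
        "gatewayhostname:s:$GatewayHost"
        'gatewayusagemethod:i:1'          # 1 = always use the gateway (the radio button in the dialog)
        'gatewayprofileusagemethod:i:1'   # 1 = use these explicit gateway settings
        'gatewaycredentialssource:i:4'    # 4 = prompt the user; 0 = password/NTLM, 1 = smart card
        'promptcredentialonce:i:1'        # reuse the gateway credentials for the session host
        'enablecredsspsupport:i:1'        # Network Level Authentication before the session starts
        'authentication level:i:1'        # 1 = refuse to connect if the server certificate does not validate
        'prompt for credentials:i:1'      # never store the password in the file
    )

    # mstsc writes its own files as UTF-16; match that so the client reads it without surprises.
    Set-Content -Path $Path -Value $settings -Encoding Unicode
    return $Path
}

$rdp = New-RdGatewayRdpFile -TargetHost 'pc01.corp.contoso.example' `
                            -GatewayHost 'rdg.contoso.example' `
                            -Path "$env:USERPROFILE\Desktop\corp-pc01.rdp"

# Launch it exactly as a double-click would.
Start-Process -FilePath mstsc.exe -ArgumentList "`"$rdp`""
```

The two hardening choices worth pointing out are `authentication level:i:1`, which stops users from clicking through a certificate warning on a gateway that an attacker is impersonating, and `enablecredsspsupport:i:1`, which keeps Network Level Authentication on so the session host never shows a logon screen to an unauthenticated client.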
