Windows 7 and Windows Server 2008 R2: Joined at the hip

Microsoft's client and server platforms are coming out at the same time, designed to work better together. Find out what that really means

It looks like the general availability goal for Windows 7 is right on target for an Oct. 22, 2009, release, and the Windows Server team is hoping to debut Server 2008 R2 at the same time. The timing isn't accidental: These two products are meant to work together in an enterprise environment. And IT needs to pay attention to them as a set, as we haven't seen this tandem co-development between Microsoft's server and client products since Windows 2000.

Here's a tour of where the two technologies come together and what IT needs to know about the crossover.



DirectAccess
With Windows 7 and Windows Server 2008 R2, mobile users will be able to access the corporate network from any Internet connection (drumroll, please) without a VPN. If you're accustomed to using Outlook Anywhere to connect to your Exchange environment without going through a VPN, it is a similar concept. DirectAccess will use the Secure Socket Tunneling Protocol (SSTP) over SSL port 443 -- similar to going through HTTPS to access secure sites. In addition, DirectAccess can use IPv6 over IPsec for encrypted communications through the Internet.

Note: To eliminate the fear factor here, keep in mind that users will still be required to authenticate. A stolen laptop won't mean automatic DirectAccess to your company network. Along those lines, you may also want to think about using Windows' BitLocker disk encryption for that laptop. In addition, two-factor authentication can be implemented (such as through smart cards or biometrics) so that you can take advantage of Windows 7's biometric enhancements as well.

There are some clear benefits to the DirectAccess approach. Rather than dealing with an unwieldy VPN connection, users will have a very simple access method to their network from wherever they are (as long as they have Internet connectivity, of course). Typically, within a business network, users with mobile systems can receive updates and policy changes only when they connect to the network. With DirectAccess, users will not even need to log in, as long as they have Internet access. And IT can apply changes on the client devices at any time the devices are connected, providing a much easier method of patch and anti-virus definition management.

BranchCache
BranchCache is another feature that requires both Windows 7 and Windows Server 2008 R2, and its name pretty much describes the function. People at branch offices usually access data that may not be held locally. In fact, the branches may not even have a local server. The norm today is for a user to access a file that then comes across the WAN connection to the branch office (which may already be at its bandwidth limitations). That process repeats whenever a user accesses the file, which may come across the connection 5, 10, even 20 times.

BranchCache caches data locally, so if a branch-based user accesses content from the main headquarters and another user at the branch tries to access that same content, it is made available faster and with less network usage via that local cache.

You can set BranchCache to work in one of two modes. The first is Hosted Cache mode, where the server itself retains the cached files. The second is Distributed Cache mode, where clients retain copies of the cached files (the server still has the roles of ensuring that the latest versions of the files are provisioned and that the permissions for accessing those files are maintained). To use this feature, you will need various forms of security technology in place, such as SSL, SMB Signing, and IPsec.

BitLocker-to-Go Control
Windows 7 includes a removable drive encryption feature that extends BitLocker's reach beyond local hard drives (Vista SP1 already extended its reach from the system drive to nonsystem partitions) and out into the USB-based device world. Although BitLocker-to-Go functions without Windows Server 2008 R2, the two work well together in the enterprise environment because Group Policy can force users to run BitLocker on removable drives plugged into systems on the network. Group Policy also lets you block the use of non-encrypted drives. The recovery key can be stored in Active Directory as well, simplifying management.

AppLocker
Windows 7 and Windows Server 2008 R2 replace the Software Restriction Policy feature, which identified and controlled which applications can run on a system using a variety of simple methods such as the file name, path location, and/or hash calculation. Its successor, AppLocker, provides new levels of control that can protect your environment.

Although you can use the Local Security policy to work with AppLocker, it will perform better through Group Policy. You can create rules and exceptions with a simple slider that allows you to dial up or down (up being more lenient, down being stricter) the level of control.
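As an added illustration of the AppLocker workflow (not part of the original article), the PowerShell sketch below uses the AppLocker cmdlets that ship with Windows 7 and Windows Server 2008 R2 to generate rules from a reference machine, dry-run them, and stage the policy in audit-only mode before it goes into a Group Policy object. The folder names, output path, and GPO LDAP path are assumptions chosen for the example.

```powershell
# Added example: build, test, and stage an AppLocker policy in audit-only mode.
# Assumed values (not from the article): $referenceDir, $policyPath, $testDir, $gpoLdapPath.
Import-Module AppLocker

$referenceDir = 'C:\Program Files'                 # software you intend to allow
$policyPath   = 'C:\Temp\applocker-baseline.xml'   # where the policy XML is written
$testDir      = "$env:USERPROFILE\Downloads"       # user-writable location to test against
$gpoLdapPath  = $null   # e.g. 'LDAP://<dc>/CN={<GPO-GUID>},CN=Policies,CN=System,DC=example,DC=com'

# 1. Inventory executables on a clean reference machine.
$files = Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe

# 2. Generate allow rules: publisher rules for signed files, hash rules for the rest.
$xmlText = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
                        -RuleNamePrefix 'Baseline' -Optimize -Xml
$xmlText | Out-File -FilePath $policyPath -Encoding UTF8

# 3. Dry run: list executables in the test folder that the rules would not allow.
$blocked = Get-ChildItem -Path (Join-Path $testDir '*.exe') -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' }
$blocked | Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# 4. Switch every rule collection to AuditOnly so the first rollout only logs events.
[xml]$doc = Get-Content -Path $policyPath
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($policyPath)

# 5. Merge the audited policy into a GPO only when a target has been supplied.
if ($gpoLdapPath) {
    Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap $gpoLdapPath -Merge
} else {
    Write-Output "Policy staged at $policyPath (AuditOnly); no GPO path set, nothing applied."
}
```

AppLocker rules are evaluated only while the Application Identity service (AppIDSvc) is running on the client, so that service needs to be started before the audit events appear.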

RemoteApp and Desktop
RemoteApp allows applications running through a terminal service session to appear as if they're installed locally on the system. This is also termed "presentation virtualization," with the application running on the server side and the client seeing only that application rather than the entire desktop environment in a window. Although this capability was added in Windows Server 2008 R1, Windows 7 enhances the process with RAD (RemoteApp and Desktop) feeds, which improve the integration process with the client.

The benefits to using Windows Server 2008 R2 and Windows 7 together for these RemoteApp sessions include the fact that you have the new RDP protocol (RDP v7) that allows for a better multimedia experience, including Aero glass features and multimonitor support. More important, it allows for a greater level of security between the client and server, thanks to the Windows Server 2008 R2 server role called the Remote Desktop Gateway, which replaces the Terminal Services Gateway and allows you to configure more restricted access for clients.

So happy together
It's obvious that Windows 7 and Windows Server 2008 R2 are designed to play well together. That doesn't necessarily mean you have to revamp your entire network. In fact, although there are many fine reasons to like R2, the new features may not be what you need within your environment. If that's the case, no worries: Windows 7 will work just fine in your existing environment. However, if any of these features are appealing to you, you won't be disappointed by pairing these two.

What is your deployment strategy? Are you going to deploy Windows 7? Do you have a Windows Server 2008 R2 solution in mind as well? Enterprise Windows readers want to hear from the decision makers.