Introduction to SMB3

Server Message Block (often, and incorrectly, referred to as CIFS) has been the mainstay of Windows file servers since the days of NetBIOS. Version 2, and the improvements it brought with it, was released in 2006 with Windows Vista and Server 2008. While SMB2 brought some much needed improvements, including limiting the chattiness of SMB over the wire (essential in WAN environments), it still lacked the capabilities (and thus the enterprise approval) of NFS. In the time between SMB2 and SMB3 we have seen users migrate away from Windows file servers to array based file storage, and away from block storage to NFS for virtualization, but all that is about to change.

Server Message Block 3

With the advent of Windows Server 2012, Microsoft has released SMB3. Far more than a mere upgrade to SMB2, SMB3 brings important new enterprise features, rich client capabilities, and performance through the roof, a far cry from its predecessors.

SMB Direct (RDMA)

Utilizing RDMA network devices and SMB Direct, SMB can bypass the NIC and transport layer drivers and communicate directly with the RDMA NIC. This bypass increases performance and lowers latency significantly, to near wire speeds, and with InfiniBand connectivity those wire speeds can comfortably reach 50GBps on a single port. SMB Direct can be coupled with SMB Multichannel to provide a reliable and highly available network topology for low latency file server access, enabling the file level application support we are increasingly seeing demanded. As file servers grow larger and larger, with file counts often nearing the billions, this improvement helps overcome one of the major bottlenecks of file server performance.

SMB Multichannel

While SMB Direct allows for low latency, high throughput RDMA links, without SMB Multichannel it would still lack a certain enterprise comfort level: SMB failures have always been disruptive to users at the least, and catastrophic at worst. SMB Multichannel allows for seamless use of all network interfaces (and can be combined with network teaming) with a near linear performance improvement (demos at the Build conference had four 10GbE ports pulling 4.5GB/s of throughput). Even a single NIC that supports Receive Side Scaling (RSS) can benefit from the new multichannel capabilities by establishing multiple TCP connections, which allows the CPU load to be balanced across cores and CPUs rather than pinned to the single core a single TCP connection is affined to. When pushing a lot of small I/O over a large interface such as 10GbE this becomes essential. Clients that support SMB3 will automatically utilize multiple channels when RSS is configured, and multiple NICs when they are available.
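The following PowerShell is an added example, not part of the original post, that checks on an SMB3 client whether the behaviour described in the SMB Direct and SMB Multichannel sections is actually in effect: a 3.x dialect negotiated, RSS/RDMA capable local interfaces, and more than one channel carrying traffic to each file server. It assumes Windows Server 2012 / Windows 8 (SmbShare module) and an elevated PowerShell 3.0 session.

```powershell
# Added example, not part of the original post: confirm on an SMB3 client that
# a 3.x dialect was negotiated, which local NICs are RSS/RDMA capable, and how
# many paths and channels are in use toward each file server.
# Assumes Windows Server 2012 / Windows 8 (SmbShare module), elevated PS 3.0.
Import-Module SmbShare

if (-not (Get-SmbClientConfiguration).EnableMultiChannel) {
    Write-Warning 'SMB Multichannel is disabled on this client'
}

# Which local interfaces are able to drive several channels at all
Get-SmbClientNetworkInterface |
    Select-Object FriendlyName, Speed, RssCapable, RdmaCapable |
    Format-Table -AutoSize

# Dialect per open share: only a 3.00 session can use Multichannel or SMB Direct
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, NumOpens |
    Format-Table -AutoSize

# Selected paths and channel count per server. Several selected paths means
# multiple NICs are in use; several channels on one path is RSS at work.
$summary = Get-SmbMultichannelConnection | Where-Object Selected |
    Group-Object ServerName | ForEach-Object {
        [pscustomobject]@{
            Server    = $_.Name
            Paths     = $_.Count
            Channels  = ($_.Group | Measure-Object CurrentChannels -Sum).Sum
            RssPaths  = @($_.Group | Where-Object ClientRSSCapable).Count
            RdmaPaths = @($_.Group | Where-Object ClientRdmaCapable).Count
        }
    }
$summary | Format-Table -AutoSize
$summary | Where-Object { $_.Channels -le 1 } | ForEach-Object {
    Write-Warning "Only one channel to $($_.Server): no Multichannel benefit on this session"
}
```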

SMB Application Shares

With the combination of the two new SMB features listed above, and the myriad improvements to networking and storage in Windows Server 2012, we finally have the capability to provide certain enterprise applications with file level storage. This move vastly simplifies already complex enterprise application deployments by abstracting a lot of low level storage architecture away from the application architecture, while giving us yet another option for the storage of large, complex and performance demanding systems. Currently SQL Server 2012 and Hyper-V 2012 VHDX files are supported in an SMB3 environment, and application shares provide the performance and availability inherent in SMB Direct and SMB Multichannel at an SMB cluster level, giving us a single namespace spanning multiple servers.

Conclusion

All of these features and capabilities are helping bring the file server back to a Windows server, and although major vendors such as EMC and NetApp will be supporting SMB3, it is unknown whether they will support the full gamut of features and capabilities, or in what timeframe they will reach that level of compatibility.

As file systems get larger and larger and our hunger for data ever increases, it becomes that much more critical that our file server infrastructure can scale and perform to meet our demands. Windows Server 2012 and SMB3 help us get there, today.

Exchange 2010 Namespace considerations

For some of us, migrating from Exchange 2003 to Exchange 2010 is an exciting concept, with tons of new features, simpler high-availability features and a lot more power for the users.

One of the commonly overlooked design pieces of a Microsoft Exchange 2010 architecture is the namespace.

Legacy Environments

For most Exchange 2003 environments the following names are usually in play:

  • mail.mydomain.com – MX Record, mail flow
  • webmail.mydomain.com – OWA, OMA, EAS (Web Services) – Certificate Name

This is not always the case; some people will just use mail.mydomain.com for everything, and this also works great. Your edge configuration will apply certain requirements and restrictions on how you configure your existing namespace, but this is all relatively simple in Exchange 2003 compared to some of the considerations in Exchange 2010.

Exchange 2010

Most organizations are deploying Exchange 2010 in a highly available configuration, and many are implementing site resilience as well. This can lead to a complex namespace design that should be carefully considered and designed before the first server is deployed in your organization.

Some things to consider in Exchange 2010 from a high availability standpoint are:

Internet Presence

  • webmail.mydomain.com – Primary point of presence, OWA, OA, EAS, OAB – Certificate Name

Autodiscover Service

  • autodiscover.mydomain.com – auto configuration URL – Certificate Name

Client Access Arrays

  • site-casA.mydomain.com – Internal AD reference to CAS Array for each site
  • site-casB.mydomain.com – Internal AD reference to CAS Array for each site
  • casA-nlb.mydomain.com – Assigned to VIP of Load balancer for HA CAS – Certificate Name
  • casB-nlb.mydomain.com – Assigned to VIP of Load balancer for HA CAS – Certificate Name

Co-Existence

  • legacy.mydomain.com – Name used for redirection to 2003 during migration – Certificate Name

Site Resiliency

  • webmail2.mydomain.com – alternate internet point of presence – Certificate Name

Failback URLs

  • failbackA.mydomain.com – DNS Failback URL for timeout consideration – Certificate Name
  • failbackB.mydomain.com – DNS Failback URL for timeout consideration – Certificate Name

As you can see there is a lot to consider here before jumping in and throwing some servers up, and some of these names may not be required, or can be consolidated with others, depending on your edge topology.
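As an added example that is not part of the original post, the PowerShell below takes the namespace plan above and checks that each name resolves in DNS and that every name marked "Certificate Name" is covered by the SAN list of the certificate you intend to publish. It assumes mydomain.com is a placeholder zone, an English Windows locale (the SAN extension formats as "DNS Name=..."), PowerShell 3.0, and a certificate already imported into Cert:\LocalMachine\My whose subject names webmail.

```powershell
# Added example, not part of the original post. Assumptions: mydomain.com is a
# placeholder zone, English Windows (SAN text reads "DNS Name=..."), PS 3.0,
# and a certificate in Cert:\LocalMachine\My whose subject contains webmail.
$zone = 'mydomain.com'
$certNames = 'webmail','autodiscover','casA-nlb','casB-nlb','legacy',
             'webmail2','failbackA','failbackB' | ForEach-Object { "$_.$zone" }
$internalNames = 'site-casA','site-casB' | ForEach-Object { "$_.$zone" }

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*webmail.$zone*" } | Select-Object -First 1
if (-not $cert) { throw "No certificate for webmail.$zone in Cert:\LocalMachine\My" }

# DNS names from the Subject Alternative Name extension (OID 2.5.29.17)
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = @()
if ($sanExt) {
    $sanNames = @($sanExt.Format($true) -split "`r?`n" |
        ForEach-Object { if ($_ -match '^DNS Name=(.+)$') { $matches[1].Trim() } })
}

# A wildcard entry (*.mydomain.com) only covers a single label to its left
function Test-SanCovers([string]$name, [string[]]$sans) {
    foreach ($s in $sans) {
        if ($s -eq $name) { return $true }
        if ($s.StartsWith('*.') -and $name -like $s -and
            ($name -split '\.').Count -eq ($s -split '\.').Count) { return $true }
    }
    return $false
}

$report = foreach ($n in @($certNames) + @($internalNames)) {
    $resolves = $true
    try { [void][System.Net.Dns]::GetHostAddresses($n) } catch { $resolves = $false }
    $onCert = if ($certNames -contains $n) { Test-SanCovers $n $sanNames } else { 'n/a' }
    [pscustomobject]@{ Name = $n; Resolves = $resolves; OnCertificate = $onCert }
}
$report | Format-Table -AutoSize
```

Internal CAS array names are reported as n/a on the certificate because they are Active Directory references for RPC clients, not HTTPS endpoints.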

For more detailed information on namespace design please check out the TechNet article located here.

Forefront Unified Access Gateway 2010, what’s that then?

I keep hearing a lot of confusion as to what UAG is, where it fits, and what it does, so here is a brief introduction to what it does and what its capabilities are.
Forefront Unified Access Gateway 2010 is designed as a gateway into your organization, and utilizes a number of other Microsoft components to enable a seamless and integrated experience for both corporate users and 3rd parties.

  • UAG is NOT the same as TMG, nor are the two interchangeable
  • UAG is geared toward securely allowing inbound access
  • TMG is geared toward protecting internal users from external threats

UAG vs TMG

A lot of confusion arises because UAG installs some TMG components and utilizes them, mainly for array management and firewalling. It cannot, however, operate as a forward or reverse proxy, nor can it do web filtering or use the active protection components that TMG does.

The TMG components built into UAG are there to protect the TMG server, as it is generally afforded a global external address and does not sit behind its own firewall, due to the NAT restrictions that apply if you wish to utilize DirectAccess.

Direct Access

Microsoft DirectAccess technology allows you to bridge the connections of enterprise endpoints to the corporate network whenever they are online. This is accomplished seamlessly and securely with a combination of IPv6, PKI and IPsec technologies. This allows users to access resources on the corporate infrastructure safely from anywhere they can get online, as well as giving internal support staff access to roaming systems without requiring them to join special support sessions, install special software, or have the user bring the system into an office.

DirectAccess is a technology built into Windows Server 2008 R2, and can operate without UAG; however, there are significant benefits to deploying DirectAccess through a UAG system, including DNS64 and NAT64, both of which are required to allow seamless network access to IPv4 only corporate resources (not just IPv6 ready apps).

Remote Access

UAG provides a user web portal to access applications, services and network resources, as well as integrating with an RDS Gateway component if you choose to install it. This portal provides access from numerous devices and can detect the type of device, and the type of experience to deliver. These portals can be customized to fit the client's needs, displaying client assets and specifics on a case by case basis.

UAG is also capable of VPN termination, either via integration with RRAS for PPTP and SSTP tunnels, or via native UAG SSL VPN capabilities.

While TMG can also do VPNs, it is not afforded the same SSL VPN capabilities that UAG has; this is another UAG plus point.

Server Publishing

UAG is the Microsoft recommendation for publishing Microsoft server resources; this is a shift from IAG 2007, when MS still pushed ISA 2006 as its best practice method for securing Exchange and SharePoint web interfaces. If you wish to make services such as Outlook Web Access, Outlook Anywhere, ActiveSync and SharePoint sites available to your users over the internet, this is the technology to deploy to secure and manage access to those resources.

TMG can still handle this, but many of the upgrades and features that have been added to UAG 2010 have not been included in TMG's publishing capabilities, so when publishing SharePoint, Exchange, or even RDS Web Access, UAG is the way to go (reverse proxy requirements are still handled by TMG 2010; this includes OCS and Lync requirements).

Licensing

UAG has client and server CAL requirements, unlike TMG, which is licensed per server (unless you want all the filtering and protection suites). However, ECALs have UAG CALs included, which is good to know for ECAL customers, as the majority of the cost is already paid for and you can start benefiting from the technology straight away through a pilot or implementation engagement.