Fundamentals - Windows7-tag (The University of Manchester)

Fundamentals

Testing

Networking

DNS

  • [MF] DNS servers are detected and assigned automatically.
  • [MF] No need to disable dynamic DNS settings.
  • [MF] Lookups and reverse lookups work fine.
  • [CJM] Appears to work as expected. Test systems seem to behave as normal without issue. This includes reverse DNS lookups.

DHCP

  • [MF] DHCP servers are detected and IP addresses assigned. Negotiations happen successfully.
  • [CJM] DHCP is not the primary provider of IP addresses; in fact this is Bootp. However, there have been tests against AD (as DHCP provider) and it appears to work as expected.

VPN 32/64 bits

  • [MF] Both Cisco and ShrewSoft VPN clients work fine on 32-bit Windows 7 machines.
  • [MF] ShrewSoft VPN client works fine on 64-bit Windows 7 machines.
  • [MF] Cisco AnyConnect works with Windows 7 64-bit, but does not support IPsec (which our concentrators use). Instead it uses SSL, which is more secure, but we do not have the hardware to support it at this time.
  • [MF] Both wireless and wired connectivity were tested.
  • [MF] Cisco and ShrewSoft clients installed fine. The profile must be made available to users for it to be installed for both clients.
  • [BF] Installation and usage on W7 32bit with wireless IP using Cisco client & Vista profile: Successfully installed Cisco client with Vista profile. Connected to VPN. Mounted shared drives, and browsed the Internet.
  • [BF] Installation and usage on W7 64bit with wireless IP using Shrewsoft client: Successfully installed Shrewsoft client with profile created by Humanities. Connected to VPN. Mounted shared drives, and browsed the Internet.

Multicast

  • [MR] IPv4 multicast works fine and it also seems to support SSM (the next generation of IPv4/IPv6 multicast support).
  • [MR] IPv6 multicast not tested yet - target date of 31st March.

IPv6

  • [MR] IPv6 unicast working with no problems.
  • [MR] IPv6 multicast not tested yet - target date of 31st March.
  • [MF] IPv6 is turned on by default on Windows 7 machines, so an IPv6 address is assigned. This does not interfere with the IPv4 address but allows the machine to talk to IPv6-enabled systems. If not required, this can be turned off under the tcp options.

General networking

  • [MF] Default gateway discovered and assigned. Access to internet/intranet tested without problems.
  • [MR] In terms of sniffing the traffic, there is nothing untoward or unexpected.
  • [MR] Since IPv6 is preferred over IPv4 with newer OSs such as Windows 7, if IPv6 were enabled on a gateway router for a broadcast domain, and since the switches in service around the campus do not yet support anti-spoofing measures for DHCPv6 and auto-configuration, there exists the possibility of IPv6-based man-in-the-middle attacks (to put this in context though, this was the case for the whole of the campus for IPv4 traffic until recently and is still an issue in some parts of the campus).

Security

Windows 7 firewall

  • [TA] There are no incoming TCP ports open on a default install of W7. Like XP, all incoming UDP ports are allowed. Care would be needed if this was tightened as both DNS and ARS make use of incoming UDP connections.

Antivirus clients and updates

  • [TA] Installed Sophos 9.x and McAfee 8.7i (with sp 2) on a vanilla W7 system. Both installed without problem. Both ran a full scan without problem.
  • [TA] Both McAfee and Sophos were configured to get updates from the vendor's site and this worked. There is a current known issue with Sophos using brahmani.
  • [BF] Installation of Sophos 9.0.2 on a W7 32bit machine completed successfully. No Sophos firewall installed at time of installation and the option to provide update settings was left until later. Removing of third party software was unticked.
  • [BF] Installation of Sophos 9.0.2 on a W7 64bit machine completed successfully. No Sophos firewall option on 64bit and the option to provide update settings was left until later. Removing of third party software was left ticked, but had no visible effect.
  • [BF] Sophos 9 Definition updating on W7 32 bits. 1st test - Configuration for updating and patching was set as recommended by the campus website (update via campus servers 1st, and Sophos servers 2nd). Patching from the University servers caused some problems as Sophos reverted to v7.6.16 instead of being at v9.
  • [BF] Sophos 9 Definition updating on W7 32 bits. 2nd test - Sophos re-installed as above with Firewall option, removal of third party software option enabled and the option to provide update settings left until later. Configuration for updating and patching was set to update via Sophos servers 1st and campus servers 2nd. Update and patching successful. Sophos remains at v9.
  • [BF] Sophos 9 Definition updating on W7 64 bits. Configuration for updating and patching was set to update via Sophos servers 1st and campus servers 2nd. Update and patching successful. Sophos remains at v9.
  • [BF] Scan configuration was set as recommended by the campus website. Settings retained after rebooting the machine. Scan run on machine successfully. This was tested on both 32 and 64 bit W7 machines.
  • [BF] Suggested not to install Sophos Firewall as it is very easy for a user to block a required system service or something of importance that could potentially stop an application or the OS from working properly. It is also very limited and not intuitive.

MSE

  • [TA] Further testing is needed for this. Other Universities are recommending this for personal machines. We are moving to centrally managed AV so this aspect needs to be explored for MSE.

General security

  • [TA] Unknown at present. Probably needs considerable testing to ascertain.

Licensing and distribution

MAK vs KMS

  • [DRVB] Suggested to continue using MAK if restricted to a controlled group of people.

KMS Infrastructure

  • [DRVB] The KMS software we are currently using for Vista will require an upgrade to serve Windows 7 licences, but the servers do not require an unscheduled hardware upgrade to handle this, nor are new servers needed.
  • [DRVB] If you require multi-server resiliency and the ability for clients to automatically pick up the KMS servers at install time, rather than customising the image or requiring post-install manual configuration, then the service discovery records need to go into DNS. The easiest way to ensure that all clients can pick up the records regardless of their primary DNS domain is to require them all to be Active Directory joined.

Shared Areas

Using CIFS

  • [BF] Using W7 32 bits with wired campus IP: Local security policy changed for authentication (see link). Connection to three different servers was successful. However, the user account used could not see any data, despite the fact that this account can see the data via a Novell login. Another account with higher permissions could see all data on the drive.
  • [BF] Using W7 64 bits with wired campus IP: Local security policy changed for authentication. Connection to three different servers was successful. However, the user account used could not see any data, despite the fact that this account can see the data via a Novell login. Another account with higher permissions could see all data on the drive.
  • [BF] Using CIFS on W7 32bit with wireless IP over VPN: Local security policy changed for authentication. Cisco VPN installed and connected over wireless. Connection to three different servers was successful. However, the user account used could not see any data, despite the fact that this account can see the data via a Novell login. Another account with higher permissions could see all data on the drive.
  • [BF] Using CIFS on W7 64bit with wireless IP over VPN: Local security policy changed for authentication. Shrewsoft VPN installed and connected over wireless. Connection to three different servers was successful. However, the user account used could not see any data, despite the fact that this account can see the data via a Novell login. Another account with higher permissions could see all data on the drive.
  • [BF] Note: problems above with not seeing data during tests above now seem to be resolved with the server maintenance that was done on 3rd March. The first test was attempted again on 04.03.2010 with the original user account used and that was successful.

Using Novell

  • References: Humanities VPN Advice; ITSD VPN Vista; Novell Client W7.
  • [BF] Connection on W7 32bit with wired campus IP: Novell Client 2 SP1 for Win7 installed. Set University options for LDAP contextless login, service location and created a system login profile. Connection to auto mapping drives successful on login. Manual mapping of drives also successful.
  • [BF] Connection on W7 32bit with wireless IP over VPN: Novell Client 2 SP1 for Win7 installed. Set University options for LDAP contextless login, service location and created a system login profile. Cisco VPN installed and connected over wireless. Connection to auto mapping drives successful when manually logging into Novell through the desktop once VPN was connected. Manual mapping of drives also successful.

p drives

Using CIFS

  • [BF] Connection and mapping using CIFS on W7 32bit with wired campus IP: Local security policy changed for authentication. Connection to manual mapping of P-drive successful.
  • [BF] Connection and mapping using CIFS on W7 64bit with wired campus IP: Local security policy changed for authentication. Connection to manual mapping of P-drive successful.
  • [BF] Connection and mapping using CIFS on W7 32bit with wireless IP over VPN: Local security policy changed for authentication. Cisco VPN installed and connected over wireless. Connection to manual mapping of P-drive successful.
  • [BF] Connection and mapping using CIFS on W7 64bit with wireless IP over VPN: Local security policy changed for authentication. Shrewsoft VPN installed and connected over wireless. Connection to manual mapping of P-drive successful.

Using Novell

  • [BF] Connection and mapping using Novell on W7 32bit with wired campus IP: Novell Client 2 SP1 for Win7 installed. Set University options for LDAP contextless login, service location and created a system login profile. Connection to auto mapping P-drive successful on login. Manual mapping of drive also successful.
  • [BF] Connection and mapping using Novell on W7 32bit with wireless IP over VPN: Novell Client 2 SP1 for Win7 installed. Set University options for LDAP contextless login, service location and created a system login profile. Cisco VPN installed and connected over wireless. Connection to auto mapping P-drive successful when manually logging into Novell through the desktop once VPN was connected. Manual mapping of P-drive also successful.

Active Directory

  • [CJM] AD has been tested for Windows7 and it works. It should not be considered at this stage, as this is a fact finding exercise.

Updates

WSUS

  • [CJM] Tested in a limited capacity and it works for Windows 7, but currently not supported fully.
  • [CJM] Suggested to use windowsupdate.microsoft.com meanwhile.

Printing

iPrint

  • [CJM] iPrint already updated for W7 support. Print queues will require migration.
  • [PB] The servers hosting the NDPS Manager and NDPS Broker have been upgraded from Netware 6.5 SP7 to Netware 6.5 SP8B and the latest version of the iPrint plugin for iManager has been installed on all servers. These upgrades were necessary in order to make the broker Windows7-compatible.
  • [PB] Now that this work has been completed, we are in a position to populate the broker with Windows 7 (32-bit) drivers. This process has already begun but is not complete. However, it does mean that in cases where Windows 7 (32-bit) support is required for a particular iPrint queue, we are in a position to provide that.
  • [PB] A compatible Windows 7 driver needs to be uploaded to the broker for each model of printer, then the driver needs to be associated with each individual queue. There are approximately 640 queues on the Central system so I would estimate that the task of associating all queues with a Windows 7 (32-bit) driver will be around 2 weeks' work for the Central Printing team (which effectively means Nigel Watkinson and myself).

  • [PB] iPrint offers support for 64-bit Vista and 64-bit Windows 7. The problem has always been that 64-bit drivers for Windows Vista and Windows 7 can only be uploaded to the broker from a workstation running 64-bit Vista or Windows 7. We have been able to upload 32-bit drivers for Vista and Windows 7 by using virtual machines running 32-bit Vista and Win7 hosted upon Windows XP. We have no access to any systems running 64-bit Vista and Windows 7.

System Compatibility

Desktop email

  • Work in progress...

Web resources (p drives, webmail, blackboard, portal, etc.)

  • [BF] Logged into p-drive web portal. Successfully used functionality such as copy and pasting files, changing server locations, create folders.
  • webmail seems to work fine on IE8.
  • portal seems to work fine on IE8.

Communications

  • [BS] New Microsoft Releases and Windows 7 pages changed.
  • [MT] KB Article re: Windows 7 changed.
  • [BS] Requested aliases for www.manchester.ac.uk/windows7 and www.itservices.manchester.ac.uk/windows7 pages.

This page was last modified on 10 March 2010, at 09:26. This page has been accessed 6,454 times.