Tech Ed EMEA IT: Day 4 – Guru Central

So, we’re on the penultimate day of TechEd EMEA and I have to say that exhaustion is starting to creep in. However, the day had a great start with sessions by Steve Riley and then Mark Russinovich.

Steve was talking about the security implications of virtualisation and his views were stimulating. He was talking in depth about what to consider when virtualising machines and why Microsoft took the architectural approach that they did for the Hyper-V stack when security was considered. I could post more, but I would urge you to go and find the video of the session when it’s available as Steve himself gave a much better delivery of the material than I ever could.

Next up was Mark Russinovich, of Sysinternals fame. I’ve been using tools produced by Sysinternals for a long time, but almost always from the standpoint of figuring out how to make apps run with the least possible privilege. That means Filemon and Regmon, now replaced by Process Monitor. What Mark was showing was how to use ProcExp (Process Explorer) with some of his other tools to analyse why applications crash and how to drill right down into crash dump files to identify the offending code. It was a very cool presentation and his delivery was both engaging and amusing. If you get the chance to see him speak I would highly recommend it.

Tech Ed EMEA IT: Day 3 – Steve Riley

The last session of the day was just incredible. A surfer-dude with boundless energy wandering around the audience in shorts, cracking jokes and telling stories, every single one related in some way to his point. Steve Riley is a fantastic presenter, and his session, Do these ten things now or else get 0wned, was a great one on security. Sadly, I don’t think it’s repeated or I would urge you all to attend the next viewing. If you have the chance to see Steve speak, grab it with both hands – especially if you are involved in any way with security or IT management.

Tech Ed EMEA IT: Day 3 – Microsoft Enterprise Desktop Virtualisation (MED-V)

OK, MED-V is cool! Sadly, cool though it is, it’s not something we’ll use at BM, but in my previous lives doing large organisation IT, MED-V would have been a killer.

In a nutshell, it is this: create a Virtual PC image with your legacy OS and legacy app. Deploy that VPC to your users’ desktops so they can run the legacy app, but let them run it without needing to start the VPC and juggle two desktops.

That’s right – MED-V apps appear in the host OS Start Menu and fire up windows which, although using the appearance of the guest OS, are hosted straight on the desktop. Not only that, but they get task bar entries, and even tray icons!

It’s really well thought out – admins create the VPCs, publish them into a server infrastructure and publish the images and apps to users. The system takes care of versioning for the images and pushes them out to users which reduces the amount of data transferred.

You can allow roaming users to work remotely as well, and do clever things like setting a time limit, after which the virtual apps won’t work because the user needs to connect to the main system to get updates to the guest OS.

It’s great. It’s also not out yet. Beta 1 is expected Q1 2009, although they are looking for early access users. Release is projected for H1 2009. If you’re a big organisation and migration to Vista is a pain, MED-V may be for you, although it’s only available to SA customers, as far as I can tell.

The snags (there are always some, right?): Host OS is Vista SP1 or XP SP2/SP3, 32-bit only. Guest OS is Windows XP or Windows 2000 only.

It was a great session, and you definitely want to find out more about this.

Tech Ed EMEA IT: Day 3 – Server 2008 R2

We were in early today, looking forward to a session on SharePoint with Bill English. Sadly, that was cancelled so Andy and I sat in on the Server 2008 R2 overview session presented by Iain McDonald. That was very interesting, and we learned a bit more about BranchCache. It doesn’t look like it will replace WAN accelerators like Riverbed, because it doesn’t appear to function at their low level. However, it does a similar thing at the file level. The client requests a file from the remote server, which instead replies with hashes of the content blocks. The client then looks those hashes up in the local branch cache and only goes back across the WAN for blocks the cache doesn’t already hold, improving performance. The cache itself is built on request so does not need to be pre-populated (which is good). I think WAN accelerators have nothing to fear from this, but for smaller organisations or ones which aren’t able to put the accelerators in (perhaps their servers are hosted, for example) BranchCache looks like a very promising technology.
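To make that hash-then-fetch flow concrete, here is an added example in Python. It is my illustration, not Microsoft’s code and not a reimplementation of the real BranchCache protocol: a content server answers a file request with SHA-256 block hashes, and a branch client serves what it can from a shared local cache, verifies every cached block against the server’s hash before trusting it, and only crosses the WAN for blocks it is missing. The block size, the file names and the plain dictionary standing in for the peer or hosted cache are all assumptions made for the example.

```python
import hashlib

# Assumed block size for this model; the real protocol's segment/block
# layout differs, this only shows the hash-first retrieval pattern.
BLOCK_SIZE = 64 * 1024


def split_blocks(data: bytes, size: int = BLOCK_SIZE) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)]


def block_id(block: bytes) -> str:
    return hashlib.sha256(block).hexdigest()


class ContentServer:
    """Head-office server: answers a file request with the list of block
    hashes, and hands out the actual bytes only for blocks the client asks
    for by hash (each such call is a trip across the WAN)."""

    def __init__(self, files: dict):
        self.files = files
        self.block_fetches = 0

    def hashes_for(self, name: str) -> list:
        return [block_id(b) for b in split_blocks(self.files[name])]

    def fetch_block(self, name: str, wanted: str) -> bytes:
        self.block_fetches += 1
        for block in split_blocks(self.files[name]):
            if block_id(block) == wanted:
                return block
        raise KeyError(wanted)


class BranchClient:
    """Branch PC. 'cache' is a plain dict shared between clients, standing in
    for the peer or hosted cache; it is populated on demand, never pre-seeded."""

    def __init__(self, server: ContentServer, cache: dict):
        self.server = server
        self.cache = cache

    def get(self, name: str) -> bytes:
        out = []
        for h in self.server.hashes_for(name):
            block = self.cache.get(h)
            # Trust the server's hash, not the cache: a missing entry and a
            # forged entry are handled the same way, by refetching over the WAN.
            if block is None or block_id(block) != h:
                block = self.server.fetch_block(name, h)
                self.cache[h] = block
            out.append(block)
        return b"".join(out)


def demo() -> tuple:
    """Two branch PCs read the same 250 KB file; only the first pays the WAN cost.
    Returns (content_correct, wan_fetches_first_read, wan_fetches_second_read)."""
    # Constructed, non-repeating sample content so every block hash is distinct.
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(8000))
    server = ContentServer({"report.docx": payload})
    cache = {}
    first = BranchClient(server, cache).get("report.docx")
    after_first = server.block_fetches
    second = BranchClient(server, cache).get("report.docx")
    after_second = server.block_fetches - after_first
    return first == second == payload, after_first, after_second


def forged_cache_entry_is_refetched() -> bool:
    """A rogue peer that serves different bytes under a valid hash is caught."""
    server = ContentServer({"memo.txt": b"A" * 10})
    cache = {}
    client = BranchClient(server, cache)
    client.get("memo.txt")                # 1 WAN fetch, populates the cache
    (h,) = cache                          # the single block's hash
    cache[h] = b"B" * 10                  # poison the shared cache
    return client.get("memo.txt") == b"A" * 10 and server.block_fetches == 2


if __name__ == "__main__":
    print(demo(), forged_cache_entry_is_refetched())
```

The point worth taking from the model is where the trust sits: the hashes always come from the authoritative server over the WAN, so a peer in the branch can only ever save you bandwidth, never substitute content, because anything that does not hash correctly is thrown away and fetched again from the source.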

Something I saw and got excited about is DHCP failover. We don’t suffer much with DHCP outage, but because the only way to sync up two DHCP servers is to export and import it’s very hard to do resilient services. DHCP failover should solve that, and it looks good.

Also, more on the .NET on Server Core front. The key ‘takeaway’ is that it is a subset of .NET 2, .NET 3 (WCF and WF, not WPF) and .NET 3.5 (the WF additions and LINQ). That makes sense – why include elements related to the GUI? However, subset obviously means compatibility pitfalls and I am still very interested to see where this goes.

We spoke to a few guys on the IIS stand yesterday about SharePoint on IIS7. I need to talk to the SharePoint guys about the same thing. The IIS chaps were optimistic that what I wanted to do would work, but there had been no effort put into testing of the scenario as yet. As far as I am concerned, at the very least I want to be able to run my WFE servers as server core for security reasons. I’d really like to be able to deploy the app server roles to core as well, which falls in line with a single-purpose server, virtualised strategy.

I’m writing this as I wait for the MED-V session to start. The brief intro to this given during the Windows 7 session made it sound exciting and I really hope to come away from this feeling energised. Whilst it’s been a solid conference so far, there’s not been much to give me a buzz – perhaps this is it. I’ll take notes and try to post my thoughts later.

TechEd EMEA IT: Day 2 – Threat Management Gateway

Andy and I are now in a TMG preview demo. This looks really interesting – we spoke to the guys at ATE last night and saw a few items that I hope to see now in more detail. TMG is ISA Server vnext – codenamed ‘Nitrogen’ and part of the ‘Stirling’ next wave of Forefront.

Stirling family members exchange information to allow ‘dynamic response’ – triggering actions from different Forefront elements (client security etc.) based on alerts from other elements (e.g. the mail scanner). That looks really powerful.

New in TMG is web client threat protection: downloaded files are scanned for malware as they pass through. This blocks the download of malware and shows the user a message page. Finally – a way to save some users from themselves!

TMG can now also inspect SSL traffic! TMG terminates the connection to the real site, checks that the site’s certificate is valid, and then re-encrypts to the client using a certificate it issues itself, so client machines have to trust the CA that TMG signs with. Notably, if you enable HTTPS inspection you can make TMG tell the users – warn them, if you like – that their ‘secure’ connection is being inspected. You can also exclude categories of sites from this inspection.

For large files, TMG will show the user a ‘comforting’ page informing them that the file has been downloaded by TMG and is being scanned for malware.

TMG inspects traffic and will try to detect if a download manager is being used. At that point the ‘comforting’ page won’t be displayed. Interestingly, you can also block the download of encrypted zip files if you like – i.e. if TMG can’t scan it, don’t let it through.
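As an added illustration of that last policy (my code, not TMG’s, whose scanner is not described here), the following Python check decides whether an archive is scannable at all: it walks the ZIP central directory and refuses anything with the encryption bit set in an entry’s general-purpose flags, and anything that does not parse as a ZIP in the first place. The sample archives are constructed in memory; the ‘encrypted’ variant is a plain archive with the flag bit set on its one entry, which is enough to exercise the check.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x0001  # general purpose bit flag, bit 0: entry is encrypted


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample archive. The 'encrypted' variant is a plain archive
    with the encryption bit set in its local and central headers (no real
    cipher is applied; the flag alone is what the policy check looks at)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "quarterly figures, internal only\n")
    blob = bytearray(buf.getvalue())
    if encrypted:
        # Flags live 6 bytes into a local file header (PK\x03\x04) and
        # 8 bytes into a central directory entry (PK\x01\x02).
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = blob.find(signature)
            while pos != -1:
                blob[pos + offset] |= ENCRYPTED_FLAG
                pos = blob.find(signature, pos + 1)
    return bytes(blob)


def zip_scan_verdict(data: bytes) -> tuple:
    """Return (allow, reason). Allow only archives whose every entry can be
    opened for scanning: an encrypted entry, or a blob that is not a valid
    ZIP at all, means the gateway cannot inspect it and so blocks it."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & ENCRYPTED_FLAG:
                    return False, f"encrypted entry: {info.filename}"
            return True, f"{len(zf.infolist())} entries, all scannable"
    except zipfile.BadZipFile as exc:
        return False, f"not a valid zip: {exc}"


if __name__ == "__main__":
    for label, blob in (("plain", build_sample_zip(False)),
                        ("encrypted", build_sample_zip(True)),
                        ("garbage", b"MZ\x90\x00 not an archive")):
        print(label, zip_scan_verdict(blob))
```

Checking the flag per entry rather than per archive matters, because a single ZIP can mix encrypted and plain members; and since both traditional PKWARE encryption and the WinZip AES scheme set the same bit, this one test catches either. A gateway working on a stream would apply the same test to each local file header as it arrives instead of waiting for the central directory.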

TMG can also now do URL filtering. This is category-based, so you can block categories of sites. The site lists can be acquired through an external service. You can override the HTTPS inspection for categories of sites as well – e.g. banking sites.

These are gathered into the heading of Web Access Policies, which cover URL filtering, https inspection and malware inspection.

Also interesting is the Intrusion Prevention System, which allows TMG to detect and block exploits for vulnerabilities even if the hotfix is not yet released (such as the SQL Slammer worm, for example). The demo of this was really cool, albeit in a geeky kind of a way. The exploit protection uses signatures which will be downloaded and deployed, and my understanding is that they are not limited to TMG.

The firewall can also now continue to run if the logging DB server goes away. TMG creates a log queue locally, continues to operate normally, and will update the DB when it comes back online. The log viewer also continues to work, albeit only accessing the local queued items.

This is all cool stuff. There’s lots more too, but the things I’ve mentioned here are of use to everyone, whereas some of the other stuff covered is certainly less applicable to us at BM because of the way we work. Another solid-looking new product that I would recommend anybody to look into, and particularly if you’re currently using ISA 2006.

TechEd EMEA IT: Day 2 – Windows 7 Feature Preview

So, the first session of the day was an extremely well-attended overview of Windows 7 features. When they talk about evolution rather than revolution with regard to Windows 7, I think that’s accurate. It was very much about developing and extending the foundations of Vista.

A few things stuck out, however. An almost throwaway comment about DirectAccess requiring IPsec and IPv6 means that I must dig deeper, and that the technology, whilst cool, is almost totally useless to me, stuck behind two layers of NAT in a managed building. BranchCache was again mentioned with, again, no indication of how it works – more digging required.

Most pertinent to me, however, was the development of Bitlocker. I am typing this as I sit in the room waiting for the deep dive session on Bitlocker enhancements to start. The key new feature in Windows 7 is the ability to encrypt removable drives using Bitlocker. Interestingly, admins can also use policies to enforce encryption, at which point unencrypted drives become read only. Backwards compatibility ensures that ‘Windows XP and Vista’ can ‘read’ data from the drives. I’m guessing they can’t write, and I’m also guessing (as it wasn’t mentioned) that non-windows systems need not apply.

That lack of cross platform (and now I’m talking about OSX and Linux) support may anger some, but for our company needs it’s irrelevant. We already ensure no customer or sensitive data is copied on removable storage, but being able to encrypt, and force the encryption of, all removable media attached to systems I own will help me be able to guarantee that any data copied from our systems is stored securely.

NOTE: Having now been to the deeper dive on Bitlocker, the current build of Windows 7 has no downlevel support. I’m really hoping this will change prior to launch (the presenter was carefully non-committal, and probably rightly so at this stage). If it doesn’t the technology is a dead duck for us, as I can’t guarantee being able to get all our machines up to Windows 7 in a reasonable timeframe.

Also of interest to me were the developments in deployment technologies. I will try to attend the appropriate sessions on these too – the ability to add new drivers to WIM and VHD files offline (and post-sysprep) could be a big benefit to us in extending the life of our system images, particularly as we look towards more automated provisioning of virtual machines from VHD and WIM files onto varied hardware (especially when I get my hands on Hyper-V in Windows 7!).

Overall it was a very interesting session, albeit shallow. Windows 7 is exciting – not because it is new and cool, but almost precisely because it isn’t. It is to Vista what Windows 2000 was to NT4 and XP beyond – evolved, more stable, more trustworthy.

Tech Ed EMEA IT 2008: Day 1 – Keynote

So, the keynote was interesting. Much of the content I had seen before, but there were some demos that were interesting and a few snippets that made me take note.

For example, I had not understood that the acquisition of Kidaro will enable interaction between applications running within a virtual machine and the host desktop in ways that are not currently achievable. That the technology will ship as part of a new Desktop Optimisation Pack was news. I believe the technology is named MED-V – Microsoft Enterprise Desktop Virtualisation.

SoftGrid was also mentioned as a solid way to achieve application virtualisation – a technology that I have not previously had chance to play with, but which is most definitely on my To Do list – I can think of a few specific practical uses for us. One of the ‘announcements’ of the keynote was the RTM of Application Virtualisation 4.5 (I believe, the solution formerly known as SoftGrid). Critically, the team behind application virtualisation are working on virtualising server applications. That has big implications for simplifying the deployment of new virtualised solutions and the stack of differencing disks and other VHDs needed.

Also of note – Server 2008 R2 includes the ability to live migrate virtual machines. What I did not know until today was that Server 2008 R2 M3 is available for download. I can feel some testing coming on…

On the subject of virtualisation, the release of System Centre Virtual Machine Manager including support for Hyper-V was also ‘announced’. I believe we’ve been running that for about a week now and I am pretty impressed with it (we’re currently migrating our Virtual Server 2005 VMs to Hyper-V – I’ll post about that experience another time).

What was new to me was the idea being worked on of using M – the modelling language launched as part of Oslo – to create models of systems which can then be provisioned using SCVMM. For the creation of development and test environments that sounds cool!

All of this is part of a concerted (if a little low-key, I thought) push to position Microsoft as the cost effective (read, cheaper!) solution for virtualisation and virtualisation management.

A couple of enviro-quickies:

  • Microsoft is the largest commercial purchaser of servers in the world and is bringing a new datacenter on-stream roughly once per quarter.
  • Their new DC in Quincy, WA is built next to a hydro-electric dam to ensure a clean source of energy.
  • The upcoming Dublin, Ireland DC will use natural air cooling, not air-con (and I’d love to hear more about that).

Announcement quickies:

  • SCOM 2007 R2 beta will be available for download at the end of November.
  • Centro – Essential Business Server will be ‘announced’ on November 12th.
  • Identity Lifecycle Manager ‘2’ RC is now available

A key new feature in Server 2008 R2 is the availability of ASP.Net on Server Core. That has big implications for SharePoint and you can bet I will be talking to the guys from Microsoft about that one later!

Also interesting were a few new Server 2008 R2 features:

  • DirectAccess – device can connect securely over internet without requiring VPN. We currently use ISA server but there are limitations. This might be handy…
  • Bitlocker to Go – encryption for USB drives (and other removable storage, I assume). Definitely interested in that one.
  • BranchCache – branch office caching solution for data. Sounds like WAN acceleration a la Riverbed to me, and the demo did nothing to change that view. Does this mean the caching server has to be the gateway for the WAN? What does it support in terms of applications, protocols etc? Another one to discuss during the week.

Tech ED EMEA IT: Day 1 – Waiting for the Keynote

It’s an exercise in surreality. I’ve just walked through tunnels reminiscent of THX1138, to emerge in a wonderful blue-bathed auditorium, and they’re playing the Akira soundtrack (specifically the bit from just after the first nuclear explosion). Weird.

Andy and I travelled all the way from Bradford, and the first guy we strike up conversation with… is from Salford! What are the odds?

Anyway, here’s a pic of the view from our seats. More after the keynote…

The Tech Ed stage - waiting for the keynote

TechEd EMEA IT: Day 1

It’s 7:25 AM. Andy and I are hoping to make a whistle-stop trip to the Cathedral before making it to the conference early enough to get good seats for the keynote.

I thought I’d take a picture of the conference pack, especially since I’ve heard grumblings about the PDC bag. The TechEd pack looks pretty much identical to the pack the devs brought home last year, to me.

TechEd EMEA Conference swag

However, when I opened the curtains I was greeted by a fantastic sunrise:

Sunrise over Barcelona

Here’s hoping it’s going to be a fun-packed day!

TechEd EMEA IT: Day 0 – Greetings from Barcelona

Hola! Andy and I are now in sunny Espana. Only it’s not sunny. Oh well… However, true to form we started our trip, having registered at the conference centre, by eating hot dogs in a German fast food joint in a Spanish shopping centre! If you’re passing, Kurz & Gut does pretty good food.

I’m also extremely impressed with the Metro system here in Barcelona. It’s my first time in the city, and the transport is pretty efficient, with a wonderful simple trip-based charging mechanism.

The only downside is that despite not travelling particularly far, we seem to have lost an entire day to travel. Up and out by 8:30am UK time, and we finally landed in the hotel here in Spain around 18:30 (17:30 UK time) – then we had to get across town to the conference centre.

Apparently, take-up on the shuttle service from the airport was low last year, so this year Microsoft didn’t bother. I can understand that, but at the same time it would have made our lives much easier, even if we would have needed to get from the conference centre to the hotel after registering. Perhaps that’s as much because we’re TechEd noobs – next year we’ll know where to go and how to get there, I guess.

So now we’re relaxing in the hotel bar, checking the conference schedules and noting the irony of how the prize-of-the-moment for all conference competitions is the Dell Mini 9 (I’m typing this on mine, and Andy stole Richard’s for the week!).

As I mentioned before, don’t be shy – if you’re in Barcelona at the moment and feel like being sociable, get in touch and we can try to meet up. Oh, and I hadn’t forgotten about Robert, but he’s effectively working!