Source: download.microsoft.com/documents/australia/busines… (Web view)

Deploying Enterprise Mobility and Collaboration

By Jerry Honeycutt, Roslyn Lutsch

Published December 2002

Abstract

Microsoft Windows XP wireless networking and the Microsoft Office XP collaboration features enable users to be more productive and help organizations reduce the costs of their infrastructures. This paper describes decision points and technologies for deploying this empowering combination of products. It also contains Microsoft’s best practices that the company learned from its own massive wireless-and-collaboration deployment project.


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, the Office logo, Windows, the Windows logo, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Microsoft Corporation • One Microsoft Way • Redmond, WA 98052-6399 • USA

Deploying Enterprise Mobility and Collaboration 0


Contents

Acknowledgments
Introduction
Plan Overview
Scope
    Objectives
    User Profiles
Environment Planning
    Network Infrastructure
    Wireless Topologies
    Placement and Coverage
    Wireless Clients
Configuration Planning
    Certificates
    Active Directory
    RADIUS
    Client Certificates
    Client Configuration
Pilot Planning
Rollout Planning
Summary
For More Information
Glossary


Acknowledgments

Mark Hassall, Microsoft Corporation

Bruce Kember, Microsoft Corporation

Warren Barkley, Microsoft Corporation

Anton Krantz, Microsoft Corporation

Drew Baron, Microsoft Corporation

Joseph Davies, Microsoft Corporation

David Talbott, Studio B

Elsa Rosenberg, Studio B


Introduction

Windows XP and wireless networking make mobile computing less costly and more effective. Users can be more productive because they can access their corporate network resources by using public and private wireless networks, as well as roam the building with their laptop computers and remain connected to the network. And Office XP adds collaboration features that keep users in touch with their partners, customers, and peers—anytime, anywhere.

The combination of Windows XP, Office XP, and wireless networking isn’t just beneficial to mobile users; it’s also beneficial to IT professionals. It helps reduce infrastructure costs, and it makes network connections more feasible to add at unconventional locations, such as conference rooms and dining areas. Features such as Wireless Zero Configuration make wireless networking easier for typical mobile users to configure, reducing deployment and support costs significantly. The paper Wireless Networking for Mobility and Collaboration gives you more information about the benefits of Windows XP and wireless networking. It also describes the important issues to consider and how Windows XP and the latest wireless standards address these issues.

This paper discusses issues and decision points you’ll encounter when deploying Windows XP and Office XP with wireless networking and describes how to create a deployment plan for this combination. After reading this paper, technical decision makers should understand the issues involved in deploying wireless networking, the steps necessary to create a deployment plan, and Microsoft’s own best practices.

In this paper, you find the following sections:

Plan Overview. The contents of a deployment plan.

Scope. How to define the scope of your project.

Environment Planning. How to plan for required environmental changes.

Configuration Planning. How to configure Windows XP for wireless networking.

Pilot Planning. How to pilot-test your wireless and collaboration plan.

Rollout Planning. How to roll out your wireless and collaboration configuration.


Plan Overview

This paper explains how to build a wireless-and-collaboration deployment plan. Depending on the scope of your project, you might require additional documentation or might comfortably skip some portions. Figure 1 shows each portion of the deployment plan that this paper describes:

Figure 1. Wireless and collaborative deployment phases

Scope. This part of the deployment plan defines the overall scope of the project, which clearly defines what the project includes. You should begin with the business case for deploying wireless-and-collaboration technologies, even though the decision to deploy has already been taken. Also, document the timing, budget, methods for prompting user cooperation, projected service levels, and acceptable results. Most importantly, clearly outline the objectives that the project is trying to reach.

Environment Planning. This section of the deployment plan documents the current environment as well as the planned wireless and collaborative environment. It includes the hardware, software (e.g., Windows XP, Office XP, server operating systems), and network infrastructure required to implement the project. This part of the plan also describes the locations of wireless access points (APs) and coverage planned in each conference room.

Configuration Planning. This part of the deployment plan describes how to migrate from the current environment to the planned wireless and collaborative environment. It clearly defines the Windows XP and Office XP configurations required to implement the plan. It also defines the configuration of servers, including Remote Authentication Dial-In User Service (RADIUS), Active Directory®, and Certificate Services. For example, this portion of the plan documents the security configuration for client computers, APs, and servers.

Pilot Planning. This section of the deployment plan describes how to pilot-test the project on a small but representative group of users. Feedback from this phase folds back into the deployment plan.

Rollout Planning. This part of the deployment plan contains a detailed strategy for rolling out your new environment. It also includes a detailed rollout schedule and logistics plan for actual deployment.

This paper describes deployment planning for wireless networking and collaboration with Windows XP and Office XP, which is less complex than a complete deployment of both products. If you’re deploying wireless networking and collaboration features as part of a larger deployment project, however, your deployment plan is necessarily more complex. Microsoft maintains two papers that specifically help you deploy Windows XP and Office XP. The first paper is Office XP Deployment Planning Blueprint, a strong guide for planning and rolling out Office XP in an enterprise. The second paper is Deploying Windows XP Part I: Planning, which describes the considerations to plan for when deploying Windows XP. Both of these papers are suitable for technical decision makers. A third paper, Deploying Windows XP Part II: Implementing, is suitable for the professionals who implement your plans because it is a more prescriptive guide to the technologies available for deploying Windows XP. This paper is based in part on the advice and methodologies that these papers describe.


Scope

The first part of the deployment plan is to define the project’s scope and objectives, ensuring they’re in line with the long-term goals of the enterprise. The plan should clearly identify the specific phases of the process and provide a clear, functional outline. It should clarify the scope of the project, the people and groups that the project affects, and the time frame that the project involves.

The following sections describe content that you should consider documenting in your deployment plan. Pick and choose content based on your organization’s established methodologies and practices. Other things to consider while documenting the scope of the project include the following:

Deployment numbers (computers, networks, users, buildings)

Deployment scope (Windows XP upgrades, hardware upgrades, server configurations)

Wireless locations (conference rooms, dining areas, and other locations to deploy APs)

Wireless requirements (coverage, bandwidth, and security requirements)

Objectives

Throughout planning and deployment, you’ll make decisions based on your organization’s vision for the project, which is based on factors relating to how your organization works and manages change. For instance, does IT let users handle their own desktop computing needs or does IT make decisions, control software distribution, and support user desktops (i.e., a locked-down environment)? The answer to this question affects the division of labor and who is responsible for various tasks.

A clear vision for the deployment makes it easier to decide issues and to include everyone in your plan, so you need to get all project stakeholders to agree to this vision and approve it before you move forward. Stakeholders aren’t just management—they’re also users, designers, and support. For example, describe why you’re deploying wireless networking and collaboration features, when the project starts, how long it should last, and who is responsible for the project. Keep the statement succinct (about one paragraph in length) and communicate it to everyone involved in the project. Use this vision statement as a decision-making guide.

Also, define the objectives that the project should achieve to be successful. Objectives are easier to read in a list format, with one objective per list item. Examples of objectives include the following:

Access. Ensure wireless access by planning for obstructions.

Connectivity. Improve connectivity for wireless laptop users.

Availability. Ensure availability of the wireless network.

Security. Secure the wireless network by implementing wireless security protocols.

Collaboration. Enable users to collaborate with other users and partners.

User Profiles

Consider the four types of mobile users (road warrior, corridor warrior, telecommuter, and data collector) and document their special requirements. For more information about the different types of mobile users, see the paper Windows XP and Office XP for Mobile Users. Here’s an overview of each profile:

Road Warrior. Road warriors are concerned with keeping in contact with peers, partners, and customers. They make decisions quickly, based on information they receive. They travel 80 percent of the time or less, and they often rely on public wireless networks to access the corporate network.

Corridor Warrior. Corridor warriors also keep in contact with peers, partners, and customers, but they don’t travel. Instead, they roam the building, darting from meeting to meeting. Wireless networking keeps them in touch and provides access to the corporate network while they’re away from their desks.

Telecommuter. Telecommuters travel between work and home about 25 percent of the time. They don’t usually require access to the corporate network while traveling, and they use cable or DSL modems to connect to the network by using a virtual private network (VPN) connection. Wireless networking benefits telecommuters when they use it to inexpensively network their homes. Also, telecommuters who use laptop computers benefit from using the wireless network at the office.

Data Collector. Data collectors travel 80 percent or more of the time and use traditional methods to connect to the corporate network, which are inconvenient, especially while visiting a customer’s site. They can rely on public wireless networks to access the corporate network.


Environment Planning

Before designing a wireless configuration for Windows XP and Office XP, document your current network infrastructure and conventions. This evaluation helps you determine strengths and weaknesses in your network so that you can more easily determine how to integrate wireless networking into it. If you already have an asset database, you can start with it. Typical items to document include the following:

How many wide area network (WAN) circuits are there?

How many wireless devices does your network have?

How many wireless APs are there?

How many IP subnets do you have?

How many Layer 2 switches are there?

How many servers does your network have worldwide?

How many LAN ports are there?

What network operating systems are you using?

What resources do you have or will you need?

What is the topology of your network?

Which computers require Windows XP upgrades?

Which computers require Office XP upgrades?

The answers to these questions give you a better idea about your network's physical topology. Next, consider upgrading older devices at the same time, or you might want to prepare for future technology and the growth of the company. Consult with your network specialist to determine whether you need to plan for the future or whether the current capabilities are enough.

Microsoft provides tools to help with this chore. You can use Microsoft Systems Management Server (SMS) to track hardware and software inventory. For more information about deployment procedures using SMS, see the white paper Using SMS 2.0 to Deploy Windows 2000. Also, Microsoft Visio Professional is an excellent tool for documenting your network’s topology.


Network Infrastructure

Collect information about both the hardware and software in your network infrastructure. Include the logical organization of your network, name- and address-resolution methods, naming conventions, and network services in use. Documenting the location of network sites and the available bandwidth between them can help you decide which deployment methods to use.

Also document the structure of your network, including server operating systems, file and print servers, directory services, domain and tree structures, server protocols, and file structure. You should also include information about network administration procedures, including backup and recovery strategies, antivirus measures, and data storage and access policies. If you use multiple server operating systems, note how you manage security and users' access to resources on the different platforms. You should also include network security measures in your assessment of the network. Include information about how you manage client authentication, user and group access to resources, and Internet security. Document the network’s firewall and proxy configurations, too.

Create physical and logical diagrams of your network to organize the information you gather. The physical and logical network diagrams should include the following information:

Physical diagram:

Physical communication links, including cables, and the paths of analog and digital lines

Location of printers, hubs, switches, routers, bridges, proxy servers, and other network devices

WAN communication links, their speeds, and available bandwidth between sites. If you have slow or heavily used connections, it’s important to note them.

Logical diagram:

Server names, IP addresses, and domain membership

Domain architecture

Server roles, including primary and backup domain controllers, Windows Internet Naming Service (WINS), and DNS servers

Trust relationships and any policy restrictions that might affect your deployment

In addition to documenting your existing network infrastructure, document any changes that your wireless network requires. For example, document any changes to the network’s security infrastructure. If you must add RADIUS servers for centralized authentication and authorization of wireless connections, document them as well. The paper Wireless Networking for Mobility and Collaboration contains more information about the specific infrastructure requirements for wireless networking and collaboration. The section “Configuration Planning” also describes the infrastructure required for a typical wireless network with Windows XP.

Wireless Topologies

Document the wireless network topologies that you’re building and how they’ll integrate with your wired network. Two wireless topologies are possible, but infrastructure is the most common in enterprises.


Infrastructure Topology. Infrastructure topologies require APs to provide wireless clients access to the wired network. They’re bridges that pass network traffic from the wireless client to the wired network. In this topology, you deploy wireless APs throughout each building as required to provide the coverage and performance specified in your deployment plan. Figure 2 shows an example of this topology.

Ad Hoc Topology. Ad hoc topologies don’t require APs. Instead, wireless clients connect directly with other wireless clients to form a temporary peer-to-peer network. By default, the Windows XP Wireless Zero Configuration service also tries to join an ad hoc network whenever a wireless AP isn’t available, and users can configure the wireless client for ad hoc mode exclusively. Exclusive ad hoc topologies aren’t suitable for most enterprise deployments. For enterprise laptops, configure Wireless Zero Configuration to access infrastructure (access point) networks only, so that a client away from corporate coverage doesn’t silently attach to an ad hoc network that some other computer advertises.

Figure 2. Example of infrastructure topology

The paper Windows XP Wireless Deployment Technology and Component Overview describes the infrastructure and ad hoc topologies in great detail. It also provides more information about how wireless APs work and the technologies they use to pass wireless client traffic to the wired network.

Placement and Coverage

From Microsoft’s experience with its own large-scale deployment (which you can read more about in the paper Microsoft Wireless LAN Deployment and Best Practices), you need to plan and document the placement of each wireless AP as well as each AP’s coverage area. There are a variety of issues to consider when planning the placement of APs. The following list provides an overview of the issues to document and plan for each building:

Document obstructions to wireless signals. You must plan to remove these obstructions or place APs to provide access around them.

Document the building areas that require wireless coverage. For example, you might determine that certain conference rooms require wireless coverage while others don’t, the dining areas require coverage, and community areas require coverage.

Determine the maximum number of users in each wireless area. Areas that will provide wireless access to limited numbers of users, such as small conference rooms, don’t require as much tweaking as areas where you anticipate large groups of wireless users, such as dining areas. Techniques are available for maximizing performance in densely populated areas. The note below at the end of this section gives more detail about tuning wireless performance in specific coverage areas.


When choosing and deploying wireless APs, use the best practices that Microsoft learned from its own wireless-and-collaboration deployment project as follows:

Use wireless APs that support 802.1X, 128-bit WEP, and both multicast/global and unicast session encryption keys. Static WEP keys are cryptographically weak, so this combination matters: with 802.1X, each client receives its own unicast session key derived during EAP authentication, and keys can be re-issued periodically, rather than every client sharing one long-lived key that anyone can capture traffic against.

Change the administration configuration of the wireless AP, such as administrator-level usernames and passwords, from its default configuration.

If you’re installing wireless APs in the plenum area (the space between the ceiling tiles and the ceiling), you must obtain plenum-rated wireless APs to comply with fire-safety codes.

To minimize cross talk on the 802.11b wireless frequencies in the ISM band, overlapping coverage areas should have a five-channel separation (channels are 5 MHz apart and each signal occupies about 22 MHz). For example, in the United States, use channels 1, 6, and 11.

If you’re using SNMP to manage or configure wireless APs, change the default SNMP community name. If possible, use wireless APs that support SNMPv2. Note that SNMPv1 and SNMPv2c both send the community name in cleartext, so treat it as a password and restrict SNMP access to your management network; SNMPv3 adds per-user authentication and encryption where the AP supports it.

Note: Overloaded APs slow down the performance of your whole wireless network. Keep each AP to no more than 20–25 connected wireless clients, and plan for an average of two to four active users per AP. Where you expect a denser concentration of wireless connections, such as in a conference room, lower the transmit power of your wireless APs. Doing so reduces the coverage area of each AP, which lets you place more APs closer together and spreads the available bandwidth across more clients, increasing performance. For more performance information, see Windows XP Performance.
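The five-channel rule above follows from the channel spacing and signal width, and a placement plan with many overlapping coverage areas is easy to get wrong by hand. The following Python script is an added example (not from the Microsoft paper) that derives the interference rule from the 2.4 GHz channel frequencies, checks a plan for overlapping APs on interfering channels, and assigns channels from the 1/6/11 palette by greedy graph colouring. The AP names, the floor plan (which pairs of coverage areas overlap) and the deliberately bad plan are constructed for the example.

```python
"""802.11b channel plan checker for overlapping AP coverage areas.

Added example, not from the Microsoft paper. 802.11b channels in the 2.4 GHz
ISM band sit 5 MHz apart (channel 14, Japan only, is the exception at
2484 MHz) and each signal occupies about 22 MHz, which is why overlapping
coverage areas need five channels of separation. AP names and overlaps below
are constructed."""
CHANNEL_SPACING_MHZ = 5
SIGNAL_WIDTH_MHZ = 22
US_PALETTE = (1, 6, 11)  # the only mutually non-interfering set among US channels 1-11


def center_frequency_mhz(channel):
    """Center frequency of an 802.11b channel."""
    if not 1 <= channel <= 14:
        raise ValueError(f"no such 802.11b channel: {channel}")
    return 2484 if channel == 14 else 2407 + CHANNEL_SPACING_MHZ * channel


def channels_interfere(a, b):
    """True if the two 22 MHz signals overlap at all (e.g. channels 1 and 5)."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < SIGNAL_WIDTH_MHZ


def find_conflicts(plan, overlaps):
    """Overlapping AP pairs whose assigned channels interfere.

    plan: {ap_name: channel}; overlaps: (ap, ap) pairs whose coverage areas overlap."""
    return sorted((a, b) for a, b in overlaps if channels_interfere(plan[a], plan[b]))


def assign_channels(aps, overlaps, palette=US_PALETTE):
    """Greedy colouring: most-constrained AP first, first palette channel that does
    not interfere with any already-assigned overlapping neighbour.

    Raises ValueError when the palette is exhausted; with (1, 6, 11) that means
    four APs all overlap each other, so lower their power or move one."""
    neighbours = {ap: set() for ap in aps}
    for a, b in overlaps:
        neighbours[a].add(b)
        neighbours[b].add(a)
    plan = {}
    for ap in sorted(aps, key=lambda x: -len(neighbours[x])):
        used = {plan[n] for n in neighbours[ap] if n in plan}
        choice = next((c for c in palette
                       if not any(channels_interfere(c, u) for u in used)), None)
        if choice is None:
            raise ValueError(f"{ap}: every channel in {palette} conflicts with a neighbour")
        plan[ap] = choice
    return plan


# Constructed floor: four APs; each tuple is a pair whose coverage areas overlap.
FLOOR_APS = ['conf-101', 'conf-102', 'conf-103', 'dining']
FLOOR_OVERLAPS = [('conf-101', 'conf-102'), ('conf-102', 'conf-103'),
                  ('conf-103', 'dining'), ('conf-101', 'conf-103')]
# A plan that ignores the separation rule: channels 1 and 3 overlap by 12 MHz.
BAD_PLAN = {'conf-101': 1, 'conf-102': 3, 'conf-103': 11, 'dining': 6}

if __name__ == '__main__':
    print(find_conflicts(BAD_PLAN, FLOOR_OVERLAPS))  # [('conf-101', 'conf-102')]
    print(assign_channels(FLOOR_APS, FLOOR_OVERLAPS))
```

The overlap list is the survey output the section asks you to document: once you know which coverage areas overlap, `assign_channels` either produces a conflict-free plan or tells you which AP cannot be fitted, which is the signal to reduce transmit power or reposition it as the note above describes.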

Wireless Clients

Document the following information about your wireless clients (add to this list to suit your needs):

Inventory of potential wireless users and clients in the company

Inventory of Windows versions on each potential wireless client computer

Inventory of wireless network adapters already deployed

Inventory of types and versions of wireless device drivers already deployed

Inventory of existing wireless clients requiring Windows XP upgrades

Additional hardware required, including smart cards and readers

Windows XP supports a variety of wireless LAN adapters; that is, the operating system ships with device drivers for many wireless NICs. Still other NICs support Windows XP through drivers that you can download from the independent hardware vendors’ (IHVs’) Web sites. Before selecting a wireless NIC for use with Windows XP, however, check the Hardware Compatibility List (HCL) at http://www.microsoft.com/hwdq/hcl/. It lists the wireless NICs that have passed the Hardware Compatibility Tests (HCTs) for the most recent version of Windows XP. The list isn’t exhaustive: many devices that use compatible device identifiers or emulate other devices also work on Windows XP.


When choosing and deploying wireless network adapters, use the following best practices:

Use wireless network adapters whose drivers support the Windows XP Wireless Zero Configuration service.

Use wireless network adapters that support IEEE 802.1X, 128-bit WEP encryption keys, and both multicast/global and unicast session keys.

For easier deployment, use wireless network adapters that have Plug and Play (PnP) drivers already included with Windows XP or are available through Windows Update.

Avoid installing wireless configuration utilities that are provided with the wireless network adapter, and use the Windows XP Wireless Zero Configuration service.


Configuration Planning

Using this section as a guide, document the configuration of your wireless clients, wireless APs, and infrastructure servers. This section is an overview of the decisions you must make and directs you to resources where you can get more detailed, technical information about each topic. This paper assumes that you’re deploying a typical wireless configuration, such as the following:

Wireless client computers running Windows. Windows XP has built-in support for Wi-Fi (IEEE 802.11b) wireless networking and IEEE 802.1X authentication using the Extensible Authentication Protocol (EAP). Windows XP is the best choice for wireless networking, but Windows 2000 supports IEEE 802.1X authentication when the Microsoft 802.1X Authentication Client is installed.

At least two Windows 2000 Internet Authentication Service (IAS) servers. Using two IAS servers (one primary and one secondary) provides fault tolerance for RADIUS-based authentication. If only one RADIUS server is configured and it becomes unavailable, wireless access clients cannot connect. By using two IAS servers and configuring all wireless APs (which are the RADIUS clients) for both the primary and secondary IAS servers, the RADIUS clients can detect when the primary RADIUS server is unavailable and automatically fail over to the secondary IAS server. The Windows 2000 IAS servers must have Service Pack 3 (SP3) or later and Microsoft 802.1X Authentication Client installed.

Active Directory service domains. Active Directory domains contain the user and computer accounts and their dial-in properties that each IAS server requires to authenticate credentials and evaluate both authorization and connection constraints. While not a requirement, to both optimize IAS authentication and authorization response times and minimize network traffic, IAS should be installed on Active Directory domain controllers. The domain controllers must have SP3 or later installed.

Computer certificates installed on the IAS servers. Regardless of which wireless authentication method you use, you must install computer certificates on the IAS servers.

For EAP-Transport Layer Security (EAP-TLS) authentication, a certificate infrastructure. EAP-TLS is used with locally installed computer certificates, user certificates, or smart cards to authenticate wireless clients. A certificate infrastructure, also known as a public key infrastructure (PKI), is needed to issue and validate these certificates.

For Protected EAP (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) authentication, a trusted root certification authority (CA) certificate on each wireless client. PEAP-MS-CHAP v2 is a password-based secure authentication method for wireless connections: the client first authenticates the IAS server by its computer certificate and then runs the MS-CHAP v2 exchange inside the resulting TLS tunnel. The client can do that only if it trusts the issuer of the IAS server certificate, so depending on who issued the IAS server computer certificates, you might need to install that issuer’s root CA certificate on each wireless client. Configure the clients to validate the server certificate; a client that skips that check will run MS-CHAP v2 against any AP and RADIUS server that presents a certificate, handing the password exchange to an impostor.


Wireless remote access policy. A remote access policy is configured for wireless connections so that employees can access the enterprise intranet.

Multiple wireless APs. Multiple third-party wireless APs provide wireless access in different buildings of an enterprise. The wireless APs must support IEEE 802.1X. The section “Placement and Coverage” describes planning the placement and coverage area of each AP.
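The RADIUS failover described above (the AP as RADIUS client, a primary and a secondary IAS server) is easiest to reason about with the packets in hand. The following Python script is an added example, not from the Microsoft paper and not Microsoft’s code: it builds an RFC 2865 Access-Request carrying an EAP-Message, adds the RFC 3579 Message-Authenticator that such requests must carry, has the server verify it under the shared secret, and has the AP verify the Response Authenticator before trusting an Accept. The two IAS servers are in-process functions standing in for real servers; the server names, shared secrets, user name, NAS address and EAP identity are constructed.

```python
"""RADIUS Access-Request/Accept with primary/secondary failover (RFC 2865,
Message-Authenticator per RFC 3579). Added example, not from the Microsoft paper:
the IAS "servers" are in-process functions, and the server names, shared secrets,
user name and NAS address are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80


def _attr(kind, value):
    """One Type-Length-Value attribute; Length includes the 2-byte header."""
    return bytes([kind, len(value) + 2]) + value


def _parse_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        kind, length = data[pos], data[pos + 1]
        attrs.append((kind, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(ident, request_auth, secret, user, nas_ip, eap):
    """Access-Request carrying an EAP-Message; RFC 3579 then requires Message-Authenticator."""
    body = (_attr(USER_NAME, user.encode())
            + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split('.')))
            + _attr(EAP_MESSAGE, eap))
    # HMAC-MD5 keyed with the shared secret over the whole packet, MA attribute zeroed.
    padded = body + _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack('!BBH', ACCESS_REQUEST, ident, 20 + len(padded)) + request_auth
    mac = hmac.new(secret, header + padded, hashlib.md5).digest()
    return header + body + _attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Server side: recompute the HMAC; a forged packet or wrong secret fails here."""
    attrs = _parse_attrs(packet[20:])
    received = next((v for k, v in attrs if k == MESSAGE_AUTHENTICATOR), None)
    if received is None or len(received) != 16:
        return False
    zeroed = packet[:20] + b''.join(
        _attr(k, bytes(16) if k == MESSAGE_AUTHENTICATOR else v) for k, v in attrs)
    return hmac.compare_digest(received, hmac.new(secret, zeroed, hashlib.md5).digest())


def build_response(code, request, secret, attrs=b''):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    prefix = struct.pack('!BBH', code, request[1], 20 + len(attrs))
    return prefix + hashlib.md5(prefix + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """RADIUS client (the AP) side: bind the reply to the request it sent."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(response[4:20], expected)


def ias_server(secret, allowed_users):
    """Stand-in for one IAS server: returns handler(packet) -> response, or None to discard."""
    def handle(packet):
        if not verify_message_authenticator(packet, secret):
            return None  # RFC 3579: silently discard, as a real server does
        user = next(v for k, v in _parse_attrs(packet[20:]) if k == USER_NAME)
        code = ACCESS_ACCEPT if user.decode() in allowed_users else ACCESS_REJECT
        return build_response(code, packet, secret)
    return handle


def unreachable_server(packet):
    """Simulates a primary IAS server that is down: the AP's request times out."""
    raise TimeoutError


def authenticate(servers, user, nas_ip, eap):
    """AP logic: try each (name, secret, handler) in order, failing over on timeout.
    Returns (server_name, accepted); raises ConnectionError if no server replies."""
    for ident, (name, secret, handler) in enumerate(servers, start=1):
        request = build_access_request(ident, os.urandom(16), secret, user, nas_ip, eap)
        try:
            response = handler(request)
        except TimeoutError:
            continue  # primary unavailable: fall through to the secondary
        if response is None or not verify_response(response, request, secret):
            raise ValueError(f"{name}: reply missing or not authenticated")
        return name, response[0] == ACCESS_ACCEPT
    raise ConnectionError("no RADIUS server reachable; wireless client cannot connect")


# Constructed: a dead primary and a live secondary, each with its own shared secret.
SECRET_PRIMARY, SECRET_SECONDARY = b'ias1-shared-secret', b'ias2-shared-secret'
SERVERS = [
    ('IAS-primary', SECRET_PRIMARY, unreachable_server),
    ('IAS-secondary', SECRET_SECONDARY, ias_server(SECRET_SECONDARY, {'alice'})),
]
EAP_IDENTITY = b'\x02\x01\x00\x0a\x01alice'  # constructed EAP-Response/Identity
```

Two details carry over to a real deployment. Each AP must be registered on both IAS servers with the right shared secret, because a request signed under the wrong secret is silently discarded rather than rejected, which looks to the AP exactly like a dead server. And the AP should verify the Response Authenticator, as `verify_response` does, so that an Access-Accept injected by something other than the IAS server it asked does not admit a client.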

Certificates

Table 1 summarizes the certificates needed for the different types of authentication.

Table 1. Authentication types and certificates

Authentication Type: PEAP-MS-CHAP v2
  Credentials on Wireless Client: Account name and password; root CA certificates for issuers of IAS server computer certificates
  Certificates on IAS Server: Computer certificates

Authentication Type: EAP-TLS or PEAP-TLS
  Credentials on Wireless Client: Computer certificates; user certificates; root CA certificates for issuers of IAS server computer certificates
  Certificates on IAS Server: Computer certificates; root CA certificates for issuers of wireless client computer and user certificates

Regardless of which authentication method you use for wireless connections, EAP-TLS or PEAP-MS-CHAP v2, you must install computer certificates on the IAS servers.

For PEAP-MS-CHAP v2, you do not need to deploy a certificate infrastructure to issue computer and user certificates for each wireless client computer. Instead, you can obtain individual certificates for each IAS server in your enterprise from a commercial CA and install them on the IAS servers. For more information, see PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access. Windows XP wireless clients include a number of root CA certificates for well-known and trusted commercial CAs. If you obtain computer certificates from a commercial CA for which there is already an installed root CA certificate, there are no additional certificates to install on the Windows wireless clients. If you obtain computer certificates from a commercial CA for which there isn’t already an installed root CA certificate, you must install the root CA certificates for the issuers of the computer certificates installed on the IAS servers on each Windows wireless client.

For computer authentication using EAP-TLS, you must install a computer certificate (also known as a machine certificate) on the wireless client computer. A computer certificate installed on the wireless client computer is used to authenticate the wireless client computer so that the computer can obtain network connectivity to the enterprise intranet prior to user login. For user authentication with EAP-TLS after a network connection is made and the user logs in, you must install a user certificate on the wireless client computer. The computer certificate is installed on the IAS server computer so that during EAP-TLS authentication, the IAS server has a certificate to send to the wireless client computer for mutual authentication, regardless of whether the wireless client computer authenticates with a computer certificate or a user certificate.


In a typical implementation, the certificate infrastructure is configured by using a single-root CA in a three-level hierarchy consisting of root CA/intermediate CAs/issuing CAs. Issuing CAs are configured to issue computer certificates or user certificates. When the computer or user certificate is installed on the wireless client, the issuing CA certificate, intermediate CA certificates, and the root CA certificate are also installed. When the computer certificate is installed on the IAS server computer, the issuing CA certificate, intermediate CA certificates, and the root CA certificate are also installed. The issuing CA for the IAS server certificate can be different than the issuing CA for the wireless client certificates. In this case, both the wireless client and the IAS server computer have all the required certificates to perform certificate validation for EAP-TLS authentication.

When installing a certificate infrastructure, use the following best practices from Microsoft’s own deployment:

Plan your PKI before deploying CAs.

The root CA should be offline, and its signing key should be secured by a Hardware Security Module (HSM) and kept in a vault to minimize potential for key compromise.

Organizations should not issue certificates to users or computers directly from the root CA but rather should deploy the following: an offline root CA, offline intermediate CAs, and online issuing CAs (using Windows 2000 Certificate Services as an enterprise CA). This CA infrastructure provides flexibility and insulates the root CA from attempts to compromise its private key by malicious users. The offline root and intermediate CAs don’t need to be Windows 2000 CAs. Issuing CAs can be subordinates of a third-party intermediate CA.

Backing up the CA database, the CA certificate, and the CA keys is essential to protect against the loss of critical data. You should back up the CA on a regular basis (daily, weekly, monthly) based on the number of certificates issued over the same interval. The more certificates issued, the more frequently you should back up the CA.

You should review the concepts of security permissions and access control in Windows, as enterprise CAs issue certificates based on the security permissions of the certificate requester.

Additionally, if you want to take advantage of auto-enrollment for computer certificates, use Windows 2000 Certificate Services and create an enterprise CA at the issuer CA level. For more information, see the topic titled "Checklist: Deploying certification authorities and PKI for an intranet" in Windows 2000 Server Help.

If you already have a certificate infrastructure for EAP-TLS authentication and are using RADIUS for dial-up or VPN remote access connections, you can use the same certificate infrastructure for wireless connections. However, you must ensure that computer certificates are installed for computer authentication.

For an in-depth discussion about improving security with PKI, see Public Key Infrastructure.

Active Directory

To configure Active Directory user and computer accounts and groups for wireless access, do the following:

1. Install Windows 2000 SP3 or later on all domain controllers.

2. Ensure that all users that are making wireless connections have a corresponding user account.

3. Ensure that all computers that are making wireless connections have a corresponding computer account.


4. Based on your remote access policy administrative model, set the remote access permission on user and computer accounts to the appropriate settings. The remote access permission setting is on the Dial-in tab on the properties of a user or computer account in the Active Directory Users and Computers snap-in.

5. Organize your wireless access user and computer accounts into the appropriate groups. For a native-mode domain, you can use universal and nested global groups. For example, create a universal group named WirelessUsers that contains global groups of wireless user and computer accounts for intranet access.

Note: Although the steps above don’t always name Active Directory explicitly, it holds all of the objects on the network and is therefore involved in Group Policy and in managing domains. Configure all appropriate domain system containers for automatic enrollment of certificates. You can do this through Group Policy inheritance or explicit configuration. For native-mode domains that use group-based wireless remote access policy, you can use global and universal groups to organize your accounts into a single group. Set remote access permissions for computer and user accounts to Control access through Remote Access Policy. With a Windows 2000 enterprise CA as the issuing CA, you can set the Automatic Certificate Request Settings group policy to issue computer certificates to all domain members automatically. For more information, see Active Directory.

RADIUS

IAS in Windows 2000 Server is the Microsoft implementation of a RADIUS server. IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless, authenticating switch, dial-up and VPN remote access, and router-to-router connections. IAS enables the use of a heterogeneous set of wireless, switch, remote access, or VPN equipment and can be used with Windows 2000 Routing and Remote Access service. When an IAS server is a member of an Active Directory-based domain, IAS uses Active Directory as its user account database and is part of a single sign-on (SSO) solution. The same set of credentials is used for network access control (authenticating and authorizing access to a network) and to log on to an Active Directory-based domain.

Do the following to configure a primary and secondary IAS server:

Configure IAS so that it can access account information and perform logging, and configure the UDP ports and the RADIUS clients that correspond to the wireless APs.

The primary IAS server computer must be able to access account properties in the appropriate domains. If IAS is being installed on a domain controller, no additional configuration is required in order for IAS to access account properties in the domain of the domain controller. If IAS isn’t installed on a domain controller, you must configure the primary IAS server computer to read the properties of user accounts in the domain. If the IAS server authenticates wireless connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the IAS server computer is a member. Then, configure the IAS server computer to read the properties of user accounts in other domains. If there are accounts in other domains, and those domains do not have a two-way trust with the domain in which the IAS server computer is a member, you must configure a RADIUS proxy between the two untrusted domains. If there are accounts in other Active Directory forests, you must configure a RADIUS proxy between the forests. For more information, including step-by-step instructions, see Enterprise Deployment of IEEE 802.11 Using Windows XP and Windows 2000 Internet Authentication Service.

Configure remote access policies for wireless access.


Remote access policies are rules that define how connections are accepted or rejected. For each rule, there are one or more conditions, a set of profile settings, and a remote access permission setting. If a connection is authorized, the remote access policy profile specifies restrictions. The dial-in properties of the user account also provide restrictions. Where applicable, user account connection restrictions override the remote access policy profile connection restrictions. You can define remote access policies based on information such as group membership, connection type, time of day, and so on. You can also restrict access after allowing a connection. For example, you can specify an idle timeout period and maximum session time. For more information, including step-by-step instructions, see Enterprise Deployment of IEEE 802.11 Using Windows XP and Windows 2000 Internet Authentication Service.
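The evaluation order described above (conditions, then the account’s dial-in permission, then the policy’s permission and profile) is easy to get wrong when policies are layered. The following is an added example, not code from this paper or from IAS: a simplified model of that evaluation, assuming that policies are tried in order, that the first policy whose conditions all match decides, that an account set to Allow or Deny overrides the policy’s own permission, and that no matching policy means the connection is rejected. The policy set, group name, and hours are constructed for illustration.

```python
# Added example (not Microsoft's code): a simplified model of how a RADIUS
# server such as IAS evaluates remote access policies for a wireless
# connection. Assumptions: policies are tried in order, the first policy
# whose conditions all match decides, and the account's dial-in setting
# (Allow / Deny / Control access through Remote Access Policy) takes
# precedence over the policy's own permission.
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# RFC 2865 NAS-Port-Type value 19 is "Wireless - IEEE 802.11".
WIRELESS_PORT_TYPE = 19


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # Active Directory group memberships (constructed)
    nas_port_type: int       # RADIUS NAS-Port-Type attribute
    hour: int                # local hour of day, 0-23


@dataclass(frozen=True)
class Profile:
    idle_timeout_min: Optional[int] = None
    session_timeout_min: Optional[int] = None


@dataclass
class Policy:
    name: str
    conditions: List[Callable[[Request], bool]]
    grant: bool                                   # the policy's remote access permission
    profile: Profile = field(default_factory=Profile)


@dataclass(frozen=True)
class Decision:
    accepted: bool
    policy: Optional[str]
    reason: str
    profile: Optional[Profile] = None


def in_group(name):
    return lambda r: name in r.groups


def port_type(value):
    return lambda r: r.nas_port_type == value


def between_hours(start, end):
    return lambda r: start <= r.hour < end


def evaluate(req: Request, policies: List[Policy], dialin: str) -> Decision:
    """dialin is the account's Dial-in tab setting: 'allow', 'deny' or 'policy'."""
    for p in policies:
        if not all(cond(req) for cond in p.conditions):
            continue                                # conditions fail: try the next policy
        if dialin == "deny":
            return Decision(False, p.name, "account dial-in permission is Deny")
        if dialin == "allow" or p.grant:
            return Decision(True, p.name, "accepted", p.profile)
        return Decision(False, p.name, "policy permission is Deny")
    # No policy matched: the connection is rejected whatever the account says.
    return Decision(False, None, "no matching remote access policy")


# Constructed policy set: a group-based wireless policy with profile
# restrictions (idle and session timeouts), followed by a catch-all deny.
WIRELESS_POLICIES = [
    Policy("Wireless access for WirelessUsers",
           [in_group("WirelessUsers"), port_type(WIRELESS_PORT_TYPE), between_hours(6, 22)],
           grant=True,
           profile=Profile(idle_timeout_min=10, session_timeout_min=480)),
    Policy("Deny everything else", [], grant=False),
]

if __name__ == "__main__":
    r = Request("alice", frozenset({"WirelessUsers"}), WIRELESS_PORT_TYPE, 10)
    print(evaluate(r, WIRELESS_POLICIES, "policy"))
```

Putting a catch-all deny policy last makes the behaviour explicit: an account whose dial-in permission is Control access through Remote Access Policy is rejected unless an earlier policy grants it, while an account set to Allow still needs some policy to match before the profile restrictions are applied.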

After installing the primary and secondary IAS servers, you must configure the RADIUS client on your third-party wireless APs by using the following settings:

The IP address or name of the primary IAS server, the shared secret, UDP ports for authentication and accounting, and failure detection settings

The IP address or name of the secondary IAS server, the shared secret, UDP ports for authentication and accounting, and failure detection settings

For more information, see the documentation for the wireless AP. For information about Enterasys wireless APs, see http://www.enterasys.com/. For information about Cisco access points, see Cisco’s home page at http://www.cisco.com/. For information about Agere Systems access points, see Agere's ORiNOCO Web site at http://www.orinocowireless.com/.

When deploying your RADIUS infrastructure for wireless access, use the following best practices from Microsoft’s own wireless-and-collaboration deployment project:

If supported by your wireless APs, use Internet Protocol Security (IPSec) and Encapsulating Security Payload (ESP) to provide data confidentiality for RADIUS traffic between the wireless AP and the IAS servers and between IAS servers. Use 3DES encryption and, if possible, certificates for Internet Key Exchange (IKE) main mode authentication. IPSec settings for RADIUS traffic sent between IAS servers can be configured by using Group Policy and assigned at the Active Directory system container level. For more information about IPSec, see the Windows 2000 IPSec Web site.

To provide the maximum security for unprotected RADIUS traffic, choose RADIUS shared secrets that are random sequences of uppercase and lowercase letters, numbers, and punctuation at least 22 keyboard characters long. If possible, use a random character generation program to determine shared secrets to configure on the IAS server and the wireless AP.

Use as many different RADIUS shared secrets as possible. The actual number of RADIUS shared secrets depends on configuration constraints and management considerations. For example, IAS allows the configuration of RADIUS shared secrets on a per-client or per-server basis. However, many wireless APs allow for the configuration of a single RADIUS shared secret for both primary and secondary RADIUS servers. In this case, a single RADIUS shared secret is used for two different RADIUS client-RADIUS server pairs: the wireless AP with its primary RADIUS server and the wireless AP with its secondary RADIUS server. Additionally, if you’re using the netsh aaaa show and netsh exec commands to copy the configuration of one IAS server (the primary) to another (the secondary), the RADIUS shared secret for each wireless AP/primary IAS server pair must be the same as the RADIUS shared secret for each wireless AP/secondary IAS server pair. Because the Windows .NET Server 2003 version of IAS allows you to configure a range of IP addresses to define a single RADIUS client (for example, all the wireless APs on a single subnet in a single building at Microsoft), all the wireless AP/IAS server pairs defined by the IAS RADIUS client are configured with the same RADIUS shared secret.
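The shared secret matters because, when RADIUS traffic isn’t protected by IPSec, it is the only thing that authenticates the AP to the IAS server and the IAS server’s replies to the AP. The following is an added example, not code from this paper or from IAS: it generates a shared secret of the recommended form (at least 22 random characters mixing letters, numbers, and punctuation) and shows the two places RFC 2865 and RFC 2869 use the secret on the wire, the Response Authenticator that an AP checks on every Access-Accept or Access-Reject, and the Message-Authenticator attribute that EAP requests carry. The packet contents, identifier, and request authenticator are constructed values.

```python
# Added example (not Microsoft's code): generating a RADIUS shared secret and
# using it as RFC 2865 / RFC 2869 do. The server proves it holds the secret
# through the Response Authenticator (MD5 over the reply plus the secret), and
# EAP traffic carries a Message-Authenticator (HMAC-MD5 keyed with the secret),
# so a short or guessable secret weakens both. All packet values are constructed.
import hashlib
import hmac
import secrets
import string
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 1, 61, 80
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_shared_secret(length=22):
    """Random mix of upper/lower case, digits and punctuation, at least 22 characters.
    Encode the result (for example, secret.encode()) before using it as a key."""
    if length < 22:
        raise ValueError("use at least 22 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1) Value; Length counts the 2 header bytes.
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(ident, request_auth, attrs, secret):
    """Access-Request carrying a Message-Authenticator (required with EAP, RFC 3579)."""
    pkt = build_packet(ACCESS_REQUEST, ident, request_auth,
                       attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    mac = hmac.new(secret, pkt, hashlib.md5).digest()   # computed with the value zeroed
    return pkt[:-16] + mac                               # it was appended last, so patch it in


def verify_message_authenticator(pkt, secret):
    """Recompute HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    length = struct.unpack("!H", pkt[2:4])[0]
    offset = 20
    while offset + 2 <= length:
        t, l = pkt[offset], pkt[offset + 1]
        if l < 2:
            return False                                 # malformed attribute
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            received = pkt[offset + 2:offset + 18]
            zeroed = pkt[:offset + 2] + bytes(16) + pkt[offset + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, received)
        offset += l
    return False                                         # attribute absent


def build_reply(code, ident, request_auth, attrs, secret):
    """Reply whose authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_reply(pkt, request_auth, secret):
    """What a RADIUS client does before trusting an Access-Accept or Access-Reject."""
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:length] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])
```

Note that both checks rest on MD5 and on the secret alone, which is why the paper recommends IPSec ESP between APs and IAS servers where the APs support it, and a distinct secret for every AP/server pair where the equipment allows it.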

When there are separate account databases, such as different Active Directory forests or domains that don’t have two-way trusts, you must use a RADIUS proxy between the wireless APs and the RADIUS servers providing the authentication and authorization processing. Windows .NET Server 2003 IAS supports RADIUS proxy functionality through the configuration of connection request policies and remote RADIUS server groups. For this example, connection request policies are created to match different portions of the User-Name RADIUS attribute corresponding to each account database (such as different Active Directory forests). RADIUS messages are forwarded to a member of the corresponding remote RADIUS server group matching the connection request policy.

Investigate whether the wireless APs need RADIUS vendor-specific attributes (VSAs) and configure them during the configuration of the remote access policy on the Advanced tab of the remote access policy profile.

For a large amount of authentication traffic within an Active Directory forest, use a layer of RADIUS proxies running Windows .NET Server 2003 IAS between the wireless APs and the RADIUS servers. By default, an IAS RADIUS proxy balances the load of RADIUS traffic across all the members of a remote RADIUS server group on a per-authentication basis and uses failover and failback mechanisms. Members of a remote RADIUS server group can also be individually configured with priority and weight settings so that the IAS proxy favors specific RADIUS servers.
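The two proxy behaviours described above, routing by a portion of User-Name to a remote RADIUS server group and balancing, failover, and failback within the group, are modelled in the following added example. It is not code from this paper or from IAS: connection request policies are regular expressions tried in order, a member’s availability flag stands in for the proxy’s failure detection, and the weighted round-robin used to spread load across members of equal priority is an assumption chosen to illustrate the weight setting; the page does not describe IAS’s exact distribution algorithm. Server names and realms are constructed.

```python
# Added example (not Microsoft's code): a model of RADIUS proxy routing as the
# text describes it. Connection request policies match part of the User-Name
# attribute and forward to a remote RADIUS server group; within a group the
# proxy balances across members, fails over to lower-priority members when the
# preferred ones are down, and fails back when they return. The weighted
# round-robin below is an assumption for illustration.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    priority: int = 1        # lower value is preferred
    weight: int = 50         # share of traffic among servers of equal priority
    available: bool = True   # set by failure detection (constructed here)


@dataclass
class ServerGroup:
    name: str
    members: List[RadiusServer]


@dataclass
class ConnectionRequestPolicy:
    name: str
    user_name_pattern: str   # regular expression matched against User-Name
    group: ServerGroup


class RadiusProxy:
    def __init__(self, policies: List[ConnectionRequestPolicy]):
        self.policies = policies
        self._counter: Dict[str, int] = {}   # per-group round-robin position

    def route(self, user_name: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (policy name, server name), or (None, None) if no policy matches."""
        for policy in self.policies:          # evaluated in order, first match wins
            if re.match(policy.user_name_pattern, user_name):
                server = self._select(policy.group)
                return policy.name, (server.name if server else None)
        return None, None

    def _select(self, group: ServerGroup) -> Optional[RadiusServer]:
        alive = [m for m in group.members if m.available]
        if not alive:
            return None
        best = min(m.priority for m in alive)      # failover and failback follow priority
        preferred = [m for m in alive if m.priority == best]
        ring = [m for m in preferred for _ in range(m.weight)]   # weighted round-robin
        i = self._counter.get(group.name, 0)
        self._counter[group.name] = i + 1
        return ring[i % len(ring)]


def build_sample_proxy():
    """Constructed topology: two forests, each behind its own server group."""
    corp = ServerGroup("CORP forest", [
        RadiusServer("ias1.corp.example", priority=1, weight=1),
        RadiusServer("ias2.corp.example", priority=1, weight=1),
        RadiusServer("ias3.corp.example", priority=2, weight=1),   # backup only
    ])
    partner = ServerGroup("PARTNER forest", [RadiusServer("ias.partner.example")])
    proxy = RadiusProxy([
        ConnectionRequestPolicy("corp.example realm", r"^[^@\\]+@corp\.example$", corp),
        ConnectionRequestPolicy("PARTNER domain prefix", r"^PARTNER\\", partner),
    ])
    return proxy, corp
```

Anchoring the patterns (the leading ^ and trailing $) matters: a policy that matched any User-Name containing a realm string would forward accounts from one forest to another forest’s servers.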

Client Certificates

For computer authentication with EAP-TLS, you must install a computer certificate on the wireless client computer. To install a computer certificate on a wireless client computer running Windows XP or Windows 2000, users connect to the intranet using an Ethernet connection and then do one of the following:

If the domain is configured for automatic enrollment of computer certificates, a computer certificate is issued for each computer that is a member of the domain when computer Group Policy is refreshed.

If the domain isn’t configured for automatic enrollment, you can request a “Computer” certificate by using the Certificates snap-in, or you can run a CAPICOM script to request a computer certificate. For information about CAPICOM, see CAPICOM. The IT department can install a computer certificate before delivering the computer (typically a laptop) to its user.

For user authentication with EAP-TLS, you must use a user certificate that is installed in the Current User certificate store. The user certificate must first be obtained through Web enrollment, by requesting the certificate using the Certificates snap-in, by importing a certificate file, or by running a CAPICOM script. Next, EAP-TLS on the Windows XP computer for the wireless LAN network adapter might need to be configured for increased security when validating the certificate of the IAS server. The easiest methods of installing user certificates assume that network connectivity already exists, such as an Ethernet connection. When users connect to the intranet, they can obtain a user certificate by submitting a user certificate request using Web enrollment or the Certificate Manager. For an enterprise deployment, users can run a CAPICOM script that the IT department provides. The execution of the CAPICOM script can be automated through the user logon script or as part of an intranet Web page that contains instructions for installing wireless networking.


For the certificates used for wireless access, use the following best practices from Microsoft’s own wireless-and-collaboration deployment:

To install computer certificates, use auto-enrollment. To do so, you must use a Windows 2000 Certificate Services server as an enterprise CA at the issuer CA level.

To install user certificates, use a CAPICOM script.

Alternately, use a CAPICOM script to install both computer and user certificates.

Because certificate revocation checking can prevent wireless access due to the unavailability or expiration of certificate revocation lists (CRLs) for each certificate in the certificate chain, design your PKI for high availability of CRLs. For instance, configure multiple CRL distribution points for each CA in the certificate hierarchy and configure publication schedules so that the most current CRL is always available.
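The failure mode in this last point is easy to reproduce: every certificate in the chain is checked against its issuer’s CRL, so one unreachable or stale CRL anywhere in the three-level hierarchy blocks wireless access for every client. The following is an added example, not code from this paper or from Windows: a model of chain walking and CRL checking that skips signature verification (the CA names, serial numbers, distribution point URLs, and dates are constructed) so that the effect of a second distribution point, of an expired CRL, and of a revoked client certificate can be seen directly.

```python
# Added example (not Microsoft's code): a model of certificate chain validation
# with CRL checking, used to show why CRL availability decides whether EAP-TLS
# clients can connect. Signatures are not verified here; the point is the
# revocation-checking path. All names, serials, URLs and dates are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_after: datetime
    crl_dps: tuple = ()        # URLs from the CRL Distribution Points extension


@dataclass(frozen=True)
class Crl:
    issuer: str
    next_update: datetime      # a CRL past this time is treated as unusable
    revoked: frozenset = frozenset()


def fetch_first_available(urls, fetch: Callable[[str], Optional[Crl]]) -> Optional[Crl]:
    """Try each distribution point in order; the first one that answers wins."""
    for url in urls:
        crl = fetch(url)
        if crl is not None:
            return crl
    return None


def validate_chain(chain, trusted_roots, fetch, now) -> Tuple[bool, str]:
    """chain is ordered leaf first, root last; every non-root cert is CRL-checked."""
    root = chain[-1]
    if root.subject != root.issuer or root.subject not in trusted_roots:
        return False, "chain does not end in a trusted root"
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject:
            return False, f"{cert.subject}: issuer mismatch"
        if now > cert.not_after:
            return False, f"{cert.subject}: certificate expired"
        crl = fetch_first_available(cert.crl_dps, fetch)
        if crl is None:
            return False, f"{cert.subject}: no CRL distribution point reachable"
        if crl.issuer != issuer.subject:
            return False, f"{cert.subject}: CRL not issued by {issuer.subject}"
        if now > crl.next_update:
            return False, f"{cert.subject}: CRL from {issuer.subject} expired"
        if cert.serial in crl.revoked:
            return False, f"{cert.subject}: revoked"
    return True, "ok"


def demo(now=datetime(2002, 12, 1, 9, 0)):
    """Three-level hierarchy (root / intermediate / issuing) and a client certificate."""
    dp_a, dp_b = "http://crl-a.corp.example/", "http://crl-b.corp.example/"
    chain = [
        Cert("laptop01.corp.example", "Corp Issuing CA", 1001, now + timedelta(days=365),
             (dp_a + "issuing.crl", dp_b + "issuing.crl")),
        Cert("Corp Issuing CA", "Corp Intermediate CA", 20, now + timedelta(days=1000),
             (dp_a + "intermediate.crl",)),
        Cert("Corp Intermediate CA", "Corp Root CA", 2, now + timedelta(days=2000),
             (dp_a + "root.crl",)),
        Cert("Corp Root CA", "Corp Root CA", 1, now + timedelta(days=5000)),
    ]
    fresh = now + timedelta(days=7)
    published = {                                     # what each URL currently serves
        dp_a + "issuing.crl": None,                   # first distribution point is down
        dp_b + "issuing.crl": Crl("Corp Issuing CA", fresh),
        dp_a + "intermediate.crl": Crl("Corp Intermediate CA", fresh),
        dp_a + "root.crl": Crl("Corp Root CA", fresh),
    }
    roots = {"Corp Root CA"}
    stale = dict(published, **{dp_b + "issuing.crl": Crl("Corp Issuing CA", now - timedelta(days=1))})
    revoked = dict(published, **{dp_b + "issuing.crl": Crl("Corp Issuing CA", fresh, frozenset({1001}))})
    return {
        "second_dp_saves": validate_chain(chain, roots, published.get, now),
        "stale_crl": validate_chain(chain, roots, stale.get, now),
        "revoked": validate_chain(chain, roots, revoked.get, now),
    }
```

In the first scenario the second distribution point keeps authentication working while the first is down; in the second, a CRL that was never republished before its next-update time denies every client, which is the case the publication-schedule advice above is meant to prevent.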

Client Configuration

Windows XP includes new and improved support for wireless networking. It’s the best desktop operating system for connecting to wireless networks:

Wireless Network Adapter Support. Microsoft partnered with Wi-Fi network adapter vendors to improve the roaming experience by automating the process of configuring the network adapter to associate with an available network. The wireless network adapter and its Network Driver Interface Specification (NDIS) driver need to do very little beyond supporting some new NDIS Object Identifiers (OIDs) used for the querying and setting of device and driver behavior. The wireless network adapter scans for available wireless networks and passes the list of available wireless networks to Windows XP.

Windows XP Wireless Zero Configuration Service. The Windows XP Wireless Zero Configuration service configures the wireless network adapter with an available wireless network. If there are two networks covering the same area, the user can configure a preferred network order, and the computer will try each network in the order defined until it finds one that is active. It’s even possible to limit association to only the configured, preferred networks. If a preferred network isn’t found nearby, Windows XP configures the wireless adapter so that there is no accidental connection until the wireless client roams within the range of a preferred network. It’s possible for the user to configure the wireless network adapter either to disable or be forced into ad hoc mode. These network adapter enhancements are integrated with security features so that if authentication fails, Windows XP will attempt to authenticate with the additional preferred wireless networks. Windows XP attempts to perform an IEEE 802.11 shared key authentication if the network adapter has been preconfigured with a WEP shared key. In the event that shared key authentication fails or the network adapter isn’t preconfigured with a WEP shared key, the network adapter reverts to open system authentication. For more information, see The Windows XP Wireless Zero Configuration Service. Microsoft 802.1X Authentication Client doesn’t support the Wireless Zero Configuration service.

Roaming Support. The media sense feature of Windows 2000 is enhanced in Windows XP to allow for detection of a move to a new wireless AP, forcing re-authentication in order to ensure appropriate network access. Along with re-authentication, a Windows XP wireless client also performs a DHCP renewal of the IP address configuration for the wireless network adapter. Within the same Extended Service Set (ESS), which is two or more APs on the same subnet, the IP address configuration doesn’t change. When the Windows XP wireless client crosses an ESS boundary (a new subnet), the DHCP renewal obtains a new IP address configuration relevant for that subnet. Through Windows Sockets extensions, network-aware applications are notified of changes in network connectivity and can update their behavior based on these changes. The auto-sensing and reconfiguration minimize the need for a mobile IP when a wireless node roams to another subnet.

Support for IEEE 802.1X Authentication. Windows XP supports IEEE 802.1X authentication for all LAN-based network adapters, including Ethernet and wireless. IEEE 802.1X authentication using the EAP-TLS authentication type is enabled by default.

The primary user interfaces for configuring IEEE 802.11 and 802.1X settings in Windows XP are the Wireless Networks and Authentication tabs for the properties of a connection in the Network Connections folder that corresponds to an installed wireless adapter. The Wireless Networks tab appears only for wireless adapters that support the Windows XP Wireless Zero Configuration service. In Windows XP SP1, the Authentication tab appears with the properties of a wireless network. For Windows 2000, the Wireless Networks tab doesn’t appear. Document the settings required for users to connect to the wireless network and make those instructions available on the intranet. For example, you might need to provide instructions for configuring 802.1X on users’ client computers. For more information about configuring Windows XP for wireless networking, see Windows XP Wireless Deployment Technology and Component Overview.

Pilot Planning

Before rolling out your deployment project, you need to test it for functionality in a controlled environment. But before beginning your tests, create the following documents:

A test plan that describes the tests you’ll run and the expected results. The test plan must specify the criteria for achieving the objectives. The test plan should also include exit criteria, which specify when the tests are finished.

A schedule for performing tests and who will run each test.

The testing phase is essential because a single error propagates to all of the servers, clients, and access points if it’s not corrected before you roll out. Piloting the project allows you to assess its success in a production environment before rolling it out to all users. Microsoft recommends that you roll out the deployment to a small group of users after you test the project in a lab environment. First, create a test lab that isn’t connected to your network but that mirrors, as closely as possible, your organization's network and hardware configurations. Set up your hardware, software, and network services as they exist in your users' environment. Perform comprehensive testing on each hardware platform, testing both application installation and operation. Doing so can greatly increase the confidence of the project teams and the business decision makers, resulting in a higher-quality deployment.

Then, roll out the deployment to a small group of users. The primary purpose is to get user feedback for the project team. For example, the pilot users can provide feedback on wireless performance and coverage areas. For pilot testing, choose a user population that represents a cross section of your business in terms of job function and computer proficiency. Install pilot components by using the same methods that you plan to use for the final rollout. After you make the necessary decisions about how to implement wireless networking and collaboration, use a final pilot to test the installation process. The pilot process provides a small-scale test of the eventual full-scale rollout, so you can use the results of the pilot, including any problems encountered, to finalize your rollout plan. Compile the pilot results and use the data to estimate the time line and support loads.

Rollout Planning

For the final deployment, the steps are similar to the pilot deployment but on a larger scale:

AP Installation. Physically install wireless APs and their antennas in plenum-rated enclosures that meet fire-safety standards. Then, you can configure a central, low-voltage power supply on backup power using an uninterruptible power supply (UPS). Finally, build the RADIUS infrastructure.

Delivery. Spot-check AP installation for conformance with the commissioning checklist and verify RF coverage and network connectivity of each wireless AP. Deliver as-built documents that reflect the final placement of each wireless AP.

Rollout to Users. Deploy computer and user certificates as described earlier. You can deploy these certificates by using, for example, Group Policy and CAPICOM scripts. Last, create and advertise a Web site to host information for users that describes how to gain wireless access and update device drivers.

Training. Train users on how to gain wireless access. The type of training you provide depends on the users’ capabilities. For technically savvy users, you can point them to the Web site that you created in the last step. For less technical users, you can use brown-bag sessions, online training, or classroom training, depending on the training methodologies you already have in place.

Help Desk. Prepare the Help desk for wireless issues. The pilot test is the best tool for anticipating the types of issues users will have. Also, brief the Help desk personnel on the technology, such as the steps to configure wireless networking in Windows XP.

For more information about technologies involved in deploying wireless networking for Windows XP, see Windows XP Wireless Deployment Technology and Component Overview.

Summary

Windows XP Professional and Office XP are Microsoft’s best combination for wireless networking and collaboration. Windows XP supports the standards that make wireless networking easier to deploy, manage, secure, and support. It enables users to gain more productive hours by providing access to corporate network resources where access wasn’t previously available or was inconvenient. It enables IT professionals to reduce infrastructure costs, and it lowers support costs by enabling users to support themselves.

Upgrading enterprise networks to include secure wireless networking is a significant undertaking, but as you have seen in this paper, Windows XP Professional and a combination of infrastructure services available with Windows 2000 Server and Windows .NET Server 2003 simplify the process. Additional tools such as SMS and Visio facilitate asset tracking, planning, and deployment. With the information contained in this paper and the resources listed in the section “For More Information,” you have the tools necessary to successfully deploy wireless networking and collaboration with Windows XP and Office XP.

For More Information

Deploying Windows XP Part I: Planning

Deploying Windows XP Part II: Implementing

Windows XP Wireless Deployment Technology and Component Overview

Enterprise Deployment of IEEE 802.11 Using Windows XP and Windows 2000 Internet Authentication Service

Troubleshooting Windows XP IEEE 802.11 Wireless Access

IEEE 802.1X Authentication for Wireless Connections

Microsoft 802.1X Authentication Client

The Windows XP Wireless Zero Configuration Service

Microsoft Leads in Securing Wireless Networks

Microsoft Wireless LAN Deployment and Best Practices

Microsoft's Wi-Fi Web Site

Office XP Deployment Planning Blueprint

PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access

RADIUS Protocol Security and Best Practices

Windows 2000 Security Services

Wireless 802.11 Security with Windows XP

Wireless Network Security with IEEE 802.1X

Glossary

Active Directory. Designed as a central clearinghouse for directory information. For wireless access, Active Directory domains contain the user and computer accounts for authentication and the Group Policy settings to deploy computer certificates.

Certificates. Issued by a Certification Authority (CA), this digitally signed object uses public key cryptography to bind the value of a public key to the identity of a person, device, or service that holds the corresponding private key.

Extensible Authentication Protocol-Transport Level Security (EAP-TLS) Authentication. An authentication process that provides a secure secret key exchange, mutual authentication, and integrity-protected cipher suite negotiation. This authentication process is used for smart cards and locally installed user certificates.

IEEE 802.11b. An industry standard that defines the physical layer and media access control (MAC) sublayer for wireless communications. It also provides increased speed capability at a maximum of 11 Mbps.

IEEE 802.1X. A port-based network access control protocol that provides authenticated access to wireless networks using Extensible Authentication Protocol (EAP).

Protected EAP (PEAP) Authentication. An EAP type that negotiates a one-way authenticated TLS-encrypted communications channel so that other EAP types, such as those utilizing passwords, can be safely used without the risk of an offline dictionary attack.

RADIUS. Remote Authentication Dial-In User Service (RADIUS) is a centralized authentication, authorization, and accounting protocol originally developed for dial-up access and now supported by wireless access points (APs), authenticating Ethernet switches, virtual private network (VPN) servers, Digital Subscriber Line (DSL) switches, and other network access servers.

Wi-Fi. See IEEE 802.11b.
