Windows Server 2012 DirectAccess IP-HTTPS and Windows 7 Clients

With Windows Server 2008 R2, IP-HTTPS used standard SSL cipher suites to encrypt sessions. However, the DirectAccess traffic carried inside those sessions is already encrypted with IPsec, so the SSL encryption is redundant. The protocol overhead of this double encryption placed an extreme burden on the DirectAccess server in terms of CPU utilization and memory consumption, and throughput and performance suffered greatly in large deployments. To address this, Microsoft included two new SSL cipher suites in Windows Server 2012 and Windows 8 that use NULL encryption. With these suites the IP-HTTPS session is still fully authenticated (the client validates the server certificate, and each record is still integrity-protected by the suite's HMAC), but the data is encrypted only once, by IPsec. An observer on the path can see the encapsulated IPv6 packet headers, but the payloads remain protected inside the IPsec ESP tunnels. This significantly reduces resource demand on the DirectAccess gateway and improves performance greatly. Unfortunately, only Windows 8 (and 8.1) clients can take advantage of this new IP-HTTPS functionality in Windows Server 2012 DirectAccess. When Windows 7 clients establish an IP-HTTPS session with a Windows Server 2012 DirectAccess gateway they still request only the fully encrypted cipher suites in their Client Hello, while Windows 8 and 8.1 clients offer only the NULL-encryption suites, as shown in these captures:

[Screenshot: Windows 7 IP-HTTPS Client Hello, showing the Windows 7 DirectAccess IP-HTTPS cipher suites]

[Screenshot: Windows 8 IP-HTTPS Client Hello, showing the Windows 8 DirectAccess IP-HTTPS cipher suites]

[Screenshot: Windows 8.1 IP-HTTPS Client Hello, showing the Windows 8.1 DirectAccess SSL cipher suites]

So, if you want to take advantage of the IP-HTTPS performance improvements in Windows Server 2012 DirectAccess, be sure to use Windows 8 or later clients!
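The captures above are the whole story: what the client puts in the cipher_suites field of its Client Hello decides whether the gateway ends up encrypting twice. The following is an added example (my own code, not part of the original post or any Microsoft tooling) that pulls the cipher-suite list out of a raw TLS Client Hello record, classifies it as NULL-only or encrypted-only, and then simulates a server-preference selection like the one a Schannel server performs. The two Client Hello records are constructed by hand to mirror the Windows 7 and Windows 8 behaviour described above; the exact suite lists in them, and the server lists, are assumptions for illustration, not real captures. The code points themselves (for example 0x003B for TLS_RSA_WITH_NULL_SHA256) are the IANA values.

```python
"""Inspect the cipher suites a TLS client offers and simulate server selection.

Added example, not from the original post.  The Client Hello records built here
are constructed test data that imitate the behaviour described in the article;
they are not captures of real Windows 7 / Windows 8 clients.
"""
import struct

# IANA cipher-suite code points (RFC 5246 / RFC 4492).  Only the ones used here.
SUITE_NAMES = {
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x003B: "TLS_RSA_WITH_NULL_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

# Assumed (constructed) offer lists: a Windows 7 style client that only asks for
# encrypting suites, and a Windows 8 style client that only asks for NULL suites.
WIN7_SUITES = [0xC014, 0xC013, 0x003D, 0x003C, 0x0035, 0x002F]
WIN8_SUITES = [0x003B, 0x0002]
# Assumed server priority lists: with and without the NULL suites enabled.
SERVER_SUITES = [0x003B, 0x0002, 0xC014, 0xC013, 0x0035, 0x002F]
SERVER_NO_NULL = [s for s in SERVER_SUITES if s not in (0x003B, 0x0002)]


def is_null_encryption(suite):
    """True for suites whose bulk cipher is NULL (integrity via HMAC only)."""
    return "_WITH_NULL_" in SUITE_NAMES.get(suite, "")


def build_client_hello(suites):
    """Build a minimal TLS 1.2 ClientHello record (no extensions) for testing."""
    body = struct.pack(">H", 0x0303)                       # client_version
    body += b"\x11" * 32                                   # random (constructed)
    body += b"\x00"                                        # session_id: empty
    body += struct.pack(">H", 2 * len(suites))             # cipher_suites length
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                    # compression: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type=ClientHello
    return (b"\x16" + struct.pack(">H", 0x0301)            # record: handshake, TLS1.0
            + struct.pack(">H", len(handshake)) + handshake)


def parse_client_hello_suites(record):
    """Return the cipher suites offered in a TLS ClientHello record, in client order."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                           # skip version + random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    cs_bytes = body[pos:pos + cs_len]
    if len(cs_bytes) != cs_len or cs_len % 2:
        raise ValueError("malformed cipher_suites field")
    return [struct.unpack(">H", cs_bytes[i:i + 2])[0] for i in range(0, cs_len, 2)]


def classify(suites):
    """'null-only', 'encrypted-only' or 'mixed', based on what the client offers."""
    null_count = sum(1 for s in suites if is_null_encryption(s))
    if null_count == len(suites) and suites:
        return "null-only"
    return "mixed" if null_count else "encrypted-only"


def negotiate(client_suites, server_suites):
    """Server-preference selection: first server suite the client also offered, else None."""
    offered = set(client_suites)
    for s in server_suites:
        if s in offered:
            return s
    return None


if __name__ == "__main__":
    for label, suites in (("Windows 7 style", WIN7_SUITES), ("Windows 8 style", WIN8_SUITES)):
        offered = parse_client_hello_suites(build_client_hello(suites))
        chosen = negotiate(offered, SERVER_SUITES)
        print("%s: %s -> %s" % (label, classify(offered), SUITE_NAMES[chosen]))
    print("Windows 8 style vs server without NULL suites:",
          negotiate(WIN8_SUITES, SERVER_NO_NULL))
```

Running the block shows the Windows 7 style client landing on an AES suite (double encryption) while the Windows 8 style client lands on TLS_RSA_WITH_NULL_SHA256. The last line shows the failure mode a practitioner should be aware of: if the NULL suites are removed from the server's list, a client that offers nothing else has no suite in common and the handshake fails, so IP-HTTPS stops working for those clients rather than falling back to encryption. To check a real client, feed the raw bytes of the TLS record (for example exported from a packet capture) to parse_client_hello_suites instead of the constructed records.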

Update: Recently, with the help of the folks at F5, I developed a solution to emulate Windows 8 client behavior for Windows 7 DirectAccess clients using the F5 BIG-IP Local Traffic Manager (LTM). Using this technique allows you to *effectively* offload SSL for Windows 7 DirectAccess clients. For more details, click here.


8 Comments

  1. Richard, do you know how to disable IP-HTTPS NULL encryption even for Windows 8 DirectAccess clients?

    • You could accomplish this by removing the cipher suite from the server, but since the client only requests NULL encryption algorithms in the client hello, this would effectively disable IP-HTTPS altogether. I can’t think of a scenario in which you would want to enable SSL encryption, though. The traffic is already encrypted using IPsec, so the data is well protected. Encrypting again would add nothing to the security of the communication and only serves to needlessly consume more resources on the DirectAccess server.
  2. Simon, September 1, 2014

    Hey Richard, are there any statistics or performance measures on NULL encryption vs. double encryption? I’m interested in seeing how much of a performance hit the clients get with connection speed. Also, what tool do you use to view cipher suites?
  1. DirectAccess and NAT | Richard Hicks' DirectAccess Blog
  2. DirectAccess IPv6 Transition Protocols Explained | Richard Hicks' DirectAccess Blog
  3. Configure DirectAccess with OTP Authentication | Richard Hicks' DirectAccess Blog
  4. DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler | Richard Hicks' DirectAccess Blog
