With Windows Server 2008 R2, IP-HTTPS used standard SSL cipher suites to encrypt sessions. However, the traffic inside those sessions is already encrypted by IPsec, so the SSL encryption is redundant. The protocol overhead of this double encryption placed an extreme burden on the DirectAccess server in terms of CPU utilization and memory consumption, and throughput and performance suffered greatly in large deployments. To address this, Microsoft included two new SSL cipher suites in Windows Server 2012 and Windows 8 that use NULL encryption. IP-HTTPS sessions are still fully authenticated, but the data is encrypted only once, by IPsec. This significantly reduces resource demand on the DirectAccess gateway and greatly improves performance. Unfortunately, only Windows 8 clients can take advantage of this new IP-HTTPS functionality in Windows Server 2012 DirectAccess. When Windows 7 clients establish an IP-HTTPS session with a Windows Server 2012 DirectAccess gateway, they still request fully encrypting cipher suites, as shown here:
[Screenshot: Windows 7 IP-HTTPS Client Hello]
[Screenshot: Windows 8 IP-HTTPS Client Hello]
[Screenshot: Windows 8.1 IP-HTTPS Client Hello]
So, if you want to take advantage of the IP-HTTPS performance improvements in Windows Server 2012 DirectAccess, be sure to use Windows 8 clients!
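The screenshots above come from a packet capture of the Client Hello. The following is an added example, not code from the original post, that parses a TLS Client Hello record and reports whether the client offered NULL-encryption suites only, encrypting suites only, or a mix. It assumes the two Windows 8 IP-HTTPS suites are TLS_RSA_WITH_NULL_SHA (0x0002) and TLS_RSA_WITH_NULL_SHA256 (0x003B); the suite names and code points are from the IANA TLS Cipher Suite registry, and the two sample Client Hellos are constructed here to mimic the Windows 7 and Windows 8 behavior described in the post, not captured from real clients.

```python
import struct

# TLS suites with NULL bulk encryption (IANA TLS Cipher Suite registry).
# Assumption: the two suites Windows 8 IP-HTTPS offers are 0x0002 and 0x003B.
NULL_CIPHER_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x003B: "TLS_RSA_WITH_NULL_SHA256",
}

# A few common encrypting suites so the report can name them; anything else
# is reported as a hex code point.
KNOWN_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    **NULL_CIPHER_SUITES,
}


def suite_name(code: int) -> str:
    return KNOWN_SUITES.get(code, f"0x{code:04X}")


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello; return version and offered suites."""
    if len(record) < 5 or record[0] != 0x16:            # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:                 # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    pos += 32                                            # client random
    sid_len = hello[pos]
    pos += 1 + sid_len                                   # session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": version, "cipher_suites": suites}


def classify_suites(suites: list) -> dict:
    """Split the offered list into NULL-encryption and encrypting suites."""
    null_suites = [s for s in suites if s in NULL_CIPHER_SUITES]
    enc_suites = [s for s in suites if s not in NULL_CIPHER_SUITES]
    return {
        "null_suites": [suite_name(s) for s in null_suites],
        "encrypting_suites": [suite_name(s) for s in enc_suites],
        "null_only": bool(null_suites) and not enc_suites,
    }


def build_client_hello(version: int, suites: list) -> bytes:
    """Build a minimal, valid TLS ClientHello record (constructed test input)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"      # version, random, empty session id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"                                          # compression: null only
    body += b"\x00\x00"                                          # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a Windows 7-style hello offering only encrypting suites,
# and a Windows 8-style hello offering only the two NULL suites.
WIN7_STYLE_HELLO = build_client_hello(0x0303, [0xC014, 0xC013, 0x0035, 0x002F, 0x000A])
WIN8_STYLE_HELLO = build_client_hello(0x0303, [0x003B, 0x0002])


def report(record: bytes) -> dict:
    parsed = parse_client_hello(record)
    result = classify_suites(parsed["cipher_suites"])
    result["version"] = f"0x{parsed['version']:04X}"
    return result


if __name__ == "__main__":
    for label, hello in (("Windows 7 style", WIN7_STYLE_HELLO), ("Windows 8 style", WIN8_STYLE_HELLO)):
        print(label, report(hello))
```

Feed `parse_client_hello` the raw bytes of a captured Client Hello record (for example, exported from a packet capture tool) to confirm which suites a client actually offers; a client that offers no NULL suite cannot benefit from the single-encryption path, which is exactly the Windows 7 behavior described above.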
Update: Recently, with the help of the folks at F5, I developed a solution to emulate Windows 8 client behavior for Windows 7 DirectAccess clients using the F5 BIG-IP Local Traffic Manager (LTM). Using this technique allows you to *effectively* offload SSL for Windows 7 DirectAccess clients. For more details, click here.
Artyom Sinitsyn / February 15, 2013
Richard, do you know how to disable IP-HTTPS NULL encryption even for Windows 8 DirectAccess clients?
Richard Hicks / February 16, 2013
You could accomplish this by removing the cipher suite from the server, but since the client only requests NULL encryption algorithms in the client hello, this would effectively disable IP-HTTPS altogether. I can’t think of a scenario in which you would want to enable SSL encryption though. The traffic is already encrypted using IPsec, so the data is well protected. Encrypting again would add nothing to the security of the communication and only serves to needlessly consume more resources on the DirectAccess server.
Simon / September 1, 2014
Hey Richard, are there any statistics or performance measures on NULL encryption vs. double encryption? I’m interested in seeing how much of a performance hit the clients get with connection speed. Also, what tool do you use to view cipher suites?
Richard Hicks / September 8, 2014
I’m not aware of any documented statistics comparing IP-HTTPS configured with and without encryption. For evaluating SSL/TLS configuration I prefer the Qualys SSL Labs test site – https://www.ssllabs.com/ssltest/.