This month Microsoft released an important hotfix to address a DirectAccess connectivity issue for Windows 7 clients connecting to a Windows Server 2012 DirectAccess Server. The hotfix specifically resolves an issue where Windows 7 clients face a very long delay reestablishing a DirectAccess session using the IP-HTTPS IPv6 transition protocol after recently disconnecting from a VPN session. In this scenario, Windows 7 DirectAccess clients may take as long as 15 minutes to automatically reestablish a DirectAccess session using IP-HTTPS. During this time the IP-HTTPS adapter state is displayed as disconnected. Refer to Microsoft KB 2796313 more information and to download the hotfix.
Awards
Consulting
Pluralsight
Newsletter
All posts tagged IPHTTPS
Hotfix for Windows 7 DirectAccess Clients
Posted by Richard M. Hicks on February 17, 2013
https://directaccess.richardhicks.com/2013/02/17/hotfix-for-windows-7-directaccess-clients/
Windows Server 2012 DirectAccess IP-HTTPS and Windows 7 Clients
With Windows Server 2008 R2, IP-HTTPS used standard SSL cipher suites to encrypt sessions. However, those sessions are already encrypted using IPsec, which is needlessly redundant. The protocol overhead for this double encryption placed an extreme burden on the DirectAccess server in terms of CPU utilization and memory consumption. Throughput and performance suffered greatly in large deployments. To address this issue, Microsoft included two new SSL cipher suites in Windows Server 2012 and Windows 8 that use NULL encryption. IP-HTTPS sessions are fully authenticated, but encrypted only once using IPsec. This significantly reduced resource demand on the DirectAccess gateway and improves performance greatly. Unfortunately, only Windows 8 clients can take advantage of this new IP-HTTPS functionality in Windows Server 2012 DirectAccess. When Windows 7 clients establish an IP-HTTPS session with a Windows Server 2012 DirectAccess gateway they will still request the use of fully encrypted cipher suites, as shown here:
Windows 7 IP-HTTPS Client Hello
Windows 8 IP-HTTPS Client Hello
Windows 8.1 IP-HTTPS Client Hello
So, if you want to take advantage of the IP-HTTPS performance improvements in Windows Server 2012 DirectAccess, be sure to use Windows 8 clients!
Update: Recently with the help of the folks at F5, I developed a solution to emulate Windows 8 client behavior for Windows 7 DirectAccess clients using the F5 BIG-IP Local Traffic Manager (LTM). Using this technique allows you to *effectively* offload SSL for Windows 7 DirectAccess clients. Fore more details click here.
Posted by Richard M. Hicks on February 15, 2013
https://directaccess.richardhicks.com/2013/02/15/windows-server-2012-directaccess-ip-https-and-windows-7-clients/
December 2012 Windows Updates and DirectAccess Connectivity Issues
The December 2012 collection of Windows updates included a number of changes that may adversely affect connectivity for DirectAccess clients. The December updates included changes to the Windows Root Certificate store and a hotfix for the IP Helper Service. Either or both of these updates could potentially prevent DirectAccess clients from connecting via the IPHTTPS IPv6 transition protocol. For more information read this post from the Forefront UAG Product Team.
Posted by Richard M. Hicks on February 8, 2013
https://directaccess.richardhicks.com/2013/02/08/december-2012-windows-updates-and-directaccess-connectivity-issues/
Workplace Ninjas US
Always On VPN Book
DirectAccess Book
