All posts tagged IPHTTPS

Windows Server 2012 DirectAccess IP-HTTPS and Windows 7 Clients

With Windows Server 2008 R2, IP-HTTPS used standard SSL cipher suites to encrypt sessions. However, those sessions are already encrypted using IPsec, which is needlessly redundant. The protocol overhead for this double encryption placed an extreme burden on the DirectAccess server in terms of CPU utilization and memory consumption. Throughput and performance suffered greatly in large deployments. To address this issue, Microsoft included two new SSL cipher suites in Windows Server 2012 and Windows 8 that use NULL encryption. IP-HTTPS sessions are fully authenticated, but encrypted only once using IPsec. This significantly reduced resource demand on the DirectAccess gateway and improves performance greatly. Unfortunately, only Windows 8 clients can take advantage of this new IP-HTTPS functionality in Windows Server 2012 DirectAccess. When Windows 7 clients establish an IP-HTTPS session with a Windows Server 2012 DirectAccess gateway they will still request the use of fully encrypted cipher suites, as shown here:

Windows 7 IP-HTTPS Client Hello

Windows 7 DirectAccess IPHTTPS Cipher Suites

Windows 8 IP-HTTPS Client Hello

Windows 8 DirectAccess IPHTTPS Cipher Suites

Windows 8.1 IP-HTTPS Client Hello

Windows 8.1 DirectAccess SSL Cipher Suites

So, if you want to take advantage of the IP-HTTPS performance improvements in Windows Server 2012 DirectAccess, be sure to use Windows 8 clients!

Update: Recently with the help of the folks at F5, I developed a solution to emulate Windows 8 client behavior for Windows 7 DirectAccess clients using the F5 BIG-IP Local Traffic Manager (LTM). Using this technique allows you to *effectively* offload SSL for Windows 7 DirectAccess clients. Fore more details click here.

8 Comments
by Richard M. Hicks on February 15, 2013  •  Permalink
Posted in Important Links, IPv6, Remote Access, Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
Tagged , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 15, 2013

https://directaccess.richardhicks.com/2013/02/15/windows-server-2012-directaccess-ip-https-and-windows-7-clients/

December 2012 Windows Updates and DirectAccess Connectivity Issues

The December 2012 collection of Windows updates included a number of changes that may adversely affect connectivity for DirectAccess clients. The December updates included changes to the Windows Root Certificate store and a hotfix for the IP Helper Service. Either or both of these updates could potentially prevent DirectAccess clients from connecting via the IPHTTPS IPv6 transition protocol. For more information read this post from the Forefront UAG Product Team.

Leave a comment
by Richard M. Hicks on February 8, 2013  •  Permalink
Posted in Important Links, IPv6, Remote Access, Windows Server 2012
Tagged , , , , , , , , ,

Posted by Richard M. Hicks on February 8, 2013

https://directaccess.richardhicks.com/2013/02/08/december-2012-windows-updates-and-directaccess-connectivity-issues/

Newer Posts »