DirectAccess (Windows 2012R2) single NIC using IP-HTTPS for Windows 7 clients. Double encryption still a concern overhead wise?

  • Question

  • I am currently planning for DirectAccess on Windows Server 2012 R2. I am considering using a single NIC on the server and placing it behind a firewall (NAT). As such, I will be using IP-HTTPS.

    The concern here is that the clients are all Windows 7 x64 Enterprise. I had read in the past that using IP-HTTPS for these clients would be an issue due to double encryption coming into play and causing too much overhead for the DA server (Windows 8 does not have this problem).

    Is this still the case with Windows 7 and DA, or has anything changed? Also, how bad is the overhead in reality with, say, 50-100 clients?


    Note: If a Windows 7 client is connecting from home behind a NAT router (as most users do), doesn't this mean it will be connecting to DA via IP-HTTPS anyway (not Teredo)?
    Thursday, January 22, 2015 8:02 PM

All replies

  • When the DirectAccess server is behind a NAT, all clients will use IP-HTTPS regardless of their connectivity. No other IPv6 transition protocols are supported in this configuration. Regarding support for Windows 7, there is a lot of protocol overhead with IP-HTTPS, but for 50-100 clients it might not be that noticeable, assuming you have plenty of system resources (CPU and memory) on the DirectAccess server.
    Friday, January 23, 2015 4:41 PM
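The reply above says that with the DirectAccess server behind a NAT every client ends up on IP-HTTPS. The following commands, added here as an example and not part of the original thread, let you confirm that from both sides before worrying about the double-encryption overhead. The server-side part assumes the RemoteAccess module on Windows Server 2012 R2 and that `Get-RemoteAccessConnectionStatistics` exposes a `TransitionTechnology` property (an assumption about its output; adjust the property name if your module differs). The client-side `netsh` commands run on Windows 7 without any extra modules.

```powershell
# --- On the DirectAccess server (Windows Server 2012 R2) ---
# Assumption: the RemoteAccess module is installed and the connection
# statistics objects carry a TransitionTechnology property.
Import-Module RemoteAccess

# Count connected DirectAccess clients by the transition technology they
# negotiated. Behind a NAT you expect every client to show up as IPHTTPS;
# Teredo or 6to4 entries would indicate the server is reachable another way.
Get-RemoteAccessConnectionStatistics |
    Where-Object { $_.ConnectionType -eq 'DirectAccess' } |
    Group-Object -Property TransitionTechnology |
    Select-Object Name, Count

# --- On a Windows 7 DirectAccess client ---
# Shows whether the IP-HTTPS tunnel interface is active and the last error
# code if it is not (0 means the tunnel came up).
netsh interface httpstunnel show interfaces

# Shows the Teredo state; behind a NAT-ed DA server this should not be the
# active transport even when the client itself is behind a home router.
netsh interface teredo show state

# Confirms the Name Resolution Policy Table was delivered by Group Policy,
# which is a prerequisite for the client to attempt the tunnel at all.
netsh namespace show effectivepolicy
```

Run the server part from an elevated PowerShell session on the DA server; if every connected client groups under IPHTTPS, the thread's advice applies and the only remaining question is whether CPU headroom is sufficient for the TLS work the Windows 7 clients add.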
  • Richard, thank you for your reply.

    The server we are going to use is a dedicated physical machine (Xeon E5-2430 @ 2.5GHz, 6 physical cores, 12 logical) with 8GB RAM.
    Hopefully it will be enough; we shall see.

    By the way, thank you for your great work on the TrainSignal (Pluralsight) Windows Server 2012 DirectAccess lesson.
    Very useful for anyone looking to implement Direct Access!

    Tuesday, February 3, 2015 1:07 AM
  • I just set up a single Win2012 R2 server with DA, with similar specs to yours.

    So far 20 clients have connected and I rarely see more than 3-4% CPU load, all running Win7. The double encryption performance penalty is still present with Win2012 R2 in combination with Win7 clients; only Win8 clients can use null session encryption.

    But, if you happen to use BIG-IP or something similar, you can make the Win7 clients imitate the Win8 client behaviour, see this:

    http://directaccess.richardhicks.com/2013/07/10/ssl-offload-for-ip-https-directaccess-traffic-from-windows-7-clients-using-f5-big-ip/

    Tuesday, February 3, 2015 8:00 AM