Using IPsec

IPsec is a framework of open standards for private, secure communications over Internet Protocol (IP) networks using cryptographic security services. IPsec provides strong protection against attacks because the protection is applied end to end: the only computers that must know about IPsec are the sender and receiver in the communication. IPsec enables the protection of communication between workgroups, local area network computers, domain clients and servers, branch offices (which might be physically remote), extranets, and roaming clients.

IPsec protection can be used in two different modes: transport mode and tunnel mode. Transport mode is designed to protect an Internet Protocol (IP) packet payload. Tunnel mode is designed to protect a whole IP packet. For more information, see IPsec Protocol Types (https://go.microsoft.com/fwlink/?LinkId=169502).

In Forefront UAG DirectAccess, IPsec provides the following:

  1. Data integrity

  2. Data encryption

  3. Authentication of DirectAccess clients and servers

DirectAccess uses IPsec settings in the form of connection security rules in the Windows Firewall with Advanced Security snap-in, and the Network Shell (Netsh) command-line tool advfirewall context. Multiple rules can be applied to a computer simultaneously, each providing a different function. The result of all these rules working together is a DirectAccess client that has protected communications with the Forefront UAG DirectAccess server and intranet servers, encrypting traffic sent over the Internet, and optionally protecting end-to-end traffic.

Note

Windows Server 2003 and earlier versions of Windows Server do not fully support the use of IPsec with IPv6. IPv6-capable resources on servers that are running Windows Server 2003 will only be available to DirectAccess clients if you use the end-to-edge access model. IPv4-only resources on servers that are running Windows Server 2003, including most built-in applications and system services, require a Network Address Translation-Protocol Translation (NAT-PT) or NAT64 to be available to DirectAccess clients.

Data integrity

Data integrity allows the receiving IPsec peer to cryptographically verify that the packet was not changed in transit. When data is encrypted with IPsec, data integrity is provided as well. It is also possible to specify data integrity without encryption. This reduces the threat of spoofing and man-in-the-middle attacks and lets you ensure that DirectAccess clients are connecting to their intended servers.

Note

When sensitive data is transmitted, IPsec with only data integrity should be used only when some other form of encryption is also implemented. It is possible to have end-to-end data integrity using transport mode rules while you are using end-to-edge encryption for the tunnel mode rules, which is how the specified server access model works.

Forefront UAG DirectAccess provides data integrity by using transport and tunnel mode IPsec settings. These settings can be applied to DirectAccess clients, Forefront UAG DirectAccess servers, or application servers and provide data integrity by requiring ESP-NULL (recommended), that is, ESP with a null encryption algorithm, so that each packet carries an integrity check value but its payload is not encrypted. Some network infrastructure devices or traffic monitoring and inspection solutions might not be able to parse packets with an IPsec ESP or AH header. In this case, you can use authentication with null encapsulation, which performs IPsec peer authentication but provides no per-packet data integrity; packets then travel without an ESP or AH header and can be modified in transit without detection.

Data encryption

When a DirectAccess client sends data to the intranet, the traffic is encrypted over the Internet. For the end-to-edge and selected server access models, multiple connection security rules configured on the DirectAccess client define tunnel mode IPsec settings for communication between the DirectAccess client and the intranet:

  • The first rule for the infrastructure tunnel requires authentication with a computer certificate and encrypts traffic with IPsec and the Encapsulating Security Payload (ESP). This rule provides protected communication with Active Directory domain controllers, DNS servers, and other intranet resources before the user has logged on.

  • The second rule for the intranet tunnel requires authentication with a computer certificate and user-based Kerberos credentials. This rule provides protected communication to all intranet resources after the user has logged on.

For the end-to-edge access model, and in the end-to-end model for specified servers, IPsec tunnels between the DirectAccess client and the intranet are terminated by the IPsec Gateway feature on the Forefront UAG DirectAccess server.
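The following is an added example, not configuration generated by Forefront UAG or taken from this page, of what the three kinds of connection security rules described above (the certificate-only infrastructure tunnel, the certificate plus user Kerberos intranet tunnel, and an ESP-NULL transport rule for end-to-end data integrity) look like when expressed in the Netsh advfirewall consec context on a Windows 7 or Windows Server 2008 R2 DirectAccess client. In a real deployment the UAG DirectAccess wizard delivers these rules through Group Policy; the script only shows the shape of the settings. Every IPv6 address, the CA name, the rule names and the quick mode algorithm choices are assumed placeholders, not product values.

```powershell
# Added example (not Forefront UAG's generated configuration).
# Assumes Windows 7 / Server 2008 R2 netsh advfirewall, run from an elevated
# PowerShell prompt. All addresses, names and algorithms below are assumptions.

$IntranetPrefix = '2001:db8:1::/48'                 # assumed intranet IPv6 prefix
$DcDnsServers   = '2001:db8:1::10,2001:db8:1::11'   # assumed domain controllers / DNS servers
$IPsecGateway   = '2001:db8:ffff::1'                # assumed UAG IPsec Gateway tunnel endpoint
$AppServer      = '2001:db8:1::50'                  # assumed selected server for end-to-end rules
$IssuingCa      = 'CN=Contoso Root CA'              # assumed CA that issued the computer certificates

# Rule 1: infrastructure tunnel. Tunnel mode, computer certificate only, ESP with
# encryption, so domain controllers and DNS servers are reachable (and the traffic
# is encrypted over the Internet) before the user has logged on.
netsh advfirewall consec add rule `
    name="DA Infrastructure Tunnel (example)" `
    mode=tunnel action=requireinrequireout `
    endpoint1=any endpoint2=$DcDnsServers `
    localtunnelendpoint=any remotetunnelendpoint=$IPsecGateway `
    auth1=computercert auth1ca="$IssuingCa" `
    qmsecmethods=esp:sha1-aes128+60min+100000kb `
    description="Added example: certificate-authenticated, encrypted tunnel to DC/DNS"

# Rule 2: intranet tunnel. Same tunnel endpoint, but auth2=userkerb adds a second
# authentication with the logged-on user's Kerberos credentials, so this tunnel
# is only established after user logon.
netsh advfirewall consec add rule `
    name="DA Intranet Tunnel (example)" `
    mode=tunnel action=requireinrequireout `
    endpoint1=any endpoint2=$IntranetPrefix `
    localtunnelendpoint=any remotetunnelendpoint=$IPsecGateway `
    auth1=computercert auth1ca="$IssuingCa" auth2=userkerb `
    qmsecmethods=esp:sha1-aes128+60min+100000kb `
    description="Added example: certificate + user Kerberos, encrypted tunnel to intranet"

# Rule 3: end-to-end data integrity to a selected server. Transport mode with
# esp:sha1-none (ESP-NULL): per-packet integrity and peer authentication but no
# encryption on the intranet leg. Over the Internet the packet still rides inside
# the encrypted tunnel from rule 2, which is the end-to-end integrity plus
# end-to-edge encryption combination the Note above describes.
netsh advfirewall consec add rule `
    name="DA End-to-End Integrity to AppServer (example)" `
    mode=transport action=requireinrequireout `
    endpoint1=any endpoint2=$AppServer `
    auth1=computercert auth1ca="$IssuingCa" auth2=userkerb `
    qmsecmethods=esp:sha1-none+60min+100000kb `
    description="Added example: ESP-NULL transport rule, integrity only"

# Checks a practitioner would run next: confirm the rules as the firewall parsed
# them, then confirm which security associations actually formed. The quick mode
# SA listing shows whether a connection negotiated ESP-NULL (integrity only) or
# ESP with AES (integrity plus encryption).
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

When reading the quick mode SA output, a rule 3 connection should report an ESP integrity algorithm with no encryption algorithm, while the tunnel SAs report both; an SA that shows neither is the null encapsulation case from the data integrity section, in which peers are authenticated but packets are not integrity protected.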

Authentication

For information about authentication, see Client authentication.