
What's New in DirectAccess for Windows Server 2008 R2 SP1

The Windows Server® 2008 R2 SP1 operating system includes DirectAccess performance enhancements that allow more efficient usage of resources on the DirectAccess server to get connected and stay connected. These enhancements allow DirectAccess servers to support higher numbers of concurrent connections from end users.

New DirectAccess performance features covered in this topic include:

  • Teredo Packet Size Increase

  • Certificate Handle Caching

  • IP-in-IP Packet Classify Bypass

The following groups might be interested in these features:

  • IT managers

  • System architects and administrators

  • Network architects and administrators

With DirectAccess, domain member computers running Windows 7 Enterprise, Windows 7 Ultimate, or Windows Server 2008 R2 can connect to enterprise network resources whenever they are connected to the Internet.

Teredo Packet Size Increase

On DirectAccess clients that receive data over Teredo, the Teredo interface MTU is raised to 1472 bytes so that the client can accept the larger incoming packets from the DirectAccess server. The size of outgoing packets from Teredo clients is not increased. Down-level or unpatched clients cannot accept the larger packet size.

By default, the Teredo Packet Size Increase included in this update is disabled on Windows Server 2008 R2 SP1. On Windows 7, the change is enabled by default, but it is not used until the server-side change is also enabled. Enable the server-side change only after you have patched your entire Windows 7 DirectAccess client base; enabling it earlier causes serious connectivity problems, including unpatched DirectAccess clients being unable to connect to the DirectAccess server over Teredo.

To enable the server to use the increased MTU, run the following command on the DirectAccess server, replacing <Teredo Interface Number> with the interface index of the Teredo interface:

  • netsh int ipv6 set int <Teredo Interface Number> mtu=1472

The Teredo interface index needed for the command above is shown in the Idx column of the output of:

  • netsh int ipv6 show int
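The two netsh steps above can be scripted so that the interface index is never copied by hand and the server-side MTU change cannot be applied before the client base is patched. The following PowerShell script is an added example, not code from the Microsoft article. It assumes the Teredo interface carries its default name "Teredo Tunneling Pseudo-Interface" (override it with -TeredoName otherwise), that netsh is available, and that the script is run from an elevated prompt on the DirectAccess server. The -AllClientsPatched switch is a convention of this script only; it exists so the operator has to state explicitly that every Windows 7 DirectAccess client has the update before the 1472-byte MTU is applied.

```powershell
# Added example (not from the Microsoft article): locate the Teredo interface on a
# Windows Server 2008 R2 SP1 DirectAccess server, report its IPv6 MTU, and raise it
# to 1472 only when the operator asserts that all Windows 7 DirectAccess clients are
# patched. Assumptions: elevated shell, netsh on the PATH, default Teredo interface name.
param(
    [string]$TeredoName = 'Teredo Tunneling Pseudo-Interface',  # assumed default name
    [long]$NewMtu = 1472,
    [switch]$AllClientsPatched   # pass only after the whole Win7 client base has the update
)

# Data rows of "netsh interface ipv6 show interfaces" look like:
#   Idx     Met         MTU          State                Name
#    13      25         1280         connected            Teredo Tunneling Pseudo-Interface
# Header and separator lines do not match the pattern and are skipped.
function Get-Ipv6Interface {
    foreach ($line in (netsh interface ipv6 show interfaces)) {
        if ($line -match '^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$') {
            New-Object PSObject -Property @{
                Idx   = [int]$matches[1]
                Met   = [int]$matches[2]
                Mtu   = [long]$matches[3]   # loopback reports 4294967295, too big for [int]
                State = $matches[4]
                Name  = $matches[5]
            }
        }
    }
}

$teredo = Get-Ipv6Interface | Where-Object { $_.Name -eq $TeredoName }
if (-not $teredo) {
    throw "No interface named '$TeredoName'. Run 'netsh interface ipv6 show interfaces' and pass the right name with -TeredoName."
}

Write-Host ("Teredo interface: Idx={0} MTU={1} State={2}" -f $teredo.Idx, $teredo.Mtu, $teredo.State)

if ($teredo.Mtu -eq $NewMtu) {
    Write-Host "MTU is already $NewMtu; nothing to change."
    return
}

# The server-side change is off by default for a reason: once the server sends
# 1472-byte Teredo packets, unpatched Windows 7 clients cannot accept them and
# lose Teredo connectivity to the DirectAccess server. Refuse to proceed unless
# the operator explicitly asserts that the client base is patched.
if (-not $AllClientsPatched) {
    Write-Warning "Leaving MTU at $($teredo.Mtu). Re-run with -AllClientsPatched once every Windows 7 DirectAccess client has the update."
    return
}

# Same command as in the article, with the interface index supplied from the table above.
netsh interface ipv6 set interface $teredo.Idx mtu=$NewMtu
if ($LASTEXITCODE -ne 0) { throw "netsh returned exit code $LASTEXITCODE; MTU not changed." }

# Re-read the interface table to confirm the change took effect.
$after = Get-Ipv6Interface | Where-Object { $_.Name -eq $TeredoName }
Write-Host ("Teredo interface MTU is now {0}" -f $after.Mtu)
```

Run it once without the switch to see the current index and MTU, then with -AllClientsPatched to apply the change; the setting is persistent, so re-running it later only reports that the MTU is already 1472.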

Certificate Handle Caching

DirectAccess uses the Security Support Provider Interface (SSPI) so that it can use the various security models available on a computer or network without changing its interface to the security system. SSPI does not establish logon credentials, because that is generally a privileged operation handled by the operating system. For DirectAccess, however, SSPI creates a credential handle for the local certificate through the AcquireCredentialsHandle (ACH) API. AuthIP calls this API to create a new credential handle every time a peer negotiates a connection with the server, so when DirectAccess authenticates many clients, the repeated and frequent calls into ACH can drive CPU usage undesirably high. The certificate handle cache mitigates this problem by reducing the number of calls into the API, and therefore CPU usage.

Certificate Handle Caching requires no administrative tuning or intervention.

IP-in-IP Packet Classify Bypass

Classifying packets can put increased strain on system resources, especially when there are a large number of conditions on which packets can be filtered. Enterprises typically do not need to filter IP-in-IP packets, and doing so may be explicitly discouraged in order to maintain IPsec compatibility. In Windows Server 2008 R2 SP1, the DirectAccess server skips classification of IP-in-IP packets, thereby reducing CPU usage.

IP-in-IP Packet Classify Bypass requires no administrative tuning or intervention.

© 2014 Microsoft. All rights reserved.