Share via


Using IPsec

IPsec is a framework of open standards for guaranteeing private, secure communications over Internet Protocol (IP) networks by using cryptographic security services. IPsec provides aggressive protection against attacks through end-to-end security. The only computers that must know about IPsec protection are the sender and receiver in the communication. IPsec enables the protection of communication between workgroups, local area network computers, domain clients and servers, branch offices (which might be physically remote), extranets, and roaming clients.

IPsec protection can be used in two different modes: transport mode and tunnel mode. Transport mode is designed to protect an Internet Protocol (IP) packet payload. Tunnel mode is designed to protect a whole IP packet. For more information, see IPsec Protocol Types (https://go.microsoft.com/fwlink/?LinkId=169502).

Forefront UAG IPsec is for the following in Forefront UAG DirectAccess:

  1. Data integrity

  2. Data encryption

  3. Authentication of DirectAccess clients and servers

DirectAccess uses IPsec settings in the form of connection security rules in the Windows Firewall with Advanced Security snap-in, and the Network Shell (Netsh) command-line tool advfirewall context. Multiple rules can be applied to a computer simultaneously, each providing a different function. The result of all these rules working together is a DirectAccess client that has protected communications with the Forefront UAG DirectAccess server and intranet servers, encrypting traffic sent over the Internet, and optionally protecting end-to-end traffic.

Note

Windows Server 2003 and earlier versions of Windows Server do not fully support the use of IPsec with IPv6. IPv6-capable resources on servers that are running Windows Server 2003 will only be available to DirectAccess clients if you use the end-to-edge access model. IPv4-only resources on servers that are running Windows Server 2003, including most built-in applications and system services, require a Network Address Translation-Protocol Translation (NAT-PT) or NAT64 to be available to DirectAccess clients.

Data integrity

Data integrity allows the receiving IPsec peer to cryptographically verify that the packet was not changed in transit. When encrypting data with IPsec, data integrity is also provided. It is possible to specify data integrity without encryption. This might be helpful in order to reduce the threat of spoofing or man-in-the-middle attacks and allow you to make sure that DirectAccess clients are connecting to their intended servers.

Note

When sensitive data is transmitted, IPsec with only data integrity should be used only when some other form of encryption is also implemented. It is possible to have end-to-end data integrity using transport mode rules while you are using end-to-edge encryption for the tunnel mode rules, which is how the specified server access model works.

Forefront UAG DirectAccess provides data integrity by using transport and tunnel mode IPsec settings. These settings can be applied to DirectAccess clients, Forefront UAG DirectAccess servers, or application servers and provide data integrity by requiring ESP-NULL (recommended). Some network infrastructure devices or traffic monitoring and inspection solutions might not be able to parse packets with an IPsec ESP or AH header. In this case, you can use authentication with null encapsulation to perform IPsec peer authentication, but no per-packet data integrity.

Data encryption

When a DirectAccess client sends data to the intranet, the traffic is encrypted over the Internet. For the end-to-edge and selected server access models, multiple connection security rules configured on the DirectAccess client, define tunnel mode IPsec settings for communication between the DirectAccess client and the intranet:

  • The first rule for the infrastructure tunnel requires authentication with a computer certificate and encrypts traffic with IPsec and the Encapsulating Security Payload (ESP). This rule provides protected communication with Active Directory domain controllers, DNS servers, and other intranet resources before the user has logged on.

  • The second rule for the intranet tunnel requires authentication with a computer certificate and user-based Kerberos credentials. This rule provides protected communication to all intranet resources after the user has logged on.For the end-to-edge access model and in the end-to-end model for specified servers, termination of IPsec tunnels between the DirectAccess client and the intranet is done by the IPsec Gateway feature on the Forefront UAG DirectAccess server.

Authentication

For information about authentication, see Client authentication.