What's New in DirectAccess for Windows Server R2 SP1
The Windows Server® 2008 R2 SP1 operating system includes DirectAccess performance enhancements that allow more efficient usage of resources on the DirectAccess server to get connected and stay connected. These enhancements allow DirectAccess servers to support higher numbers of concurrent connections from end users.
New DirectAccess performance features covered in this topic include:
Teredo Inbound Packet Size Increase, which increases the Maximum Transmission Unit (MTU) on the DirectAccess server allowing clients to accept Teredo packets at a larger size, thereby reducing packet fragmentation and CPU usage.
Certificate Handle Caching, which causes Authenticated Internet Protocol(AuthIP) to cache its credential handle and authenticate multiple clients instead of creating new credentials for each, reducing CPU usage.
IP-in-IP Packet Classify Bypass, which causes the DirectAccess server to bypass classifying IP-in-IP packets, thereby saving CPU cycles.
The following groups might be interested in these features:
System architects and administrators
Network architects and administrators
With DirectAccess, domain member computers running Windows 7 Enterprise, Windows 7 Ultimate, or Windows Server 2008 R2 can connect to enterprise network resources whenever they are connected to the Internet. On clients receiving data over Teredo, the MTU will be raised to 1472 bytes to accept incoming packets from the DirectAccess server. The size of outgoing Teredo client packets is not increased to the higher MTU. Down-level or unpatched clients will be unable to accept the larger packet size.
By default, the Teredo Packet Size Increase included in this update is disabled on Windows Server 2008 R2 SP1. On Windows 7, the change is enabled by default, but will not be in use until the server change is also enabled. Serious connectivity problems can occur if you enable the server change prior to patching your entire Windows 7 DirectAccess client base, including DirectAccess clients’ inability to connect to the DirectAccess server over Teredo,
To enable the server to use the increased MTU, the following command can be used:
netsh int ipv6 set int <Teredo Interface Number> mtu=1472
The Teredo interface number needed for the command above can be derived by running:
netsh int ipv6 show int
DirectAccess uses the Security Support Provider Interface (SSPI) to allow DirectAccess to use various security models available on a computer or network without changing the interface to the security system. SSPI does not establish logon credentials because that is generally a privileged operation handled by the operating system. However, for DirectAccess, SSPI creates a credential handle for the local certificate using the API AcquireCredentialsHandle (ACH). AuthIP calls into this API to create a new credential handle every time a peer negotiates a connection with the server. When DirectAccess uses AuthIP to call into ACH repeatedly and frequently to authenticate clients, CPU usage can increase undesirably. The certificate handle cache mitigates this problem by reducing the number of calls into the API, and thus reducing CPU usage.
Certificate Handle Caching requires no administrative tuning or intervention.
Classifying packets can put increased strain on system resources, especially when there are a large number of conditions on which packets can be filtered. Typically, filtering on IP-in-IP packets is not required by enterprises, and may be explicitly discouraged in order to maintain IPsec compatibility. In Windows server 2008 R2 SP1, the DirectAccess server bypasses classifying IP-in-IP packets, thereby reducing CPU usage.
IP-in-IP Packet Classify Bypass requires no administrative tuning or intervention.