Re: automated IPSEC policy creation and SMB traffic

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 10/27/05


Date: Wed, 26 Oct 2005 22:12:07 -0700

What OS versions are involved?
There are commandline tools for defining an IPsec filter (use the IPsec context
of netsh in W2k3, for W2k you need the ipsecpol download, if XP is involved see
the ipseccmd utility in XP).
What you need to do at the firewall depends on what you are doing. If you are
using IPsec for L2TP VPN with the VPN servers inside then it is just VPN traffic
you need to let through, while if it is just IPsec protected packets, then the
packets are whatever they are (i.e. from/to ports) but the payload of the packet
is protected to the extent IPsec is used.

-- 
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA,  MCSE W2k3+W2k+Nt4
"UWide User" <iseek2no@nospam.postalias> wrote in message 
news:096FA4E1-C0DA-4FCF-AEDD-4ED081AFA03E@microsoft.com...
> Hello, can anyone point me in the right direction as to how to create an
> IPSEC policy using vbscript/batch file. I would like to automate this
> procedure for several remote sites. The remote sites have servers that will
> need to have data synced via robocopy with a central backup server at our
> home site. Since robocopy uses SMB, I figured IPSEC would be the best (and
> only native) solution for securing the transfer. Am I wrong? Is there a
> better option? I do not want to have to use rsync on Windows.
> Also, in doing this what ports need to be opened in our local and remote
> firewalls? Do I just get IPSEC working then use whatever app I want or will I
> need to open SMB/Netbios ports (please say no)?
> Thanks in advance!
>
> -----------
> Anyone who knows everything, leads a pretty boring life 

