Re: IPSEC between Member Server and Domain Controller - How?

From: "S. Pidgorny [MVP]" <slavickp@yahoo.com>
Date: Mon, 12 Aug 2002 18:37:16 +1000


You can use the firewall log as a diagnostic tool: I'd recommend adding IP
proto 51, and also Kerberos (88/TCP) unless you're using certificates.

See Steve Riley's whitepaper:

http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

HTH

--
Svyatoslav Pidgorny, MS MVP, MCSE
-= F1 is the key =-
"Rowan Smith" <usenet@microsoft.com> wrote in message
news:#TjWBhaQCHA.2472@tkmsftngp09...
> I have a Windows 2000 Member Server and a Domain Controller.
>
> The Member Server is on an "insecure" segment, and the DC is on a "secure"
> segment.  A firewall joins the two segments together.
>
> I have developed an IPSEC policy to request security for the IP addresses of
> the DC and the Member Server.  This has been applied using a GPO to the
> Domain Controller OU and the OU in which the Member Server lives.
>
> When I open the firewall (permit ip any any) communication between the DC
> and the Member Server is fine with IPSEC flowing freely (monitored using
> ipsecmon).  When I close the Firewall and only allow UDP 500 and IP Protocol
> 50 ipsec communication works sporadically.  Sometimes it won't work after a
> reboot, sometimes it will.
>
> I am guessing this is something to do with the MS not being able to get the
> IPSec policy from the DC, although it has already got it cached (would
> understand if this was the first attempt).
>
> I am using Kerberos Authentication for the IPSEC Negotiation.  And I am
> using the "Request Security" model as opposed to the "Require Security".
>
> Thanks for any advice.
>
> -Rowan
>
>
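As an added illustration of using the firewall log as a diagnostic (this is not code from either poster): a small Python checker that reads constructed firewall log lines in an assumed `ACTION PROTO SRC[:PORT] -> DST[:PORT]` format and counts dropped flows between the member server and the DC that IKE/IPsec depends on, covering IKE (UDP 500), ESP (50), AH (51) and Kerberos on port 88, the last of which it ignores when IKE is certificate-authenticated. The log format and the two addresses are assumptions.

```python
import re
from collections import defaultdict
# Flows an IKE/IPsec session between the member server and the DC depends on,
# keyed by (IP protocol number, destination port). ESP (50) and AH (51) have no
# transport header, so their port is None. The flag marks entries that matter
# only when IKE authenticates with Kerberos rather than certificates.
IPSEC_FLOWS = {
    (17, 500): ("IKE (UDP 500)", False),
    (50, None): ("ESP (IP protocol 50)", False),
    (51, None): ("AH (IP protocol 51)", False),
    (6, 88): ("Kerberos (TCP 88)", True),
    (17, 88): ("Kerberos (UDP 88)", True),
}
# Assumed (constructed) log format: ACTION PROTO SRC[:SPORT] -> DST[:DPORT]
LOG_RE = re.compile(r"^(?P<action>ALLOW|DROP)\s+(?P<proto>\d+)\s+"
                    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+"
                    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")
def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"action": m["action"], "proto": int(m["proto"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]) if m["dport"] else None}

def blocked_ipsec_dependencies(lines, server_ip, dc_ip, ike_uses_kerberos=True):
    """Count DROPs between the two hosts that IKE/IPsec needs; other hosts,
    unrelated services and (for certificate-authenticated IKE) Kerberos are ignored."""
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP":
            continue
        if {rec["src"], rec["dst"]} != {server_ip, dc_ip}:
            continue
        entry = IPSEC_FLOWS.get((rec["proto"], rec["dport"]))
        if entry is None or (entry[1] and not ike_uses_kerberos):
            continue
        hits[entry[0]] += 1
    return dict(hits)
# Constructed sample: the firewall permits only UDP 500 and IP protocol 50.
SAMPLE_LOG = """\
ALLOW 17 10.1.1.5:500 -> 10.2.2.10:500
ALLOW 50 10.1.1.5 -> 10.2.2.10
DROP 6 10.1.1.5:1043 -> 10.2.2.10:88
DROP 51 10.1.1.5 -> 10.2.2.10
DROP 6 10.1.1.5:1045 -> 10.2.2.10:389
DROP 6 10.9.9.9:4000 -> 10.2.2.10:88
""".splitlines()
```

Running `blocked_ipsec_dependencies(SAMPLE_LOG, "10.1.1.5", "10.2.2.10")` on the sample reports one dropped Kerberos (TCP 88) flow and one dropped AH flow, which is the kind of gap the advice above suggests looking for in the real log.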

