Re: IPSEC between Member Server and Domain Controller - How?

From: Rowan Smith (usenet@microsoft.com)
Date: 08/13/02


From: "Rowan Smith" <usenet@microsoft.com>
Date: Tue, 13 Aug 2002 09:43:25 +1000


This article, while incredibly informative, relates to DC <-> DC traffic.

I am specifically trying to get Domain Member <-> Domain Controller traffic
to go via IPSEC when the IPSEC policy is applied using a GPO.

I have opened proto 51 and 88/TCP (Kerberos), but this still is not helping.
Looking at the firewall logs, the domain member attempts to connect to the
DC using DNS, LDAP, CIFS and a few random RPC ports; it makes no attempt to
encapsulate any of these in IPSEC. It seems that once the DM has made
contact with the DC it then switches to using IPSEC, but this is after much
unsecured communication.

Thanks.

-Rowan

"S. Pidgorny [MVP]" <slavickp@yahoo.com> wrote in message
news:epRSWxdQCHA.2752@tkmsftngp10...
> You can use the firewall log as a diagnostic tool: I'd recommend to add IP
> proto 51, and also Kerberos (88/TCP) unless you're using certificates.
>
> See Steve Riley's whitepaper:
>
> http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp
>
> HTH
>
> --
> Svyatoslav Pidgorny, MS MVP, MCSE
> -= F1 is the key =-
>
> "Rowan Smith" <usenet@microsoft.com> wrote in message
> news:#TjWBhaQCHA.2472@tkmsftngp09...
> > I have a Windows 2000 Member Server and a Domain Controller.
> >
> > The Member Server is on an "insecure" segment, and the DC is on a "secure"
> > segment. A firewall joins the two segments together.
> >
> > I have developed an IPSEC policy to request security for the IP addresses of
> > the DC and the Member Server. This has been applied using a GPO to the
> > Domain Controller OU and the OU in which the Member Server lives.
> >
> > When I open the firewall (permit ip any any) communication between the DC
> > and the Member Server is fine with IPSEC flowing freely (monitored using
> > ipsecmon). When I close the Firewall and only allow UDP 500 and IP Protocol
> > 50 ipsec communication works sporadically. Sometimes it won't work after a
> > reboot, sometimes it will.
> >
> > I am guessing this is something to do with the MS not being able to get the
> > IPSec policy from the DC, although it has already got it cached (would
> > understand if this was the first attempt).
> >
> > I am using Kerberos Authentication for the IPSEC Negotiation. And I am
> > using the "Request Security" model as opposed to the "Require Security".
> >
> > Thanks for any advice.
> >
> > -Rowan
> >
> >
>
>
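The firewall-log triage suggested in the thread, written out as an added example (not code from either poster): it assumes a simplified, constructed log line format (src dst ip_proto dst_port) and made-up addresses for the member server and the DC, and sorts each member<->DC flow into IPsec-protected (proto 50/51), negotiation (IKE on UDP 500, Kerberos on 88) or cleartext, the last bucket being the traffic that a "Request Security" policy lets through unprotected.

```python
from collections import defaultdict

# Constructed sample log (hypothetical format: src dst ip_proto dst_port),
# not the poster's real firewall output. 10.1.1.20 = member server, 10.2.2.10 = DC.
SAMPLE_LOG = """\
10.1.1.20 10.2.2.10 17 500
10.1.1.20 10.2.2.10 6 88
10.1.1.20 10.2.2.10 17 53
10.1.1.20 10.2.2.10 6 389
10.1.1.20 10.2.2.10 6 445
10.1.1.20 10.2.2.10 6 1029
10.1.1.20 10.2.2.10 50 -
10.1.1.20 10.2.2.10 51 -
10.2.2.10 10.1.1.20 50 -
"""

ESP, AH, TCP, UDP = 50, 51, 6, 17


def classify(proto: int, port) -> str:
    """Bucket one flow: IPsec-protected, part of the negotiation, or cleartext."""
    if proto in (ESP, AH):
        return "protected"      # payload encapsulated in IPsec (IP proto 50 / 51)
    if (proto, port) in {(UDP, 500), (TCP, 88), (UDP, 88)}:
        return "negotiation"    # IKE and Kerberos must pass before an SA exists
    return "cleartext"          # application traffic that bypassed IPsec


def parse(text: str):
    """Yield (src, dst, proto, port) from the constructed log format."""
    for line in text.splitlines():
        src, dst, proto, port = line.split()
        yield src, dst, int(proto), None if port == "-" else int(port)


def triage(text: str, member: str, dc: str) -> dict:
    """Summarise member<->DC flows in either direction. The 'cleartext' list
    holds (proto, port) pairs that a Require Security policy would block."""
    buckets = defaultdict(list)
    for src, dst, proto, port in parse(text):
        if {src, dst} != {member, dc}:
            continue            # ignore traffic not between the two hosts
        buckets[classify(proto, port)].append((proto, port))
    return {k: buckets[k] for k in ("protected", "negotiation", "cleartext")}


if __name__ == "__main__":
    for bucket, flows in triage(SAMPLE_LOG, "10.1.1.20", "10.2.2.10").items():
        print(f"{bucket:12s} {len(flows):2d} {flows}")
```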


