Re: IPSEC through firewall for DC replication

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/04/04

  • Next message: Mark Renoden [MSFT]: "Re: Certificate Problem for ISA" 
    Date: Thu, 03 Jun 2004 22:19:05 GMT

    ESP uses "protocol 50" as described in the KB below. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B233256

    IPSec does not disturb the original IP header and can be routed as normal IP traffic.
    Routers and switches in the data path between the communicating hosts simply forward
    the packets to their destination. However, when there is a firewall or gateway in the
    data path, IP forwarding must be enabled at the firewall for the following IP
    protocols and UDP ports:
      a.. IP Protocol ID 50:
      For both inbound and outbound filters. Should be set to allow Encapsulating
    Security Protocol (ESP) traffic to be forwarded.
      b.. IP Protocol ID 51:
      For both inbound and outbound filters. Should be set to allow Authentication Header
    (AH) traffic to be forwarded.
      c.. UDP Port 500:

    "tony" <anonymous@discussions.microsoft.com> wrote in message
    news:178a101c44994$a47f4c50$a601280a@phx.gbl...
    > ALL,
    >
    > I am trying to use IPSEC to send Domain Controller
    > replication through the firewall for a one-way trust with
    > the Domain controllers in the DMZ. However, IPSec (ESP)
    > packet dropped keeps occuring at the firewall because the
    > destination port is being randomly assigned, the source
    > port for IPSEC(ESP) is port 0. Is there a way to force
    > the destination port to a specific port number so I can
    > allow it in my firewall rules?
    >
    > Thank you,
    >
    > Tony

  • Next message: Mark Renoden [MSFT]: "Re: Certificate Problem for ISA"

    Relevant Pages

    • Re: Firewall and Home Network
      ... >>> that PC should have a firewall installed. ... to access the internet and on what port using what protocol. ... You can periodically review the logs and look for strange ...
      (comp.security.firewalls)
    • Re: Firewall and Home Network
      ... Here is exactly where most of these Desktop Firewall have an up on a HW ... to access the internet and on what port using what protocol. ... You can periodically review the logs and look for strange ...
      (comp.security.firewalls)
    • Re: sysvol replication breaks when IPSec running between DCs & firewal
      ... Also have a look here about UDP port 500: ... open the firewall for ports required by IPSec, ... We have two root DCs and three child domain DCs. ...
      (microsoft.public.windows.server.active_directory)
    • Re: UDP Port 500 open
      ... I use a free software firewall ... >> I have recently installed a firewall and it says that UDP Port 500 is ... > ISAKMPD uses this port to negotiate IPSec. ... >> perhaps a registry key and/or disabling some service or other in ...
      (comp.security.misc)
    • Re: Microsoft Strategic Technology Protection Program
      ... LANguard Security Event Log Monitor offer! ... > with your IPSec ... a suboptimal replacement for firewall. ... common server port like port 80 (so that the computer can browse the web ...
      (NT-Bugtraq)