Re: IPSec on webserver



Thanks for the reply. The goal is to prevent unauthorised traffic, not
to encrypt the traffic. Like a firewall basically. I just want to hide
all ports except those public ones, such as html port 80, and to
restrict other ports via IP address, such as msSQL, remote desktop etc.

Thank you

Miha Pihler [MVP] wrote:

Hi,

As long as the server is not part of a domain it won't be able to use Kerberos as
authentication and it will either use certificates or a pre-shared secret
depending on your configuration. Kerberos only works in a domain.

What is your goal with these filters? Just filtering traffic or also
encrypting it between server and your network?

--
Mike
Microsoft MVP - Windows Security

<rolf@xxxxxxxxxxxx> wrote in message
news:1160034545.449588.317000@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi all,

I'm using IPsec to help lock down a webserver. I have a simple block
rule for all UDP and TCP traffic then various rules to allow SQL Server
traffic from 'allowed' IPs, terminal services and https, http traffic
plus ftp. Most of the ruleset I originally copied from here:

http://homepages.wmich.edu/~mchugha/w2kfirewall.htm

The webserver is not part of any domain and is hosted remotely.

At the local office the intranet runs behind a public IP. That IP is
given access through the IPsec policy. It does work but periodically
the connection takes 5-10 seconds to authenticate. Without the IPsec
policy enabled it is instantaneous.

The local intranet is on a domain with AD and DHCP etc. DNS resolving
is done via the router, no netbios is used.

Is there something I should do at the intranet end to 'help' this speed
issue...?

Any help greatly appreciated as I'm having no luck.

PS I've also tried reducing the number of rules (there were only 6 or so
anyways), everything is set to authenticate using Kerberos.


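The ruleset described in the original post (block all TCP and UDP, then permit the public web ports to anyone and SQL Server and terminal services only from the office address) is a plain filtering policy, so it can be modelled and checked offline. The Python below is an added example, not code from the thread or from Microsoft: it is a simplified model of how Windows IPsec picks the most specific matching filter (a filter naming a port and a source address overrides the general "block all TCP" filter) and of the fact that traffic matching no filter at all is left alone. The office address 203.0.113.10 and the other IPs are constructed placeholders, and the allow rules use a "permit" action, which involves no IKE negotiation and therefore no Kerberos, certificate or pre-shared-key authentication, in contrast to the "negotiate security" action the original poster's rules appear to use.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Filter:
    """One IPsec filter: which inbound traffic it matches and what is done with it."""
    name: str
    action: str                      # "permit" or "block"
    protocol: Optional[str] = None   # "tcp", "udp" or None for any protocol
    src: Optional[str] = None        # source network, e.g. "203.0.113.10/32"; None = any
    dst_port: Optional[int] = None   # destination port; None = any port

    def matches(self, proto: str, src_ip: str, dst_port: Optional[int]) -> bool:
        if self.protocol is not None and self.protocol != proto:
            return False
        if self.src is not None and ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True

    def specificity(self) -> Tuple[bool, int, bool]:
        # Simplified model of Windows IPsec filter weighting (an assumption of
        # this example): a filter that names the port beats one that does not,
        # a longer source prefix beats a shorter one, a named protocol beats any.
        src_bits = ip_network(self.src).prefixlen if self.src else 0
        return (self.dst_port is not None, src_bits, self.protocol is not None)


def evaluate(filters: List[Filter], proto: str, src_ip: str,
             dst_port: Optional[int]) -> Tuple[str, Optional[str]]:
    """Return (action, filter name) for one inbound packet."""
    candidates = [f for f in filters if f.matches(proto, src_ip, dst_port)]
    if not candidates:
        # IPsec only acts on traffic that matches a filter; anything else passes.
        return "permit", None
    best = max(candidates, key=Filter.specificity)
    return best.action, best.name


def exposed_ports(filters: List[Filter], src_ip: str, proto: str = "tcp") -> List[int]:
    """Audit helper: which of the ports named in the policy can this source reach?"""
    ports = sorted({f.dst_port for f in filters if f.dst_port is not None})
    return [p for p in ports if evaluate(filters, proto, src_ip, p)[0] == "permit"]


# Constructed placeholder for the office's public IP from the original post.
OFFICE = "203.0.113.10/32"

# The policy the original post describes, as permit/block filters.
WEBSERVER_POLICY = [
    Filter("block-all-tcp", "block", protocol="tcp"),
    Filter("block-all-udp", "block", protocol="udp"),
    Filter("allow-http",  "permit", protocol="tcp", dst_port=80),
    Filter("allow-https", "permit", protocol="tcp", dst_port=443),
    Filter("allow-ftp",   "permit", protocol="tcp", dst_port=21),
    Filter("allow-sql-from-office", "permit", protocol="tcp", src=OFFICE, dst_port=1433),
    Filter("allow-rdp-from-office", "permit", protocol="tcp", src=OFFICE, dst_port=3389),
]


if __name__ == "__main__":
    # 198.51.100.7 is a constructed "anyone on the internet" address.
    for proto, src, port in [("tcp", "198.51.100.7", 80),
                             ("tcp", "198.51.100.7", 1433),
                             ("tcp", "203.0.113.10", 1433),
                             ("udp", "198.51.100.7", 53)]:
        print(proto, src, port, "->", evaluate(WEBSERVER_POLICY, proto, src, port))
    print("internet can reach:", exposed_ports(WEBSERVER_POLICY, "198.51.100.7"))
    print("office can reach:  ", exposed_ports(WEBSERVER_POLICY, "203.0.113.10"))
```

Running `exposed_ports` for an arbitrary address is the quick check that only 21, 80 and 443 are reachable from the internet while 1433 and 3389 answer only to the office address; the real Windows filter weighting is more detailed than the three-field tuple used here, so treat the model as a way to reason about the ruleset rather than as a substitute for testing the live policy.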


