Re: Problem with IPSEC



No, it is not a bug in IPSEC. Many websites, especially the larger-volume
websites, use multiple links/IP addresses. What you want to do may work if
you are trying to allow a simple website that uses a single or a couple of
IP addresses. You can see what I mean if you use something like Ethereal
while connecting to a website. Also, when you enter a DNS name it will
resolve to the IP addresses it currently finds to create the filter.
However, I have seen many large websites that seem to use dozens of IP
addresses for their main website, which seem to change frequently each time
you access them. You can sometimes see this when you use nslookup to resolve
a domain name and try it a couple of times. A better solution would be to
use something like ISA 2004 to restrict access, though that is not a trivial
investment in software/licenses and configuration time. Otherwise, try using
a packet sniffer like Ethereal to see if you can track down all the
necessary IPs needed to allow the website to work, though again that will
not work if the website starts resolving to different IPs not included in
the filter list. TDImon, free from SysInternals, can also give you an idea
of the IPs and ports/protocols the operating system accesses when connecting
to a website, and it does not need to be installed as an application.

Steve
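
An added example, not code from Steve's post or from Windows itself: a small
Python model of IPSec-style packet filters where the most specific filter
wins, showing why permit filters built from a one-time DNS lookup stop
matching once the site resolves to addresses that were not in the original
lookup. The Filter class, the helper functions and the 192.0.2.0/24 and
198.51.100.0/24 addresses are constructed for illustration; the policy
mirrors the one described in the thread (block TCP 80/8080/3128, block all
UDP, permit the looked-up addresses on TCP 80).

```python
"""Model of IPSec-style filter matching (most specific filter wins) and of
how a permit list snapshotted from DNS goes stale.  Added example; the
addresses come from the RFC 5737 documentation ranges and are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Filter:
    name: str
    dst: str               # destination in CIDR form; "0.0.0.0/0" means any address
    proto: Optional[str]   # "tcp", "udp", or None for any protocol
    port: Optional[int]    # destination port, or None for any port
    action: str            # "permit" or "block"

    def matches(self, dst_ip: str, proto: str, port: int) -> bool:
        return (ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in (None, proto)
                and self.port in (None, port))

    def weight(self):
        # Most-specific-wins ordering: a longer prefix beats a shorter one, and a
        # filter that names a protocol or port beats one that leaves it open.
        return (ip_network(self.dst).prefixlen,
                self.proto is not None,
                self.port is not None)


def evaluate(filters, dst_ip: str, proto: str, port: int):
    """Return (action, filter name) for one outbound connection attempt."""
    candidates = [f for f in filters if f.matches(dst_ip, proto, port)]
    if not candidates:
        # IPSec filtering is not a default-deny firewall: unmatched traffic passes.
        return ("permit", None)
    best = max(candidates, key=Filter.weight)
    return (best.action, best.name)


def permit_filters_from_lookup(site: str, addresses):
    """What the 'DNS name' filter option does: one /32 permit per address
    found at policy creation time.  Nothing re-resolves the name later."""
    return [Filter(f"permit {site} {a}", f"{a}/32", "tcp", 80, "permit")
            for a in addresses]


def uncovered(filters, addresses):
    """Addresses the site currently resolves to that no permit filter covers."""
    return sorted(a for a in addresses
                  if not any(f.action == "permit" and f.matches(a, "tcp", 80)
                             for f in filters))


# The base policy from the thread: block browsers, common proxy ports, all UDP.
BASE_POLICY = [
    Filter("block web", "0.0.0.0/0", "tcp", 80, "block"),
    Filter("block proxy 8080", "0.0.0.0/0", "tcp", 8080, "block"),
    Filter("block proxy 3128", "0.0.0.0/0", "tcp", 3128, "block"),
    Filter("block all udp", "0.0.0.0/0", "udp", None, "block"),
]

# Constructed lookups: what the name resolved to when the policy was built,
# and what it resolves to some time later after the site rotated addresses.
LOOKUP_AT_CREATION = ["192.0.2.10", "192.0.2.11"]
LOOKUP_LATER = ["192.0.2.11", "198.51.100.7"]

POLICY = BASE_POLICY + permit_filters_from_lookup("nytimes.com", LOOKUP_AT_CREATION)

if __name__ == "__main__":
    for ip in sorted(set(LOOKUP_AT_CREATION + LOOKUP_LATER)):
        print(ip, "tcp/80 ->", evaluate(POLICY, ip, "tcp", 80))
    print("addresses now unreachable:", uncovered(POLICY, LOOKUP_LATER))
```

Running it shows the two snapshotted addresses permitted by their /32
filters, the newly rotated-in address falling through to the general port 80
block, and UDP to a permitted host still blocked because the permit filters
only name TCP. Running uncovered() against a fresh lookup is the same check
Steve suggests doing by hand with nslookup a couple of times.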


"Greg O" <gregorme@xxxxxxxxx> wrote in message
news:1153148032.486898.123020@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
I use IPSEC to control internet access on a domain. I block port 80 for
browsers and ports 8080 and 3128 for most internet proxies. I also
block all UDP since most internet games will run on UDP even with all
TCP blocked. I want to allow individual web sites into the domain,
though. In IPSEC there is a setting for a particular domain; if you try
it with, say, nytimes.com, it looks up DNS and makes filters with each of
the IP addresses listed there. IPSEC, I think, is supposed to work so
that more specific filters (like allowing a web site) override more
general filters (like blocking port 80). So allowing the IP addresses of
nytimes.com should make it work, but it is still filtered by IPSEC. I
know that's the problem because if I lift the port 80 block the
nytimes.com site starts working. Is this a bug in IPSEC? Also, is there
another way to do this without IPSEC? I see that network adaptor
filters and RRAS filters don't seem to have the settings for this.


