Solved

IPSec point-to-point implementation

Posted on 2006-07-12
6
493 Views
Last Modified: 2007-12-19
We have an off-site "backup" web server that is being hosted by another company and is connected directly to the internet (not using a NAT router).  Our corporate network is behind an ISA 2004 firewall/gateway.  I need to set up an IPSec connection between the remote server and at least one server in our internal network so that we can securely transmit data between our network and the remote server.  

I have tried setting up a VPN connection to the ISA from the remote server, but I only want communication between the two networks secured; regular internet traffic to/from the server does not need to go through the ISA.  I just want IPSec without NAT.

Can I / how do I set up a direct IPSec connection between the two networks?  Do I set up the connection between the ISA gateway and the remote server, or can I do it for specific internal servers?  All servers are running Windows Server 2003 Standard.

I know this is a pretty broad question, so I don't expect detailed step-by-step answers, just some key points to set up and pitfalls to look for.

TIA,

Don
0
Question by:dstanley9
6 Comments
 
LVL 33

Accepted Solution

by:
NJComputerNetworks earned 500 total points
ID: 17092945
Both servers must run a Windows 200x OS.

You can create a local policy on each server to allow IPsec communication between the two servers.  This is all or nothing, meaning that once you turn it on, ALL traffic between these two servers will go over IPsec.

IPsec, in your situation, should be IP-based, meaning you will set up an IPsec rule that specifies source and destination IP addresses.  Use My IP Address as the source, and the destination will be the remote IP address.

You will have to open your firewall to allow IPsec traffic through...



Firewall Ports Needed for IPSEC
________________________________________

Configuring Firewalls to Permit ESP, ISAKMP (IKE), and AH Traffic

When a firewall exists between IPSec peers, as it does in the example, you must configure the firewall to forward IPSec traffic on UDP source and destination port 500, IP protocol 50 (ESP), or IP protocol 51 (AH). First, to permit IPSec traffic on UDP source and destination port 500, use the following settings to create a firewall filter called Permit ISAKMP traffic on UDP port 500:
  • Source address = Specific_IP_address
  • Destination address = Specific_IP_address
  • Protocol = UDP
  • Source port = 500
  • Destination port = 500
To permit IPSec traffic on IP protocol 50 (ESP) or IP protocol 51 (AH), use the following settings to create a firewall filter called Permit IPSec traffic on ESP or AH protocol (50 or 51):
  • Source address = Specific_IP_address
  • Destination address = Specific_IP_address
  • Protocol = 50 or 51


More Information:  http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en

http://www.microsoft.com/technet/itsolutions/network/ipsec/ipsecfaq.mspx

0
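The local policy the accepted answer describes, written out as an added example (it is not from the original thread or from Microsoft's documentation) using the `netsh ipsec static` context that ships with Windows Server 2003. It builds exactly the pieces the answer lists: a filter from My IP Address ("Me") to the remote address, a Require Security filter action, and a rule that ties them together. The peer address 203.0.113.10, the policy and filter names, and the pre-shared key are assumptions; replace them before use. The same script is run on both hosts, with `PEER` set to whatever address that host uses to reach the other one.

```batch
@echo off
REM Added example, not from the original thread: transport-mode IPsec
REM between two Windows Server 2003 hosts, built with "netsh ipsec static".
REM Placeholders (assumed, replace them before running):
REM   PEER = address of the other host as seen from this one
REM   PSK  = throwaway lab key; certificate authentication is preferred
set PEER=203.0.113.10
set PSK=ReplaceWithLongRandomLabOnlyKey

REM 1. Policy container. mmsecmethods pins main mode (IKE phase 1) to
REM    3DES, SHA1 and DH group 2, the strongest set Server 2003 offers.
REM    assign=no so nothing takes effect until both hosts are configured.
netsh ipsec static add policy name="Backup-Link" description="Require IPsec to the backup server" mmsecmethods="3DES-SHA1-2" assign=no

REM 2. Filter list: "Me" (this host's own addresses) to the peer, every
REM    protocol. mirrored=yes also matches the reverse direction, which
REM    is what makes the policy all-or-nothing for this peer.
netsh ipsec static add filterlist name="Backup-Link-Filters" description="All traffic to and from the backup peer"
netsh ipsec static add filter filterlist="Backup-Link-Filters" srcaddr=Me dstaddr=%PEER% protocol=ANY mirrored=yes description="Me to backup peer"

REM 3. Filter action = "Require Security": negotiate ESP (encryption plus
REM    integrity, the only method that makes the link confidential) and
REM    never fall back to clear text. inpass=no rejects unsecured inbound
REM    packets; soft=no refuses to talk in the clear if IKE gets no answer.
netsh ipsec static add filteraction name="Require-ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]:100000k/3600s" inpass=no soft=no

REM 4. Rule joining list and action. kerberos=no because the two hosts do
REM    not share a domain, so a pre-shared key is used here instead.
netsh ipsec static add rule name="Backup-Link-Rule" policy="Backup-Link" filterlist="Backup-Link-Filters" filteraction="Require-ESP" kerberos=no psk="%PSK%" conntype=all activate=yes

REM 5. Assign the policy. Only one local IPsec policy is active at a time,
REM    and from this point every packet to PEER must be protected.
netsh ipsec static set policy name="Backup-Link" assign=yes

REM Review what was created.
netsh ipsec static show policy name="Backup-Link" level=verbose
```

Two things to watch when applying this. First, with `soft=no` the hosts stop talking to each other the moment one side assigns the policy and the other has not, so create the policy on both hosts with `assign=no`, then assign on both; if you administer the remote server over RDP across the same path, that session drops until IKE succeeds. Second, the pre-shared key is stored readably in the local policy store, so for anything beyond a lab use certificate authentication (`rootca=` in place of `psk=`). The firewall openings are the ones the answer lists, in both directions between the two addresses: UDP 500 for IKE and IP protocol 50 for ESP (51 only if you chose AH). The question states there is no NAT in the path; if one ever appears, Server 2003 switches IKE to NAT-T on UDP 4500, which must then be opened as well.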
 
LVL 25

Author Comment

by:dstanley9
ID: 17092999
If I implement this policy between the gateway and the remote server, will all traffic between our internal network and the remote be encrypted?  Meaning, can I set this up on the gateway and cover all traffic to/from the remote server, regardless of where it originated?  I don't care if it's encrypted between the internal servers and the remote server, so long as it's encrypted outside of our network.
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 17093112
You can if your gateway is a Windows 200x machine.  
0
 
LVL 25

Author Comment

by:dstanley9
ID: 17101311
OK, I think I have this working, but how do I verify that encryption is being used?  I have policies on both machines to Require Security, but how do I prove to someone that the connection is secure?

0
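The verification the last comment asks about, as an added example (not part of the original thread): the checks a Windows Server 2003 host offers to show that traffic to the peer is actually going through IPsec rather than in the clear. The peer address 203.0.113.10 is a placeholder assumption.

```batch
@echo off
REM Added example, not from the original thread: confirm that traffic to
REM the peer is protected by IPsec on a Windows Server 2003 host.
REM PEER is a placeholder (assumption); replace it with the real address.
set PEER=203.0.113.10

REM 1. Is a policy assigned, not merely created? The listing marks the
REM    assigned policy; an unassigned "Require Security" policy protects nothing.
netsh ipsec static show policy all

REM 2. Generate traffic. While IKE negotiates, a Require Security policy
REM    makes ping print "Negotiating IP Security." before the first reply;
REM    if the peer never answers IKE, there are no replies at all.
ping -n 4 %PEER%

REM 3. Live security associations. A main mode SA for PEER shows IKE
REM    authentication succeeded; a quick mode SA for PEER listing ESP with
REM    the configured algorithms is the evidence that packets are being
REM    encrypted. No quick mode SA for the peer means no protection.
netsh ipsec dynamic show mmsas all
netsh ipsec dynamic show qmsas all

REM 4. Driver counters. Run before and after moving data: the confidential
REM    (ESP) byte counters should grow by about the amount transferred,
REM    while the clear-text counters for this traffic should not.
netsh ipsec dynamic show stats type=all
```

To prove it to someone outside the box, capture on the ISA external interface (Network Monitor or any sniffer) while data is moving: between the two addresses you should see only UDP 500 during negotiation and then IP protocol 50 (ESP) packets whose payload is opaque, with no TCP or UDP headers visible. On the hosts themselves, enabling "Audit logon events" additionally records IKE security association establishment in the Security log (event 541), which gives a timestamped record of each negotiation.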
