IPSEC and NLB Web farm
Hi
I have a two-node web farm with Windows NLB (Windows 2008 R2). I want to enable an IPsec policy on them to require IPsec for inbound connections (IPsec with Kerberos computer account).
How can machines connect using IPsec to the NLB name of the web farm node?
ammarhasayen
April 27th, 2011 9:36am
Hi Customer,
You could first test by setting up outbound (to the server farm IP) connection security rules on one client, and inbound (from the client IP) connection security rules on all NLB servers.
If the test passes, use an IPsec GPO to deploy these two policies:
1. Outbound to server farm IP, port 80
2. Inbound from client IP, port 80
Creating Connection Security Rules
http://technet.microsoft.com/en-us/library/cc725940(WS.10).aspx
Configure IPsec GPOs
http://technet.microsoft.com/en-us/library/dd314176(WS.10).aspx
How to configure Network Load Balancing to work with IPsec
http://support.microsoft.com/kb/820752
Regards, Rick Tan
April 28th, 2011 6:03am
Hi Customer,
You could first test by creating IP connection security rules:
1. An outbound to NLB IP rule on one client
2. An inbound to NLB IP rule on the one NLB server that this client visits
If the test passes, use an IPsec GPO to deploy these two policies:
1. Outbound to NLB IP policy to clients
2. Inbound to NLB IP policy to all NLB servers
Creating Connection Security Rules
http://technet.microsoft.com/en-us/library/cc725940(WS.10).aspx
Configure IPsec GPOs
http://technet.microsoft.com/en-us/library/dd314176(WS.10).aspx
How to configure Network Load Balancing to work with IPsec
http://support.microsoft.com/kb/820752
Regards, Rick Tan
April 28th, 2011 6:04am
My question is how IPsec using Kerberos computer authentication will work when you hit an NLB name which isn't a security principal. Anyone?
ammarhasayen
May 1st, 2011 8:50am
Hi Customer,
When you create connection security rules, you could select the Computer (Kerberos V5) authentication method in the wizard.
Windows Firewall with Advanced Security -- Connection Security Rules -- New Rule -- Custom -- choose IP -- choose inbound/outbound authentication -- choose Computer (Kerberos V5).
Regards, Rick Tan
May 3rd, 2011 2:10am
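The wizard steps in the last reply can also be scripted with `netsh advfirewall consec`. This is an added example, not part of the original thread; it covers only creating and checking the rules. The cluster IP `192.0.2.10`, the `-Role` parameter and the rule names are constructed placeholders.

```powershell
# Added example. Run elevated on Windows Server 2008 R2 / Windows 7 or later.
# Usage: .\Set-NlbIpsecRule.ps1 -Role Server   (on each NLB node)
#        .\Set-NlbIpsecRule.ps1 -Role Client   (on a test client)
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Server', 'Client')]
    [string]$Role,
    # Constructed placeholder for the NLB cluster IP address.
    [string]$ClusterIp = '192.0.2.10'
)

if ($Role -eq 'Server') {
    # Hypothetical rule name. Require authentication for inbound TCP 80
    # addressed to the cluster IP; request it for outbound traffic.
    $name = 'NLB-HTTP-RequireIn'
    $ruleArgs = @("endpoint1=$ClusterIp", 'endpoint2=any', 'protocol=tcp',
                  'port1=80', 'port2=any', 'action=requireinrequestout')
} else {
    # Hypothetical rule name. Request authentication for traffic to
    # TCP 80 on the cluster IP so the client starts the negotiation.
    $name = 'NLB-HTTP-RequestOut'
    $ruleArgs = @('endpoint1=any', "endpoint2=$ClusterIp", 'protocol=tcp',
                  'port1=any', 'port2=80', 'action=requestinrequestout')
}

# Remove an earlier copy of the rule so the script can be re-run safely.
netsh advfirewall consec delete rule "name=$name" | Out-Null

# auth1=computerkerb selects Computer (Kerberos V5) as first authentication.
netsh advfirewall consec add rule "name=$name" @ruleArgs auth1=computerkerb
if ($LASTEXITCODE -ne 0) {
    throw "netsh failed to create rule '$name' (exit code $LASTEXITCODE)"
}

# Show the rule as stored, then the current main mode and quick mode
# security associations. After a test request to port 80, an SA for the
# peer address should be listed if negotiation succeeded.
netsh advfirewall consec show rule "name=$name"
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```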