Need ipsec help
I have a Windows domain network with a Server 2008 DC and a Server 2003 web server. The web server is domain bound so that we can have share access for users to deposit files onto their FTP sites from the internal network. I am trying to get the web server installed into a DMZ on our WatchGuard firewall. My WatchGuard support has told me to set up IPsec to allow a secure connection between the web server and the domain controller, so that I have fewer ports open for the share access from the trusted to the optional (DMZ) side of the firewall. I am having a very difficult time trying to figure out how to set up IPsec for this connection. I have read a lot of MS's stuff (among other references on the net) but am very confused and have had little luck getting IPsec configured correctly.

Here are the details: The trusted network has the domain controller located at 10.10.10.40 (static). The DMZ has the web server at 192.168.1.2 (static). The firewall has IPsec filters set to allow IPsec traffic in both directions. It also has an SMB filter to allow share access from trusted to DMZ, and an RDP policy for remote access for testing and setup (I will disable RDP once it is all working).

I can ping the web server from trusted, but cannot access the shares (I get a "DC not able to authenticate" error). I can RDP to the server and log on as the local admin, but get a failure when using a domain account ("no logon servers are available to service the request"). If I move the web server over to trusted, I can access shares and RDP without trouble. I have tried to configure IPsec filters several times in several ways, both with the web server in trusted and in the DMZ, but have had no luck getting IPsec to work correctly.

Can anyone give me an idea of what policy/filter to set up to make this work? Obviously, the web server will still need to communicate unsecured with external clients. I only want secure communication with the DC for share authentication for the trusted network.

I would think that this is a pretty common setup, but maybe I am wrong. Any help would be appreciated.
August 13th, 2008 10:13pm

Russell,

It appears that you configured your firewall to pass IPsec and SMB traffic, but you must also allow the ports for Active Directory traffic in order to use those services. How to configure a firewall to permit this traffic is discussed at: http://support.microsoft.com/kb/179442. You should configure the firewall to only allow traffic to/from the trusted addresses, of course.

I hope this helps.

Dave
Dave Bishop
September 17th, 2008 7:40pm
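A quick way to confirm the point Dave makes (the DMZ host can reach SMB but not the rest of the Active Directory ports) is to probe each port the DC must expose from the web server's side of the firewall. The script below is an added example, not code from the thread or from Microsoft; the port list is transcribed from KB 179442 as an assumption to be verified against the current article, and the DC address defaults to the 10.10.10.40 given in the question. The connector is injectable so the same logic can be exercised offline with a simulated firewall.

```python
"""Reachability check for the Active Directory ports a DMZ member server
needs to reach on its domain controller (added example, not from the thread).

Assumptions: the TCP port list below is transcribed from Microsoft KB 179442
("How to configure a firewall for domains and trusts"); the DC address
10.10.10.40 comes from the question; the firewall simulation is constructed.
"""
import socket
import sys
from typing import Callable, Dict, List, Tuple

# TCP ports a domain member needs on a DC, per KB 179442 (assumption: list
# transcribed from the KB; verify against the current article). UDP ports
# (DNS, Kerberos, NTP, LDAP ping) and the dynamic RPC range used by Netlogon
# and SAM are not probed: UDP gives no handshake result, and RPC picks an
# ephemeral port per call, so those must be opened by rule, not found by probe.
AD_TCP_PORTS: Dict[int, str] = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    139: "NetBIOS session",
    389: "LDAP",
    445: "SMB",
    464: "Kerberos password change",
    636: "LDAP over SSL",
    3268: "Global Catalog LDAP",
    3269: "Global Catalog LDAP over SSL",
}

# Ports that must all be reachable for a domain logon to succeed; when any of
# these is blocked the client reports "no logon servers are available".
LOGON_REQUIRED = {53, 88, 135, 389, 445}

Connector = Callable[[str, int, float], bool]
Report = Dict[str, List[Tuple[int, str]]]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(dc: str, ports: Dict[int, str] = AD_TCP_PORTS,
                   connect: Connector = tcp_connect,
                   timeout: float = 3.0) -> Report:
    """Probe every port in ascending order; return {'open': [...], 'blocked': [...]}."""
    report: Report = {"open": [], "blocked": []}
    for port, service in sorted(ports.items()):
        key = "open" if connect(dc, port, timeout) else "blocked"
        report[key].append((port, service))
    return report


def missing_for_domain_logon(report: Report) -> List[str]:
    """Name the logon-critical services that the probe found blocked."""
    return [service for port, service in report["blocked"] if port in LOGON_REQUIRED]


def fake_firewall(allowed: set) -> Connector:
    """Constructed connector simulating a firewall that passes only `allowed` ports."""
    def connect(host: str, port: int, timeout: float) -> bool:
        return port in allowed
    return connect


if __name__ == "__main__":
    # Run this from the DMZ web server: python check_dc_ports.py 10.10.10.40
    dc = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.40"
    result = check_dc_ports(dc)
    for p, svc in result["open"]:
        print(f"open     {p:5d}/tcp  {svc}")
    for p, svc in result["blocked"]:
        print(f"BLOCKED  {p:5d}/tcp  {svc}")
    gaps = missing_for_domain_logon(result)
    if gaps:
        print("Domain logon will fail until the firewall passes:", ", ".join(gaps))
```

With only the SMB and RDP policies in place, as the question describes, the report shows 445/tcp open and DNS, Kerberos, the RPC endpoint mapper and LDAP blocked, which matches the "no logon servers are available" symptom. Once the rules from the KB are added (restricted to the DC and web server addresses), rerun the probe; if IPsec is later negotiated between the two hosts, the same ports must still be permitted, since transport-mode ESP wraps the AD traffic rather than replacing it.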
