Using IPSec on TMG to secure access to Exchange not working

Hello,

I am trying to follow the MS white paper to use IPsec to secure Exchange 2010 Outlook Anywhere via TMG.

However, I am having trouble with getting IPsec configured properly on the TMG server. When I configure the IPsec Connection rule, Exchange site is still accessible without any restrictions.

- I assigned an additional IP to the TMG server and created a new Web Listener

- As a first step to ensure that everything works without IPsec, I have published Exchange on TMG and verified that I can access the server normally using OWA and Outlook Anywhere

- The Root CA has been imported on the TMG servers.

- I then follow the steps to create the Connection Security Rules where endpoint1 is any IP, and endpoint-2 is the IP of the TMG server, and configured it for computer authentication for inbound and outbound

- At this point I believe that the published Exchange site should no longer be accessible since it requires IPsec for HTTPS access to the Web Listener. However, this is not the case. I suspect that it is ignoring the Connection Security Rule that was configured within Windows 2008 R2 and not TMG

The part I am confused with is that the white paper outlines adding the Connection Security Rule in Windows Firewall with Advanced Security. However, I thought that TMG basically overrides any Windows Firewall configuration with the firewall policies within TMG. So is there another way to set this up on TMG without having to configure any IPsec rules on the actual Exchange server?

January 8th, 2014 2:56am

Hi,

you do not have to configure the IPSEC rules on the Exchange server.

Verify that you have selected "Require inbound and outbound" as authentication mode and not only "Request...."

You have to configure the connection security rules on both sides, i.e. client and server; see also http://secattic.blogspot.com/2013/11/creating-ipsec-tunnel-with-windows.html

Also if TMG is behind a NAT device make sure you use the actual IP address configured in Windows and not the IP address on the NAT device.

Regards,

Lutz

January 8th, 2014 5:25am

Lutz,

I already have "Require inbound and outbound" selected. It seems like TMG is just ignoring the connection security rule.

Environment:

TMG: Workgroup

External NIC: x.x.1.1, gw set, no DNS

- additional IP bound to external NIC x.x.1.2 dedicated for the web listener

- Public NAT: x.1.1.2 translates to x.x.1.2

ran "netsh advfirewall set global ipsec ipsecthroughnat serverandclientbehindnat"

Internal NIC: x.x.2.1, no gw, DNS set

The Web listener network is set to x.x.1.2

OWA publishing rule is set to use the Web listener

I verified that OWA is working normally without IPsec. The TMG log shows HTTPS connections to the destination IP x.x.1.2 (listener) during logon. After successful logon the log shows the Exchange server in the destination IP address column.

I create a Connection Security Rule

- Endpoint 1: any IP

- Endpoint 2: x.x.1.2 (listener IP)

- Protocols: TCP, endpoint 1: all ports, Endpoint 2: Specific: 443 (I also tried selecting the protocol to ANY)

- Authentication: Require inbound and outbound

- Advanced: all profiles selected

When I enable this Connection Security Rule, I can still access Exchange normally without using IPsec on the client. I can see that TMG still allows 443 access to the web listener without requiring IPsec authentication. It behaves exactly the same as before I created the rule.



January 10th, 2014 12:23am
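The rule described in the post above, as an added example that is not code from the thread or from the Microsoft white paper. It expresses the same Connection Security Rule as netsh advfirewall commands so it can be applied identically on the TMG host (Windows Server 2008 R2) and on the Windows 7 client, and includes the NAT-T global setting the post mentions. The listener IP 203.0.113.2 (the post writes it as x.x.1.2), the root CA subject and the rule name are assumed placeholders.

```powershell
# Added example, not code from the thread: the connection security rule from the
# post above as netsh advfirewall commands. Assumed values: listener IP
# 203.0.113.2 (x.x.1.2 in the post), root CA subject "C=US,O=Contoso,CN=Contoso
# Root CA" (must be the issuer of the computer certificates), and the rule name.
# Run elevated on the TMG host AND on each client; the rule is symmetric.

$ListenerIp = '203.0.113.2'                          # assumption: web listener IP
$CaName     = 'C=US,O=Contoso,CN=Contoso Root CA'    # assumption: CA that issued the computer certs
$RuleName   = 'Require IPsec for OWA listener'       # assumption: rule name

function Enable-IPsecNatTraversal {
    # The listener sits behind a NAT (public x.1.1.2 -> x.x.1.2), so both peers
    # must be allowed to negotiate through NAT-T (UDP 4500). Same command the post ran.
    netsh advfirewall set global ipsec ipsecthroughnat serverandclientbehindnat
}

function Set-ListenerIPsecRule {
    # Endpoint 1 = any address (the clients), Endpoint 2 = the listener IP,
    # TCP to port 443 only, all profiles, authentication REQUIRED in both
    # directions. "request" modes silently fall back to clear text, which is
    # exactly the symptom the thread describes (site reachable without IPsec).
    param([switch]$Remove)

    # Delete any earlier copy first so re-running the script does not stack duplicates.
    netsh advfirewall consec delete rule name="$RuleName" | Out-Null
    if ($Remove) { return }

    netsh advfirewall consec add rule name="$RuleName" `
        endpoint1=any `
        endpoint2=$ListenerIp `
        protocol=tcp port1=any port2=443 `
        action=requireinrequireout `
        auth1=computercert `
        auth1ca="$CaName" `
        profile=any `
        enable=yes
    # For a throw-away test only, the certificate auth line can be swapped for
    #   auth1=computerpsk auth1psk=<shared secret>
    # as the post did; never leave a pre-shared key in production.
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to add rule '$RuleName'" }
}

function Show-IPsecState {
    # Main-mode and quick-mode SAs only appear once a peer has actually negotiated;
    # an empty list with the rule present means no IKE exchange reached this host.
    netsh advfirewall consec show rule name="$RuleName"
    netsh advfirewall monitor show mmsa
    netsh advfirewall monitor show qmsa
}

Enable-IPsecNatTraversal
Set-ListenerIPsecRule
Show-IPsecState
```

The rule is enforced by the Windows Firewall engine (the MpsSvc service), not by TMG's own policy, so the profiles must be ON for it to have any effect; TMG's access rules still have to permit IKE (UDP 500) and IPsec NAT-T (UDP 4500) to the listener address.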

Hi,

As far as I know, IPsec may not be triggered on the client side. To confirm this, we could capture the packets on TMG (the IPsec gateway) to see if the traffic has been encapsulated with an IPsec header. Additionally, what is the client's OS?

Best Regards

Quan Gu

January 10th, 2014 7:24am

Quan,

The client OS is Windows 7.

As a simple test I configured a Windows 2008 R2 web server on my internal network. I set up a quick Connection Security Rule that requires inbound and outbound authentication for port 80.

I did not configure the client portion since I just want to confirm that access is restricted when IPsec is enabled. As expected, I cannot open the web page to the test server after creating the rule. I then disable the rule and everything works.

I repeated the same steps on TMG for the IP address of my web listener. However, I can access the published resource even though I have a connection rule defined in Windows Firewall with Advanced Security to require authentication. That leads me to believe TMG is completely ignoring the Connection Security Rule.

If IPSec is not triggered on the client side, would that not prevent me from accessing the site?

At this point, I cannot even get TMG to restrict access to IPsec connections. It is behaving like I never configured the Connection Security Rule to require IPsec.

Best regards,

Anderson


January 10th, 2014 7:44am

Anderson, have you created a rule in TMG to allow IKE and IPsec NAT-T? See the image. Sorry if I missed asking this earlier.

January 13th, 2014 12:38am

Lutz,

I finally got TMG to honor the connection security rule. It turns out that the Windows Firewall on the server was off before TMG was installed. I enabled the Windows Firewall on all profiles, and it has started filtering connections.

As a test I have configured pre-shared keys for the connection filter. I am able to now see the connections under main mode and quick on both the client and TMG server.

However, I cannot access the OWA site published via TMG. When monitoring the logs on TMG, I can only see the first log entry for IKE Client followed by IPsec NAT-T Client. There is no corresponding HTTPS connection in the TMG log. If I disable the connection rule on both the client and TMG, then I can see OWA and the HTTPS entries show up in the log.

Also I have created the rule similar to the one you provided with the exception of the FROM. I have mine listed FROM: Perimeter, which is the network that the web listener IP address belongs to.

Anderson

January 14th, 2014 1:10am
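A check script for the failure modes this thread ran into, as an added example that is not code from the thread. Run elevated on the TMG host, it verifies that the Windows Firewall service is running (the rule was silently ignored while it was off), that all three profiles are ON, that the rule exists and requires authentication in both directions, and whether main-mode and quick-mode SAs exist for the listener; a second function, run from a client that has no matching rule, confirms that unauthenticated TCP/443 is actually dropped. The listener IP 203.0.113.2 and the rule name are assumed placeholders, and the parsing expects English netsh output.

```powershell
# Added example, not code from the thread: diagnostics for the symptoms above.
# Assumed values: listener IP 203.0.113.2 (x.x.1.2 in the thread) and the rule
# name used when the connection security rule was created. Written for the
# PowerShell 2.0 that ships with Windows Server 2008 R2, the platform TMG runs on.

$ListenerIp = '203.0.113.2'                       # assumption: web listener IP
$RuleName   = 'Require IPsec for OWA listener'    # assumption: connection security rule name

function Test-IPsecListenerSetup {
    param([string]$Ip = $ListenerIp, [string]$Rule = $RuleName)
    $problems = @()

    # 1. Connection security rules are enforced by the Windows Firewall engine.
    #    With MpsSvc stopped every rule is a no-op, which is what the thread saw.
    $svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $problems += 'Windows Firewall service (MpsSvc) is not running; IPsec rules are not enforced.'
    }

    # 2. A rule scoped to a profile that is OFF is not applied on that profile.
    $currentProfile = 'unknown'
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings') {
            $currentProfile = $Matches[1]
        } elseif ($line -match '^State\s+(\S+)' -and $Matches[1] -ne 'ON') {
            $problems += "$currentProfile profile firewall is $($Matches[1])."
        }
    }

    # 3. The rule must exist and must REQUIRE authentication both ways; any
    #    "request" mode falls back to clear text and the site stays reachable.
    $ruleText = (netsh advfirewall consec show rule name="$Rule") -join "`n"
    if ($ruleText -match 'No rules match') {
        $problems += "Connection security rule '$Rule' not found."
    } elseif ($ruleText -notmatch 'RequireInRequireOut') {
        $problems += "Rule '$Rule' does not require authentication in both directions."
    }

    # 4. A main-mode SA proves IKE reached this host through the NAT; a quick-mode
    #    SA proves the TCP/443 traffic selector was negotiated. MM without QM
    #    matches the final post (IKE and NAT-T logged, no HTTPS connection).
    $mm = (netsh advfirewall monitor show mmsa) -join "`n"
    $qm = (netsh advfirewall monitor show qmsa) -join "`n"
    $ipPattern = [regex]::Escape($Ip)

    New-Object PSObject -Property @{
        Problems    = $problems
        MainModeSA  = [bool]($mm -match $ipPattern)
        QuickModeSA = [bool]($qm -match $ipPattern)
    }
}

function Test-TcpPort {
    # Run from a client WITHOUT the matching rule. With the listener rule enforced
    # the connect must time out, because the host discards unauthenticated TCP/443;
    # a successful connect means the rule is not being applied.
    param([string]$TargetHost, [int]$Port = 443, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$result = Test-IPsecListenerSetup
if ($result.Problems.Count -eq 0) { 'No configuration problems found.' } else { $result.Problems }
"Main-mode SA with $ListenerIp  : $($result.MainModeSA)"
"Quick-mode SA with $ListenerIp : $($result.QuickModeSA)"
```

Once the rule is honored, the remaining gap in the last post (main-mode and quick-mode SAs present but no HTTPS entry in the TMG log) is worth checking against the TMG access rules for UDP 500/4500 and against the quick-mode SA's traffic selectors: the SA must cover TCP/443 to the listener address, not just the IKE exchange.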
