IPSec tunneling through ISA - Network



Thread: IPSec tunneling through ISA

  1. IPSec tunneling through ISA

    I have two servers in two different subnets (the main LAN and a DMZ),
    connected through an ISA Server 2006 firewall; the two networks are routed.

    I need to setup everything so that all traffic between the two servers is
    encapsulated in an IPSec tunnel, thus opening only the bare minimum ports
    required for IPSec on the ISA server.

    Only the communications between the two servers need to be encrypted; they
    need to be able to talk to their respective networks without using IPSec.

    All TCP and UDP traffic should be allowed between the servers, but it will
    need to go through the IPSec tunnel.

    No certificates will be available; the encryption will be done using
    pre-shared keys.


    Can someone please point me in the right direction? I'm not really used to
    IPSec, and I'm having quite a bit of trouble making it work.


    Thanks


    Massimo



  2. Re: IPSec tunneling through ISA

    "Massimo" wrote in message
    news:uvbvN8dEJHA.4092@TK2MSFTNGP06.phx.gbl...
    > I need to setup everything so that all traffic between the two servers is
    > encapsulated in an IPSec tunnel, thus opening only the bare minimum ports
    > required for IPSec on the ISA server.


    It is pointless. ISA is already limiting it to "bare minimum ports
    required",...in fact the default is *none* until you tell it otherwise

    > All TCP and UDP traffic should be allowed between the servers, but it will
    > need to go through the IPSec tunnel.


    You can't allow "all TCP & UDP" and at the same time allow only "bare
    minimum ports required",...they are exact opposite of each other.

    The only thing the IPsec would be doing is preventing "packet
    sniffing",...which isn't going to happen anyway on a Switched network unless
    you configure a Monitoring Port on a Switch sitting between the two Hosts
    and plug a machine into that port with a packet sniffer running on it.

    So it is all pointless.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------



  3. Re: IPSec tunneling through ISA

    "Phillip Windell" wrote in message
    news:OnnZYMeEJHA.5104@TK2MSFTNGP02.phx.gbl...

    >> I need to setup everything so that all traffic between the two servers is
    >> encapsulated in an IPSec tunnel, thus opening only the bare minimum
    >> ports required for IPSec on the ISA server.

    >
    > It is pointless. ISA is already limiting it to "bare minimum ports
    > required",...in fact the default is *none* until you tell it otherwise
    >
    >> All TCP and UDP traffic should be allowed between the servers, but it
    >> will need to go through the IPSec tunnel.

    >
    > You can't allow "all TCP & UDP" and at the same time allow only "bare
    > minimum ports required",...they are exact opposite of each other.


    Maybe I didn't explain the issue well.
    The TCP and UDP traffic between the two servers should flow "inside" the
    IPSec tunnel, so the firewall will only need to allow the ports used by the
    IPSec tunnel itself (IP 50 and UDP 500, if I'm correct).

    > So it is all pointless.


    I know it is; but some manager thinks this is "a lot more secure", so I
    should answer him if it can be done, and how :-/


    Massimo


  4. Re: IPSec tunneling through ISA

    "Massimo" wrote in message
    news:e3IfVqeEJHA.5224@TK2MSFTNGP03.phx.gbl...
    >> So it is all pointless.

    >
    > I know it is; but some manager thinks this is "a lot more secure", so I
    > should answer him if it can be done, and how :-/


    Ok, well I guess I can understand that anyway :-)

    Better wait and see what someone else has to say about that who might have
    more experience with the IPsec itself. You and I are probably in the same
    boat with respect to that,..heck you probably know more than me about
    that part. I have never set it up at all apart from L2TP/IPsec with a
    static key in a VPN situation.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------



  5. Re: IPSec tunneling through ISA

    Oh, by the way. I really don't think ISA will even have a role in it. ISA
    is not going to be reading the insides of the IPsec packets,..and it is not
    "proxying" anything,..it is just acting as a simple LAN router. It just
    needs the correct protocol allowed to let the IPsec packets move across it
    "unmolested".

    So the IPsec configuration would just be between the originating machine and
    the receiving machine as if the ISA never existed.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------



  6. Re: IPSec tunneling through ISA

    In fact, this is almost a half-day in the Microsoft Ninjitsu class Tim & I
    present each year at Black Hat Las Vegas.
    Since you have a routed relationship between the two networks where the
    IPSec endpoints operate, it's as simple as adding a single IPSec policy to
    enforce IPSec for all traffic to and from each host.
    The place to be extra careful is in the "to" and "from" parts of the policy.
    It's all too easy to get them backwards or inside-out and completely block
    all traffic to and from them.
    The good news is that you need only disable the IPSec policy that's blocking
    and you'll be back in business.

    If you're using IPSec to limit the domain traffic across ISA (good idea) and
    IPSec bothers you that much, you might want to take a read here:
    http://technet.microsoft.com/library/cc891503.aspx. This article discusses
    domain traffic to, across and through ISA in painful detail.

    --
    Jim Harrison (ISA SE)

    This posting implies no warranty and confers no rights.
    http://catb.org/~esr/faqs/smart-questions.html






  7. Re: IPSec tunneling through ISA

    "Phillip Windell" wrote in message
    news:%23xd2SffEJHA.680@TK2MSFTNGP03.phx.gbl...

    > Oh, by the way. I really don't think ISA will even have a role in it.
    > ISA is not going to be reading the insides of the IPsec packets,..and it
    > is not "proxying" anything,..it is just acting as a simple LAN router. It
    > just needs the correct protocol allowed to let the IPsec packets move
    > across it "unmolested".


    True.
    But I don't see anything in ISA that lets me allow specific IP protocols
    other than TCP, UDP and ICMP...


    Massimo


  8. Re: IPSec tunneling through ISA

    "Jim Harrison (ISA SE)" wrote in
    message news:8F483A79-E992-46AC-B044-DE0F93AEABF2@microsoft.com...

    > In fact, this is almost a half-day in the Microsoft Ninjitsu class Tim & I
    > present each year at Black Hat Las Vegas.
    > Since you have a routed relationship between the two networks where the
    > IPSec endpoints operate, it's as simple as adding a single IPSec policy to
    > enforce IPSec for all traffic to and from each host.
    > The place to be extra careful is in the "to" and "from" parts of the
    > policy.
    > It's all too easy to get them backwards or inside-out and completely block
    > all traffic to and from them.
    > The good news is that you need only disable the IPSec policy that's
    > blocking
    > and you'll be back in business.


    Thanks. I've played for a while with IPSec policies, but I still wasn't able
    to make them work... tomorrow I'll try again. I'm quite confused.
    I've tried setting up a policy on ServerA with the default answer rule
    configured to allow security using a pre-shared key, and a policy on ServerB
    requiring security for all TCP connections to ServerA (using the same key),
    but all traffic to/from ServerB just stops. What am I missing?
    And what should I configure where I'm asked for the tunnel endpoint? The
    server itself? The ISA firewall? The remote server?
    How about ISA? Now it's just letting all traffic flow between the two
    networks, but is it enough? Everything I've read about IPSec tunnels
    involves specific IP protocols (50 or 51); how should I tell ISA to let them
    through?

    > If you're using IPSec to limit the domain traffic across ISA (good idea)
    > and
    > IPSec bothers you that much, you might want to take a read here:
    > http://technet.microsoft.com/library/cc891503.aspx. This article
    > discusses
    > domain traffic to, across and through ISA in painful detail.


    Thanks, my situation is in fact somewhat similar: we're putting Exchange
    2003 front-end servers in a DMZ, and they're asking me to let them talk with
    domain controllers and Exchange back-ends without opening the firewall "too
    much".
    I've found similar documents describing ports and protocols needed by
    Exchange, and they replied "use IPSec, so you'll only need to open two or
    three ports in the firewall". I still didn't manage to get them to
    understand how completely foolish this is... :-/


    Massimo


  9. Re: IPSec tunneling through ISA

    IPSec is always defined in the context of "endpoints".
    Since you want IPSec between the two hosts in opposite networks, you define
    them as each other's remote.
    The biggest problem you will have is that Exch FE is not communicating only
    to Exch BE; it must also communicate with the domain controllers and other
    relevant services that you may have imposed on them.

    ISA cannot "see inside" IPSec channels; that's the whole point of IPSec.
    Thus, your ISA policies have to allow IPSec Client and IKE between any hosts
    that are trying to communicate with each other.
    Since this definition is somewhat dynamic, simply creating IPSec policies
    between your two Exchange servers is not going to cut it.

    If this is a deployment blocker, you may be better off allowing domain
    traffic only between the Exch FE and the domain network as described in the
    article I linked and play with IPSec in a virtual lab until you get the
    definitions nailed.

    --
    Jim Harrison (ISA SE)

    This posting implies no warranty and confers no rights.
    http://catb.org/~esr/faqs/smart-questions.html





  10. Re: IPSec tunneling through ISA

    "Jim Harrison (ISA SE)" wrote in
    message news:F247F293-CB3F-40A9-82E5-313AFF66D86E@microsoft.com...

    > IPSec is always defined in the context of "endpoints".
    > Since you want IPSec between the two hosts in opposite networks,
    > you define them as each other's remote.


    Ok, now it's definitely clearer.

    > The biggest problem you will have is that Exch FE is not
    > communicating only to Exch BE; it must also communicate
    > with the domain controllers and other relevant services that
    > you may have imposed on them.


    No problem about this, that has been already planned; those servers will be
    allowed to freely communicate with Exchange BEs and DCs. But they're asking
    me to do that inside an IPSec tunnel.

    > ISA cannot "see inside" IPSec channels; that's the whole point of IPSec.
    > Thus, your ISA policies have to allow IPSec Client and IKE between any
    > hosts that are trying to communicate with each other.


    This is ok, ISA's role will not be to filter application traffic here; it'll
    simply allow IPSec connections between the relevant hosts, what they're
    exchanging inside the IPSec channel isn't its business.

    > If this is a deployment blocker, you may be better off allowing domain
    > traffic only between the Exch FE and the domain network as described
    > in the article I linked and play with IPSec in a virtual lab until you get
    > the
    > definitions nailed.


    I'm actually doing exactly that, playing with it in a virtual lab :-)


    Massimo


  11. Re: IPSec tunneling through ISA

    "Jim Harrison (ISA SE)" wrote in message
    news:8F483A79-E992-46AC-B044-DE0F93AEABF2@microsoft.com...

    > If you're using IPSec to limit the domain traffic across ISA (good idea)
    > and
    > IPSec bothers you that much, you might want to take a read here:
    > http://technet.microsoft.com/library/cc891503.aspx. This article
    > discusses
    > domain traffic to, across and through ISA in painful detail.


    Ok, I'll look it over.

    Is there anything out there that is fairly short and "to the point" with
    setting up IPsec between two hosts?,..maybe a walk-through type of thing.
    You know me, I always hate everything I'm not familiar with till I get to
    know it, and of course I'm not very patient :-)

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------



  12. Re: IPSec tunneling through ISA

    "Phillip Windell" wrote in message
    news:%23YcdaloEJHA.3488@TK2MSFTNGP02.phx.gbl...

    > Is there anything out there that is fairly short and "to the point" with
    > setting up IPsec between two hosts?,..maybe a walk-through type of
    > thing. You know me, I always hate everything I'm not familiar with till I
    > get to know it, and of course I'm not very patient :-)


    Looks like I've got it up and running, so I'm going to be your mentor
    here... even if I didn't know almost anything about IPSec two days ago :-)

    Let's say you have two servers, ServerA and ServerB.

    On ServerA, open the local security policy console and go to IPSec policies.

    Create a new policy, give it a name and disable the default answer rule.

    Add a new rule, don't use any tunnel, apply it to all network connections
    (or only to the relevant ones if this matters for your setup), then choose
    to use a pre-shared key for authentication.

    Next, create a new IP filter, give it a name and add a new filter rule,
    choosing ServerA's IP address as the source address and ServerB's IP address
    as the destination one, and creating a mirrored filter; apply the rule to
    any protocol and close the wizard, going back to the IP filter selection
    page; choose the filter you just created.

    In the next screen, create again a new rule; give it a name, choose to
    negotiate security and then to not communicate without IPSec; then, choose
    the first option to enable both cryptography and integrity; go back to the
    rule selection page, and choose the rule you just created.

    End the wizard without editing additional properties, right-click on the
    policy you just created and choose "Assign".

    On ServerB, do the same as ServerA, but swap the source and destination IP
    addresses.

    This should be enough for a simple setup, and it also works through firewalls
    (tested with ISA, it just needs to allow IP protocol 50 (ESP) and UDP 500
    (IKE)).

    For more complex networks, you'd rather use domain policies than local ones:
    this would allow you to apply the same policy to a bunch of servers at the
    same time; but remember to be careful when enabling IPSec between domain
    members and domain controllers: if it doesn't work properly, you'll be
    unable to remove the policies, as the member computers won't be able to talk
    with DCs anymore and so they won't get new GPOs.

    If you get in trouble and your computers don't want to talk to each other
    anymore, you can always fully disable IPSec by stopping the Windows IPSec
    service from Service Manager; if you stop it on all servers which can't
    communicate, they will come back to life and you can remove the offending
    policies.


    Massimo

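The steps Massimo walks through above (policy, mirrored any-protocol filter between the two addresses, a "negotiate, never fall back to clear" filter action, pre-shared-key rule, assign), written out as an added example with the `netsh ipsec static` commands of that Windows Server generation; this is not code from the thread. The addresses, the key, the object names and the ESP[3DES,SHA1] method are assumptions; run it on each server with `$Me` set to that server's own address, and verify in a lab first because an assigned policy with a wrong filter blocks exactly the traffic described in the thread.

```powershell
# Added example, not from the thread: host-to-host ESP between ServerA and ServerB,
# mirroring the GUI steps in the post above. Run locally on each server, elevated.
# On ServerA: $Me = ServerA, $Peer = ServerB.  On ServerB: swap the two (assumed addresses).
$Me   = "10.0.0.10"
$Peer = "10.0.1.10"
$Psk  = "REPLACE-WITH-A-LONG-RANDOM-LAB-ONLY-KEY"   # PSK is the weakest option; lab use only

$Pol = "LanDmzEsp"          # assumed object names (no spaces, so they pass cleanly to netsh)
$Fl  = "LanDmzHosts"
$Fa  = "RequireEsp"

# 1. New policy; activatedefaultrule=no is the "disable the default answer rule" step.
netsh ipsec static add policy name=$Pol description="ESP between ServerA and ServerB" activatedefaultrule=no assign=no

# 2. IP filter list with one mirrored, any-protocol filter between the two hosts
#    (the post's "source = this server, destination = the other one, mirrored, any protocol").
netsh ipsec static add filterlist name=$Fl
netsh ipsec static add filter filterlist=$Fl srcaddr=$Me dstaddr=$Peer protocol=ANY mirrored=yes

# 3. Filter action: negotiate security, do not accept or fall back to unsecured traffic,
#    ESP with both confidentiality and integrity (the wizard's "first option").
netsh ipsec static add filteraction name=$Fa action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

# 4. Rule tying list and action together: transport mode (no tunnel endpoint, as the thread
#    concludes), all connection types, pre-shared key instead of Kerberos.
netsh ipsec static add rule name=HostToHost policy=$Pol filterlist=$Fl filteraction=$Fa conntype=all kerberos=no psk=$Psk

# 5. Assign the policy (the "Assign" right-click in the console).
netsh ipsec static set policy name=$Pol assign=yes

# Checks: review the policy as stored, then, after generating some traffic to $Peer,
# confirm a quick-mode SA exists. No SA plus dead traffic means the filter is backwards.
netsh ipsec static show policy name=$Pol
netsh ipsec dynamic show qmsas

# ISA side (per the thread, not scriptable here): one access rule between the two hosts
# allowing IP protocol 50 (ESP) and UDP 500 (IKE). ISA sees nothing inside the ESP payload.

# Recovery, as the post describes: unassign the policy, or stop the IPsec service
# (service name PolicyAgent, "IPSEC Services") on every affected host, then remove the policy.
#   netsh ipsec static set policy name=$Pol assign=no
#   Stop-Service PolicyAgent
```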

  13. Re: IPSec tunneling through ISA

    "Massimo" wrote in message
    news:eEmWPirEJHA.616@TK2MSFTNGP06.phx.gbl...

    > choose to use a pre-shared key for authentication.


    Of course, this should be used only for testing purposes, or if no better
    system is available; it's the simplest but most insecure option.


    Massimo


  14. Re: IPSec tunneling through ISA

    "Short" and "to the point" hints that you want something specific to a
    particular deployment and this just ain't happenin'.
    Beat back your impatience (or impatiens; whichever you prefer) and take the
    time to read through it.
    If you give a man a fish; he'll eat for a day.
    If you teach a man to fish, he'll sit in a boat and drink beer all day.


    --
    Jim Harrison (ISA SE)

    This posting implies no warranty and confers no rights.
    http://catb.org/~esr/faqs/smart-questions.html






  15. Re: IPSec tunneling through ISA

    "Jim Harrison (ISA SE)" wrote in message
    news:eQDrOLsEJHA.5224@TK2MSFTNGP03.phx.gbl...
    > "Short" and "to the point" hints that you want something specific to a
    > particular deployment


    No, just something I can try in a simple VPC lab, between the 15 people
    wanting me for 16 different things throughout the day. By the time I get
    home I don't want to touch a PC or read anything more complex than a Pepsi
    label.

    Massimo's reply will probably do, but yes, I'll keep the link from your
    other post.

    > and this just ain't happenin'.
    > Beat back your impatience (or impatiens; whichever you prefer) and take
    > the


    impatiens? http://en.wikipedia.org/wiki/Impatiens
    I'm not into flowers unless they are plastic. :-)
    Watering them is more a pain than IPsec, I beat them back with the
    lawnmower.


    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------


