communication still works after turning off ipsec service?? - Network


  1. communication still works after turning off ipsec service??

    I have a SQL server (2003) that is configured to accept traffic on tcp 1433
    only via IPSEC, using a certificate.

    It appears that the client must have the client request ipsec policy
    assigned and have it configured to use the certificate for
    authentication... but I can then turn off the IPSEC service on the client and
    it is still able to communicate? Also, ipsecmon mmc does not seem to
    indicate much traffic - yet another client without the initial setup cannot
    connect.

    What am I missing? Thanks

  2. Re: communication still works after turning off ipsec service??

    The IP Security Monitor, when run on the server, should show if ipsec is still
    being used between the server and the client for that port and also show
    failed SAs and the source IP address. The server would need to be configured
    with an ipsec require policy to make sure that it is not possible to access
    that port without an ipsec SA, which you may want to verify. I would also try
    stopping and disabling the ipsec service on that client and rebooting it to
    see what happens then. --- Steve


  3. Re: communication still works after turning off ipsec service??

    Thanks for the quick response.

    Yes, the server has a policy specifically for 1433/tcp assigned to it - and
    another client that does not have the trusted root certificate in its
    computer cert store cannot connect via the ODBC System DSN test connection
    function.

    A client with that certificate can connect, seemingly whether ipsec is
    enabled on the client or not.

    I rebooted it, stopped the ipsec service, and was still able to successfully
    test the connection; whereas at the very same time, another client cannot
    connect.

    Wondering if there's something about using certificates that I'm missing vs.
    using Kerberos.

    thx


  4. Re: communication still works after turning off ipsec service??

    Interesting. Did you use IP Security Monitor on the server to verify that
    the client in question actually had an ipsec SA on port 1433 TCP when it had
    the ipsec service disabled? Did you disable and stop the ipsec service on
    the client before rebooting? You could also try running the command netdiag
    /test:ipsec on the client to see what it reports as far as ipsec on the
    client, as shown in the example below. Netdiag is a support tool that would
    need to be installed if it was not on the computer. The links below may be
    helpful if reviewed. --- Steve

    IP Security test . . . . . . . . . : Passed
    Service status is: Started
    Service startup is: Automatic
    IPSec service is available, but no policy is assigned or active
    Note: run "ipseccmd /?" for more detailed information

    http://www.microsoft.com/technet/sec.../ipsecch7.mspx
    http://www.microsoft.com/technet/sec.../ipsecapa.mspx

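    The verification Steve describes, checking on the server whether each established 1433/tcp session actually has an IPsec SA behind it, as an added example that is not part of the original thread. It assumes a current Windows (Server 2012 / Windows 8 or later) where the NetTCPIP and NetSecurity modules exist; the 2003-era equivalents are ipsecmon and netdiag /test:ipsec as used above, and the SA property names (RemoteEndpoint, LocalPort, RemotePort) are assumed from Get-NetIPsecQuickModeSA.

```powershell
# Added example (not from the thread): correlate established TCP sessions on the
# SQL port with IPsec quick-mode SAs on the server. A client whose IPSEC service
# is stopped can only connect if the server policy merely *requests* security or
# allows fallback to clear; this check makes such cleartext sessions visible.
# Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection, Get-NetIPsecQuickModeSA).
param([int]$Port = 1433)

# Snapshot SAs first, then connections, so a short-lived SA is not missed.
$sas   = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue)
$conns = @(Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue)

$report = foreach ($c in $conns) {
    # An SA covers this peer if its remote endpoint matches and its port
    # selector is either the SQL port or 0 (a wildcard "any port" filter).
    # Property names are assumed from Get-NetIPsecQuickModeSA output.
    $sa = $sas | Where-Object {
        $_.RemoteEndpoint -eq $c.RemoteAddress -and
        ($_.LocalPort -in @(0, $Port) -or $_.RemotePort -in @(0, $Port))
    } | Select-Object -First 1

    if ($sa) {
        $note = 'IPsec SA present'
    } else {
        # This is the situation the original poster saw: a working session
        # with no SA, meaning the server policy is not actually requiring IPsec.
        $note = 'NO SA: session is in the clear; server policy is not requiring IPsec'
    }

    [pscustomobject]@{
        RemoteAddress = $c.RemoteAddress
        RemotePort    = $c.RemotePort
        Protected     = [bool]$sa
        Note          = $note
    }
}

$report | Format-Table -AutoSize

# Exit non-zero when any cleartext session exists, so the check can run from a
# scheduled task or monitoring job and alert on policy drift.
if ($report | Where-Object { -not $_.Protected }) { exit 1 } else { exit 0 }
```

    Run it on the server while the client with the stopped IPSEC service has its ODBC test connection open; a row with Protected = False confirms the policy is negotiating rather than requiring.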
  5. Re: communication still works after turning off ipsec service??

    I agree with Steven, check ipsecmon to see what the SA state looks like. It
    sounds to me like you have a misconfiguration in the IPsec IP rules. Are you
    denying all other traffic? Are you only allowing one IP to connect on 1433,
    or are you allowing ANY?


    --
    Jeff Sigman [MSFT]
    NAP Release Manager
    Jeff.Sigman@online.microsoft.com *
    http://blogs.msdn.com/nap

    * Remove the "online" to actually email me.
    ** This posting is provided "AS IS" with no warranties, and confers no
    rights.
