Trust, Firewall and IPSEC - Network


Thread: Trust, Firewall and IPSEC

  1. Trust, Firewall and IPSEC

    All,

    I’ve a customer with two Active Directory forests: one (A) is Windows 2000
    with about 180 sites, the other (B) is Windows 2003 with one site.

    Users in forest B need to access resources in forest A, so we need to set
    up a trust.
    These forests are linked by a customer external provider that doesn’t like
    to open the ports required to set up a trust, and he asks us to use IPsec.
    If I remember correctly, cross-forest trust IPsec can be done only if
    Windows 2003 exists on both sides, right?
    Is there some other way to set up IPsec trust in this customer environment?
    Pros and cons?
    Many thanks!


  2. Re: Trust, Firewall and IPSEC

    IPsec between domain controllers will work on Win2000. There are some
    caveats depending on the authentication method used.

    Microsoft recommends that you use cert-based authentication when you
    configure domain controller-to-domain controller IPsec policy rules. For
    detailed information see the document: Active Directory in Networks
    Segmented by Firewalls.
    http://www.microsoft.com/downloads/d...DisplayLang=en

    If you have to use Kerberos, take a look at the following articles:
    http://support.microsoft.com/kb/254949/en-us

    http://support.microsoft.com/kb/254728/en-us

    thanks,
    Jason Popp
    Program Manager


    "Luca Barale" <Barale@discussions.microsoft.com> wrote in message
    news:A13FB969-C718-4DB4-BB2D-B304A3E742D9@microsoft.com...
    > All,
    >
    > I’ve a customer with two Active Directory forests: one (A) is Windows 2000
    > with about 180 sites, the other (B) is Windows 2003 with one site.
    >
    > Users in forest B need to access resources in forest A, so we need to set
    > up a trust.
    > These forests are linked by a customer external provider that doesn’t like
    > to open the ports required to set up a trust, and he asks us to use IPsec.
    > If I remember correctly, cross-forest trust IPsec can be done only if
    > Windows 2003 exists on both sides, right?
    > Is there some other way to set up IPsec trust in this customer environment?
    > Pros and cons?
    > Many thanks!
    >



  3. Re: Trust, Firewall and IPSEC

    Kerberos is the default authentication mechanism for Win2000 domains, but
    that does not mean that the authentication mechanism used for your IPsec
    policies has to be Kerberos. IPsec supports 3 different authentication
    mechanisms: Kerberos, X.509 certificates and preshared keys. By default
    IPsec policies will list Kerberos as the authentication mechanism, because
    as noted it is the default for Win2000+ domains, but you can configure a
    certificate server and then use IPsec certificates for authentication, or
    even use preshared keys (not generally recommended).

    When considering the use of IPsec between domain controllers, there are some
    potential issues with using Kerberos to secure communications. By default
    IPsec does not protect Kerberos traffic (described in the KB articles listed
    in my original post), so if you want to protect all traffic between domain
    controllers, it is recommended that you use certificates to ensure all
    traffic is protected. If you still want to use Kerberos, you should look at
    modifying the NoDefaultExempt registry key to force IPsec to protect
    Kerberos; else you'll need to get the Kerberos ports opened up in addition to
    the IKE and ESP/AH protocols opened up...

    Jason






    "Luca Barale" wrote in message
    news:50A29B66-C67F-4E99-983A-1C47D983D07D@microsoft.com...
    > What do you mean when you say: "If you have to use Kerberos"?
    > Isn't Kerberos the default authentication protocol for Windows 2000
    > computers?
    > What type of options do I have? Sorry, but I'm a little bit confused...
    > If I set up the external trust between two domains, I can set up IPsec to
    > encrypt traffic between DCs of the two domains, but when the client of
    > domain A needs to access resources of domain B, what type of connections
    > take place?
    > In this case, what is the path of the authentication traffic?
    > Thanks.
    >
    >


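To make the exemption point in Jason's answer concrete: the helper below, added here and not from any Microsoft tool, models the DWORD `NoDefaultExempt` under `HKLM\SYSTEM\CurrentControlSet\Services\IPSEC` and works out which DC-to-DC flows an "all traffic" IPsec policy would actually carry, and which the provider would still have to open in the clear. The flow list is a constructed sample; the bit meanings and OS defaults are those Microsoft documents for the IPsec driver.

```python
"""Audit helper for the IPsec driver's default exemptions (NoDefaultExempt).

Hypothetical code written for this thread, not Microsoft's.  It assumes the
documented meaning of the DWORD value:
  bit 0 set -> Kerberos and RSVP traffic is no longer exempt from IPsec filtering
  bit 1 set -> multicast/broadcast no longer exempt (Windows Server 2003 only)
Windows 2000 and XP default to 0; Windows Server 2003 defaults to 3.
"""

KERBEROS_RSVP_FILTERED = 0x1
MCAST_BCAST_FILTERED = 0x2
DEFAULTS = {"win2000": 0, "winxp": 0, "win2003": 3}

# Constructed sample of flows a DC-to-DC policy is meant to cover.
DC_FLOWS = (
    ("kerberos", "tcp", 88),
    ("kerberos", "udp", 88),
    ("ldap", "tcp", 389),
    ("rpc-epm", "tcp", 135),
    ("smb", "tcp", 445),
)


def exemptions(value):
    """Return the set of traffic classes the IPsec driver passes untouched."""
    if not 0 <= value <= 3:
        raise ValueError("NoDefaultExempt must be 0..3, got %r" % (value,))
    exempt = {"isakmp"}  # IKE (udp/500) is always exempt, or nothing could negotiate
    if not value & KERBEROS_RSVP_FILTERED:
        exempt |= {"kerberos", "rsvp"}
    if not value & MCAST_BCAST_FILTERED:
        exempt |= {"multicast", "broadcast"}
    return exempt


def kerberos_protected(value):
    """True when Kerberos between the DCs travels inside ESP/AH."""
    return "kerberos" not in exemptions(value)


def firewall_plan(value):
    """Split DC_FLOWS into what must be opened in the clear on the provider's
    firewall and what rides inside ESP/AH (needing only IP protocol 50/51)."""
    exempt = exemptions(value)
    clear = [("isakmp", "udp", 500)]
    protected = []
    for name, proto, port in DC_FLOWS:
        (clear if name in exempt else protected).append((name, proto, port))
    return {"clear": clear, "protected": protected, "ip_protocols": ["esp(50)", "ah(51)"]}
```

With the Windows 2000 default the plan shows both Kerberos ports in the clear, which is exactly the extra firewall opening the answer warns about; with value 1 (or the 2003 default of 3) only IKE and ESP/AH remain.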
