IPSec Between Multiple Internal Nets
IPSec Between Multiple Internal Nets - 18.May2004 7:52:00 PM
senad
Posts: 31
Joined: 27.Nov.2001
From: Brighton, MA
Status: offline
I have multiple internal interfaces - 3 network segments using routing between them (no NAT). There are multiple Win2k3 servers on each segment, all belonging to the same AD domain. I wish to limit traffic between individual nets to only IPSec.
What rule(s) should be applied in ISA 2003 to allow IPSec traffic between segments (in order to allow AD traffic)?
Thx
RE: IPSec Between Multiple Internal Nets - 18.May2004 9:14:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Senad,
You should be able to use ESP and IKE to allow IPSec traffic through.
HTH, Tom
RE: IPSec Between Multiple Internal Nets - 18.May2004 11:26:00 PM
senad
Posts: 31
Joined: 27.Nov.2001
From: Brighton, MA
Status: offline
Hi Tom, Thank you for (as always) quick response.
If I understood correctly, creating a new access rule allowing the "IPSec-ESP Client" and "IKE Client" protocols should be sufficient to allow IPSec communication between servers on different segments?
Senad
RE: IPSec Between Multiple Internal Nets - 19.May2004 12:28:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Senad,
That's right. I meant to include that in the ISA 2004/Exchange Kit doc on FE/BE and using IPSec between the FE and BE. I'll include that info in the book, because it's a nice way of doing things.
HTH, Tom
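As an added example (not from this thread or from ISA Server itself), the following script checks whether the rule discussed above actually holds in practice: it reads firewall log lines and flags any allowed connection between two different internal segments that is neither IKE (UDP/500) nor ESP (IP protocol 50). The segment addresses, the log field layout and the sample lines are all constructed for the example.

```python
# Added example: verify that only IPSec (IKE + ESP) crosses internal segments.
# Segment ranges, log layout and sample lines are constructed, not from ISA Server.
import ipaddress

# Assumed internal segments; replace with the real ISA network objects' ranges.
SEGMENTS = {
    "NetA": ipaddress.ip_network("10.1.0.0/24"),
    "NetB": ipaddress.ip_network("10.2.0.0/24"),
    "NetC": ipaddress.ip_network("10.3.0.0/24"),
}

# Constructed log layout: src dst proto dstport action ("-" when no port applies)
SAMPLE_LOG = """\
10.1.0.10 10.2.0.20 udp 500 ALLOWED
10.1.0.10 10.2.0.20 esp - ALLOWED
10.1.0.10 10.2.0.20 tcp 389 ALLOWED
10.1.0.10 10.1.0.11 tcp 135 ALLOWED
10.3.0.5 10.2.0.20 tcp 445 DENIED
""".splitlines()


def segment_of(ip):
    """Name of the internal segment containing ip, or None if it is not internal."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_ipsec(proto, port):
    """IKE is UDP/500; ESP is its own IP protocol. No NAT here, so no NAT-T (UDP/4500)."""
    return proto == "esp" or (proto == "udp" and port == 500)


def parse_line(line):
    src, dst, proto, port, action = line.split()
    return src, dst, proto.lower(), (None if port == "-" else int(port)), action.upper()


def cleartext_cross_segment(lines):
    """Return allowed cross-segment flows that are not IKE/ESP, i.e. policy violations."""
    findings = []
    for line in lines:
        src, dst, proto, port, action = parse_line(line)
        s, d = segment_of(src), segment_of(dst)
        if action != "ALLOWED" or s is None or d is None or s == d:
            continue  # denied, not internal, or same segment: not in scope
        if not is_ipsec(proto, port):
            findings.append((src, dst, proto, port))
    return findings


if __name__ == "__main__":
    for f in cleartext_cross_segment(SAMPLE_LOG):
        print("cleartext cross-segment flow:", f)
```

In the constructed sample only the LDAP connection (TCP/389) between NetA and NetB is reported; the IKE and ESP entries pass, and same-segment or denied entries are ignored.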
RE: IPSec Between Multiple Internal Nets - 19.May2004 5:40:00 PM
senad
Posts: 31
Joined: 27.Nov.2001
From: Brighton, MA
Status: offline
Hi Tom,
I can't agree more. Microsoft recommends using IPSec as a default protocol for all server communications. Using IPSec is the best way to protect RPC (and any other internal) traffic from packet sniffing. Many admins don't realize that 90% of all security breaches happen on the inside, not through the firewall. Anybody who has worked for a larger company knows how easy it is to walk into the building and get physical access to the LAN.
You may want to consider including some scenarios on network partitioning and internal IPSec tunneling in your upcoming book. I believe the biggest advantage of the new ISA Server over the competition is the ability to segment the network and fine-tune the rules for each pair of segments.
Senad