Re: TCP/IP Filtering Question
From: Herb Martin (news_at_LearnQuick.com)
Date: 01/27/05
- Next message: suyatno: "remote access conection manager"
- Previous message: Herb Martin: "Re: TCP/IP Filtering Question"
- In reply to: Marcus: "Re: TCP/IP Filtering Question"
- Next in thread: Herb Martin: "Re: TCP/IP Filtering Question"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 26 Jan 2005 18:19:23 -0600
"Marcus" <Marcus@discussions.microsoft.com> wrote in message
news:C2BBBD78-683B-4DA0-8599-EE13C5EB20AF@microsoft.com...
> The idea behind what I'm trying to do is to implement the open source SSL
> Explorer on the Windows 2000 Server, which would supply secure communications
> to workstations with an SSL VPN tunnel. Since the VPN is SSL, it only needs
> access to port 443.
If you are using Win2000+ as your router you might just
(about as) easily just use the actual IPSec facilities.
> By shutting down all TCP/IP ports, except 443, this will
> allow users to have a secure gateway into the other network through the
> Windows server. The main goal is to avoid IPSec. Does anyone have any other
> ideas? Thanks.
Your GOAL is to avoid the built-in IPSec in favor of
something add-on?
As for using the SSL then we were answering your
question about blocking all other traffic (pairs) using
IPSec FILTERS -- not IPSec itself.
IPSec filters have three behaviors:
1) BLOCK
2) PASS
3) NEGOTIATE (actual IPSec)
This is a much better filtering method than the trivial and
near useless NIC filters.
If you really MUST AVOID IPSec (Filters) then use the
RRAS filters (which are actually even better.)
-- Herb Martin

> "Steven L Umbach" wrote:
>
> > For what you are doing you might want to try ipsec filtering policy using
> > permit and block filter actions instead on that router computer. If you do
> > not want the same ipsec policy applied to both adapters, then configure the
> > actual IP address of the network adapter you want to filter instead of "my
> > address". Ipsec filtering will not block multicast and broadcast traffic,
> > kerberos, IKE, or RSVP traffic by default if that is a concern, though a
> > registry mod can change most of that. Ipsec can also manage traffic in both
> > directions. The link below explains more. ---- Steve
> >
> > http://www.securityfocus.com/infocus/1559
> >
> > "Marcus" <Marcus@discussions.microsoft.com> wrote in message
> > news:9A90D9A0-EC72-4982-9A75-E1AA60323DDB@microsoft.com...
> > > I have a Windows 2000 Server acting as a router between two different
> > > networks (10.29.x.x and 10.22.x.x). I want to configure network 10.29.x.x to
> > > be only able to get to the server/router through port 443. I have tried
> > > enabling TCP/IP filtering on that network's NIC accepting only port 443,
> > > however, all this has done is block the PCs from getting an IP address from
> > > the DHCP server. Once I give the workstation a static IP in the 10.29.x.x
> > > range all traffic goes right through the NIC and ignores the TCP/IP filters.
> > > Thanks for any help.
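The PERMIT/BLOCK filter policy that Herb and Steve describe (TCP 443 to the router from the 10.29.x.x side, everything else to the router blocked), written out as an added example that is not from the thread. It assumes the `netsh ipsec static` context of Windows XP/Server 2003 and later; Windows 2000 itself has no netsh ipsec context and needs ipsecpol.exe from the Resource Kit, with different syntax. The policy, filter list, action and rule names are arbitrary.

```powershell
# Run in an elevated prompt on the router. Addresses come from the thread
# (10.29.0.0/16 is the network being restricted, "me" is the router itself).

# 1) Filter lists: WHICH traffic each rule matches.
#    mirrored=yes also matches the reply direction, so the router can answer.
netsh ipsec static add filterlist name="Allow443" description="TCP 443 to this host from 10.29.x.x"
netsh ipsec static add filter filterlist="Allow443" srcaddr=10.29.0.0 srcmask=255.255.0.0 dstaddr=me protocol=TCP srcport=0 dstport=443 mirrored=yes

netsh ipsec static add filterlist name="BlockAll" description="All other traffic to this host from 10.29.x.x"
netsh ipsec static add filter filterlist="BlockAll" srcaddr=10.29.0.0 srcmask=255.255.0.0 dstaddr=me protocol=ANY mirrored=yes

# 2) Filter actions: two of the three behaviours Herb lists. Neither negotiates
#    IPSec, which is the point of using IPSec FILTERS rather than IPSec itself.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

# 3) Policy and rules. The more specific filter (TCP/443) takes precedence over
#    the catch-all, so the permit rule wins for 443 and the block rule for the rest.
netsh ipsec static add policy name="Web443Only" description="Only TCP 443 from the 10.29 network reaches this host" assign=no
netsh ipsec static add rule name="Permit443" policy="Web443Only" filterlist="Allow443" filteraction="Permit"
netsh ipsec static add rule name="BlockRest" policy="Web443Only" filterlist="BlockAll" filteraction="Block"

# 4) Review before assigning; only one local policy can be assigned at a time.
netsh ipsec static show policy name="Web443Only" level=verbose
netsh ipsec static set policy name="Web443Only" assign=y

# Caveats from the thread: dstaddr=me only covers traffic addressed TO the
# router, not traffic routed through it; and by default IPSec filters exempt
# broadcast/multicast, Kerberos, IKE and RSVP, so DHCP on the 10.29 side is
# not broken by this policy (the registry change Steve mentions removes
# those exemptions and must be weighed against that).
```

Swap the two rules for `action=negotiate` on the permit side and the same policy becomes a real IPSec requirement, which is the third behaviour Herb lists.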