Re: Windows 2003 Server RRAS and IPSEC

From: Janani V[MSFT] (jananiv_at_online.microsoft.com)
Date: 07/29/04


Date: Thu, 29 Jul 2004 20:56:43 +0530

You can check out the following link for info regarding the ports to be
opened for IPSEC traffic:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_VPN_und13.asp

Thanks,
Janani

"huskyphan" <huskyphan@discussions.microsoft.com> wrote in message
news:627AC9C5-15E4-4255-9D64-F8E844D7F79E@microsoft.com...
> I work at a university whose central computing network doles out live IP
addresses to all the campus buildings. To top it off we cannot utilize true
firewall or NAT boxes to secure the buildings, as the central computing network
support needs to manage each port. So what we have to do is install
parallel firewalls or utilize filters like IPSEC to protect our servers (we
use client firewalls for the desktops).
>
> With that being the case, our Windows 2003 and 2000 servers have IPSEC
with rules restricting access to just our subnet, access to the port 80,
443, our campus DNS servers, and campus time servers. Everything else is
blocked. As it stands, we haven't had any major problems, and it is the
best (and cheapest route). I want to add RRAS to one of our Windows 2003
servers for VPN access and followed the knowledge base article 323381 that
shows how to do so. Just to be sure, I added permission filters in IPSEC
that allow access to/from port 1723 and 47.
>
> After doing so, I tested the vpn connection. I dialed up from a laptop to
our campus dialup service then dialed the vpn connection to the new RRAS
server. After a fashion, I get a "connecting" dialing box, then a "verifying
username/password" dialog box, then an error dialog box indicating that the
remote computer did not respond (and will redial in xx seconds). Just as a
test, I un-assigned the IPSEC filters, dialed up the RRAS server again, and am
connected no problem. So I'm assuming my IPSEC filters are blocking, but I
am allowing ports 1723 and 47 (to/from). Are there other ports I'm missing,
and if so, are they dynamic (i.e., will they be different each time)? Or is
there another solution?
>
> thanks!
>
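PPTP uses a TCP control connection on port 1723 plus GRE, which is IP protocol 47 rather than a TCP or UDP port, so a filter written as a port rule for "47" never sees the tunnel traffic. The model below is an added example, not part of the thread or of any Microsoft documentation; the addresses, the packets and the simplified any-permit-matches semantics are constructed for illustration.

```python
# Added example, not from the original thread: a simplified model of packet
# filter evaluation showing why PPTP needs a rule for IP protocol 47 (GRE),
# not for TCP/UDP port 47. Real IPsec engines order matches differently;
# here a packet is permitted if any permit rule matches, otherwise blocked.
from dataclasses import dataclass
from typing import Optional

TCP, UDP, GRE = 6, 17, 47          # IANA IP protocol numbers

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None    # None: protocol has no ports (GRE, ICMP, ESP)
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    proto: Optional[int] = None    # None matches any protocol
    port: Optional[int] = None     # matches either endpoint's port; None matches any

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    # A port rule can only match packets that carry ports; GRE has none.
    if rule.port is not None and rule.port not in (pkt.sport, pkt.dport):
        return False
    return True

def evaluate(permits: list, pkt: Packet) -> str:
    return "permit" if any(matches(r, pkt) for r in permits) else "block"

SERVER = "192.0.2.10"              # constructed RRAS server address (TEST-NET-1)
# Constructed traffic: the PPTP control channel, then the GRE tunnel carrying PPP.
PPTP_CONTROL = Packet(TCP, "198.51.100.7", SERVER, 1045, 1723)
GRE_TUNNEL = Packet(GRE, "198.51.100.7", SERVER)

# "port 1723 and 47" read as TCP/UDP ports: GRE never matches a port rule.
PORT_ONLY = [Rule(TCP, 1723), Rule(TCP, 47), Rule(UDP, 47)]
# The same intent with 47 as an IP protocol number: GRE is permitted.
WITH_GRE = [Rule(TCP, 1723), Rule(GRE)]

if __name__ == "__main__":
    for name, rules in (("port-only", PORT_ONLY), ("with-gre", WITH_GRE)):
        for pkt in (PPTP_CONTROL, GRE_TUNNEL):
            print(f"{name:9s} proto={pkt.proto:2d} -> {evaluate(rules, pkt)}")
```

The control channel passes under both rule sets, which is why the dialer reaches the username/password stage; only the protocol-level rule lets the GRE tunnel through.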


