Re: sysvol replication breaks when IPSec running between DCs & firewal

Hello bRad,

Also have a look here about UDP port 500:

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!

Theoretically, when all traffic between DCs is IPSec, you only have to
open the firewall for the ports required by IPSec, and everything will
work. However, I am having trouble with Sysvol replication. Sysvol
will not replicate as long as the firewall is enabled on the DC with
the PDC role. I have the following rules in the Windows Firewall to
enable IPSec traffic to pass:

50:ip protocol:*:enabled:IPSec ESP
51:ip protocol:*:enabled:IPSec AH
We have two root DCs and three child domain DCs. Sysvol works fine on
the child domain. Since it was not working on the root domain, I
configured a static port for FRS, as per KB319553, and enabled that
port on all DCs. That did not solve the problem. Actually, that step
should not have been necessary anyway, since all traffic between DCs
is already encapsulated with IPSec.

Summary: 5 domain controllers, all using IPSec, all firewalls
configured identically, yet one server's firewall, when enabled,
breaks replication of sysvol for root domain. Sysvol replication works
OK for child domain but not for root domain.

It would seem that the problem lies with the firewall configuration on
the DC with the PDC role. However, if the firewall was misconfigured,
it seems that no traffic at all could pass between the two root DCs,
since all traffic must use IPSec.

(1) Do I have the syntax correct for the Windows Firewall rule to allow
IPSec traffic to pass?
(2) If not, how is it that IPSec is working on all 5 DCs?
(3) On Windows 2003 Server SP2, does IPSec traffic bypass the firewall by
default? I do not have the "Windows Firewall: Allow authenticated IPSec
bypass" policy configured.
(4) Would the above-mentioned policy setting be the best way to get around
this problem? If so, I need some help with the SDDL string. My DCs are in an
OU but not in a group. Must I create a group for them in order to be able to
have an SID for the SDDL?
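As an added example (not from this thread or either poster), a small Python script that checks a port-exception list written in the post's `port:transport:scope:status:name` format for enabled UDP 500 (IKE, the port Meinolf points at) and UDP 4500 (NAT-T) entries, and builds the SDDL string for the "Allow authenticated IPSec bypass" policy from a list of SIDs. The UDP 4500 entry, the `(A;;RCGW;;;<SID>)` ACE shape and the sample SID are assumptions, not facts from the thread.

```python
"""Audit Windows Firewall port exceptions for an IPSec-only DC and build
the SDDL for the 'Allow authenticated IPSec bypass' policy.

Assumptions (not from the thread): exceptions use the Group Policy
'port:transport:scope:status:name' format seen in the post; IKE is UDP 500
and NAT-T is UDP 4500; the bypass policy accepts ACEs of the form
(A;;RCGW;;;<SID>) behind an 'O:DAG:DAD:' header.
"""
import re

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

# Constructed sample: the post's own two lines plus two UDP entries.
SAMPLE_RULES = [
    "50:ip protocol:*:enabled:IPSec ESP",
    "51:ip protocol:*:enabled:IPSec AH",
    "500:UDP:*:enabled:IKE",
    "4500:UDP:*:disabled:IPSec NAT-T",
]

# (port, transport) pairs that must be present and enabled.
REQUIRED = {("500", "UDP"): "IKE", ("4500", "UDP"): "NAT-T"}


def parse_rule(line):
    """Split 'port:transport:scope:status:name'; the name may contain ':'."""
    parts = line.split(":", 4)
    if len(parts) != 5:
        raise ValueError("malformed exception: %r" % line)
    port, transport, scope, status, name = parts
    return {"port": port, "transport": transport.upper(), "scope": scope,
            "enabled": status.lower() == "enabled", "name": name}


def missing_ipsec_exceptions(lines):
    """Return labels from REQUIRED whose entry is absent or not enabled."""
    enabled = {(r["port"], r["transport"])
               for r in map(parse_rule, lines) if r["enabled"]}
    return [label for key, label in REQUIRED.items() if key not in enabled]


def bypass_sddl(sids):
    """Build the bypass-policy SDDL with one allow ACE per validated SID."""
    aces = []
    for sid in sids:
        if not SID_RE.match(sid):
            raise ValueError("not a SID: %r" % sid)
        aces.append("(A;;RCGW;;;%s)" % sid)
    return "O:DAG:DAD:" + "".join(aces)


if __name__ == "__main__":
    print(missing_ipsec_exceptions(SAMPLE_RULES))
    print(bypass_sddl(["S-1-5-21-1000-2000-3000-1105"]))  # placeholder SID
```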

