IPSEC through DMZ with W2K3

  • Thread starter Thread starter Anthony Harper
  • Start date Start date
A

Anthony Harper

Hi,

I'm trying to place a Windows 2003 Server IIS server in my DMZ, that
can talk to DCs on the internal lan using IPSEC (for the purposes of
authenticating domain users to certain areas of the website).

Now I've followed the example
(http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.a
sp) and all was working happily with a Windows 2000 server in the DMZ,
however the ipsec fails when using a W2K3 server.

When pinging from the W2K3 server, in the event log I get failure
messages like this:

-----------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 08/12/2004
Time: 09:00:36
User: NT AUTHORITY\NETWORK SERVICE
Computer: DARWIN
Description:
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

<snipped IPs>

Failure Point:
Me

Failure Reason:
No authority could be contacted for authentication.

Extra Status:
Processed first (SA) payload
Initiator. Delta Time 25
0x0 0x0
---------------------------------

If anyone could shed any light on this, I'd be most grateful.

Regards,


Anthony Harper
 
Ipsec "negotiation" is not supported between domain controllers and non
domain controllers per Microsoft. If your W2K server was not a domain
controller, I am surprised you got it to work so well. Windows 2003
introduced extra protection for ipsec via boot up and default exemptions
have been removed. For more details I suggest you refer to the free download
for the Windows 2003 Deployment Kit which has an excellent chapter on
implementing ipsec. I pasted a pertinent part of the guide under the link.
Unfortunealy they never get into "the complexity of the ipsec policy"
sue. --- Steve

http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx
-- look under deploying network services/deploying ipsec.

IPSec Uses That Are Not Recommended
IPSec can reduce processing performance and increase network bandwidth
consumption. Additionally, IPSec policies can be quite complex to configure
and manage. Finally, the use of IPSec can introduce application
compatibility issues. For these reasons, IPSec is not recommended for the
following uses:

· Securing communication between domain members and their domain
controllers. In addition to reduced network performance, using IPSec for
this scenario is not recommended because of the complexity of the IPSec
policy configuration and management required.
 
Thanks for the info Stephen, I too was quite surprised that it was
working with a w2K member server - especially since it was working over
a NATed device. I thought that the revisions in W2K3 would help rather
than hinder IPSEC.

Cheers,

Anthony
 
Back
Top