VPN

[Chris hilton]

We currntly have a Cisco 5151e PIX separating our internal
web servers (IIS 5 and 6) and databases from our internal
network clients. In order to administer these web servers
we are required to load the CISCO VPN client and create a
VPN connection. All web servers are member servers of our
Win2k domain. All domain controllers are located outside
the firewall (ie on the side with the clients). I have
two problems.

1. Is it possible to use the builtin Windows VPN client
to connect to this firewall. I can find no documentation
and have been unsuccessful in any attempts to connect with
the Windows client.

2. Our Member servers (web servers) behind the firewall
do not seem to be properly talking to the domain
controllers (presumably because the firewall is blocking
certain traffic). I am able to successfully join them to
the domain, but loggin on to a domain account takes over
a minute (where as a local account is instantaneous), and
I am getting "Event: 1000, Source: Userenv, Unable to
contact domain controller" in the event log.

Can anyone please tell me what ports need to be defined to
enable proper communication between the doain contollers
and the member servers?

Thanks... Chris

 

[Eric Shen [MSFT]]

Hi Chris,

Actually, PIX firewall doesn't implement its VPN in the same way as
Windows. Windows VPN connection is generally used to connect to a RRAS
server. According to my experience, this cannot be used to connect to a PIX
firewall. It is because PIX use a different protocol as Windows VPN
connection. You need to use its VPN client to connect. You can check with
Cisco to see if they have any document on this.

Generally, it is not recommended to put a firewall between a DC and a
member server. The firewall will block a lot of connections and make the
client unable to connect to DC. Some communications will not succeed in
this scenario. The client computer may not be successfully authenticated
since the firewall exists. Actually, this is all caused by the firewall. As
you know, firewall is used to separate the network. Some firewalls are
designed to be unable to work with domain authentication. In this case, I
suggest you read the following article:

179442 How to Configure a Firewall for Domains and Trusts
http://support.microsoft.com/?id=179442

As we are not aware of how PIX is designed, I am not sure if it is doable
with a PIX firewall. However, you can try to open these ports and then
check if it works. Please let me know if this solves this issue or if you
need further assistance.

I look forward to hearing from you.

Regards,

Eric Shen
Product Support Services
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

Get Secure! - www.microsoft.com/security

 

[gaetano]

yes eric,
it's possible, with and without a CA:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094e6d.shtml

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800942ad.shtml

http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/ispstep.asp